What is Halloware ransomware? And how does it execute its attack?
Halloware ransomware is a file-encrypting virus created by an individual who goes by the online name “Luc1F3R”. This crypto-malware was first observed on December 6, 2017, and appears to still be in development. Its source code is for sale for the measly amount of $40. The ransomware is advertised on the Dark Web, where security experts have purchased it to analyze the threat further. The website advertising and distributing it does not appear to be properly protected, so if it ever ended up executing widespread attacks, security experts could plausibly gain access and crack the Halloware ransomware code.
In its attack, Halloware ransomware behaves just like a typical ransomware threat – it mostly targets user-generated files and encrypts them using a combination of AES and RSA encryption algorithms to make the files inaccessible. According to researchers, it targets files with the following extensions:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .mkv, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .rar, .zip, .7zip, .jpg, .jpeg, .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd
Halloware ransomware’s attack is fairly generic. Unlike most ransomware, which appends a new extension to the affected files, it adds the prefix “Lucifer” to the beginning of every file’s name. After the encryption, Halloware ransomware demands a ransom from its victims by displaying a program window and changing the desktop image. Its program window contains the following text:
“Your Data Have Been Encrypted
If You Need Your Data Back
So Go Here
hxxp://zinrm67igbdcdy5h.onion”
It displays the following message in the desktop image it modified:
“You are hacked
your all files folder have been encrypted its happen when you watch too much porn or do some illegal work if you want your files back you have to pay 100 dollars in bitcoin
visit this to contact us for payment and key or decrypter info
hxxp://zinrm67igbdcdy5h.onion open this link in tor browser and get ur files back.”
In addition, the crypto-malware displays a pop-up window with a scary clown picture and a link to a ransom payment website. Notably, the ransom amount on the payment website is higher than in the note: instead of $100, users are asked to pay $150 in Bitcoin.
The good news is that no attacks by Halloware ransomware have been reported yet, so it is safe to assume it has not victimized any users at this time. But it is always good to be one step ahead in case it starts to attack the cyber community.
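As an added example (not code from this write-up or from the malware’s author), the following Python script uses the two indicators described above, the “Lucifer” file-name prefix and the targeted extension list, to inventory encrypted files in a directory tree so that each one can be restored from a backup or a previous version. It assumes the prefix is literally “Lucifer” with no separator, uses only a subset of the extensions, and builds a constructed sample directory for demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicator from the write-up: Halloware prepends "Lucifer" to each encrypted file's name.
# Assumption: the prefix is literal, with no separator before the original name.
LUCIFER_PREFIX = "Lucifer"
# Subset of the targeted extensions quoted above; extend with the full list as needed.
TARGETED_EXTENSIONS = {".jpg", ".png", ".docx", ".xlsx", ".pdf", ".sql", ".py", ".zip", ".txt"}


def original_name(name: str):
    """Return the pre-encryption file name if `name` carries the prefix, else None."""
    if name.startswith(LUCIFER_PREFIX) and len(name) > len(LUCIFER_PREFIX):
        return name[len(LUCIFER_PREFIX):]
    return None


def inventory(root: str) -> dict:
    """Walk `root` and sort files into three buckets:
    affected  -> (encrypted path, original name) where the extension is a targeted one
    review    -> prefixed names with an extension outside the list (check by hand)
    untouched -> count of files without the prefix (skipped, or not reached yet)"""
    result = {"affected": [], "review": [], "untouched": 0}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            orig = original_name(fname)
            if orig is None:
                result["untouched"] += 1
            elif Path(orig).suffix.lower() in TARGETED_EXTENSIONS:
                result["affected"].append((os.path.join(dirpath, fname), orig))
            else:
                result["review"].append(os.path.join(dirpath, fname))
    result["affected"].sort()
    result["review"].sort()
    return result


def build_sample_tree() -> str:
    """Constructed directory that mimics a partially encrypted user profile (demo data)."""
    root = tempfile.mkdtemp(prefix="halloware_demo_")
    sample = ["Documents/Luciferreport.docx", "Documents/Luciferbudget.xlsx",
              "Pictures/Luciferholiday.jpg", "Pictures/LuciferREADME", "Desktop/notes.txt"]
    for rel in sample:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"ciphertext" if "Lucifer" in rel else b"plain text")
    return root
```

Run `inventory()` against a real profile root (for example `%USERPROFILE%`) instead of the sample tree; the `review` bucket catches prefixed files whose extension is not in your list.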
How does Halloware ransomware spread?
Although Halloware ransomware is not being actively spread yet, it is being offered on the Dark Web, which is nothing new for this kind of threat. At the time of this writing, the ransomware’s developer promotes the file-encrypting program not only on the Dark Web but also on two other internet sites, including YouTube.
Follow the given instructions below to terminate Halloware ransomware from your computer.
Step1. Close the program window containing the ransom note.
Step2. Open the Task Manager simply by tapping Ctrl + Shift + Esc keys on your keyboard.
Step3. Under the Task Manager, go to the Processes tab and look for any suspicious-looking process which takes up most of your CPU’s resources and is most likely related to Halloware ransomware.
Step4. After that, close the Task Manager.
Step5. Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step6. Under the list of installed programs, look for Halloware ransomware or anything similar and then uninstall it.
Step7. Next, close Control Panel and tap Win + E keys to launch File Explorer.
Step8. Navigate to the following locations below and look for Halloware ransomware’s malicious and other suspicious files and then delete all of them.
- %TEMP%
- %APPDATA%
- %APPDATA%\Microsoft\Windows\Templates\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step9. Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will have a significant impact on your computer. To save yourself the trouble and time, you can instead use PC Cleaner Pro; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step10. Tap Win + R to open Run, type in regedit in the field and tap Enter to pull up the Windows Registry.
Step11. Navigate to the following paths:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step12. Delete the registry keys and sub-keys created by Halloware ransomware.
Step13. Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only work if Halloware ransomware hasn’t deleted the Shadow Volume copies of your files. Still, this is one of the best free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties. In the window that pops up, go to the Previous Versions tab, which lists the file’s versions from before it was modified. After the list loads, select one of the previous versions displayed, like the one in the illustration below, and then click the Restore button.
It is important to make sure that nothing is left behind and that Halloware ransomware is completely removed using the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeatedly press F8 until the Advanced Options menu shows up.
- To navigate the Advanced Options menu, use the arrow keys to select Safe Mode with Networking, then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be in between explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. The installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.