Herbst Ransomware

We would like to inform you about a new ransomware that will soon start wreaking havoc on unprotected computers. Herbst Ransomware is the name of this infection, and you must remove it if it happens to enter your computer. It is set to encrypt your valuable files and ask for a modest ransom to decrypt them. We want to stress that this particular infection is still in its beta stage of development, and it is not yet completed. Nevertheless, its developers thought it would be a good idea to release the unfinished malware to see how anti-malware and anti-virus programs react to it. Indeed, some anti-malware tools already detect and delete it.

The most obvious trait about this ransomware is that it targets German-speaking users. Therefore, almost all of the text presented by this infection is written in German. Unfortunately, it is not yet known how Herbst Ransomware is distributed, but we assume that its developers distribute it via email spam that is sent from a remote server. The emails are sent to random email addresses, probably obtained from other shady software developers. The text of the email is set to give you the impression that it is legitimate, and it may be disguised as a business-related inquiry, invoice or something along those lines. In any case, the email contains an attachment that may be an executable file disguised as a PDF file as well as a self-extracting archive. Whatever the case may be, when you open the file it drops this ransomware’s executable to a particular location and launches it.

We have found that when launched Herbst Ransomware will scan particular directories for files of interest. We have found that it will encrypt files located on the desktop and in My Pictures and My Music folders. We believe that it has been programmed to encrypt certain file formats that are bound to contain personal and, thus, valuable information. Also, it uses the AES-256 encryption algorithm which is one of the most secure encryption methods out there. Therefore, it is impossible to crack without the appropriate decryption key that is in the hands of this infection’s developers. While encrypting the files, this ransomware adds the .herbst extension to the end of the filename. Once the encryption is complete, it will launch a small window with the ransom note in German.

The developers ask you pay a measly ransom of 0.1 BTC, which is $53.80 USD. Note that the developers want you to pay the ransom in Bitcoins and wants you to send them to their Bitcoin wallet at 18uM9JA1dZgvsgAaeeW2XZK13dTbk1jzWq. Even though the random is not outrageous, we do not recommend that you pay it because you might not receive the decryption key. As mentioned in the introduction, Herbst Ransomware is in its beta development stage, and research has shown that it has certain functions that are not active yet. Its code was written in the C# language. Therefore, it indicates that it has functions that it does not call them. The Encrypt function is said to encrypt the AES key before sending it to the Command and Control (C&C.) the function Unlock should decrypt the incoming traffic from the C&C, and the Http function should send and receive encrypted messaged to the C&C. Since these functions are not yet active, researchers believe that it is not a finished “product” which is just as well. However, it does not contain vulnerabilities that could help decrypt the files free of charge.

Deleting Herbst Ransomware is not a difficult task if you know where to look for its executable. The location where it is dropped may vary, so you must take this into account. If you are unable to locate this infections executable, then use our free scanner called SpyHunter which can detect it with ease. You should not allow yourself to be bullied by cyber crooks, so we invite you to remove it instead of paying the ransom.

Plausible method for removing Herbst Ransomware

1. Simultaneously press Windows+E keys on your keyboard.
2. In the address box, enter %Temp%, and C:\Users\User\Downloads respectively (location may vary.)
3. Locate its randomly named executable and delete it.
4. Empty the Recycle Bin.