Hades Locker Ransomware

Hades Locker Ransomware, according to our researchers, is a new version of the infamous WildFire Ransomware. This infection withered away just a month ago, and that happened because the control over the C&C servers linked to this ransomware were seized, allowing the release of decryption keys. Unfortunately, the new version of this ransomware is much more complex, and it cannot be taken down just as easily. In fact, if this threat attacks, it is unlikely that you will have many options. After thoroughly researching this infection in our internal lab, we can provide you with important information regarding the encryption of your personal files, as well as the removal of Hades Locker Ransomware. Even if you think that you know everything there is to know, we suggest reading this report. Maybe you will learn something new about the threat and how to delete it more efficiently.

The distribution of Hades Locker Ransomware is currently a mystery, but if we learn more about it, we will immediately update this report. It is very likely that its malicious launcher will hide in a spam email attachment or corrupted software bundles, so be careful. Once the launcher is executed, it connects to ip-api.com/xml to retrieve your location and your IP address. This information is then sent to a C&C server along with your ID, tracking ID, computer name, and user name. The server responds with a password that is used for the encryption of your files. Speaking of encryption, the devious Hades Locker Ransomware uses AES (Advanced Encryption Standard) algorithm. Simultaneously, the threat also modifies the Windows Registry by adding values to HKCU\Software\Wow6232Node. One of these values is called “hwid” and it represents your ID. The other one is called “status” and it determines the encryption process. After these values are created, the ransomware starts encrypting your personal files.

According to our research, Hades Locker Ransomware skips all files whose paths contain “windows,” “program files,” “program files (x86),” “system volume information,” and “recycle.bin” strings. Of course, the ransomware does not affect system files to avoid jeopardizing its own processes. Unfortunately, all of your most personal files, including documents and private photos, will be encrypted. These files will receive the “.HLN3WQG” extension, which will make it easier for you to spot them. It was found that the last five characters in the extension actually represent the first five characters of the encryption password. Once the encryption is complete, the ransomware creates three files that represent the ransomware note, including README_RECOVER_FILES_[your ID].html, README_RECOVER_FILES_[your ID].txt, and README_RECOVER_FILES_[your ID].png. The latter file can replace your Desktop wallpaper to make it impossible for you to overlook the demands. Do not rush to remove these files.

As you know, if you have reviewed the demands associated with Hades Locker Ransomware, you are expected to pay a ransom in return of a decryption key that is meant to unlock your files. All ransom notes display links that you need to visit for additional instructions, and you might have to download the Tor Browser to access them. The information provided to you via these links indicates that you need to pay a ransom of 1 BTC, which converts to around 613 USD or 548 EUR. Note that this virtual currency is variable and the conversion rates might change. Unfortunately, paying the ransom might be your only chance of recovering your files, unless they are backed up. As mentioned in the ransom note, you have two options: To format the hard disk and lose all files or to pay the ransom. Obviously, you do not want to lose your files, but are you sure you want to trust cyber criminals? What if they take the ransom fee and fail to provide you with a decryptor? You need to evaluate this risk beforehand.

Hades Locker Ransomware removes Shadow Volume Copies using the “WMIC.exe shadowcopy delete /nointeractive” command, which prevents users from restoring their files. Unfortunately, it is impossible to recover the files without the decryption key, and cyber criminals demand a huge fee for it. Whatever kind of decision you make – to pay the ransom and take the risk or lose the files – you will need to delete Hades Locker Ransomware from your operating system. The guide below shows how to eliminate this threat manually, but this task is for users who are experienced and who know how to identify malicious files. Less experienced users should employ automated anti-malware software. Considering that fake anti-malware tools exist, you just have to make sure that you install reliable and legitimate software.

Remove Hades Locker Ransomware

1. Tap Win+E keys to access Explorer.
2. Enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ (%ALLUSERSPROFILE%\Start Menu\Programs\Startup\ for Windows XP users) into the address bar.
3. Right-click and Delete the malicious [random name].exe file.
4. Delete the main launcher file [random name].exe. It might be located in one of these directories:
   • %APPDATA%\wow6232node\
   • %TEMP%\RarSFX0\
5. Tap Win+R to launch RUN.
6. Type regedit.exe into the dialog box to launch Registry Editor.
7. Move to HKEY_CURRENT_USER\Software\WOW6232Node.
8. Right-click and Delete the values named hwid and status.
9. Delete the ransom notes (they could be located in every folder and subfolder):
   • README_RECOVER_FILES_[your ID].html
   • README_RECOVER_FILES_[your ID].txt
   • README_RECOVER_FILES_[your ID].png