Click on screenshot to zoom
Danger level 7
Type: Adware
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

BlackHat Ransomware

If you have recently found that your computer is affected by a piece of malware that displays a threatening window the heading of which reads BlackHat, that means you have fallen victim to the BlackHat Ransomware. The infection provides you with misleading information that your files, including pictures, databases and other valuable information are encrypted, and you are expected to pay a ransom to regain access to your data. In reality, the infection encrypts only the test folder found on the desktop, which means that your file remains intact, and you do not need to pay any release fee. It is not advisable to pay the attackers even if they succeed in compromising your files, because the attackers are very likely to ignore your need to regain your access to the data. Your goal now should be removing the BlackHat ransomware from your computer. Do not delay the removal so that you can take preventative measures of new attacks, which may take place any time.

Our researchers have found that the BlackHat ransomware is very similar, almost identical to the ransomware known as MoWare H.F.D, which is build using the open source package Hidden-Tear. This open-source ransomware kit was created as a means for education, but cyber crooks soon took the advantage of this platform by launching a variety of ransomware campaigns. Even the MoWare H.F.D was found to be shared by the author with so-called hacker Mohammed Raad, who was interested in editing the code of the threat.

Even though the BlackHat ransomware is visually similar to MoWare H.F.D and, for example, CryptoGod, its code is written using .NET. Moreover, the infection used the XOR encryption method.

You are probably satisfied that your personal information has not been tampered with by the infection. It is so because the BlackHat ransomware is still in its developmental stage. Even though it is programmed to add the extension .H_F_D_locked to the files encrypted, it cannot connect to its server, from which it would receive commands and send data to. The infection also fails to encrypt hundreds of files, including file types such as mp3, docx, doc, jpg, dmp, and many others.

Failures aside, the BlackHat rasomware successfully makes a copy of itself whenever the user launches its malicious files. Its copy is created in one of the directories created in the AppData folder. The path to the location of the copy is %APPDATA%\MoWare_H\MoWare H.F.D\\MoWare H.F.D.exe. In addition, the infection has its point of execution created in the Registry. That means that the threat loads its ransom warning every time the system starts up.

As for the ransom warning, the attackers behind BlackHat expects you to pay a ransom of 200 USD converted to Bitcoin, which is a digital currency that is not owned or controlled by any central bank. The Bitcoin currency enables anonymity, which is, without a doubt, highly appreciated by cyber attackers. The ransom warning of the BlackHat ransomware contains the digital wallet address to which you are supposed to transfer the sum requested, but we strongly advice against doing so. After money submitting, the attackers request you to reach them at Instead of wasting your money, you should remove the BlackHat ransomware and take measures to prevent such incidents in the future.

In order to minimize the risk of getting the PC infected it is vital to use anti-spyware software. Additionally, it is important to avoid opening questionable emails and email attachments, visiting freeware sharing websites, and downloading unknown programs. There are hundreds and thousands of computer infections targeted at unprotected Internet-connected devices, and your PC should not be one among the many.

If you want to have the BlackHat ransomware removed, choose a reputable malware and spyware removal tool so that you can be protected from many other threats. It is possible to remove the BlackHat threat manually, which you can do using your removal guide, but you should bear in mind that after completing the removal, it is worth scanning the system to make sure that all the malicious components of the infection are terminated for good.

How to remove the BlackHat ransomware

  1. Close the window of the infection by clicking the X button.
  2. Press Win+R and type in regedit. Click OK to access the Registry.
  3. Use the pathname given to access and delete the point of execution: HKCU\Software\Microsoft\Windows\CurrentVersion\Run::Blackhat.
  4. Access the AppData directory and follow the path %APPDATA%\MoWare_H\MoWare H.F.D\\MoWare H.F.D.exe so that you can delete the malicious file.
Download Spyware Removal Tool to Remove* BlackHat Ransomware
  • Quick & tested solution for BlackHat Ransomware removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.