Danger level 6
Type: Trojans

HAT Ransomware

Of all threats that exist in the world, ransomware might be the most intimidating for individual Windows users. HAT Ransomware is one example of this kind of malware, but it is not a unique example. Our research team has found that it belongs to a larger group of threats, and we discuss this further in the report. With this report, we aim to help those unfortunate Windows users who have their systems infected and personal files encrypted. Unfortunately, we cannot promise that we have a solution, but we have some information that might help you understand the situation better and also help you delete the threat quicker. Without a doubt, removing HAT Ransomware is important, and we are sure that we do not need to explain why. The guide at the bottom of the article shows how to eliminate the threat manually, but note that there are other options to consider. Continue reading, and do not hesitate to post questions below if you want to continue the discussion.

The family that HAT Ransomware belongs to is the Crysis/Dharma Ransomware family. Hundreds of threats belong to it, and some of them include CLUB Ransomware, BOMBO Ransomware, NCOV Ransomware, and WCH Ransomware. A free decryptor named Rakhni Decryptor was built for the victims of these threats by malware researchers, and we hope that you will be able to use it for full decryption also. That being said, if you have backups, you do not need to download anything. After you delete HAT Ransomware – or any of its clones – you can use your own backup copies of personal files to replace the corrupted ones. But we are jumping ahead here. Before you delete the infection and replace or restore files, you need to understand how this malware works. It all starts with a successful entry. You could encounter the launcher of the threat by opening misleading spam email attachments or executing unfamiliar installers. Once the threat is executed, it needs no additional permission to encrypt your personal files, and once that is done, the “.id-{ID}.[Zagrec@protonmail.com].HAT” extension should be appended to their names.

HAT Ransomware also creates two of its own files. One of them is called “Info.hta” and the other one is “FILES ENCRYPTED.txt.” The first one opens a window with a ransom note, and the second one is a normal text file. Both of them carry messages that urge you to contact the attackers via email. Whether you send a message to Zagrec@protonmail.com or bitrequest@tutanota.com, note that this move could expose you to cybercriminals in unwanted ways. You might expect that contacting them would help you learn what the cybercriminals want from you (which is to pay a ransom), but they could continue using your email address to expose you to new scams and malware launchers. So, beware. We do not recommend contacting the cybercriminals behind HAT Ransomware, not only because it is dangerous but also because it is most likely to be a waste of time. If you are convinced that you will get your files back after paying the ransom, note that that is unlikely to happen. So, if you do not want to lose your money along with your files, ignore the ransom notes, and look into using a free decryptor or replacing files with backup copies.

You need to delete HAT Ransomware before you use the free decryptor or use backups to replace the corrupted files. Can you do it manually? Some victims should be able to handle the task. The instructions below show what steps need to be taken to have the threat deleted completely. Another option is to use the help of a professional. Our recommendation is that you employ anti-malware software. It will thoroughly inspect your system and delete all existing threats at a fraction of the cost that you would have to pay for professional removal services. On top of that, anti-malware software is what you need if you want to have your operating system secured against other malicious threats in the future. Note that as long as your system remains unguarded, it will always be targeted by cybercriminals and malware. In fact, you should secure your system even if you decide to remove HAT Ransomware manually using this guide!

HAT Ransomware Removal

  1. Delete the file named FILES ENCRYPTED.txt (check the Desktop).
  2. Open File Explorer by tapping Windows+E keys together.
  3. Enter the following paths into the field at the top one by one, and delete the malicious files Info.hta and {random name}.exe if you can find and identify them:
    • %APPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  4. Open Run by tapping Windows+R keys together.
  5. Enter regedit into the dialog box to launch the Registry Editor.
  6. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  7. Delete all values associated with the malicious Info.hta and {random name}.exe files (there should be three).
  8. Once you Empty Recycle Bin, perform a thorough system scan using a malware scanner.
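
Before deleting anything by hand, it helps to see what is actually present in the locations named in the steps above. The following PowerShell script is an added example, not part of the original guide: it only reads and lists, and it deletes nothing. Listing executables with their signature status and searching the user profile for files carrying the appended extension are assumptions made here to help with triage, since {random name}.exe cannot be matched by name.

```powershell
# Added example: read-only inventory of the locations in the steps above; nothing is deleted.
$gci = @{ File = $true; Force = $true; ErrorAction = 'SilentlyContinue' }
$startup = 'Microsoft\Windows\Start Menu\Programs\Startup'

# Folders from step 3. The "Application Data" path may resolve to the same
# folder as the one before it on current Windows versions, so results can repeat.
$folders = @(
    $env:APPDATA
    Join-Path $env:APPDATA $startup
    Join-Path $env:ALLUSERSPROFILE $startup
    Join-Path $env:ALLUSERSPROFILE "Application Data\$startup"
    Join-Path $env:WINDIR 'System32'
) | Where-Object { Test-Path -LiteralPath $_ }

# Steps 1 and 3: the two ransom note files.
$notes = @(
    Get-ChildItem -LiteralPath ([Environment]::GetFolderPath('Desktop')) -Filter 'FILES ENCRYPTED.txt' @gci
    $folders | ForEach-Object { Get-ChildItem -LiteralPath $_ -Filter 'Info.hta' @gci }
)

# Step 3: {random name}.exe has no fixed name, so list every .exe in %APPDATA% and the
# Startup folders for review. System32 is skipped here (assumption: too many legitimate files).
$exes = @($folders | Where-Object { $_ -notlike '*\System32' } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -Filter '*.exe' @gci })

# Steps 6-7: values under the Run key, flagged when their data names Info.hta
# or one of the executables listed above.
$run = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$suspectNames = @('Info.hta') + @($exes | ForEach-Object Name)
$runValues = foreach ($name in $run.GetValueNames()) {
    $data = [string]$run.GetValue($name)
    $hit = $suspectNames | Where-Object { $data.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
    [pscustomobject]@{ Name = $name; Data = $data; Suspect = [bool]$hit }
}

# Files renamed with the extension described in the article (searched under the user profile).
$pattern = '\.id-.+\.\[Zagrec@protonmail\.com\]\.HAT$'
$encrypted = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse @gci |
    Where-Object { $_.Name -match $pattern })

'Ransom notes found:'
$notes | Format-Table FullName, CreationTime -AutoSize
'Executables to review (unsigned and recently created files deserve attention):'
$exes | Format-Table FullName, CreationTime,
    @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status } } -AutoSize
'Run key values:'
$runValues | Format-Table -AutoSize -Wrap
"Files with the .HAT extension under $env:USERPROFILE : $($encrypted.Count)"
```

Values shown with Suspect set to True are the candidates for step 7; the remaining entries are listed so that legitimate startup programs are not removed by mistake.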