Hades Locker Help & Support Topic



#1 Grinler (Lawrence Abrams, Admin)

Posted 05 October 2016 - 04:30 PM

The Hades Locker is a new variant of the WildFire Locker ransomware. Unfortunately, at this time the encryption used by Hades Locker is secure so there is no way to recover a victim's files for free.

This ransomware will encrypt files using AES encryption and then append the .~HL[first_5_chars_of_password] extension to encrypted files. It will also create ransom notes named README_RECOVER_FILES_[victim_id].html, README_RECOVER_FILES_[victim_id].png, README_RECOVER_FILES_[victim_id].txt.
 

More technical info about this ransomware can be found in this article: WildFire rises from the grave as the rebranded Hades Locker
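As an added example (not part of the original post or of any BleepingComputer tool), a small Python triage script that inventories a file listing for the artefacts named above: the .~HL[first_5_chars_of_password] extension and the README_RECOVER_FILES_[victim_id] notes. It assumes the password prefix and victim id are alphanumeric (the post does not say), and the file list is constructed.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Extension appended by Hades Locker: ".~HL" + first 5 characters of the password.
# Assumption: those characters are alphanumeric (not stated in the post).
HL_EXT = re.compile(r"\.~HL([A-Za-z0-9]{5})$")
# Ransom notes: README_RECOVER_FILES_[victim_id].{html,png,txt}
HL_NOTE = re.compile(r"^README_RECOVER_FILES_([A-Za-z0-9]+)\.(html|png|txt)$")


def classify(name):
    """Label one file name: ('note', victim_id), ('encrypted', pw_prefix) or ('other', None)."""
    m = HL_NOTE.match(name)
    if m:
        return "note", m.group(1)
    m = HL_EXT.search(name)
    if m:
        return "encrypted", m.group(1)
    return "other", None


def triage(paths):
    """Summarise Hades Locker artefacts across a list of file paths (strings)."""
    rep = {"encrypted": [], "untouched": [], "prefixes": Counter(), "victims": Counter()}
    for p in paths:
        kind, value = classify(PurePosixPath(p).name)
        if kind == "encrypted":
            rep["encrypted"].append(p)
            rep["prefixes"][value] += 1
        elif kind == "note":
            rep["victims"][value] += 1
        else:
            rep["untouched"].append(p)
    # A single run should leave one password prefix and one victim id; anything
    # else suggests several runs or variants and deserves a closer look.
    rep["single_infection"] = len(rep["prefixes"]) == 1 and len(rep["victims"]) == 1
    return rep


# Constructed sample inventory (not from a real victim).
SAMPLE_PATHS = [
    "C:/Users/wesley/Documents/report.docx.~HLab12x",
    "C:/Users/wesley/Documents/README_RECOVER_FILES_9f3a2.html",
    "C:/Users/wesley/Documents/README_RECOVER_FILES_9f3a2.txt",
    "C:/Users/wesley/Pictures/holiday.jpg.~HLab12x",
    "C:/Users/wesley/Pictures/README_RECOVER_FILES_9f3a2.png",
    "D:/archive/notes.txt",
]

if __name__ == "__main__":
    r = triage(SAMPLE_PATHS)
    print(f"{len(r['encrypted'])} encrypted, {len(r['untouched'])} untouched, "
          f"prefixes={dict(r['prefixes'])}, victims={dict(r['victims'])}")
```

Run it over a file listing taken from the imaged drive to record which files were touched before handing the image to anyone; the encrypted files themselves are not inspected.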




#2 herpoelaertw (Members, 2 posts)

Posted 13 October 2016 - 01:12 PM

Hello,

My PC got infected by this ransomware. I have no backup of the files.

Will it be possible to recover the files?

Thanks,

Wesley



#3 Demonslay335 (Ransomware Hunter, Security Colleague, 3,243 posts)

Posted 13 October 2016 - 01:29 PM

> Hello,
>
> My PC got infected by this ransomware. I have no backup of the files.
>
> Will it be possible to recover the files?
>
> Thanks,
>
> Wesley

Not unless the authorities seize their new servers. Always a slim chance; some Wildfire victims got lucky with that before.

You can always try file recovery software such as Recuva and ShadowExplorer; some victims get lucky with those.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 quietman7 (Bleepin' Janitor, Global Moderator, 49,905 posts)

Posted 13 October 2016 - 02:38 PM

The only other alternative is to backup/save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution so save the encrypted data and wait until that time. Grinler (aka Lawrence Abrams), the site owner of Bleeping Computer has said this...

> If you are affected by ransomware and do not plan on paying the ransom, the best bet is to immediately image the drive before doing anything else. Then in the future if there is a way to decrypt the files you have everything you may need to do so.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, they do not always work correctly so keeping a backup of the original encrypted files and related information is a good practice.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#5 herpoelaertw (Members, 2 posts)

Posted 14 October 2016 - 02:19 AM

Thanks for the info!

The ransomware deletes file shadow volume copies. So ShadowExplorer won't help.

I'll give Recuva a try and will take an image of the drive.



#6 quietman7 (Bleepin' Janitor, Global Moderator, 49,905 posts)

Posted 14 October 2016 - 06:04 AM

You're welcome on behalf of the Bleeping Computer community.

#7 Demonslay335 (Ransomware Hunter, Security Colleague, 3,243 posts)

Posted 14 October 2016 - 08:41 AM

Almost every ransomware tries to kill shadow copies, but they aren't always successful. I literally saved someone from Locky using ShadowExplorer on a system the other day; even the "almighty Locky" failed to delete shadow copies on a basic residential desktop (with no antivirus, so I have no idea how it failed). It's a 1 in a million shot, but always worth the 2 minutes it takes to run the program and try.




#8 siriusalpha (Members, 9 posts)

Posted 27 October 2016 - 03:47 AM

Hi,

I was very stupid and got infected by opening a mail link doc. with Hades Locker.
It killed shadow copies, but did not finish encrypting all my disks; 2 of them are still not encrypted and I removed them physically.
Now I found this page with instructions and a removal tool.
Can this be trusted?
I do not want to pay (1BC = 500 euro) and if not paid within 7 days it doubles....
Maybe I can recover some files with Recuva and some backup.

#9 red_devil028 (Members, 85 posts)

Posted 27 October 2016 - 07:40 AM

Currently it seems this one is spread via mail of a shipment note where you click on a false tracking link.

I am currently trying to get at least 2 people to send me the mail, the notes, and one of the files, as the infected computers are currently not within my reach.


Current systems: CM STACKER Custom PC / MSI CX 620 / ACER Z5751 Touchscreen

Current role: PC Technician @ Computrac Belgium - Specialisation: Hardware.

#10 siriusalpha (Members, 9 posts)

Posted 27 October 2016 - 02:39 PM

What can I do to make my system safe again so I can try to backup from intact disks?

I have done a system restore to an earlier point, and I ran MBAM in safe mode, but it seems it didn't remove any Hades files.

How do I remove all Hades related files?



#11 quietman7 (Bleepin' Janitor, Global Moderator, 49,905 posts)

Posted 27 October 2016 - 03:06 PM

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Malwarebytes Anti-Malware, HitmanPro and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET is one of the more effective online scanners.

When you discover that your computer is infected with ransomware you should immediately create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system (and all encrypted data) in the event that a free decryption solution is developed in the future. In some cases, there may be decryption tools available but there is no guarantee they will work properly since the malware writers keep releasing new variants in order to defeat the efforts of security researchers.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, they do not always work correctly so keeping a backup of the original encrypted files and related information is a good practice.

#12 Annelies87 (Members, 2 posts)

Posted 31 October 2016 - 06:02 AM

> Currently it seems this one is spread via mail of a shipment note where you click on a false tracking link.
>
> I am currently trying to get at least 2 people to send me the mail, the notes, and one of the files, as the infected computers are currently not within my reach.

I have this one on my computer. If you want, I can send you a file and the note.

How do I do this?



#13 quietman7 (Bleepin' Janitor, Global Moderator, 49,905 posts)

Posted 31 October 2016 - 06:09 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic.

#14 Annelies87 (Members, 2 posts)

Posted 31 October 2016 - 06:18 AM

Done.

 

I only have the infected files and the ransom note. I don't have the installer or the email anymore, my IT guy has already cleaned my computer, but was unable to recover the infected files.



#15 red_devil028 (Members, 85 posts)

Posted 02 November 2016 - 08:43 AM

 

> Currently it seems this one is spread via mail of a shipment note where you click on a false tracking link.
>
> I am currently trying to get at least 2 people to send me the mail, the notes, and one of the files, as the infected computers are currently not within my reach.
>
> I have this one on my computer. If you want, I can send you a file and the note.
>
> How do I do this?

Woops,

Apparently people are misunderstanding my line there; I was actually meaning I was trying to get samples to send them to BleepingComputer.com for analysis...

Please do this at the site Quietman7 provided; that would be nice :D

My apologies for the oops





