H@RM@ Ransomware

Protecting your computer from file-encryption Trojans is strongly recommended because of the large number of threats of this type circulating online. These threats need just a few minutes to cause potentially irreversible damage to your files, and even removing them will not help you recover fully. The H@RM@ Ransomware, in particular, is a newly spotted file-locker that seems to use a flawless file-encryption routine. It is not compatible with free decryptors, and its victims may only have one data recovery option ahead of them: restoring the lost files from a backup.

When the H@RM@ Ransomware encrypts a file, it adds the extension '.<VICTIM ID>.[recoverydata98@protonmail.com].H@RM@'. Victims of the H@RM@ Ransomware are likely to see this extension added to the end of their documents, images, videos, archives, databases, and all other file types that H@RM@ Ransomware's creators considered to be valuable. Of course, the attack of the H@RM@ Ransomware does not end here. After encrypting accessible data, the file-locker makes sure to wipe out the Shadow Volume Copies and backups, as well as drop a ransom message for the victim. The file is called 'ReadMe.txt', and it contains detailed instructions on how to purchase Bitcoin, contact the attackers, and obtain a decryptor.
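To scope an incident before restoring from backup, the extension pattern and note name described above can be turned into a triage scan. The following is an added example, not code from the original article; it assumes the victim ID is alphanumeric like the 'A4CA7C52' shown in the note, and the function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Pattern from the article: <name>.<VICTIM ID>.[<contact e-mail>].H@RM@
# Assumption: the victim ID is alphanumeric, like "A4CA7C52" in the note.
HARMA_RE = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[0-9A-Za-z]+)"
    r"\.\[(?P<email>[^\[\]@\s]+@[^\[\]\s]+)\]\.H@RM@$"
)
NOTE_NAME = "readme.txt"  # ransom note name given in the article


def parse_encrypted_name(filename):
    """Return (original_name, victim_id, email), or None if not a H@RM@ name."""
    m = HARMA_RE.match(filename)
    return (m["original"], m["victim_id"], m["email"]) if m else None


def triage(root):
    """Walk root and build a restore inventory of affected files."""
    report = {"encrypted": [], "note_dirs": [], "by_victim_id": defaultdict(int)}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            parsed = parse_encrypted_name(name)
            if parsed:
                original, vid, email = parsed
                report["encrypted"].append(
                    {"path": os.path.join(dirpath, name),
                     "restore_as": os.path.join(dirpath, original),
                     "victim_id": vid, "email": email})
                report["by_victim_id"][vid] += 1
            elif name.lower() == NOTE_NAME:
                # A ReadMe.txt alone is a weak signal; correlate with hits.
                report["note_dirs"].append(dirpath)
    return report


def demo():
    """Run triage over a constructed directory tree (sample data, not real)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        ext = ".A4CA7C52.[recoverydata98@protonmail.com].H@RM@"
        for rel in ["docs/budget.xlsx" + ext, "docs/ReadMe.txt",
                    "docs/untouched.pdf", "photo.jpg" + ext]:
            open(os.path.join(root, rel), "w").close()
        r = triage(root)
        return len(r["encrypted"]), dict(r["by_victim_id"]), len(r["note_dirs"])
```

The `restore_as` field gives the original file name to look for in the backup set, and more than one victim ID in `by_victim_id` suggests the tree was encrypted from more than one infected host.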

H@RM@ Ransomware's creators use the emails recoverydata98@protonmail.com and recoverydata99@protonmail.com. They offer to decrypt up to five files for free, but they add that the victim must submit non-valuable files – they will not provide free decryption for documents, spreadsheets, databases, etc.

There is no guarantee that H@RM@ Ransomware's authors will stay true to their word. Even if you send them money, you may not receive a response at all. It is not smart to try and obtain anything from cybercriminals, especially when they ask you to send payment first. Instead of risking being tricked, you should run an anti-virus scanner to terminate H@RM@ Ransomware's components and then try to restore your files from a backup or use alternative data recovery options.

The virus creates and displays a ransom note message to users after completing the encryption.

ALL YOUR VALUABLE DATA WAS ENCRYPTED!
All your files were encrypted with strong crypto algorithm AES-256 + RSA-2048. Please be sure that your files are not broken and you can restore them today.
If you really want to restore your files please write us to the e-mails: recoverydata99@protonmail.com recoverydata98@protonmail.com
In subject line write your ID: A4CA7C52
Important! Please send your message to all of our 3 e-mail addresses. This is really important because of delivery problems of some mail services!
Important! If you haven’t received a response from us within 24 hours, please try to use a different email service (Gmail, Yahoo, AOL, etc).
Important! Please check your SPAM folder each time you wait for our response! If you find our email in the SPAM folder please move it to your Inbox. Important! We are always in touch and ready to help you as soon as possible!
Attach up to 3 small encrypted files for free test decryption. Please note that the files you send us should not contain any valuable information. We will send you test decrypted files in our response for your confidence.
Of course you will receive all the necessary instructions how to decrypt your files!
Important!
Please note that we are professionals and just doing our job!
Please do not waste the time and do not try to deceive us – it will result only price increase!
We are always opened for dialog and ready to help you.

Should Victims Pay the Ransom?

The note is written to intimidate victims into paying the ransom. One of the coercion tactics is putting a limited time on payment. Victims also won’t know how much they have to pay until they establish contact. In general, ransomware payments can be up to $1,000, if not more. Another intimidating thing about the ransom demand is that it appears to be the only way to get your files back. Unfortunately, that is true.

While it’s true that only the attackers have access to the decryption tools you need, you should never pay the ransom. Almost everything else the attackers say is a complete lie. There is no guarantee that they will give you the decryption tools you need. There isn’t even a guarantee that the tools they provide will work as intended. You could be setting yourself up for further infections. Experts suggest that you never respond to attackers and instead focus on restoring your files yourself.

How to Restore Files Affected by H@RM@ Ransomware

Unfortunately, the attackers aren’t lying when they say you can’t decrypt the files by yourself. With that said, you do have options. The first step is to remove the virus from your computer. Run antivirus or antimalware programs to do this. Removing the virus won’t undo the damage, but it does prevent future infections.

Once your computer is safe, it’s time to get to work. Use an external backup, such as data stored on the cloud or an external device, to get your files back. If you don’t have an external backup, you could still possibly save your files. File recovery software can help here. However, there isn’t a guarantee that the software will work because H@RM@ deletes the Shadow Volume Copies that these programs rely on to work. These are the internal backups stored on your computer.
