HadesLocker Ransomware

The HadesLocker Ransomware is a threat that mimics a well-known ransomware Trojan: the infamous Locky. The HadesLocker Ransomware was first uncovered on October 4th, 2016. The HadesLocker Ransomware mimics the ransom note used by Locky. The HadesLocker Ransomware is a new version of the Wildfire Locker, and another previously known ransomware Trojan named Zyklon, both of which appeared earlier in 2016, in association with a high- profile botnet attack and spam email campaign. The HadesLocker Ransomware seems to be designed to target Business Services and Manufacturing sectors of the economy, while previous versions of this threat were associated with a threat campaign that targeted government agencies.

The HadesLocker Ransomware is Closely Aligned with a Spam Email Campaign

PC security analysts were first made aware of the HadesLocker Ransomware through its associated corrupted email campaign. The corrupted emails linked to the HadesLocker Ransomware contained URLs linking to a corrupted Microsoft Word document named 'levering-1478529.doc' – note that 'levering' is the Dutch word for 'delivery.' This approach of using embedded links is different from other campaigns associated with threats that use attached files rather than links. Hundreds of email messages (a small-scale campaign when compared to other spam email campaigns) were sent to businesses in the Business Services and Manufacturing sector throughout Western Europe.

The HadesLocker Ransomware Attack Hits Hard Business Services and Manufacturing Sectors of the Economy

The HadesLocker Ransomware drops image, text, and HTML files to alert the victim of the attack. These files are dropped throughout the victim's computer and may be named using one of the following names:

README_RECOVER_FILES_[16 digits].txt
README_RECOVER_FILES_[16 digits].html
README_RECOVER_FILES_[16 digits].png

The files encrypted by the HadesLocker Ransomware may be identified by the file extensions '.~HL233XP,' '.~HLJPK1L' or '.~HL0XHSF.' The string '~HL' is always used in these file extensions, while the remaining five characters will vary from one variant of the HadesLocker Ransomware to the next. After encrypting the victim's files, the HadesLocker Ransomware delivers ransom notes that urge the victim to 'buy the decryption password belonging to your files.' The victim is asked to visit a Web page or a site on the Dark Web. The current rate is 1 BitCoin (about $600 USD at the current exchange rate) to receive the decryption utility necessary to recover the files affected by the HadesLocker Ransomware.

Some Final Thoughts Regarding the HadesLocker Ransomware

PC security analysts are starting to observe numerous variants of the HadesLocker Ransomware in the wild. It is probable that the HadesLocker Ransomware and its previous variants are closely associated with the threatening Kelihos botnet. This botnet was used to distribute the HadesLocker Ransomware's predecessors (Wildfire and Zyklon), as well as other threat campaigns that may be associated with the HadesLocker Ransomware, such as the Kill Cryptfile2 and JokeFromMars.

Although it seems to mimic earlier versions of the infamous Locky ransomware, it is notable that new ways of distribution and infection are being integrated into these kinds of attacks. The last year has seen a remarkable elevation in ransomware attacks due to the increased prevalence of RaaS (Ransomware as a Service) providers, which put these attacks in the hands of anyone that has the money to hire the con artists' services. Ransomware creators will also use recycled code frequently, and create their threats by bringing together numerous characteristics from different variants. Because of this, it can be difficult to determine where these threats originate exactly or which threat may have come first or later in the exact sequence of attacks. What is clear regarding the HadesLocker Ransomware is that this threat is an evolution of Wildfire and that its targets, in specific economic sectors in Western Europe, have been chosen carefully to maximize potential damages and revenue. PC security analysts urge computer users and businesses to take preemptive action to ensure that all computers are safe from possible ransomware attacks, mainly by establishing strong backup systems and patching and securing all software regularly.

SpyHunter Detects & Remove HadesLocker Ransomware