Hairysquid Ransomware

The ransomware known as Hairysquid operates by encrypting files and adding the '.Hairysquid' extension to the end of the filenames of encrypted files. In addition to encrypting files, the malware also creates a ransom note that is saved on the breached devices as a file named 'READ_ME_DECRYPTION_HAIRYSQUID.txt.' Hairysquid is a new variant of the Mimic ransomware.

Hairysquid Ransomware Disables Important Computer Functions

Hairysquid Ransomware makes significant changes to the infected system. One of the main ways it does this is by altering Windows Group Policy, which sets the rules and restrictions that govern the computer's behavior. Specifically, Hairysquid deactivates the protection offered by Windows Defender; getting this protection out of the way is crucial for the ransomware to function effectively. On a computer with no other anti-malware program installed, Windows Defender is typically the first line of defense against malware, and by disabling it Hairysquid gains a foothold on the system.

Additionally, Hairysquid severs all active remote connections, so that anyone who was remotely connected to the affected computer loses access to it. Hairysquid also terminates and deactivates Task Manager, the built-in Windows utility that lets users view and manage the programs and processes running on their computer. The ransomware further modifies the Windows Registry, which controls the behavior of various programs and services, so that Task Manager cannot be launched at all.

Furthermore, Hairysquid prevents the sign-out, restart, and shutdown functionalities on the breached devices. This means that users cannot log out of their accounts, restart or shut down their computers, making it more difficult to stop the ransomware's activities. All of these modifications make Hairysquid a particularly insidious threat that can be challenging to remove once it has taken hold of a system.
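As an added triage example (not code from this write-up or from the malware's authors), the PowerShell script below checks the policy locations Windows uses to persist the tampering described above and sweeps a drive for the two file-system indicators the article names. The value names are standard Windows policy settings; that Hairysquid sets exactly these is an assumption here, so a hit is a lead to investigate, not proof of this family.

```powershell
# Added triage example, not code from the Hairysquid write-up or its authors.
# Part 1: policy locations Windows uses for the tampering the article describes
# (Defender off, Task Manager blocked, shut down/log off removed). The value names
# are standard Windows policy settings; that Hairysquid sets exactly these is an
# assumption, so a hit is a lead to investigate, not proof of this family.
$PolicyChecks = @(
    @{ Area = 'Defender disabled by policy'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware' }
    @{ Area = 'Task Manager disabled for the current user'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
    @{ Area = 'Shut down / restart removed from Start menu'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoClose' }
    @{ Area = 'Log off removed from Start menu'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoLogoff' }
)
function Test-PolicyTampering {
    param([array]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value is the clean default; SilentlyContinue turns it into $null.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$($c.Name) } else { $null }
        [pscustomobject]@{
            Area       = $c.Area
            Location   = "$($c.Path)\$($c.Name)"
            Value      = if ($null -eq $value) { '<not set>' } else { $value }
            Suspicious = ($value -eq 1)   # for all of these policies, 1 means the restriction is on
        }
    }
}
# Part 2: file-system indicators named in the write-up: the '.Hairysquid' extension
# and the note 'READ_ME_DECRYPTION_HAIRYSQUID.txt'. Shows how far encryption reached
# and hashes each note so copies can be compared across hosts.
function Find-HairysquidArtifacts {
    param([string]$Root = $env:SystemDrive)
    $files     = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue
    $encrypted = @($files | Where-Object { $_.Extension -eq '.Hairysquid' })
    $notes     = @($files | Where-Object { $_.Name -eq 'READ_ME_DECRYPTION_HAIRYSQUID.txt' })
    [pscustomobject]@{
        EncryptedFiles      = $encrypted.Count
        AffectedDirectories = $encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
                              Select-Object -First 10 Name, Count
        RansomNotes         = $notes | ForEach-Object {
            [pscustomobject]@{ Path = $_.FullName; SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
        }
    }
}
Test-PolicyTampering -Checks $PolicyChecks | Format-Table -AutoSize
Find-HairysquidArtifacts | Format-List
```

Run it from an elevated prompt on the affected host (or against a mounted image by passing -Root); the same policy values are also set legitimately by administrators in managed environments, so compare against a known-good baseline before drawing conclusions.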

Attackers Behind Hairysquid Ransomware Leave a Lengthy Ransom Note

When a computer is infected with the Hairysquid ransomware, a ransom note is left behind to inform the victim of the situation. The ransom note states that all files on the infected computer have been encrypted, which means that they are no longer accessible to the victim without the decryption key. The note then informs victims that they have to pay the cybercriminals for the decryption of their files. In addition, victims are given the opportunity to test if the attackers can decrypt their files before paying.

To ensure that the decryption process will work, the ransom note instructs victims to send the specific ID assigned to them by the malware alongside up to three files for test decryption. This process allows the attackers to demonstrate that they have the capability to decrypt the files and can be trusted to deliver the promised decryption key.

The ransom note provides multiple contact options, including TOX messenger, ICQ messenger, Skype, and email. This variety of contact options allows the attackers to communicate with the victim in a way that is convenient for them.

The ransom note also informs victims that after the test decryption, they will receive a Bitcoin cryptowallet address to which the ransom should be transferred. Bitcoin is a cryptocurrency that is commonly used in ransomware attacks because it is difficult to trace. Once payment is made, the threat actors will send the decryption program and instructions to the victim, allowing them to regain access to their encrypted files. However, there is no guarantee that the attackers will follow through on their promises and will actually assist victims in restoring the locked data after already extorting them for money.

The full text of Hairysquid Ransomware's ransom note is:

'Hi!
All your files have been encrypted with Our virus.
Your unique ID: -

You can buy fully decryption of your files
But before you pay, you can make sure that we can really decrypt any of your files.
The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.

To do this:
1) Send your unique id - and max 3 files for test decryption
OUR CONTACTS
1.1)TOX messenger (fast and anonimous)
hxxps://tox.chat/download.html
Install qtox
press sing up
create your own name
Press plus
Put there my tox ID
95CC6600931403C55E64134375095128F18EDA09B4A74B9F1906C1A4124FE82E4428D42A6C65
And add me/write message
1.2)ICQ Messenger
ICQ live chat which works 24/7 - @Hairysquid
Install ICQ software on your PC here hxxps://icq.com/windows/ or on your smartphone search for "ICQ" in Appstore / Google market
Write to our ICQ @Hairysquid hxxps://icq.im/Hairysquid
1.3)Skype
Hairysquid Decryption
1.4)Mail (write only in critical situations bcs your email may not be delivered or get in spam)

Hairysquid@onionmail.org

In subject line please write your decryption ID: -

After decryption, we will send you the decrypted files and a unique bitcoin wallet for payment.
After payment ransom for Bitcoin, we will send you a decryption program and instructions. If we can decrypt your files, we have no reason to deceive you after payment.

FAQ:
Can I get a discount?
No. The ransom amount is calculated based on the number of encrypted office files and discounts are not provided. All such messages will be automatically ignored. If you really only want some of the files, zip them and upload them somewhere. We will decode them for free as proof.
What is Bitcoin?
read bitcoin.org
Where to buy bitcoins?
hxxps://www.alfa.cash/buy-crypto-with-credit-card (fastest way)
buy.coingate.com
hxxps://bitcoin.org/en/buy
hxxps://buy.moonpay.io
binance.com
or use google.com to find information where to buy it
Where is the guarantee that I will receive my files back?
The very fact that we can decrypt your random files is a guarantee. It makes no sense for us to deceive you.
How quickly will I receive the key and decryption program after payment?
As a rule, during 15 min
How does the decryption program work?
It's simple. You need to run our software. The program will automatically decrypt all encrypted files on your HDD'
