HappyLocker Ransomware Description
The HappyLocker Ransomware is a ransomware Trojan that belongs to the Hidden Tear family of encryption ransomware. Hidden Tear was first observed in August of 2015, when a Turkish researcher released its code publicly on GitHub as an 'educational ransomware' project. This resulted in countless threats that adapted the Hidden Tear code to carry out highly effective ransomware attacks. The HappyLocker Ransomware is just one of the many Hidden Tear variants that have appeared in the last year. Like most ransomware Trojans, the HappyLocker Ransomware takes over the victim's computer, encrypts the victim's files and then demands that the victim pay a ransom in exchange for the decryption key. The HappyLocker Ransomware is distributed through corrupted file attachments in spam email messages, often PDF or DOCX files housing corrupted macro scripts that download the HappyLocker Ransomware onto the victim's computer. The email messages used to distribute the HappyLocker Ransomware may contain social engineering elements that trick computer users into opening the corrupted file. The HappyLocker Ransomware's corrupted code also may be distributed through a bogus BitCoin faucet, a reward system that pays computer users with BitCoin fragments.
Detailing the HappyLocker Ransomware Infection
The HappyLocker Ransomware infection is typical of most ransomware Trojans and identical to most other Hidden Tear variants. The HappyLocker Ransomware uses an AES-256 encryption algorithm to encrypt the victim's data, generating a private key that the con artists hold until the victims pay the ransom. This private key is necessary to recover the files that have been encrypted by the HappyLocker Ransomware. The HappyLocker Ransomware tends to target files that could have personal or professional value to victims, preferring Office documents, images, media files and databases. Files encrypted by the HappyLocker Ransomware can be identified by the extension '.happy,' which is added to the end of each encrypted file's name. Victims of the HappyLocker Ransomware are asked to pay a ransom of 0.1 BitCoin to obtain the private key. The HappyLocker Ransomware delivers its ransom demand in two ransom notes, one text file named 'READDDDDDD.txt' and one image file named 'READ.jpeg,' both of which are dropped onto the victim's Desktop. The text of these files reads as follows:
'All of your files are encrypted with HAPPY Ciphers
To Decrypt :
- Open This Page : http://ysasite(dot)com/happy
- Follow All Steps'
The HappyLocker Ransomware uses a payment website that is nearly identical to the one used by the Locky Ransomware. When victims visit this payment website, they will receive the following instructions:
'We present a special software - Happy Decryptor™ -
which allows to decrypt and return control to all your encrypted files
How to buy Happy Decryptor™?
1 You can make a payment with BitCoins, there are many methods to get them.
2 You should register BitCoin wallet:
Simplest online wallet or Some other methods of creating wallet
3 Purchasing Bitcoins, although it's not yet easy to buy bitcoins, it's getting simpler every day.
Here are our recommendations:
[links to popular Bitcoin services like localbitcoins.com and btcdirect.eu]
4 Send 0.1 BTC to Bitcoin address:
[34 random characters]
Note: Payment pending up to 30 mins or more for transaction confirmation, please be patient...
5 Refresh the page and download decryptor.
When Bitcoin transactions will receive one confirmation, you will be redirected to the page for downloading the decryptor.'
Do not Pay the HappyLocker Ransomware Ransom
The HappyLocker Ransomware ransom, approximately $70 USD at the current BitCoin exchange rate, may seem considerably lower than many other ransomware Trojan ransoms. However, this is simply a ploy to increase the likelihood that computer users will pay it. In practice, it is equally likely that the people responsible for the HappyLocker Ransomware attack will demand the payment of additional ransom money or simply ignore victims after they have paid, without providing the private key. Instead, computer users should restore their files from a backup.
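To scope what has to be restored from backup, the indicators described earlier (the '.happy' extension and the two ransom note file names) can be turned into a read-only triage scan. The following is an added example, not part of the original article; the function names, the case-insensitive matching and the three verdict labels are assumptions made for illustration.

```python
import os
import sys
from collections import Counter
from pathlib import Path

# Indicators taken from the article; matching is case-insensitive (assumption:
# Windows file systems do not distinguish case).
ENCRYPTED_SUFFIX = ".happy"
STRONG_NOTE = "readdddddd.txt"   # distinctive ransom note name
WEAK_NOTE = "read.jpeg"          # generic name, weak indicator on its own

def scan(root):
    """Read-only walk of `root`; returns (encrypted files, ransom notes)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = Path(dirpath) / name
            if lower.endswith(ENCRYPTED_SUFFIX) and len(lower) > len(ENCRYPTED_SUFFIX):
                encrypted.append(path)
            elif lower in (STRONG_NOTE, WEAK_NOTE):
                notes.append(path)
    return sorted(encrypted), sorted(notes)

def restore_targets(encrypted):
    """Map each encrypted file to the original path to pull from backup."""
    return {p: p.with_name(p.name[: -len(ENCRYPTED_SUFFIX)]) for p in encrypted}

def by_original_type(encrypted):
    """Count affected files per original extension (e.g. .docx, .jpg)."""
    targets = restore_targets(encrypted).values()
    return Counter(t.suffix.lower() or "(none)" for t in targets)

def verdict(encrypted, notes):
    """Combine indicators; a lone READ.jpeg is not treated as evidence."""
    strong = any(n.name.lower() == STRONG_NOTE for n in notes)
    if encrypted and notes:
        return "likely"
    if encrypted or strong:
        return "suspicious"
    return "clean"

if __name__ == "__main__":
    enc, notes = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(verdict(enc, notes), dict(by_original_type(enc)))
    for src, dst in restore_targets(enc).items():
        print(f"restore {dst}  (encrypted copy: {src})")
```

The scan only reads directory listings, so it can be run against a mounted disk image or a user profile without altering evidence.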