Heets Ransomware Description
The Heets Ransomware is an encryption ransomware Trojan that was created using the Dharma builder kit, a threat that has been active since 2016. The Heets Ransomware's family of ransomware has many variants dating far back, with the Heets Ransomware being just the newest in a long line of ransomware Trojans. The Heets Ransomware, like most threats of this type, is programmed to take the victims' files hostage and then demand a ransom payment from the victim in exchange for returning access to the infected computer. The Heets Ransomware was first observed on February 15, 2019, and targets computers with the Windows operating system.
Symptoms of a Heets Ransomware Attack
Typically, the Heets Ransomware is delivered through corrupted spam email attachments, generally in the form of Microsoft Word files with embedded macro scripts that download and install the Heets Ransomware onto the victim's computer. The Heets Ransomware uses a strong encryption algorithm to encrypt the victim's files and take them hostage. Each encrypted file is renamed with the addition of the following file extension to each file's original name:
.id-[8 random chars].[email@example.com].heets
The Heets Ransomware targets the user-generated files in its attack, which may include a wide variety of media files, databases, and numerous other data types. The files targeted by the Heets Ransomware in these attacks include:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.
The Heets Ransomware drops text and HTA files on the victim's computer after the encryption of the files is complete. One of the text files is named 'FILES ENCRYPTED.txt,' the other is named 'firstname.lastname@example.org,' and both display the following message on the infected computer:
'all your data has been locked us
You want to return?
write email email@example.com or firstname.lastname@example.org'
'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail email@example.com
Write this ID in the title of your message [8 random chars]
In case of no answer in 24 hours write us to theese e-mails:firstname.lastname@example.org
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.'
Dealing with the Heets Ransomware
Malware researchers always advise computer users to ignore the instructions in the Heets Ransomware ransom note. The best protection against threats like the Heets Ransomware is to have the ability to restore any data compromised by the Heets Ransomware attack, which only can be accomplished by a backup of the compromised files.