HiddenBeer Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Threat Level: 100% (High)
Infected Computers: 4
First Seen: October 24, 2018
Last Seen: July 23, 2019
OS(es) Affected: Windows
The HiddenBeer Ransomware is an encryption ransomware Trojan first observed on October 23, 2018. The HiddenBeer Ransomware's name is a pun on HiddenTear, an open source ransomware Trojan that has been the basis for countless ransomware Trojan attacks since it was first released in 2015. The HiddenBeer Ransomware itself is based on HiddenTear and carries out a common version of this attack. The HiddenBeer Ransomware, like most encryption ransomware Trojans, is designed to take the victims' files hostage and then demand a ransom payment from the victim in exchange for the compromised files.
How the HiddenBeer Ransomware Trojan Attacks a Computer
The HiddenBeer Ransomware is typically delivered to victims' computers through corrupted email attachments, often a PDF or Microsoft Word file with embedded macros. Once the HiddenBeer Ransomware is installed on the victim's computer, it uses AES or RSA encryption to make the victim's files inaccessible. The HiddenBeer Ransomware makes it easy to tell which files it has encrypted, since it marks them by appending the file extension '.beer' to each file's name. The HiddenBeer Ransomware's attack targets user-generated files, which may include files with the following file extensions:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.
The HiddenBeer Ransomware’s Ransom Note
The HiddenBeer Ransomware displays a program window named 'HIDDENBEER INFECTION!' on the infected computer. The message contained in the HiddenBeer Ransomware ransom note reads:
'!HIDDENBEER!
Your files have been encrypted.
Why have they been encrypted?
To help ensure your security.
To get them decrypted by our specialists,
just send $100 worth of Bitcoin(BTC), to: 33Lf7BrDXwNBMM4ZVg5dMQg1Bvuwzd1VQm.
Afterwards send a Email to 'tr0ning@protonmail.com' with your computer name and transaction data.
Computer name: HAPUBWS-PC
Once you have your decryption key, Use it in the file decrypter.
If it isn't open, goto your Desktop and run '@FILE-DECRYPTER.exe'
!HIDDENBEER!'
The HiddenBeer Ransomware also replaces the infected computer's desktop image with a version of the ransom note and drops a text file named '@FILES-HELP-[PC name].txt,' which contains another version of the HiddenBeer Ransomware ransom note. There is no valid reason to follow the HiddenBeer Ransomware's instructions or to pay any ransom, because the odds are that users who do so end up without their money and with their data still encrypted.
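The file-system traces described above (the appended '.beer' extension, the '@FILES-HELP-[PC name].txt' note and the '@FILE-DECRYPTER.exe' binary on the Desktop) are enough for a responder to triage a suspect machine or a mounted disk image. The following Python script is an added example, not code from EnigmaSoft or from the page: it walks a directory tree, collects those three indicators, recovers which original file types were hit by stripping the '.beer' suffix, and returns a simple verdict. The sample directory it builds is constructed for the demonstration; the helper names (scan_tree, pc_names_from_notes, is_likely_infected, build_sample_tree) are this example's own.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the page's description of HiddenBeer:
# encrypted files get '.beer' appended to their name, a note named
# '@FILES-HELP-<PC name>.txt' is dropped, and '@FILE-DECRYPTER.exe'
# is placed on the Desktop.
ENCRYPTED_SUFFIX = ".beer"
NOTE_PATTERN = re.compile(r"^@FILES-HELP-(.+)\.txt$", re.IGNORECASE)
DECRYPTER_NAME = "@FILE-DECRYPTER.exe"


def scan_tree(root):
    """Walk `root` and collect HiddenBeer indicators.

    Returns a dict with the encrypted file paths, a histogram of the
    original extensions hidden under '.beer', the ransom notes found and
    any copies of the decrypter binary.
    """
    result = {"encrypted": [], "original_ext": {}, "notes": [], "decrypter": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                result["encrypted"].append(full)
                # Strip the appended '.beer' to recover the original extension
                orig = Path(name[: -len(ENCRYPTED_SUFFIX)]).suffix.lower()
                result["original_ext"][orig] = result["original_ext"].get(orig, 0) + 1
            elif NOTE_PATTERN.match(name):
                result["notes"].append(full)
            elif name.lower() == DECRYPTER_NAME.lower():
                result["decrypter"].append(full)
    return result


def pc_names_from_notes(result):
    """Extract the '[PC name]' part from each ransom note file name."""
    names = set()
    for path in result["notes"]:
        m = NOTE_PATTERN.match(os.path.basename(path))
        if m:
            names.add(m.group(1))
    return sorted(names)


def is_likely_infected(result, min_encrypted=1):
    """Heuristic verdict: a note or decrypter plus at least one encrypted file."""
    has_artifact = bool(result["notes"] or result["decrypter"])
    return has_artifact and len(result["encrypted"]) >= min_encrypted


def build_sample_tree():
    """Create a constructed (fake) post-infection directory for the demo.

    The layout mimics what the page describes; file contents are dummies.
    """
    root = tempfile.mkdtemp(prefix="hiddenbeer_demo_")
    docs = Path(root, "Documents")
    desktop = Path(root, "Desktop")
    docs.mkdir()
    desktop.mkdir()
    for name in ("report.docx.beer", "photo.jpg.beer", "budget.xlsx.beer", "notes.txt"):
        (docs / name).write_bytes(b"dummy")
    (desktop / "@FILES-HELP-HAPUBWS-PC.txt").write_text("constructed ransom note placeholder")
    (desktop / "@FILE-DECRYPTER.exe").write_bytes(b"MZ placeholder")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    res = scan_tree(sample_root)
    print("encrypted files:", len(res["encrypted"]))
    print("original types hit:", res["original_ext"])
    print("PC names in notes:", pc_names_from_notes(res))
    print("likely infected:", is_likely_infected(res))
```

Point scan_tree at a mounted image or a user profile to get the same summary; requiring an encrypted file in addition to a note or decrypter keeps a stray text file from raising a false verdict on its own.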
Dealing with the HiddenBeer Ransomware Infection
Unfortunately, the HiddenBeer Ransomware and other HiddenTear variants use an encryption method that is exceptionally strong, and computer users will find it impossible to restore the data encrypted by the HiddenBeer Ransomware. Because of this, prevention is essential when dealing with these threats. The best protection against the HiddenBeer Ransomware and similar threats is to keep backup copies of all your files. Recovery then involves restoring the corrupted files from those backup copies.