How to Remove Hades Locker Ransomware and Recover Files?

My computer seems to be infected by a ransomware named Hades Locker, which is detected by my antivirus program. However, my antivirus program couldn’t delete it. In fact, I prefer getting those files back that are encrypted by Hades Locker Ransomware to removing the Ransomware. But I am not sure it will give me the decryption keys after I have paid. Do you know about Hades Locker Ransomware? Please help me!

About Hades Locker Ransomware

Threat Name: Hades Locker
Category: Ransomware; Malware
Threat Level: 8bar
Similar Version: WildFire Locker Ransomware
Activity: ① Encrypt important data ② Ask for a ransom ③ Degrade PC performance ④ Lock your PC
Distribution Method: Via spam emails, Trojans, unknown shared files and free software.
Removal Guide: Read the post or download a detection & removal tool!

More Information about Hades Locker Ransomware

Hades Locker Ransomware is an updated variant of WildFire Locker Ransomware. It employs the 256-bit AES (Advanced Encryption Standard) encryption algorithm to encrypt important data stored on victims’ computers. Like WildFire, Hades Locker Ransomware encrypts victims’ files and conceals itself well, which increases the difficulty of detection. Unlike other ransomware, Hades Locker Ransomware uses symmetric cryptography (encryption and decryption use the same key), and the cyber hackers store the secret key on remote servers.

Similar to most ransomware infections, Hades Locker Ransomware encrypts victims’ important files. It targets many files of various formats, as shown below.

.contact, .dbx, .doc, .docx, .jnt, .jpg, .mapimail, .msg, .oab, .ods, .pdf, .pps, .ppsm, .ppt, .pptm, .prf, .pst, .rar, .rtf, .txt, .wab, .xls, .xlsx, .xml, .zip, .1cd, .3ds, .3g2, .3gp, .7z, .7zip, .accdb, .aoi, .asf, .asp, .aspx, .asx, .avi, .bak, .cer, .cfg, .class, .config, .css, .csv, .db, .dds, .dwg, .dxf, .flf, .flv, .html, .idx, .js, .key, .kwm, .laccdb, .ldf, .lit, .m3u, .mbx, .md, .mdf, .mid, .mlb, .mov, .mp3, .mp4, .mpg, .obj, .odt, .pages, .php, .psd, .pwm, .rm, .safe, .sav, .save, .sql, .srt, .swf, .thm, .vob, .wav, .wma, .wmv, .xlsb, .3dm, .aac, .ai, .arw, .c, .cdr, .cls, .cpi, .cpp, .cs, .db3, .docm, .dot, .dotm, .dotx, .drw, .dxb, .eps, .fla, .flac, .fxg, .java, .m, .m4v, .max, .mdb, .pcd, .pct, .pl, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .ps, .pspimage, .r3d, .rw2, .sldm, .sldx, .svg, .tga, .wps, .xla, .xlam, .xlm, .xlr, .xlsm, .xlt, .xltm, .xltx, .xlw, .act, .adp, .al, .bkp, .blend, .cdf, .cdx, .cgm, .cr2, .crt, .dac, .dbf, .dcr, .ddd, .design, .dtd, .fdb, .fff, .fpx, .h, .iif, .indd, .jpeg, .mos, .nd, .nsd, .nsf, .nsg, .nsh, .odc, .odp, .oil, .pas, .pat, .pef, .pfx, .ptx, .qbb, .qbm, .sas7bdat, .say, .st4, .st6, .stc, .sxc, .sxw, .tlg, .wad, .xlk, .aiff, .bin, .bmp, .cmt, .dat, .dit, .edb, .flvv, .gif, .groups, .hdd, .hpp, .log, .m2ts, .m4p, .mkv, .mpeg, .ndf, .nvram, .ogg, .ost, .pab, .pdb, .pif, .png, .qed, .qcow, .qcow2, .rvt, .st7, .stm, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .3fr, .3pr, .ab4, .accde, .accdr, .accdt, .ach, .acr, .adb, .ads, .agdl, .ait, .apj, .asm, .awg, .back, .backup, .backupdb, .bank, .bay, .bdb, .bgt, .bik, .bpw, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .ce1, .ce2, .cib, .craw, .crw, .csh, .csl, .db_journal, .dc2, .dcs, .ddoc, .ddrw, .der, .des, .dgc, .djvu, .dng, .drf, .dxg, .eml, .erbsql, .erf, .exf, .ffd, .fh, .fhd, .gray, .grey, .gry, .hbk, .ibank, .ibd, .ibz, .iiq, .incpas, .jpe, .kc2, .kdbx, .kdc, .kpdx, .lua, .mdc, .mef, .mfw, .mmw, .mny, .moneywell, .mrw, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, 
.ns4, .nwb, .nx2, .nxl, .nyf, .odb, .odf, .odg, .odm, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pdd, .pem, .plus_muhd, .plc, .pot, .pptx, .psafe3, .py, .qba, .qbr, .qbw, .qbx, .qby, .raf, .rat, .raw, .rdb, .rwl, .rwz, .s3db, .sd0, .sda, .sdf, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srw, .st5, .st8, .std, .sti, .stw, .stx, .sxd, .sxg, .sxi, .sxm, .tex, .wallet, .wb2, .wpd, .x11, .x3f, .xis, .ycbcra, .yuv

 

Hades Locker Ransomware appends the extension “.~HL[5_random_characters]” (the first 5 characters of the encryption password) to the names of encrypted files. It also creates three files (“README_RECOVER_FILES_[victim_id].html”, “README_RECOVER_FILES_[victim_id].png”, “README_RECOVER_FILES_[victim_id].txt”) after it finishes encrypting your files, as shown below.

 

The texts in .png, .txt, and .html files:

!! IMPORTANT INFORMATION !!
All your documents, photos, databases and other important files have been encrypted! In order to decrypt your files you will have to buy the decryption password belonging to your files There are 2 options to solve this problem
1. Format your hard disk and loose all your files for ever!
2. Pay to buy your decryption key. With this decryption key you can decrypt your files and use them again like before. To buy the decryption password you will have to visit our website. Pick a website below
hxxp://pfmydcsjib.ru/
hxxp://jdybchotfn.ru/
If these websites dont work you can visit our website on the TOR network follow the steps below to visit our TOR website.
1. Download and install the TOR browser: hxxps://www.torproject.org/projects/torbrowser.html.en
2. After installation run the TOR browser and wait for initialization
3. Inside the TOR browser (just like a normal browser) navigate to n7457xrhg5kibr2c.onion/
HWID (personal identification ID): –
!! you have until 12 Oct 2016 to buy the decryption key or the price will double !!

 

These files are ransom-demand notes, which tell you that you need to pay for the decryption password. You are asked to go to the websites provided in the message and complete the payment. If you can’t open them, you are advised to download and install the TOR browser and then visit the websites. After entering the Hades Locker website “Home” page, you are told that the price of the unique decryption key is 1 Bitcoin. If you don’t make a payment before the deadline, the price will increase to 2 Bitcoin. Do you feel afraid? Want to pay for it at once? You should think carefully about the different situations before you make a decision.
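The naming scheme described above (the “.~HL” extension plus five characters, and the three README_RECOVER_FILES notes) is enough to measure how far the encryption has spread. The following Python script is an added example, not part of the original guide; the function names are illustrative, and it assumes the five characters can be any characters, since the guide does not say which are used.

```python
import os
import re
from collections import Counter

# Patterns built from the naming scheme described in this guide.
# Assumption: the five appended characters may be any characters.
ENCRYPTED_RE = re.compile(r"\.~HL(.{5})\Z")
NOTE_RE = re.compile(r"^README_RECOVER_FILES_(.+)\.(html|png|txt)\Z", re.IGNORECASE)


def classify(filename):
    """Return ("encrypted", suffix), ("note", victim_id) or None for one file name."""
    m = ENCRYPTED_RE.search(filename)
    if m:
        return ("encrypted", m.group(1))
    m = NOTE_RE.match(filename)
    if m:
        return ("note", m.group(1))
    return None


def scan_tree(root):
    """Walk root (read-only) and summarise encrypted files and ransom notes."""
    report = {"encrypted": [], "notes": [], "suffixes": Counter(), "victim_ids": set()}
    # Unreadable directories are skipped instead of aborting the scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            hit = classify(name)
            if hit is None:
                continue
            path = os.path.join(dirpath, name)
            if hit[0] == "encrypted":
                report["encrypted"].append(path)
                report["suffixes"][hit[1]] += 1
            else:
                report["notes"].append(path)
                report["victim_ids"].add(hit[1])
    return report


if __name__ == "__main__":
    import sys
    result = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"encrypted files: {len(result['encrypted'])}")
    print(f"ransom notes:    {len(result['notes'])}")
    print(f"suffixes seen:   {dict(result['suffixes'])}")
    print(f"victim ids seen: {sorted(result['victim_ids'])}")
```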

 

Should You Pay the Ransom?

  • The price of the ransom. Can you afford the payment, or the higher price if you don’t pay immediately? It is not suggested to pay a price that is beyond your budget. In fact, it is not a reasonable price.
  • The security of payment methods. The links provided by Hades Locker Ransomware may not be safe, because you need to use the Tor browser (an anonymous and private browser) to enter the website of Hades Locker Ransomware, which means the homepage is not a legitimate website. So, there are risks in clicking these links.
  • The feasibility of the payment. It is not certain that you will get your important files back after paying the ransom. Instead, cyber criminals may get a taste for the behavior and continue to extort more money from novice computer users. Therefore, you are not recommended to pay for the decryption key.

Note: The first thing computer users should do is remove Hades Locker Ransomware. If you don’t get rid of the ransomware immediately, it will continue to encrypt your files while running in the background. Meanwhile, confidential information will be in danger of being stolen and leaked. So, you’d better remove Hades Locker Ransomware as soon as possible by following the manual guide. However, the manual method is complicated and time-consuming. If you are not good at using computers, you’d better use the professional removal tools in the post to remove Hades Locker Ransomware.

 

Hades Locker Ransomware Removal Guide

Manual Removal Guide

Step 1: Reboot the PC in Safe Mode

For Windows XP/Vista/7
For Windows 8
For Windows 10

Step 2: Stop Related Processes in Windows Task Manager

Step 3: Remove Hidden Files

Step 4: Clean up Registry Entries Related to Hades Locker Ransomware

Step 5: Restart Your Computer

Automatic Removal Guide (Recommended)

How to Recover Encrypted Files

Option 1: Use Windows Previous Versions feature

Option 2: Use System Restore


Manual Removal Guide

Step 1: Reboot the PC in Safe Mode

Make sure all external devices, including any disks, USB or flash drives, are removed from your computer, and then restart the computer. The method for entering Safe Mode differs for Windows XP/Vista/7, Windows 8 and Windows 10.

For Windows XP/Vista/7

Press and hold the F8 key before the Windows logo appears.

The Windows Advanced Boot Options menu will pop up. Use the arrow keys to highlight the Safe Mode option you want (Safe Mode, Safe Mode with Networking or Safe Mode with Command Prompt), and then hit the Enter key.

For Windows 8

Move the mouse to the right side of the screen, click the Settings button and select the Power button.

Hold down the Shift key and click Restart in the Power menu.

Now you are in the Windows 8 boot menu. Click Troubleshoot -> Advanced options -> Windows Startup Settings.

Click the Restart button in Startup Settings.

Press F4, F5 or F6 to enter Safe Mode.

For Windows 10

While holding down the Shift key, click Restart in the Start menu (click the Start button, select Power and click Restart).

Note: The rest of the steps are the same as for Windows 8.

Now you are in the Windows 10 boot menu. Click Troubleshoot -> Advanced options -> Windows Startup Settings.

Click the Restart button in Startup Settings.

Your computer will restart, and then the Startup Settings menu is displayed. Now press F4, F5 or F6 to enter Safe Mode.


Step 2: Stop Related Processes in Windows Task Manager

Hades Locker Ransomware will run in the background and continue to encrypt more files, so you’d better stop the process.

Right-click on the Taskbar and select Start Task Manager / Task Manager.

Open the Processes tab, select suspicious processes related to Hades Locker Ransomware and click the End Task / End Process button.

※ You can also navigate to the Startup tab and disable suspicious items (Windows 8/10).

Note: Can’t find traces of Hades Locker Ransomware in Task Manager? As previously mentioned, Hades Locker Ransomware is good at hiding itself so that it can escape human eyes, which makes manual removal difficult. Hence, you are recommended to use a powerful detection & removal tool to remove Hades Locker Ransomware.

Step 3: Remove Hidden Files

  • Open File Explorer (My Computer icon)
  • Go to Folder Options

→ Click Tools in the menu bar, and then select Folder Options… (for Windows XP)

→ Click Organize in the upper bar and select Folder and search options (for Windows 7).

→ Click View in the upper bar and select Change folder and search options in the drop-down menu of Options (for Windows 8/10)

  • In the Folder Options window, open the View tab, select Show hidden files and folders / Show hidden files, folders, and drives, and then click the Apply and OK buttons.

  • Go to the Local C disk, check the folders and remove malicious items related to Hades Locker Ransomware.

※ Here are files Hades Locker Ransomware may create (only for reference):

%UserProfile%\AppData\Local\Temp\RarSFX0\

%UserProfile%\AppData\Local\Temp\RarSFX0\Ronms.exe

%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ronms.lnk

%UserProfile%\AppData\Roaming\wow6232node\

%UserProfile%\AppData\Roaming\wow6232node\Bamvenagxe.xml

%UserProfile%\AppData\Roaming\wow6232node\Ronms.exe

Step 4: Clean up Registry Entries Related to Hades Locker Ransomware

  • Open the Start menu and select the Run dialogue.

  • Type “regedit” in the dialogue box and hit the Enter key.

  • In the Windows Registry Editor, click File and then select Find…

  • Type “hwid” (victim id number) in the search box and hit the Enter key.
  • Or remove malicious entries according to the following paths (only for reference):

HKEY_CURRENT_USER\Software\Wow6232Node\hwid[Your ID number]

HKEY_CURRENT_USER\Software\Wow6232Node\status
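
A read-only check for the file locations from Step 3 and the registry key from Step 4, as an added Python example that is not part of the original guide. The function names are illustrative; the paths are the reference locations listed above, and the registry lookup only runs on Windows.

```python
import os

try:
    import winreg  # standard library, available on Windows only
except ImportError:
    winreg = None

# Reference locations from Step 3 (relative to %UserProfile%) and
# Step 4 (relative to HKEY_CURRENT_USER) of this guide.
FILE_ARTIFACTS = [
    r"AppData\Local\Temp\RarSFX0",
    r"AppData\Local\Temp\RarSFX0\Ronms.exe",
    r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ronms.lnk",
    r"AppData\Roaming\wow6232node",
    r"AppData\Roaming\wow6232node\Bamvenagxe.xml",
    r"AppData\Roaming\wow6232node\Ronms.exe",
]
REGISTRY_KEY = r"Software\Wow6232Node"


def find_file_artifacts(profile_dir):
    """Return the listed paths that exist under profile_dir; nothing is deleted."""
    found = []
    for rel in FILE_ARTIFACTS:
        path = os.path.join(profile_dir, *rel.split("\\"))
        if os.path.exists(path):
            found.append(path)
    return found


def find_registry_artifacts():
    """Return subkey and value names under REGISTRY_KEY, or None if it is absent."""
    if winreg is None:
        return None  # not running on Windows
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, REGISTRY_KEY)
    except FileNotFoundError:
        return None
    with key:
        n_subkeys, n_values, _mtime = winreg.QueryInfoKey(key)
        names = [winreg.EnumKey(key, i) for i in range(n_subkeys)]
        names += [winreg.EnumValue(key, i)[0] for i in range(n_values)]
    return names


if __name__ == "__main__":
    profile = os.environ.get("USERPROFILE", os.path.expanduser("~"))
    for hit in find_file_artifacts(profile):
        print("file artifact:", hit)
    reg = find_registry_artifacts()
    print("registry key absent" if reg is None else f"registry entries: {reg}")
```

A RarSFX0 folder under Temp is also created by ordinary WinRAR self-extracting archives, so treat it as a lead only when the other entries are present too.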

Note: If you are not familiar with or used to operating a PC, you may make mistakes, which may lead to a system crash. In order to avoid mistaken deletion, you’d better back up the registry entries first. If you still have difficulties in removing registry entries, you are advised to use the professional tools in the post, which are able to detect all suspicious items and remove them automatically.

Automatic Removal Guide (Recommended)

SpyHunter is a professional anti-malware program which is compatible with all Windows OS. The program can not only remove computer threats including adware, browser hijackers, worms, Trojan horses and so on, but also protect your computer from attack in the future. For a computer beginner, it is easy to use.

Option 1: Remove Hades Locker Ransomware with SpyHunter

Click the button below to download SpyHunter.

Open the downloaded file (SpyHunter-Installer.exe), and then click the Run button when the window below appears.

Select your language and click the OK button.

Click the Continue button to continue the installation.

Select “I accept the EULA and Privacy Policy” and click the Install button.

Wait several minutes for the installation to complete.

After the installation is finished, click the Exit button.

After installation is completed, run SpyHunter, go to the “Start a New System Scan” tab, and click “Scan Computer Now!”

After the scan is finished, the screen shows all detected items in a list (click + to read more details about the infection).

Now, press the “Fix Threats” button to remove all detected threats.

  • Restart the computer for the changes to take effect.

Note: The unregistered version of SpyHunter provides a free scan and result list. To remove detected threats completely, you need to upgrade to the paid version.

Option 2: Remove Hades Locker Ransomware with PCKeeper Antivirus

Download PCKeeper Antivirus Installer on your computer.

Open PCKeeper Antivirus Installer, and then click the Run button when the window below appears.

Install PCKeeper Antivirus by clicking the Start Install button.

After installation is finished, you need to wait for Gathering Data to complete.

After Gathering Data is completed, click the Full Scan or Custom Scan button.

  • Full Scan is recommended if you want to check the whole system for viruses.
  • Custom Scan is recommended if you want to quickly check specific files or folders.

  • Once the scan is done, you can check the box beside File Name and then click the Delete button.

  • What is different from other anti-malware software is that PCKeeper Antivirus can provide you with one-to-one assistance. Whenever you encounter problems, you can turn to your expert.
  • Now start a live chat by clicking the earphone button / Show Support Bar and get the answer in 24 hours.

Option 3: Remove Hades Locker Ransomware with Plumbytes Anti-Malware

  • Download Plumbytes Anti-Malware from the button below.

  • Install Plumbytes Anti-Malware by clicking the INSTALL button.

  • After installation is done, run Plumbytes Anti-Malware by double-clicking its icon (or Plumbytes Anti-Malware will run automatically).
  • Go to OVERVIEW, and then click Run a scan.

  • After the scan is finished, all detected items will be shown in the list. You should check the box beside Hades Locker or Select All and then click REMOVE SELECTED.

  • Restart the computer for the changes to take effect.

How to Recover Encrypted Files

Option 1: Use Windows Previous Versions feature

Open File Explorer (My Computer icon) and click a folder containing the files you want to restore.

Right-click on the folder and select Properties.

Open the Previous Versions tab, select a restore point from a time when the files had not been deleted, and click Restore.

Click the Apply and OK buttons.

Option 2: Use System Restore

  • Open the Start menu -> type system restore into the search box -> press the Enter key.

  • On the Restore system files and settings page, you can choose Recommended restore or choose a different restore point, and then click Next.

  • Choose a restore point from before Hades Ransomware entered your computer and then click the Next button.

  • Click the Yes button in the pop-up window and wait for System Restore to complete.

Warm Reminder: It is important to back up the system settings regularly, which can save your computer at a crucial moment. If your computer really gets infected with Hades Locker Ransomware, please remember that removing the ransomware should be the first step, because Hades Locker Ransomware may continue to encrypt more folders and files. To remove Hades Locker Ransomware quickly & safely, you’d better use the powerful removal tools in the post.