Skull HT Ransomware is a dangerous threat distributed via malicious email attachments the infection’s victims may receive via Spam. The interesting part is that the harmful application seems to target only a particular directory, which means it might not do as much damage as other similar malware. The note left behind after user’s files get enciphered tells it was done by an open source file-encrypting program named Hidden Tear. Our specialists say Skull HT Ransomware is not the same threat; even though it was based on Hidden Tear, it is a slightly different version. Not to mention, this project was completed for educational purposes, and the ransomware in question comes from hackers who wish to extort money from their victims. To learn more details, you could continue reading the article, and if you decide it would be best to get rid of the malware, we can offer the recommended deletions steps available at the end of the text too.
The malicious application’s launcher could be titled The Art of Amazon Carding.pdf.exe or The Art of Amazon Carding.exe, and so on. Soon after such a file is launched the threat may create a copy of itself called local.exe in the %HOMEDRIVE%\user\Rand123 directory. The folder titled Rand123 should be created by Skull HT Ransomware too. Besides the mentioned data, the infection could also create a text document called READ_ME.txt in the %USERPROFILE%\Desktop directory. As you realize this text document is a ransom note, but we will discuss the message it contains a bit later.
According to our researchers Skull HT Ransomware might target only the %USERPROFILE% directory and its subfolders, e.g., Desktop, Contacts, Downloads, Music, Favorites, and so on. It should encipher various files located on the mentioned directories with a strong cryptosystem. For instance, the malware could encrypt data with .txt, .jar, .exe, .dat, .contact, .settings, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .py, .sql, .mdb, and other extensions. Afterward, the damaged files should be marked with an additional extension called .locked, e.g., document.txt.locked. To ask for a ransom the malicious application should place the text document we mentioned earlier and possibly change the user’s Desktop image with a picture downloaded from a particular server.
The new Desktop image might also suggest the computer was infected with the open source ransomware called Hidden Tear. It could be done to merely confuse the user and make it more difficult to find information about Skull HT Ransomware. Then it should recommend not to panic and read the information on READ_ME.txt. The message you should find after opening this file suggests paying a ransom of 0.00156 BTC to a provided Bitcoin wallet address and emailing the hackers. If you believe what they say they are supposed to “supply You with the Decryption Key And tool” soon after the payment is made. Of course, even if the sum does not look like a lot, we would not recommend paying it to the malware’s creators. There are no guarantees they will do as they promise and if the malicious application did not lock any important data to you; risking with even the smallest amount of money might be not worth it.
Users who have no intention to pay any money to the hackers should simply erase the malware. The threat can be removed with a reliable antimalware tool or manually by the user himself. If you prefer the latter option, we advise following the recommended deletion steps. They will explain how to find and how to remove files associated with Skull HT Ransomware one by one. As for enciphered data you can recover it later if you have any backup copies.
# | File Name | File Size (Bytes) | File Hash |
---|---|---|---|
1 | local.exe | 219136 bytes | MD5: 0293b9b0ba24a023fc66df72de73b703 |
2 | ransom.jpg | 4029324 bytes | MD5: 1e6b062fd835681a4b76357613e41342 |
# | Process Name | Process Filename | Main module size |
---|---|---|---|
1 | local.exe | local.exe | 219136 bytes |