Hades Locker Ransomware Removal Guide

Although Hades Locker Ransomware is just a different version of WildFire Ransomware, these threats are very different. For one, the original ransomware infection has been dismantled already after security experts seized Command & Control servers. It appears that cyber criminals learned from their mistakes because the new version of this infection is unbeatable. While the victims of the WildFire infection got their decryption keys for free, this is unlikely to happen with the new version. Has this infection slithered into your operating system? It is not yet known how this threat spreads across the web, but our guess is that it is using spam email attacks. Did the encryption of your files start soon after you opened a suspicious file attached to a spam email? Unfortunately, if the encryption has been completed, there is little you can do. If you want to learn more about your options, as well as how you can delete Hades Locker Ransomware, please continue reading.

Three files (README_RECOVER_FILES_[victim_id].html, README_RECOVER_FILES_[victim_id].png, and README_RECOVER_FILES_[victim_id].txt) are created as soon as Hades Locker Ransomware is done encrypting your files. These HTML, PNG, and TXT files all deliver the same message: You need to pay a ransom. At the time of research, the sum requested was 1 Bitcoin, which is quite a common amount, as this sum translates to around $600 and €550, and that is quite substantial. Now, whether or not your payment would result in the production of a decryption key is unknown. What we know is that there are plenty of users who have been affected by different ransomware infections and who claim that they were fooled. We cannot claim that your ransom payment would be empty, but we know that the risk is very real. Do you want to lose both, your files and your money? If you do not, you will think carefully before you make any payments and remove Hades Locker Ransomware.

Did you know that Hades Locker Ransomware can delete Shadow Volume Copies of your files by calling the “WMIC.exe shadowcopy delete /nointeractive” command? If you had set up a restore point, this will prevent you from restoring files. Of course, the biggest obstacle preventing you from unlocking your files is a decryption tool. Unless you have this key, the encrypted files – the ones with the “.~HLN3WQG” extension attached to them – will remain unreadable. You might have noticed that the extension also includes a funny code. This code is your unique ID; the same one that you will be introduced to via the ransom notes. According to our research team, the first thing that Hades Locker Ransomware does upon execution is connecting to ip-api.com/xml. By doing this, the ransomware records your IP address and geo-location. A unique ID number is generated, and this information is then collectively sent to a remote Command & Control server. After that, the server responds with a password that is used for the encryption of your files.

The first thing you should do when you discover the ransomware is analyze the state of your files. It was found that Hades Locker Ransomware avoids files that are located in folders whose names have specific strings, such as “windows” or “program files.” Now, it is unlikely that you store your own personal data within such folders, but you should analyze all other folders and subfolders. Hopefully, you will realize that most essential and valuable files are stored in a secure backup, which means that you do not need to worry about them. What about less valuable files? If they are not that important, maybe you should sacrifice them? After all, the ransom fee requested for a decryption tool – and we do not know whether or not you would get – is pretty big, and the files you are worried about might not be worth it.

Malware researchers agree that it is important to remove Hades Locker Ransomware from your operating system as soon as possible. Even though it is stated that you have a week to make the decision and initiate the decryption of your files, we do not recommend wasting so much time. If you choose to take the risk of paying for the decryption key, make sure you are okay with possibly losing this amount. If you make peace with the loss of files, make sure you are sure of it because there is no turning back after that. Whichever of these two is your decision, you MUST delete Hades Locker Ransomware, and we advise installing automated malware removal software for that. If you are sure you can identify all malicious components yourself, you might be able to successfully eliminate the ransomware using the manual removal guide below.

How to delete Hades Locker Ransomware

1. Delete README_RECOVER_FILES_[victim_id].html, README_RECOVER_FILES_[victim_id].png, and README_RECOVER_FILES_[victim_id].txt files scattered around your PC.
2. Simultaneously tap Win+E to launch Windows Explorer.
3. Enter %APPDATA%\wow6232node\ into the address bar.
4. Right-click and Delete the malicious .exe file.
5. Another location where the malicious .exe file might hide is %TEMP%\RarSFX0\ (if the .exe file is not found in either of these paths, use a malware scanner to locate it for you).
6. Enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ (Windows XP users need to enter %ALLUSERSPROFILE%\Start Menu\Programs\Startup\) into the address bar.
7. Right-click and Delete the malicious .exe file.
8. Simultaneously tap Win+R to launch RUN and enter regedit.exe.
9. In Registry Editor move to HKCU\Software\WOW6232Node.
10. Right-click and Delete the value named hwid.
11. Right-click and Delete the value named status.