Malware analysts have detected a new ransomware infection, Newht Ransomware, which is based on Hidden Tear, an open-source ransomware project. Although it encrypts files and then drops a ransom note, it does not offer to sell you the decryption key the way the majority of other ransomware infections do, so, according to specialists at 411-spyware.com, this infection might be used for testing/educational purposes only. If that is the case, you should never encounter Newht Ransomware on your computer. Of course, theoretically, this infection might be taken over by cyber criminals one day. They might update it and then use it to obtain money from users. Ransomware infections usually encrypt files and then tell users that they can decrypt them only with a special decryption key that they must purchase from the cyber criminals. As mentioned above, the version our specialists have tested does not do that, but users who encounter it should still not keep this infection on their computers: it is capable of encrypting files even though it does not demand a ransom, meaning that it might strike again and lock important files one more time.
If Newht Ransomware ever enters your computer, it will first scan it and detect files with certain extensions. These are the extensions it encrypts: .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, and .pdf. It will encrypt files with these filename extensions no matter where they are located; only files located in the %APPDATA% directory are left unencrypted. It is easy to tell which files have been locked because they receive the .htrs filename extension (newer versions of Newht Ransomware might also append the .ruby extension, according to experts). When all files have been ciphered with the AES encryption algorithm and given the new extension, the ransomware drops a file named readme.txt. It contains one sentence, “Files have been encrypted!”, and a unique user ID. This threat does not tell users that they can purchase the decryption key and easily unlock files, which clearly shows that it does not seek to extract money from users. Newht Ransomware is definitely not a prevalent threat, but if it somehow manages to sneak onto your computer, or you download it from a corrupted page thinking that it is harmless, you will most likely find your files encrypted and carrying the .htrs extension. As you already know, you cannot purchase the decryption key and use it to decrypt your files, which means that you can get your files back only if you have backed them up, i.e. you can restore them from a backup.
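The file-system indicators described above (the targeted extension list, the .htrs/.ruby extension on encrypted files, the readme.txt note, and the untouched %APPDATA% directory) are easy to check for with a small triage script. The following is an added example written for this page, not code from the original article or from 411-spyware.com; the function names, the choice of a directory tree as input, and the sample files it builds in a temporary folder are constructed for the demonstration.

```python
"""Triage helper for the Newht Ransomware file-system indicators.

Added example, not code from the original page. Assumptions (not from the
page): the function names, a local directory tree as input, and the
constructed sample files created by build_sample_tree().
"""
import os
import tempfile

# Extensions the page lists as targeted by Newht Ransomware.
TARGET_EXTENSIONS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt",
    ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp",
    ".aspx", ".html", ".xml", ".psd", ".pdf",
}
# Extensions appended to encrypted files (.ruby reported for newer variants).
ENCRYPTED_EXTENSIONS = {".htrs", ".ruby"}
NOTE_NAME = "readme.txt"
NOTE_MARKER = "Files have been encrypted!"


def classify_file(path):
    """Return 'encrypted', 'note', 'at_risk' or None for a single path."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if ext in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    if name.lower() == NOTE_NAME:
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                if NOTE_MARKER in fh.read(4096):
                    return "note"
        except OSError:
            pass  # unreadable or missing: fall through to extension check
    if ext in TARGET_EXTENSIONS:
        return "at_risk"
    return None


def triage(root, appdata=None):
    """Walk `root` and group files by indicator category.

    Files under `appdata` (the %APPDATA% directory the page says is skipped)
    are reported separately so the untouched-but-targeted list stays accurate.
    """
    result = {"encrypted": [], "note": [], "at_risk": [], "skipped_appdata": []}
    appdata = os.path.abspath(appdata) if appdata else None
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if appdata and os.path.abspath(path).startswith(appdata + os.sep):
                result["skipped_appdata"].append(path)
                continue
            category = classify_file(path)
            if category:
                result[category].append(path)
    for key in result:
        result[key].sort()
    return result


def build_sample_tree(base):
    """Create a constructed sample tree (demo data, not real victim files)."""
    appdata = os.path.join(base, "AppData", "Roaming")
    os.makedirs(os.path.join(base, "Documents"))
    os.makedirs(appdata)
    files = {
        os.path.join(base, "Documents", "budget.xlsx.htrs"): b"\x00ciphertext",
        os.path.join(base, "Documents", "notes.txt"): b"still readable",
        os.path.join(base, "Documents", "photo.jpg.ruby"): b"\x00ciphertext",
        os.path.join(base, "readme.txt"): b"Files have been encrypted! ID: 0123\n",
        os.path.join(appdata, "settings.xml"): b"<config/>",
        os.path.join(base, "Documents", "movie.mp4"): b"untargeted",
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return appdata


def demo():
    """Run the triage over a temporary constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as base:
        appdata = build_sample_tree(base)
        report = triage(base, appdata=appdata)
        # Strip the temp prefix so results are stable across runs.
        return {k: [os.path.relpath(p, base) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Run it against a user profile root (passing the real %APPDATA% path as `appdata`) to get three useful lists at once: what has already been renamed, whether the note is present, and which targeted files are still intact and should be backed up before anything else is done on the machine.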
The encryption of files is not the only activity this ransomware infection performs. It has also been noticed that it connects to the local server http://192.168.200.1/write.php? using the password ms6pLXCyvz2LJC7UKZmc!@#$*. Additionally, it checks whether it is running inside a virtual machine. If it is, none of the files are encrypted. According to specialists at 411-spyware.com, this also shows that it has been developed for testing/educational purposes. Unfortunately, as you should already know if you have read the previous paragraphs, cyber criminals might start using it to get money from people too.
We cannot tell you how Newht Ransomware is spread because it is clearly not being actively disseminated at the time of writing. Everything might change in the future, though. If Newht Ransomware ever becomes a tool that cyber criminals use to extract money from users, it will mainly be spread in spam emails, our specialists believe. It might also be available for download on certain third-party pages. Ransomware and other malicious applications will be kept out of your computer only if you install a security application and keep it enabled, so do this as soon as possible.
You need to perform only two removal steps to fully delete Newht Ransomware from your computer. First, kill the malicious process it uses. Second, remove all files you have recently downloaded or opened. They might be located in %TEMP%, %USERPROFILE%\Downloads, and %USERPROFILE%\Desktop. If you cannot find them, use an automatic malware remover; it will detect and eliminate those files quickly.