
Happy Locker Ransomware Remove and Restore .happy Files

The Happy Locker ransomware is anything but happiness for the users of the computers this nasty ransomware virus infects. The malware appends the .happy file extension to the files it encrypts and uses source code taken from the Hidden Tear open source ransomware project. Luckily for many, the Hidden Tear ransomware variants are now decryptable once the ransomware has been removed. Read this article thoroughly for more information on Happy Locker and further instructions on how to remove it and decrypt your files.

Threat Summary

Name: Happy Locker
Type: Ransomware
Short Description: Part of the Hidden Tear ransomware variants. Encrypts the files with AES-256 cipher or similar and appends the .happy file extension, asking for 0.1 BTC for the decryption. Decryptable (instructions below).
Symptoms: The user may witness ransom messages and “instructions” in files named READ.jpg and READDDDDDD.txt, all linking to a web page and a Happy Decryptor.
Distribution Method: Via an exploit kit and a fake BitCoin service.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

How Is Happy Locker Spread

In order to infect users, this virus uses a very unique method to distribute itself. Researchers report that a fraudulent BitCoin service downloaded from a suspicious website causes the infection by Happy Locker and, shortly after, the virus creates its malicious payload and drops a picture and a ransom note.

What Does Happy Locker Do

Once Happy Locker has caused an infection, the malware begins to drop its payload. The malicious payload of Happy Locker may be located in the typical Windows folders that are targeted by ransomware.


After the malicious files are successfully dropped onto the computer of the user, the Happy Locker ransomware begins to encrypt files, using the AES-256 encryption algorithm. Similar to other Hidden Tear variants, like EDA2, 8lock8 and BankAccountSummary, the virus scans for files with widely used extensions, such as the most common ones:

→ “.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”
Source: fileinfo.com

After this, Happy Locker adds its distinctive .happy file extension as a suffix to the encrypted files.

After rendering the files unopenable, Happy Locker is designed to drop a picture and a text ransom note, named “READ.jpg” and “READDDDDDD.txt”. They both contain the following ransom note:

→ “IMPORTANT INFORMATION! ! ! !
All your files are encrypted with HAPPY Ciphers
To Decrypt:
– Open This Page : http://ysasite.com/happy/
– Follow All Steps”

The website advertised in the ransom note leads to a service that imitates one of the most dangerous ransomware viruses out there, Locky Ransomware.
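An added example (not from the original article or from any tool it mentions): a Python inventory of the indicators described above, the .happy suffix and the READ.jpg / READDDDDDD.txt note names, which also lists encrypted files that have no restored copy beside them. The function names, and the assumption that a decrypted copy is written next to the encrypted file under its original name, are illustrative.

```python
import os
from collections import Counter

# Indicators taken from the article: the appended extension and the two note names.
ENCRYPTED_SUFFIX = ".happy"
RANSOM_NOTES = {"read.jpg", "readdddddd.txt"}

def scan_for_happy_locker(root):
    """Walk `root` and return (encrypted, notes, by_type).

    encrypted: sorted list of (path, original_name) for files ending in .happy
    notes:     sorted paths whose file name matches a ransom-note name
    by_type:   Counter of original extensions among the encrypted files
    """
    encrypted, notes, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower in RANSOM_NOTES:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                # The extension is appended as a suffix, so stripping it
                # gives back the original file name.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                encrypted.append((path, original))
                by_type[os.path.splitext(original)[1].lower() or "(none)"] += 1
    return sorted(encrypted), sorted(notes), by_type

def undecrypted(encrypted):
    """Encrypted files with no file of the original name beside them.

    Assumption: a decrypted copy is written next to the .happy file under
    its original name; adjust if your decryption tool behaves differently.
    """
    return [p for p, orig in encrypted
            if not os.path.exists(os.path.join(os.path.dirname(p), orig))]

if __name__ == "__main__":
    import sys
    enc, notes, types = scan_for_happy_locker(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(enc)} encrypted file(s), {len(notes)} ransom note(s)")
    for ext, n in types.most_common():
        print(f"  {ext}: {n}")
    print(f"{len(undecrypted(enc))} still without a restored copy")
```

Run it once before decryption to record what was affected, and again afterwards to confirm nothing was missed before wiping the drive.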

How to Remove Happy Locker and Decrypt Your Files

First, before decrypting your files, you need to make sure that Happy Locker is removed. We advise doing it with an anti-malware tool to remove the ransomware quickly and completely:

Automatically remove Happy Locker by downloading an advanced anti-malware program

1. Remove Happy Locker with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Happy Locker in the future

Decrypt files encrypted by Happy Locker

After having removed Happy Locker, we advise following the decryption instructions below for Hidden Tear ransomware variants like Happy Locker:

Step 1: Download the HiddenTear BruteForcer by clicking on the button below and open the archive:

Download

HiddenTear Bruteforcer



Step 2: Extract the program onto your Desktop or wherever you feel comfortable to easily access it and open it as an administrator.

Step 3: After opening it, you should see the main interface of the BruteForcer. From there, choose “Browser Sample” to select a sample encrypted file of the type of ransomware you are trying to decrypt.

Step 4: After this, select the type of ransomware from the expanding menu at the bottom left.

Step 5: Click on the Start Bruteforce button. This may take some time. After the brute forcing is finished and the key is found, copy it and save it somewhere on your PC in a .txt file; you will need it later.

Step 6: Download the HiddenTear Decryptor from the download button below:

Download

HiddenTear Decrypter

Step 7: Extract it and open it, the same way as with the HiddenTear Bruteforcer. From its primary interface, paste the key copied from the BruteForcer, write the type of extension being used by the ransomware and click on the Decrypt button.

After these steps have been completed, you should immediately copy your files to an external device so that they are safe. After this has been done, we strongly recommend completely wiping your drives and reinstalling Windows on the affected machine.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.


  • alej

    And what about .happyzzz and .happyzz? Thanks

    • Juan Carlos Cervantes Cornelio

      What can be done about happydayzzz?
