The Happy Locker ransomware Is everything but happiness for the users of the computers this nasty ransomware virus infects. The malware uses the .happy file extensions to the files it encrypts, using the same source code taken from the Hidden Tear open source ransomware project. Luckily for many, the Hidden Tear ransomware variants are now decryptable, after being removed. Read this article thoroughly for more information on Happy Locker and Further instructions on how to remove it and decrypt your files.
|Short Description||Part of the Hidden Tear ransomware variants. Encrypts the files with AES-256 cipher or similar and appends the .happy file extension asking for 0.1 BTC for the decryption. Decryptable (instructions below)|
|Symptoms||The user may witness ransom messages and “instructions” on files named READ.jpg and READDDDDDD.txt all linking to a web page and a Happy Decryptor.|
|Distribution Method||Via an Exploit kit and Fake BitCoin service.|
See If Your System Has Been Affected by Happy Locker
Malware Removal Tool
|User Experience||Join our forum to Discuss Happy Locker Ransomware.|
How Is Happy Locker Spread
In order to infect users, this virus uses a very unique method to distribute itself. Researchers report that a fraudulent BitCoin service downloaded from a suspicious website causes the infecton by HappyLocker and shortly after, the virus creates it’s malicious payload and drops a picture and a ransom note.
What Does Happy Locker Do
Once Happy Locker has caused an infection, the malware begins to drop it’s payload. The malicious payload of Happy Locker may be located onto the typical Windows folders that are targeted by ransomware.
After the malicious files are successfully dropped onto the computer of the user, the Happy Locker ransomware begins to encrypt files, using the AES-256 encryption algorithm. Similar to other Hidden Tear variants, like EDA2, 8lock8 and BankAccountSummary, the virus scans for widely used types of file extensions, like the most commonly used ones:
→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”Source:fileinfo.com
After this, the virus uses it’s distinctive .happy file extension which Happy Locker adds as a suffix to the encrypted files, making them appear like the following:
After rendering the files unopenable, Happy Locker is designed to drop a picture and a text ransom note, named “READ.jpg” and “READDDDDDD.txt”. They both contain the following ransom note:
→ “IMPORTANT INFORMATION! ! ! !
All your files are encrypted with HAPPY Ciphers
– Open This Page : http://ysasite.com/happy/
– Follow All Steps”
The website advertised on the ransom note leads to a service that imitates one of the most dangerous ransomware viruses out there – Locky Ransomware:
How to Remove Happy Locker and Decrypt Your Files
First, before decrypting your files, you need to make sure that Happy Locker is removed. We advise doing it with an anti-malware tool to remove the ransomware quickly and completely:
Automatically remove Happy Locker by downloading an advanced anti-malware program
Decrypt files encrypted by Happy Locker
After having removed Happy Locker, we advise following the below displayed decryption instructions for Hidden Tear ransomware variants like Happy Locker:
Step 1: Download the HiddenTear BruteForcer by clicking on the button below and open the archive:
Step 2: Extract the program onto your Desktop or wherever you feel comfortable to easily access it and open it as an administrator:
Step 3: After opening it, you should see the main interface of the brute force. From there, choose “Browser Sample” to select a sample encrypted file of the type of ransomware you are trying to decrypt:
Step 4: After this select the type of ransomware from the down-left expanding menu:
Step 5: Click on the Start Bruteforce button. This may take some time. After the brute forcing is finished and the key is found, copy it and save it somewhere on your PC in a .txt file, you will need it later.
Step 6: Download the HiddenTear Decryptor from the download button below:
Step 7: Extract it and open it, the same way with HiddenTear Bruteforcer. From it’s primary interface, paste the key copied from the BruteForcer, write the type of extension being used by the ransomware and click on the Decrypt button as shown below:
After these steps have been completed, you should immediately copy your files to an external device so that they are safe. After this has been done, we strongly recommend completely wiping your drives and reinstalling Windows on the affected machine.