A new ransomware that has been reported to encrypt user data with the .him0m browser extension has been spotted to affect an increasing amount of users. The ransom note is in English and is very threatening and direct, giving users instructions on how to pay to decrypt their data using an anonymous p2p messenger and a message specifically written as a form of identification. This ransomware is extremely devastating, and users who are affected are warned NOT to pay the cyber criminals ransom money for several different reasons and to use the instructions we have provided below to remove the ransomware and try decrypting their data.
|Short Description||Infects the user via trojan and downloads its payload that encrypts user files to extort the user for funds.|
|Symptoms||The user may witness a text document, called “READTHISNOWORELSE.txt” and his files become corrupt and encrypted with the .him0m extension.|
|Distribution Method||Spam Mail, Malicious URLs|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by .him0m Ransomware|
|User Experience||Join our forum to discuss removal and decryption of encrypted files by .him0m Ransomware.|
How Did I Get .him0m Ransomware
In case you have been affected by this nasty virus, there are several possible ways you could have activated its malicious files. The main method of such ransomware spreading across computers is via spam mail. Spam emails come in all shapes and sizes, and cyber criminals may even use websites such as PayPal or eBay to fabricate false messages and get users to download a malicious attachment to the email or embedded as a drive-by-download in an external URL in the email message itself.
There are also other forms of this ransomware spreading. Basically, anywhere where you may have found and clicked on suspicious web links may have been the malicious one. We are talking about chat spam, visiting suspicious and risky sites as well as directly letting someone have physical access to your computer.
.Him0m Ransomware – More about It
Once activated on the user PC the ransomware is reported to use a win32 / Injector.COMJ – A trojan horse that is most likely created to deliver the ransomware`s payload on the computer. After the payload is delivered, the ransomware may begin to scan the user PC for files to encrypt.
Similar to TeslaCrypt Ransomware, the cyber-threat then may encrypt .docx, .jpg, .pdf, .xls, .mp3 and other file formats used by Microsoft Office, Adobe Reader and other useful software. In the meantime, the ransomware has been reported to have countermeasures against certain notorious anti-malware software such as Malwarebytes Anti-Malware. Affected users report a ”Runtime Error” given while trying to launch MBAM to scan and remove the malware. The files are encrypted with the .him0m extension and upon opening Windows displays a ”File Corrupt” type of message.
After the user`s files have been successfully encrypted, they look like the following:
After encrypting the files, the ransomware may also encrypt the names of the files, concealing the file name from the user. Furthermore, after the encryption process is complete, the ransomware leaves the following ransom note:
Analyzing the note, this is one of the cases where instead of using Tor networking, the cyber criminals have preferred to use an anonymous p2p chat called Bitmessage. Given the seriousness of this ransom note, they are not willing to even negotiate the ransom amount. Despite the fact that according to the note, the Ransomware may use a unique key featuring algorithm, like the RSA, the actual algorithm may be different. No matter how important your files may be, we strongly advise against paying the ransom money because of the following reasons:
- The cyber-criminals may not provide you with decryption keys.
- You fund them to complicate their malware and initiate spam campaigns to spread it further.
Without going into much detail, in case you have been affected from such ransomware, it is imperative to immediately disconnect the computer from your home or office network since such malware usually may have some worm features that may allow it to spread to other computers in the network as well.
Removing .him0m Ransomware
To remove this ransomware, you should isolate your computer from any networks first. Then it is advisable to download an advanced anti-malware software updated with the latest definitions on a safe device, preferably in an offline installer. After this, you should follow the step-by-step instructions below using the anti-malware tool on your infected PC to eradicate this ransomware. What is more, having such software will protect your computer from having any issues like this one in the future.
Restoring Files Encrypted by .him0m Ransomware
When it comes to restoring data encrypted by ransomware, there are always complications. The encryption algorithms used have usually been created for the government, for defensive purposes, hence their strength. But do not worry because some ransomware Trojans may actually encrypt your data partially and the good news is you may have a chance using one of the following methods:
Shadow Explorer is an external program that restores files from the Shadow Volume Copies in Windows. Instructions and installer for Shadow Explorer you may find in the current link.
Data Recovery Software:
Such software can be used to scan for the sectors of your hard drive and restore your files:
- Stellar Phoenix Data Recovery Technicians License(Pro version with more features)
- Data Recovery Pro by Pareto Logic
- Stellar Phoenix Windows Data Recovery
- Stellar Phoenix Photo Recovery
Kaspersky is frequently updated when it comes to ransomware, developing decryption tools for most well-known algorithms. To try decrypting your files with the decryption tools, try downloading them from this web link.
Using Python in Linux
If the encryption algorithm is RSA you may have a chance decrypting your data by using the instructions in the here mentioned article.