BlackHat Ransomware – Remove and Restore .H_F_D_locked Files


This article aims to help you by showing how to remove the new BlackHat ransomware virus and how to restore .H_F_D_locked files without having to pay the ransom.

A ransomware virus, mocking the BlackHat hacking convention, has appeared in the wild. The virus gives victims a deadline of 12 hours to pay a ransom and unlock the files which it has encrypted after infecting their computer. In addition to this, the BlackHat ransomware adds its distinctive .H_F_D_locked extension to the encrypted files. In case your computer has been infected by the BlackHat ransomware, we advise you to read the following article to learn how to remove it and restore your files without having to pay the ransom.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: A file-encryption type of ransomware. Aims to render important files no longer openable until a ransom is paid.
Symptoms: Encrypts the files on the infected computer, after which it adds the .H_F_D_locked file suffix to them.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

How Does BlackHat Ransom Virus Infect PCs

The infection process of this ransomware virus is similar to other ransomware viruses out there. The cyber-criminals who are behind it may send massive spam messages to users, which look somewhat like the following:

The e-mails usually carry attachments posing as the legitimate files they are described to be, but they may also contain a web link to an external file-sharing website, such as Dropbox, in order to keep the e-mails from being blocked.

The malicious file of the virus, responsible for the infection and encryption is reported by researchers to be the following:

BlackHat Ransomware – Malicious Activity

When the victims of BlackHat ransomware open the malicious files of the virus, the payload may be dropped onto the victim’s computer in the following Windows locations:

  • %AppData%
  • %Roaming%
  • %Local%
  • %Temp%

After the payload is dropped, the BlackHat ransomware may perform a set of activities, starting with obtaining administrative privileges. These may be used to modify the following Windows registry sub-keys, adding entries in them with the location of the malicious files:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
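
A triage check for the persistence described above, as an added example (not code from the original article): it takes Run-key values already exported from a host and flags those whose executable sits under the user-writable drop locations. The environment paths, user name and sample values are constructed, and mapping the article's %Roaming% and %Local% to %APPDATA% and %LOCALAPPDATA% is an assumption.

```python
import ntpath
import re

# Constructed environment for the sample; on a live host use os.environ.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "PROGRAMFILES": r"C:\Program Files",
}
# Variables standing in for the drop locations listed in the article (assumed mapping).
DROP_VARS = ("APPDATA", "LOCALAPPDATA", "TEMP")
EXE_RX = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|vbs|js))(?:\s|$)", re.I)

def expand(value, env=ENV):
    """Expand %VAR% case-insensitively; unknown variables are left as written."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), value)

def target_path(command, env=ENV):
    """Return the normalized, lowercased executable path of a Run value."""
    command = expand(command.strip(), env)
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]      # quoted path, arguments follow
    else:
        m = EXE_RX.match(command)               # unquoted path may contain spaces
        exe = m.group(1) if m else command.split(" ", 1)[0]
    return ntpath.normpath(exe).lower()         # also collapses ".." segments

def suspicious_run_entries(entries, env=ENV):
    """Return (value name, path) for entries that start from a drop location."""
    roots = [ntpath.normpath(env[v]).lower() + "\\" for v in DROP_VARS]
    hits = []
    for name, command in entries:
        path = target_path(command, env)
        if any(path.startswith(root) for root in roots):
            hits.append((name, path))
    return hits

# Constructed sample of exported Run values (value name, command line).
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r"%ProgramFiles%\Windows Defender\MSASCuiL.exe"),
    ("Updater", r'"%APPDATA%\svc\updater.exe" /silent'),
    ("tmp1", r"C:\Users\alice\AppData\Local\Temp\..\Temp\a1b2.exe"),
]

if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(f"review Run value {name!r}: {path}")
```

A hit is a lead for manual review, since some legitimate software also starts from the user profile.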

In addition to this, the BlackHat ransomware may also delete the shadow volume copies of Windows on the infected computer via the following commands:

→ process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
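
Detection logic for the commands quoted above, as an added example that is not part of the original article: it normalizes process-creation command lines and flags shadow-copy deletion and the two bcdedit recovery changes, including when they are chained with & in one line. Host names, process IDs and the log lines are constructed.

```python
import re

# One rule per command in the article; each regex runs on a normalized sub-command.
RULES = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b")),
    ("recovery_disabled",   # "no" plus the other bcdedit boolean spellings
     re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+(no|off|false|0)\b")),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
]

def normalize(cmdline):
    """Lowercase, drop quotes and cmd carets, strip '.exe', collapse whitespace."""
    s = cmdline.lower().replace("\u201c", '"').replace("\u201d", '"')
    s = re.sub(r'["^]', "", s)
    s = re.sub(r"\.exe\b", "", s)
    return re.sub(r"\s+", " ", s).strip()

def match_rules(cmdline):
    """Return the sorted rule names hit by any '&'-chained sub-command."""
    hits = set()
    for part in re.split(r"&+", normalize(cmdline)):
        hits.update(name for name, rx in RULES if rx.search(part))
    return sorted(hits)

def triage(events):
    """events: (host, pid, command line) tuples; returns only the flagged ones."""
    flagged = []
    for host, pid, cmdline in events:
        hits = match_rules(cmdline)
        if hits:
            flagged.append((host, pid, hits))
    return flagged

# Constructed process-creation records (host, pid, command line).
EVENTS = [
    ("WS-014", 4312, 'wmic process call create "cmd.exe /c vssadmin.exe delete '
     'shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & '
     'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"'),
    ("WS-014", 4410, "vssadmin.exe list shadows"),
    ("WS-022", 980, r"C:\Windows\System32\VSSADMIN.EXE  Delete  Shadows /For=C: /Quiet"),
    ("WS-031", 1200, "bcdedit /enum"),
]

if __name__ == "__main__":
    for host, pid, hits in triage(EVENTS):
        print(f"{host} pid={pid}: {', '.join(hits)}")
```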

In addition to this, the virus drops its distinctive ransom note, mocking the Black Hat hacking conference:

Text from note:

Your documents, photos, databases and other important files have been encrypted with strongest encryption and locked with unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
Caution: Removing of Blackhat will not restore access to your encrypted files.

BlackHat Ransomware – Encryption

The encryption process of BlackHat ransomware is done with the aid of the XOR encryption algorithm which is generally a strong cipher, only a bit outdated. The cipher renders important documents, audio files, videos, archives and other types of files no longer openable. The BlackHat ransomware may attack files which have the following file types:


After encrypting your files, the BlackHat virus leaves them with the .H_F_D_locked file extension and the files appear like the following:

Remove BlackHat Ransomware and Restore .H_F_D_locked Files

Before actually getting down to the virus removal and recovery part, it is important to back up your data, even though it is encrypted.

Then, for the removal of .H_F_D_locked file virus, it is recommended to follow the instruction steps from the removal manual below. They are specifically designed to help you remove the .H_F_D_locked files virus after isolating it. However, for maximum effectiveness or if you do not have the experience in manual removal, experts always advise turning to the appropriate anti-malware software for automatic removal of BlackHat.

If you want to restore files that have been encrypted by .H_F_D_locked ransomware, we would suggest that you try the alternative methods for file recovery down in step “2. Restore files encrypted by BlackHat”.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
