Happy Locker Ransomware Remove and Restore .happy Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Happy Locker Ransomware Remove and Restore .happy Files

The Happy Locker ransomware is anything but happiness for the users of the computers it infects. The malware appends the .happy file extension to the files it encrypts, using source code taken from the Hidden Tear open-source ransomware project. Luckily for many, the Hidden Tear ransomware variants are now decryptable, after being removed. Read this article thoroughly for more information on Happy Locker and further instructions on how to remove it and decrypt your files.

Threat Summary


Name: Happy Locker

Short Description: Part of the Hidden Tear ransomware variants. Encrypts files with the AES-256 cipher or similar and appends the .happy file extension, asking for 0.1 BTC for the decryption. Decryptable (instructions below).
Symptoms: The user may see ransom messages and “instructions” in files named READ.jpg and READDDDDDD.txt, all linking to a web page and a Happy Decryptor.
Distribution Method: Via an exploit kit and a fake BitCoin service.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files, and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

How Is Happy Locker Spread

In order to infect users, this virus uses an unusual method to distribute itself. Researchers report that a fraudulent BitCoin service downloaded from a suspicious website causes the infection by Happy Locker, and shortly after, the virus creates its malicious payload and drops a picture and a ransom note.

What Does Happy Locker Do

Once Happy Locker has caused an infection, the malware begins to drop its payload. The malicious payload of Happy Locker may be located in the typical Windows folders that are targeted by ransomware.

(Image: commonly used file names and folders)

After the malicious files are successfully dropped onto the computer of the user, the Happy Locker ransomware begins to encrypt files, using the AES-256 encryption algorithm. Similar to other Hidden Tear variants, like EDA2, 8lock8 and BankAccountSummary, the virus scans for widely used types of file extensions, like the most commonly used ones:


After this, the virus appends its distinctive .happy file extension as a suffix to the encrypted files, making them appear like the following:


After rendering the files unopenable, Happy Locker is designed to drop a picture and a text ransom note, named “READ.jpg” and “READDDDDDD.txt”. They both contain the following ransom note:

“All your files are encrypted with HAPPY Ciphers
To Decrypt:
– Open This Page : http://ysasite.com/happy/
– Follow All Steps”

The website advertised on the ransom note leads to a service that imitates one of the most dangerous ransomware viruses out there – Locky Ransomware:


How to Remove Happy Locker and Decrypt Your Files

First, before decrypting your files, you need to make sure that Happy Locker is removed. We advise doing it with an anti-malware tool to remove the ransomware quickly and completely:

Automatically remove Happy Locker by downloading an advanced anti-malware program

1. Remove Happy Locker with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Happy Locker in the future

Decrypt files encrypted by Happy Locker

After removing Happy Locker, we advise following the decryption instructions below for Hidden Tear ransomware variants like Happy Locker:

Step 1: Download the HiddenTear BruteForcer by clicking on the button below and open the archive:


HiddenTear Bruteforcer


Step 2: Extract the program onto your Desktop or wherever you feel comfortable to easily access it and open it as an administrator:


Step 3: After opening it, you should see the main interface of the brute forcer. From there, choose “Browse Sample” to select a sample encrypted file of the type of ransomware you are trying to decrypt:


Step 4: After this, select the type of ransomware from the drop-down menu at the bottom left:


Step 5: Click on the Start Bruteforce button. This may take some time. After the brute forcing is finished and the key is found, copy it and save it somewhere on your PC in a .txt file. You will need it later.

Step 6: Download the HiddenTear Decryptor from the download button below:


HiddenTear Decrypter

Step 7: Extract it and open it, the same way as with the HiddenTear Bruteforcer. From its primary interface, paste the key copied from the BruteForcer, write the type of extension being used by the ransomware and click on the Decrypt button as shown below:


After these steps have been completed, you should immediately copy your files to an external device so that they are safe. After this has been done, we strongly recommend completely wiping your drives and reinstalling Windows on the affected machine.
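An added example, not part of the original article or of the HiddenTear tools: a read-only inventory that uses the indicators described above (the .happy suffix and the READ.jpg / READDDDDDD.txt notes) to list affected files, suggest a sample for Step 3 and show which files are still unrestored after Step 7. It assumes the decrypted copy is written next to the encrypted file under its original name; the smallest-file sample choice and the demo tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENC_SUFFIX = ".happy"                        # extension named in the article
NOTE_NAMES = {"read.jpg", "readdddddd.txt"}  # ransom note names from the article

def inventory(root):
    """Read-only walk of root: encrypted files, ransom notes, restore status."""
    report = {"encrypted": [], "notes": [], "pending": [],
              "by_type": Counter(), "sample": None}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in NOTE_NAMES:
                report["notes"].append(path)
            elif lower.endswith(ENC_SUFFIX) and len(name) > len(ENC_SUFFIX):
                original = path[:-len(ENC_SUFFIX)]
                report["encrypted"].append(path)
                report["by_type"][os.path.splitext(original)[1].lower()] += 1
                # Assumption: the decrypted copy sits beside the encrypted
                # file under the original name; if absent, still pending.
                if not os.path.exists(original):
                    report["pending"].append(path)
    # Assumption (heuristic, not from the article): offer the smallest
    # non-empty encrypted file as the sample for the brute-force step.
    sized = sorted((os.path.getsize(p), p) for p in report["encrypted"])
    nonempty = [p for size, p in sized if size > 0]
    if nonempty:
        report["sample"] = nonempty[0]
    return report

def build_demo_tree():
    """Constructed sample tree (not real victim data) for an offline run."""
    root = tempfile.mkdtemp(prefix="happy_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    layout = {"report.docx.happy": b"x" * 64, "photo.png.happy": b"x" * 16,
              "photo.png": b"restored", "READ.jpg": b"note",
              "READDDDDDD.txt": b"note", "notes.txt": b"untouched"}
    for name, data in layout.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    result = inventory(build_demo_tree())
    print(len(result["encrypted"]), "encrypted;", len(result["pending"]), "pending")
    print("sample:", result["sample"], "| notes:", len(result["notes"]))
```

The walk only reads file names and sizes, so it can be run against a mounted disk image or a backup copy before any decryption attempt.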

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.



  1. alej

    And what about .happyzzz and .happyzz? Thanks

    1. Juan Carlos Cervantes Cornelio

      What should be done about happydayzzz?

