.HELLO File Virus - How to Remove + Restore Files (Xorist)

.HELLO File Virus – How to Remove + Restore Files (Xorist)

photo file encrypted by .HELLO file virus Xorist ransomware sensorstechforum

This article provides detailed removal instructions of the latest variant of Xorist ransomware as well as possible choices for .HELLO files recovery.

The .HELLO file virus is encrypting malware of ransomware variety that belongs to the Xorist ransomware family. Thus, it targets valuable files, corrupts them and extorts victims for a ransom payment. The threat drops a file called HOW TO DECRYPT FILES.txt that contains a ransom message from cyber criminals. The .HELLO file virus appears to be a new iteration of Xorist ransomware that is using the specific .HELLO file extension for all corrupted files. Since the threat is available on the black market, anyone who knows how to look for it can buy it online and launch attack campaigns.

Threat Summary

Name.HELLO File Virus
Short DescriptionThe ransomware encrypts files on your computer, appends the extension .HELLO to them and displays a ransom message afterward.
SymptomsYour valuable files become inaccessible and are renamed with the extension .HELLO. For their decryption a ransom note appears on the PC screen and demands a ransom payment.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .HELLO File Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .HELLO File Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.HELLO File Virus – Spread Techniques

The computer infection can be triggered by a single file that just needs to be running on the system. This file is usually presented as an email attachment to legitimate looking email. Cyber criminals carefully craft the message so it is more likely to convince you to download and open the attachment on the PC. File attachments may be various file types generally documents, ZIP archives and JavaScript. Most of the malicious files are designed to trigger the ransomware infection at the moment you open them. The documents contain embedded malicious code that asks to be enabled to start the system infection.

The .HELLO file virus may also be distributed via corrupted web links that contain the malicious ransomware payload and are set to auto download it once you land on them. Such links can be again part of spam email campaigns or send via social media channels and displayed as online advertisements.

.HELLO File Virus – More Information

Once the malicious executable ransomware file is running on the PC, it may establish a remote connection with server controlled by hackers drops additional malware files and send them gathered information about the device. Files associated with .HELLO file virus may be situated in the following folders:

  • %AppData%
  • %Roaming%
  • %Temp%
  • %Common%
  • %{User’s Profile}%

However, they may be hidden or dropped under the names of familiar processes and thus be really hard to find. Another complicated sequence of the new Xorist ransomware is changed settings of the list of Windows start apps that is believed to be plagued by the threat. By adding new values under the Run and RunOnce registry keys, .HELLO file virus set its auto execution whenever the system is started. That’s why it is essential to enter the Registry Editor and fix all entries made by the ransomware. Otherwise, it will continue to load each time you start the Windows OS.

A way to prevent file restore from the Shadow Volume copies is opening the Command Prompt and running the command line “vssadmin.exe Delete Shadows /All /Quiet”. It will remove all shadows and reduce the .HELLO data recovery chances with one.

.HELLO File Virus – Encryption Process

The previous Xorist ransomware infection is reported to encrypt files by using the XOR or TEA cipher algorithms. It is not clear whether .HELLO file virus has the same encryption module or no, as it may be possessed by other hackers who have modified its code.

However, it is likely that upon infection the .HELLO file virus begins to scan for the following files and encrypt them:

→.zip, .rar, .7z, .tar, .gzip, .jpg, .jpeg, .psd, .cdr, .dwg, .max, .bmp, .gif, .png, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .pdf, .djvu, .htm, .html, .mdb, .cer, .p12, .pfx, .kwm, .pwm, .1cd, .md, .mdf, .dbf, .odt, .vob, .ifo, .lnk, .torrent, .mov, .m2v, .3gp, .mpeg, .mpg, .flv, .avi, .mp4, .wmv, .divx, .mkv, .mp3, .wav, .flac, .ape, .wma, .ac3

All corrupted files are marked with the malicious .HELLO file extension and are no longer accessible. The good news is that specialists from Kaspersky team have released a decryptor for the previous Xorist version that is likely to be working for .HELLO files recovery too.

So once you delete the ransomware from the computer, be sure to back up all encrypted files and check the restore step from the guide below.

An apparent trait of this new version of Xorist ransomware dubbed .HELLO file virus is the ransom note it displays after the encryption is done. A file named HOW TO DECRYPT FILES.txt is dropped in every folder that contains encrypted .HELLO files. By modifying registry keys again, the ransomware displays its message on the screen. The message appears in a Windows error pop up that reads the following:

Ooops, your files have been encrypted!
-What Happen to my computer? Your important files are encrypted
Many of your documents, photos, passwords, databases and other files are no longer accessible because they have been encrypted . Maybe you are busy looking for a way to recover your data, but do not waste your time . Nobody can recover your files without our decryption KEY
-Can i Recover My Files?
Sure.We guarantee that you can recover all your files safely and easily
But You have not so enough time .
So If you want to decrypt all your files, you need to pay .
You only have 12H to submit the payment.After that price will be doubled Also, If the transaction is not completed within 24 hours your files will be permanently deleted.
How To buy bitcoins hxxps://www.bitcoin.com/buy-bitcoin
And Send the the correct amount to this address 0.05 BTC

.HELLO file virus HOW TO DECRYPT FILES Windows error pop up ransom message sensrstechforum

It becomes clear that .HELLO ransomware authors demand 0.05 Bitcoins for the first 12 hours after infection. After the 12th hour the price is doubled. Threatening victims that their files will be permanently deleted they hope that more users will transfer the money as soon as possible. However, do not fall into their trap if you don’t want to lose your money and keep all .HELLO data encrypted.

Remove .HELLO File Virus and Restore Data

The .HELLO file virus should be removed as soon as possible from the infected computer because its presence endangers your private files and the overall system security. Beware that it has a complex code that modifies various system settings and processes in order to ensure its stable attendance on the PC. For the best removal results, security experts recommend the assistance of professional anti-malware tool.

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share