Remove HiddenBeer Ransomware (.beer Extension)

Remove HiddenBeer Ransomware (.beer Extension)

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

FILES-HELP-USER.TXT ransom message HiddenBeer ransomware sensorstechforum

This article explains the issues that occur in case of infection with HiddenBeer ransomware and provides a complete guide on how to remove malicious files and how to potentially recover files encrypted by this ransomware.

The HiddenBeer ransomware invades computer systems in order to encode particular files by utilizing strong cipher algorithm. After data corruption, it demands a ransom payment of $100 in Bitcoin for a decryption key. It appears to be a strain of the HiddenTear ransomware family which was initially created for educational purposes. Files encrypted by this ransomware could be recognized by the extension .beer that is appended to their original names.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionA data locker ransomware that utilizes AES cihper algorithm to encrypt important files stored on infected devices. To decrypt files it demands a ransom payment.
SymptomsImportant files are corrupted and inaccessible. They are all renamed with .beer extension. A ransom note appears on screen to extort a ransom.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by HiddenBeer


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss HiddenBeer.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

HiddenBeer Ransomware – Distribution

HiddenBeer ransomware infection begins after its payload is started on a target host. Since this should happen without your knowledge hackers bet on various shady spread techniques. They all attempt to trick you into starting the malicious code on your system. The payload is usually an executable file. Its unattended load could happen along with a load of a corrupted email attachment or web page. Spam emails part of ransomware spread campaigns are often designed to resemble the emails we receive from legitimate sources.

So by spoofing the email sender and email address, hackers could easily mislead you that the email is sent by a representative of well-known institution or business service like

PayPal, DHL, FedEx, and Amazon.

As of the compromised email elements they are usually file attachments presented as important documents, pictures, invoices, notifications, bills, taxes or URLs that load a corrupted web page in the browser. Once opened the compromised attachment or the corrupted web page they trigger the ransomware infection.

HiddenBeer Ransomware – Overview

HiddenBeer crypto virus belongs to HiddenTear ransomware family. An infection with this threat begins soon after its payload is started on a target system. When this event occurs the ransomware becomes able to run various malicious commands in order to plague predefined system settings and continue with the attack.

For the attack HiddenBeer ransomware is likely to connect its command and control server and download additional malicious files needed for the following infection stages. There are several folders that are commonly used by crypto viruses to store their malicious files and objects and they are:

  • %Temp%
  • %Roaming%
  • %UserProfile%
  • %AppData%

In order to achieve a higher level of persistence the ransomware is likely to be configured to add new registry entries in particular Windows registry sub-keys. Changes usually support the automatic execution of malicious files on each Windows OS start. By adding values under the sub-key presented below, HiddenBeer is also able to open its ransom note soon after the encryption process is done:


And here is the text presented by the ransom message of HiddenBeer:

Your files have been encrypted.
Why have they been encrypted?
To help ensure your security.
To get them decrypted by our specialists,
just send $100 worth of Bitcoin(BTC), to: 33Lf7BrDXwNBMM4ZVg5dMQg1Bvuwzd1VQm.
Afterwards send a Email to “” with your computer name and transaction data.
Computer name: HAPUBWS-PC
Once you have your decryption key, Use it in the file decrypter.
If it isn’t open, goto your Desktop and run “@FILE-DECRYPTER.exe”

FILES-HELP-USER.TXT ransom message HiddenBeer ransomware sensorstechforum

The message is contained in a file called FILES-HELP-USER.TXT and as revealed it aims to extort a ransom of $100 for files decryption. Beware that paying the ransom does not guarantee the recovery of your .beer files so we advise you to attempt to fix the problem with the help of available alternative solutions.

HiddenBeer Ransomware – Encryption Process

Once HiddenBeer ransomware implements the sequence of malicious activities that plagues the system, it is ready to continue with data encryption stage. For it, the ransomware performs a scan of all computer drives to locate and encrypt each file which appears in its target data list. During data encryption process, similar to previous HiddenTear variants (

AngleWare, Proticc, The Brotherhood just to name a few) HiddenBeer ransomware is believed to use AES cipher algorithm. This cipher modifies parts of the original code of target files making their new versions completely unusable.

Unfortunately, HiddenBeer crypto virus is likely to be set to corrupt files of commonly used types as they usually store valuable information. So you may find that all of the following files are no longer accessible:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

After a file is encrypted, it could be recognized by the file extension .beer as it is appended to the original names of all corrupted data. Upon encryption, HiddenBeer is also reported to replace desktop wallpaper with its own image that depicts the text YOUR FILES ARE ENCRYPTED and has the following look:

your files are encrypted desktop image hiddenbeer ransomware

Remove HiddenBeer Ransomware and Restore .beer Files

Below you could find how a step-by-step removal guide that may be helpful in attempting to remove HiddenBeer ransomware. The manual removal approach demands practice in recognizing traits of malware files. Beware that ransomware is a threat with highly complex code that plagues not only your files but your whole system. So it should be secured properly before it could be used regularly again.

The automatic approach enables you to check the infected system for ransomware files and remove them with a few clicks after the scan. Reliable anti-malware program is also one of the best ways to protect the PC from ransomware. Additional security layer that will prevent you from ransomware attacks is

anti-ransomware tool.

If you want to understand how to fix .GMPF files without paying the ransom make sure to read carefully all the details mentioned in the step “Restore files” from the guide below. Beware that before recovery process you should back up all encrypted files to an external drive in order to prevent their irreversible loss.

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share