.honor Files Ransomware Virus - How to Remove It and Restore Data

.honor Files Ransomware Virus – How to Remove It and Restore Data

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article aims to help you by showing you how to remove the .honor files virus (“honor’s ransomware”) from your computer and how to restore files, encrypted by it.

New ransomware infection, dubbed “honor’s ransomware” has been reported by security analyst GrujaRS to infect the computers of victims and then encrypt their documents, music, pictures plus other important files in order to hold them hostage until a ransom has been paid in BitCoin. The malware has also been reported to completely rename the encrypted files and then leave behind .honor extension plus instructions on how to get them back. So far, researchers have managed to establish that the code of this virus is based on the open-source virus, called “My Little Ransomware”, which was uploaded two years ago on GitHub.If your computer has been infected by the .honor files virus, we strongly suggest that you read the following article in order to learn more about this ransomware cryptovirus and how to remove it from your computer plus how to try and restore .honor encrypted files without paying cyber-crooks.

Threat Summary

Name.honor Ransomware
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on the infected computer, using a combination with RSA and AES encryption algorithms, which generates unique decryption keys and asymmetric key.
SymptomsFiles are renamed with symbols, letters and numbers and have the .honor file extension added in the end.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .honor Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .honor Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.honor Files Virus – Infection Methods

The primary method of propagation of this malware is conducted via e-mail spam messages. Such are often created with the aim to spread various different types of malicious e-mail attachments, which only pretend to be legitimate in order to get victims to open them. Such e-mails often have convincing statements within them, that aim to get victims to trust the message and open the attachment. Here is an example of how such e-mail may appear like:

In addition to via e-mail, the virus may also infect your computer via other methods, like upload a file on malicious websites.

.honor Files Virus – More Informaton

Once the .honor file extension ransomware has infected your computer, the virus may perform series of unwanted activities which end witht the malware encrypting the important files on victims’ computers. The .honor files virus may firstly connect to a remote command and control server and from it download it’s malicious payload files, which may reside in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

The primary malicious file which was detected in association with the Honor ransomware infection has been reported to have the following parameters in the site VirusTotal:

SHA-256: e3ba5cad3da4c50412cd2bc2cfaa5332cf2578a913b14d81cafc1465a12e301b
Name: honor’s malware.exe
Size: 15 KB

In addition to this, file encryption has been reported to perform various different types of activities on the computer of the victim. The malware may schedule system tasks to run automatically on system boot and may also modify the run and runonce sub-keys by adding value strings with the files it may run automatically on system startup, such as the .exe file, that has been reported to cause the encryption. The sub-keys have the following locations:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to modifying the Windows Registry sub-keys, the malware may also perform other activities on your computer, such as have your backups and shadow copies deleted via the vssadmin and bcedit commands. These may be ran automatically after the virus overrides Windows defenses and assumes administrative privileges. The commands are as follows and they may be ran via a script file:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

The deleted shadow copy files and backup types of files by the .honor ransomware may be of the following file types:

→ .VHD .bac .bak .wbcat .bkf ,backup, .set, .win .dsk

In addition to deleting the backups, the .honor files virus may also perform other unwanted activities, such as launch it’s encryption activities, which result in several other files which are then generated, like the AES keys and the unique identifier.

.honor Files Virus – Encryption Process

When this ransomware virus has been detected by malware researchers, it was reported to use the AES encryption algorithm, but in what mode and strenght, it is so far unclear. The cyper generates a unqiue assymetric decryption key, which is saved alongside a secret key which is most likely RSA encrypted and also a unique identifier. This information is likely to be sent to the cyber-crooks and it is summed up in four different types of files, named:

  • data recive
  • Secret.txt
  • secretAES.txt
  • sendBack.txt

The .honor files virus targets specific types of files for it’s encryption process, such as documents, audio and video files, pictures, archives and other types of files. The virus may target files with the following file extensions:


After the encryption is complete, the files are completely renamed with symbols, letters and numbers and have the .honor extension added as their suffix. They may appear like the image below displays:

Remove Honor Ransomware and Restore .honor Files

In order to fully remove this ransomware infection from your computer, recommendations are to focus on follow the removal instructions underneath this article. They have been created so that you can remove Honor ransomware either manually or automatically. If you lack the experience in malware removal, we strongly suggest that you focus on removing this infection automatically by downloading an advanced anti-malware software, as experts suggest. Such software will help you to automatically remove all malware, including .honor ransomware and ensure that your computer is protected against future infections as well.

If you want to restore files that have been encrypted by this ransomware virus, we would suggest that you focus on following the alternative methods for file recovery down below in step “2. Restore files encrypted by .honor Virus”. They have been created with no guarantee that you will be able to recover all of your encrypted files, but with their aid, you might be able to recover some of your data at least.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share