Remove HadesLocker Virus and Restore ~HL Files - How to, Technology and PC Security Forum |

Remove HadesLocker Virus and Restore ~HL Files


HadesLocker is the name of a recently found ransomware cryptovirus which gives you a week to pay one Bitcoin. If you do not meet this criterion the price for decryption will be two Bitcoins. The malware researcher Michael Gillespie reported about this ransomware. The extension put to encrypted files is “~HL” and a random symbol after it. The ransom note which shows after encryption is inside a file called “README_RECOVER_FILES_[ID].txt”. To see how to remove this cryptovirus and how you can try to restore your data, read the article carefully to its end.

UPDATE! With the help of a ProofPoint security researcher it has been found that this cryptovirus is a variant of the WildFire Locker ransomware.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe ransomware will encrypt your files and demand a ransom.
SymptomsThe ransomware will ask for 1 Bitcoin as payment for decryption. It will lock files with the .~HL extension with a random symbol after it (for example .~HL5)
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by HadesLocker


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss HadesLocker.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

HadesLocker Virus – Distribution Tactics

The HadesLocker ransomware could infect computers via different distribution tactics. One of them is probably spam e-mails that are spreading the payload file of this virus. These types of e-mails are engineered in such a way to try and trick unsuspecting users that the message contents are of huge importance or they are too long to be conveyed in the body of the letter. That is why they urge for a file attachment to be opened as a result. The fact is that if you fall for those lies and open the attached file, your computer will be infected with the malware that was waiting in the file, and in this case – the payload for the ransomware.

It gets harder for people to differentiate a fake e-mail from a legitimate one when the attached file looks like a document and all names will be normal and not look suspicious.

The other method, which is similar to the previously mentioned one, is to use social media and other services. On file-sharing websites and social media networks, the same payload file could be uploaded and hidden in an archive file. The archive will prevent most embedded antivirus software from detecting it on such websites. Do not open files and links with an unknown origin. Scan files beforehand with a security program and check their signatures and size. You should read some ransomware prevention tips in our forum thread.

HadesLocker Virus – Technical Analysis

The HadesLocker cryptovirus has been seen and reported by the malware researcher Michael Gillespie. A PrrofPoint researcher had discovered a malware sample, from which it was deducted that this virus is a variant of the WildFire Locker ransomware. When the virus drops its payload file, it also puts the following files in your system:

  • %UserProfile%\AppData\Local\Temp\RarSFX0\
  • %UserProfile%\AppData\Local\Temp\RarSFX0\Ronms.exe
  • %UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ronms.lnk
  • %UserProfile%\AppData\Roaming\wow6232node\
  • %UserProfile%\AppData\Roaming\wow6232node\Bamvenagxe.xml
  • %UserProfile%\AppData\Roaming\wow6232node\Ronms.exe

Afterward, it makes entries in the Windows Registry to remain persistent. Those entries are set in a way to make HadesLocker launch automatically with each boot of the Windows operating system. Here are those entries:

→HKCU\Software\Wow6232Node\hwid [Your ID number]

→HKCU\Software\Wow6232Node\status 1

The virus will encrypt your files and load a document with instructions for payment. This note is inside 3 identical files called README_RECOVER_FILES_ with the formats .txt, .png .html and some hexadecimal symbols appended after the name, which varies from victim to victim.

A screenshot of the README_RECOVER_FILES_ file is shown below:


The instructions inside the file read the following:


All your documents, photos, databases and other important files have been encrypted!

In order to decrypt your files you will have to buy the decryption password belonging to your files

There are 2 options to solve this problem
1. Format your hard disk and loose all your files for ever!
2. Pay to buy your decryption key. With this decryption key you
can decrypt your files and use them again like before.

To buy the decryption password you will have to visit our website. Pick a website below

If these websites dont work you can visit our website on the TOR network follow the steps below to visit our TOR website.
1. Download and install the TOR browser:
2. After installation run the TOR browser and wait for initialization
3. Inside the TOR browser (just like a normal browser) navigate to n7457xrhg5kibr2c.onion/

HWID (personal identification ID):

!! you have until Wednesday 12 october 2016 to buy the decryption key or the price will double !!

If you follow the instructions and visit the http://n7457xrhg5kibr2c.onion/entry.php web address you will be shown the following page:


You will be asked for your specific ID number to enter the site. After you do that, you will finally be given more information about the ransom demands:


From there you can see that the HadesLocker ransomware wants you to pay one Bitcoin for decrypting your files within a seven day time-frame. If you do not take any action the price doubles. You will be asked to send the payment to a direct Bitcoin address generated at the bottom of that online page. We see that the TOR network is used for this page to be displayed as many other ransomware viruses do. That makes it next to impossible to find the location of the cyber crooks. Do NOT think of paying the cybercriminals as nobody can guarantee that you will get your files back. The money will be used to fund this criminal act as well as other ones.

Here is the list with file types, which the HadesLocker ransomware searches to encrypt:


Extensions List Source: BleepingComputer

The encrypted files will have the extension .~HL appended to them and a symbol right after it. Files found in the following paths and folders will not get encrypted:

  • Windows
  • Program files
  • Program files (x86)
  • System volume information
  • $recycle.bin

The HadesLocker ransomware will execute this command to prevent people from recovering files with their Shadow Volume Copies of the Windows operating system:

→WMIC.exe shadowcopy delete /nointeractive

Continue to read and see how you can remove the virus and try to restore your files.

Remove HadesLocker Virus and Restore .~HL Files

If your computer got infected with the HadesLocker ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by HadesLocker.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share