Remove Hese Virus (.hese File) - Ransomware Instructions

Remove Hese Virus (.hese File) – Ransomware Instructions

Update September 2019.
What is Hese virus? This article presents a step-by-step guide on how to remove Hese ransomware virus and how to attempt to recover .hese encrypted files.

Hese virus is a ransomware infection that is based on the code of the infamous STOP ransomware. When started on your computer Hese disrupts system security and encodes personal files. Encrypted files could be recognized by the extension .hese appended by the ransomware. At the end of the attack, Hese virus creates a ransom message that urges you to pay a ransom for the .hese files decryption. This message could be found in the _readnme.txt file which is typically placed on the desktop.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionA version of the STOP/DJVU ransomware that is designed to encrypt valuable files stored on infected computers and then extort a ransom from victims.
SymptomsImportant files are encrypted and renamed with the extension .hese
A ransom message forces victims to contact hackers in order to receive instructions on how to pay a ransom.
Distribution MethodSpam Emails; Email Attachments; Corrupted Websites; Software Installers
Detection Tool See If Your System Has Been Affected by Hese


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Hese.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Hese Virus (STOP Ransomware) – Update September 2019

As reported by Michael Gillespie, the operators of STOP ransomware have altered its code in newer versions. These changes make the way the researcher decrypted files impossible, starting with .coharos, .gero, and .hese. Apparently, the cybercriminals started to utilize proper asymmetrical encryption, meaning the offline keys will no longer be valid for decryption after this release of the final keys Gillespie extracted.

The researcher is now working towards closing this decrypter, and continuing work on a new decrypter that will work only for the old versions of STOP (up to .carote), but with some caution. The new decrypter will completely replace STOPDecrypter once it’s released, and will work in a different way, the researcher said.

The first version of STOPDecrypter is designed to support specific offline IDs, so it may not be effective for all occasions of the various iterations of the ransomware.

Hese Virus (STOP Ransomware) – More About the Infection

Security researchers reported that the Hese virus is based on the code of one of the most popular ransomware families dubbed

STOP. The spread of Hese ransomware is happening with the help of spam emails, email attachments, hacked web pages, and corrupted freeware installers.

Since malspam (emails that deliver malicious code) enables hackers to spread their ransomware on a large scale, they usually rely on it for their distribution campaigns. Attackers usually embed the malicious code in files of well-known types and then attach these files to email messages. The emails usually state that the attached files are:

  • Invoices coming from reputable sites, like PayPal, eBay, etc.
  • Documents from that appear to be sent from your bank.
  • An online order confirmation note.
  • Receipt for a purchase.
  • Others.

Once activated on your system Hese virus creates a bunch of malicious files and places them in folders like %AppData% and %LocalAppData%. With the help of newly created malicious files the ransomware corrupts essential system settings and becomes able to encrypt target files.

For the encryption of target files Hese virus launches a built-in cipher module that is designed to scan selected folders for predefined types of files. Every time the module detects a target file, it utilizes a sophisticated cipher algorithm to transform its code. Unfortunately, the threat is likely to corrupt all files which store valuable information. Hence, encrypted may be:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

Following encryption files cannot be opened. In addition, they have the extension .hese at the end of their names. In fact, the main goal of this ransomware is to blackmail you into paying a ransom to hackers. That’s why Hese drops a ransom message with instructions on how to complete the ransom payment process.

You should NOT under any circumstances pay any ransom sum to cybercriminals. This action does not guarantee the recovery of your .hese files.

How to Remove Hese Virus

The so-called Hese virus is a threat with a highly complex code that disrupts system security in order to encrypt personal files. Hence the infected system could be used in a secure manner again only after the complete removal of all malicious files and objects created by Hese ransomware. That’s why it is recommendable that all steps presented in the Hese virus removal guide below are completed. Beware that the manual ransomware removal is suitable for more experienced computer users. If you don’t feel comfortable with the manual steps navigate to the automatic part of the guide.

How to Recover .hese Files

There are several alternative methods that may be efficient for the recovery of .hese files. You could find them listed under Step 5 from our Hese ransomware removal guide. Beware that you should make copies of all encrypted files and save them on a flash drive for example. This additional step will prevent the permanent loss of encrypted .hese files.

Ransomware Removal Instructions


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share