Remove YouGotHacked Ransomware and Restore .h3ll Encrypted Files

The .h3ll extension may be the first thing that users affected by YouGotHacked ransomware notice on their files. This dangerous malware encodes the first 64 bits of the user's files with a strong cipher. The malware is so sophisticated that it even encodes the decryption key and saves it in a .key file. Users have reported that, after scanning it in VirusTotal, the malware is not detected by any anti-malware software. Anyone infected should not pay the ransom money and should seek alternative methods to restore the data.

Short Description: The malware may perform various harmful activities on the user's PC. Its primary purpose is to encrypt files and ask for ransom money for their decryption.
Symptoms: The user may find that files cannot be opened and have the .h3ll file extension added to them.
Distribution Method: Unknown.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

YouGotHacked Ransomware – Distribution

Unlike other ransomware, YouGotHacked may be distributed in an unusual way. Malware researchers have reported seeing YouGotHacked infect a Windows computer running Google Chrome and up-to-date antivirus software, with no previous history of visiting suspicious web links. This is a good indicator that the ransomware may be distributed via malicious macros in Microsoft Office, PDF documents, or obfuscated malicious files embedded in a program downloaded online or delivered by a potentially unwanted program (PUP).

YouGotHacked Ransomware – How Does It Work

At first, the ransomware deploys a malicious temporary file in one of the following Windows folders:

  • %Temp% (most probable)
  • %AppData%
  • %Roaming%
  • %Windows%

The malicious temporary file has a numeric name, for example:

  • 420.tmp

Since users on security forums report finding no trace of their encrypted files in the sectors of their hard drives after scanning them with data recovery software, it is believed that YouGotHacked may also execute the vssadmin command with escalated privileges to delete shadow volume copies and other system backups:

→ vssadmin delete shadows /for={DrivePartition} [/oldest | /all | /shadow={Identification of the shadow copies}] [/quiet]
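The two behaviours described so far (a numeric-named .tmp file in a user-writable folder and a vssadmin shadow-copy deletion) can be hunted for in process-creation logs. The following is an added example, not code from the original article; the `time|parent image|command line` record format and the sample records are constructed for illustration.

```python
import re

# Constructed process-creation records: time|parent image|command line
SAMPLE_LOG = r"""
2016-01-12T10:01:02|C:\Users\a\AppData\Local\Temp\420.tmp|vssadmin.exe Delete Shadows /All /Quiet
2016-01-12T10:05:00|C:\Windows\System32\cmd.exe|vssadmin list shadows
2016-01-12T10:07:30|C:\Windows\System32\cmd.exe|"C:\Windows\System32\vssadmin.exe" delete shadows /for=C: /oldest
""".strip().splitlines()

# vssadmin, bare or path-qualified/quoted, followed by "delete shadows"
VSS_DELETE = re.compile(r'(?:^|[\\/"\s])vssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.I)
ALL_SWITCH = re.compile(r'(?:^|\s)/all\b', re.I)
# Numeric-named .tmp image under one of the folders the article lists
TMP_PARENT = re.compile(r'\\(?:temp|appdata|roaming|windows)\\(?:.*\\)?\d+\.tmp$', re.I)


def classify(record: str):
    """Return (timestamp, severity, reasons), or None when nothing matches."""
    timestamp, parent, cmdline = record.split("|", 2)
    reasons = []
    if VSS_DELETE.search(cmdline):
        reasons.append("vssadmin delete shadows")
        if ALL_SWITCH.search(cmdline):
            reasons.append("/all switch")
    if TMP_PARENT.search(parent.strip('"')):
        reasons.append("numeric .tmp parent")
    if not reasons:
        return None
    # A single indicator can be routine admin work; a combination rarely is.
    severity = "high" if len(reasons) > 1 else "medium"
    return timestamp, severity, reasons


def detect(records):
    """Classify every record and keep only the ones that matched a rule."""
    return [hit for hit in map(classify, records) if hit]


if __name__ == "__main__":
    for ts, sev, why in detect(SAMPLE_LOG):
        print(ts, sev, ", ".join(why))
```
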

After doing so, the ransomware may scan different partitions of your drive, for example “C:”, and encrypt all:

  • Documents.
  • Virtual Drives.
  • Images.
  • Audio files.
  • Video files.
  • Torrent files.
  • Other commonly used files.

Researchers who have analyzed malicious samples of the malware on Hardware BG Forums have concluded that the ransomware encodes the first 64 kilobytes of each file and appends the .h3ll extension to the encrypted files, for example:

  • New Text Document.txt.h3ll

The files cannot be opened after encryption, and what is worse, unlike other ransomware, this one encodes a larger portion of the files. Furthermore, the ransomware encodes in blocks of 16 bytes, and researchers believe that this may indicate that an AES encryption algorithm is being used.
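For triage, the reported "first 64 kilobytes" behaviour can be checked on an affected file by measuring where its high-entropy region ends. This is an added example, not code from the original article or from the researchers it cites; the 4 KiB window, the 7.5 bits/byte threshold and the sample data are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

WINDOW = 4096     # bytes per entropy sample (assumed)
THRESHOLD = 7.5   # bits/byte; assumed cut-off for "looks like ciphertext"


def entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def encrypted_prefix_len(data: bytes) -> int:
    """Length in bytes of the leading run of high-entropy windows."""
    offset = 0
    while offset < len(data):
        window = data[offset:offset + WINDOW]
        # A short final window cannot be scored reliably, so stop there.
        if len(window) < WINDOW or entropy(window) < THRESHOLD:
            break
        offset += WINDOW
    return offset


def triage(data: bytes) -> dict:
    """Summarise how much of a file looks encrypted and how much does not."""
    prefix = encrypted_prefix_len(data)
    # Caveat: already-compressed formats (JPEG, ZIP, MP4) are high-entropy
    # throughout, so this reading is only meaningful for uncompressed content.
    return {
        "size": len(data),
        "high_entropy_prefix": prefix,
        "plaintext_tail": len(data) - prefix,
        "aligned_to_16": prefix % 16 == 0,
    }


def constructed_sample() -> bytes:
    # Constructed input: SHA-256 counter output stands in for 64 KiB of
    # ciphertext, followed by an untouched plain-text tail.
    head = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
    tail = b"Quarterly report: revenue by region.\n" * 3000
    return head + tail


if __name__ == "__main__":
    print(triage(constructed_sample()))
```

A non-zero `plaintext_tail` on an uncompressed file means part of its content past the affected region is still readable and may be worth carving out.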

After encrypting the user’s files, YouGotHacked also drops the following files on the infected PC after which it may self-delete:


The SECRETISHIDINGHEREINSIDE.KEY file most likely contains the decryption key, and it is reported to be encoded in a 1024-bit base64 type of encryption. Interestingly enough, the ransomware only scans one drive partition, and it does not spread across networks.

This type of ransomware is believed to use either a strong encryption cipher or a very weak one. This is why users are advised NOT to pay the ransom money and to check the file restoration alternatives in the instructions after the article.

Remove YOUGOTHACKED Ransomware and Restore .h3ll Files

To remove this crypto-malware, we strongly recommend following the step-by-step removal instructions below. They will allow you to successfully revert any settings changed by the ransomware and remove all malicious files. However, if you want to decrypt your data, we strongly recommend following our security forum. We will post any solution there, if available. Meanwhile, you may want to try the alternative file restoration methods below.

1. Boot Your PC In Safe Mode to isolate and remove YouGotHacked
2. Remove YouGotHacked with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by YouGotHacked in the future
4. Restore files encrypted by YouGotHacked
Optional: Using Alternative Anti-Malware Tools
NOTE! Substantial notification about the YouGotHacked threat: Manual removal of YouGotHacked requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
