A ransomware infection dubbed HappyLocker has been spotted in the wild. The code of the threat is based on the samples of hidden-tear, an open source code. The ransomware uses the extension .happy upon encryption. It demands a ransom of 0.1 BTC. The news about this new threat has first been reported by Jack, a Security Research Analyst.
The article provides the most important information about HappyLocker ransomware features. If you are a victim of the threat, keep reading to the very end of the article where we provide a removal guide and decryption tips.
Name |
HappyLocker Ransomware |
File Extensions |
.happy |
Ransom |
0.1 BTC |
Solution #1 |
Use an advanced anti-malware tool to remove HappyLocker ransomware. |
Solution #2 |
HappyLocker Ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below. |
Distribution |
Fake Bitcoin faucets, spam email campaigns, exploit kits and malicious URLs. |
Features of The Threat
The HappyLocker ransomware is based on the code of HidenTear ransomware family. Hidden Tear ransomware samples were created for educational purposes, however it does not take a long until the first malicious ransomware variants based on its source code have appeared. Other ransomware variants based on the source code that is published online are MasterBuster, CerberTear, Pokemon Go .exe and HollyCrypt.
HappyLocker cryptovirus may hide its payloads in some major Windows folders like:
- %AppData%
- %Roaming%
- %Temp%
- %User’s Profile%
- %System32%
The malicious files of HappyLocker ransomware might replace or modify critical system files. Furthermore, some Windows Registry keys are probably changed by the ransomware. Such modifications are usually performed with the purpose of automatic start of the malicious HappyLocker’s files whenever the OS is launched.
The core of Happy Locker ransomware is the encryption function. Upon establishing and running its malicious files on the computer, it performs a scan of all drives. HappyLocker ransomware targets particular file types that it encrypts with strong (AES) encoding encipher. The target list may include images, documents, audio and video files, databases and other commonly used file types. At the end of the encryption, it appends the suffix .happy to the file name as an indicator that the file is encrypted.
After the encryption process, the ransomware drops two files on the victim’s desktop. A text document named “READDDDDDD.txt” and an image – “READ.jpg”. Both files prompt victims to enter the “Happy Decryptor Page” website. The page presents special Happy Decryptor software which allows victims to decrypt and return control to all encrypted files. The HappyLocker payment service resembles the one used by Locky ransomware creators.
Victims are asked to send 0.1 BTC to cyber criminals’ Bitcoin address. However, most of the ransomware viruses based on Hidden Tear source code are successfully decrypted. So after the removal of the threat, all victims of HappyLocker may try to restore the data using the Hidden Tear decryptor. Even if this approach doesn’t restore the data our advise is not to fund the malicious actions of the attackers and patiently wait until a decryption solution is developed.
The image file “READ.jpg” might be displayed automatically on the desktop. It depicts a text that reads as follow:
“IMPORTANT INFORMATION!!!!
All your files are encrypted with HAPPY Ciphers
To Decrypt:
– Open This Page : http://ysasite.com/happy
– Follow All Steps “
HappyLocker Ransomware Distribution
As announced HappyLocker ransomware might land on the system through fake Bitcoin faucet. Bitcoin faucets are reward systems in the form of websites or apps. By completing a captcha or task as described by the website/the app users are given away satoshi prizes. Actually, a Bitcoin faucet bot called “InstantSatoshi BOT” is reported to drop the malicious payloads of HappyLocker ransomware virus on the computer.
It might also be hidden in an email attachment that contains the malicious files in it. Another distribution way may be a link included in the body of the message or hidden in an ad. The link may land on a compromised website where a drive-by download of the malicious files may happen.
HappyLock Ransomware Removal
If you are a victim of HappyLocker ransomware, the very first step you should take is removal of all malicious files from the computer. As it could be a massive task, we recommend you to use the help of an anti-malware tool for the best results. Besides removing HappyLocker ransomware, it will keep you away from other malware in future.
As regarding the decryption, we could advise you to create backup copies of the encrypted data. Keep them and try to recover some files with the help of HiddenTear Decryptor. The backup step is of paramount importance as if something goes wrong during the decryption attempts the data may become completely damaged and irrecoverable.
HappyLocker Ransomware Removal
STEP I: Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently.
-
1) Hit WIN Key + R
- 2) A Run window will appear. In it, write “msconfig” and then press Enter
3) A Configuration box shall appear. In it Choose the tab named “Boot”
4) Mark “Safe Boot” option and then go to “Network” under it to tick it too
5) Apply -> OK
Or check our video guide – “How to start PC in Safe Mode with Networking”
STEP II: Show Hidden Files
-
1) Open My Computer/This PC
2) Windows 7
-
– Click on “Organize” button
– Select “Folder and search options”
– Select the “View” tab
– Go under “Hidden files and folders” and mark “Show hidden files and folders” option
3) Windows 8/ 10
-
– Open “View” tab
– Mark “Hidden items” option
4) Click “Apply” and then “OK” button
STEP III: Enter Windows Task Manager and Stop Malicious Processes
-
1) Hit the following key combination: CTRL+SHIFT+ESC
2) Get over to “Processes”
3) When you find suspicious process right click on it and select “Open File Location”
4) Go back to Task Manager and end the malicious process. Right click on it again and choose “End Process”
5) Next you should go folder where the malicious file is located and delete it
STEP IV: Remove Completely HappyLocker Ransomware Using SpyHunter Anti-Malware Tool
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
STEP V: Repair Windows Registry
-
1) Again type simultaneously the Windows Button + R key combination
2) In the box, write “regedit”(without the inverted commas) and hit Enter
3) Type the CTRL+F and then write the malicious name in the search type field to locate the malicious executable
4) In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys
Further help for Windows Registry repair
STEP VI: Recover Encrypted Files
-
1) Use present backups
2) Restore your personal files using File History
-
– Hit WIN Key
– Type “restore your files” in the search box
– Select “Restore your files with File History”
– Choose a folder or type the name of the file in the search bar
- – Hit the “Restore” button
3) Using System Restore Point
-
– Hit WIN Key
– Select “Open System Restore” and follow the steps
STEP VII: Preventive Security Measures
-
1) Enable and properly configure your Firewall.
2) Install and maintain reliable anti-malware software.
3) Secure your web browser.
4) Check regularly for available software updates and apply them.
5) Disable macros in Office documents.
6) Use strong passwords.
7) Don’t open attachments or click on links unless you’re certain they’re safe.
8) Backup regularly your data.