Ransomware : Horon (Recovering Encrypted Files)
Last week, a friend of a friend was really unlucky and got infected with the "HORON" ransomware; all his files were encrypted and held to ransom. He had asked his friend to help, but he only managed to clear the virus, not recover the files. He also tried sending it to the nearest computer store for help, but they couldn't help further either.
Lastly he sought help from his friend, and this friend so happens to know me. Well, at first they did not tell me it was ransomware; he told me it was some kind of virus only. So I was like, why is there no anti-virus installed in the first place?
It seems that he's not very familiar with computers; all he knows is using it.... Duh!...
After some study and checking on the ransomware, it was infected with "HORON", which encrypts all the files such as Word, Excel, PDF, JPG, BMP etc. It leaves behind a text file demanding a ransom, "_readme.txt", in each of the infected folders.
So I did some searching and study on the internet, and this ransomware is kinda old and a known infection; luckily someone took the effort to develop a tool to decrypt it ... bravo guys !!!
NOTE : I do not take credit for this, as the tools were not created by me; I just summarized the steps for recovering the files and removing the ransomware entirely.
1. On the infected computer, boot Windows into "Safe Mode". This can be done in two ways :
a) Boot the computer normally, then search for "msconfig", go to the "Boot" tab and enable the "Safe boot" option with the "Minimal" setting. Save and restart the computer.
b) During the POST screen (before the Windows loading screen), press the [F8] key repeatedly to invoke the boot selection. Select the "Start Windows in Safe Mode" option (the wording may not be exact depending on which Windows you are running).
2. Once booted up, open Control Panel --> Folder Options. Under the "View" tab, enable the "Show hidden files, folders and drives" option.
3. Now browse to --> the C:\Windows\System32\drivers\etc folder and look for a file named "hosts"; edit the file using "Notepad". Ensure there are no DNS entries in the file; if there are, just delete all entries and save the file.
An empty "hosts" file should look like this :
4. Next, ensure there are no programs started automatically: go to --> the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp folder and delete all applications in the folder, just to be sure.
5. Next, ensure there are no entries in the registry: open "regedit" and browse to the following entries :
a) HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run --> Remove all entries just to be certain, or if you know that those are drivers loading then leave those entries as they are and only remove entries that are suspicious or in doubt.
b) HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run --> Do the same as above.
c) Then search for the "%temp%" folder and remove all entries there as well.
6. Once done, you can open "msconfig" back up and disable the "Safe Boot" option, or if you pressed the [F8] key then just restart the computer normally.
7. On a good/clean computer, download the following tools from the links below (note that some anti-virus may report these tools as viruses and may block them from downloading, so you may need to temporarily disable your anti-virus program before doing so).
a) Download FileLocator Lite (aka AgentRansack), link here. This is an exe file; download and install it on the infected computer.
b) Download the latest version of "STOPDecrypter" here. This is a zip file; download and extract it on the infected computer.
8. Once both tools are copied/installed on the infected computer, run the "STOPDecrypter" tool (run as admin) and select "Yes" when prompted to continue.
9. Next, select the infected folder by clicking on the "Select Directory" button; note that the tool also works with sub-folders, so only select the root folder. But beware that selecting the entire root folder will result in slow response of the computer.
Once the folder is selected, click on the "Decrypt" button to start the process; this may take some time depending on the file sizes and the quantity of files. Some file types take longer to decrypt, such as .MP4 or video files.
As such it is important to decrypt only data files and not programs like .apk or .dbf or similar.
10. As the process only decrypts the files, the existing *.HORON files are still intact, so if the decryption is successful you need to manually delete those files to avoid your HDD space running out. Use the "FileLocator Lite" tool to do this in a more easy and convenient way.
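Before deleting anything in steps 3 to 5, it helps to see everything those locations contain in one list. The script below is an added example, not part of the original post: it is a read-only audit of the hosts file, the StartUp folder, the two Run keys and %temp%, and it flags entries that point into user-writable paths (AppData, Temp, ProgramData, a user profile). It removes nothing, so each entry can be judged before you decide whether it is a legitimate driver or something to remove. The per-user Startup folder and the list of "executable" extensions are my additions and not mentioned in the post.

```powershell
# Added example, not part of the original post: a read-only audit of the
# locations steps 3 to 5 tell you to inspect (hosts file, StartUp folder, the
# two Run keys, %temp%). It reports and deletes nothing, so every entry can be
# reviewed before you decide what to remove. Run from an elevated PowerShell
# prompt on the infected machine while it is in Safe Mode.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Location, [string]$Entry) {
    $findings.Add([pscustomobject]@{ Location = $Location; Entry = $Entry })
}

# Step 3: every non-comment, non-blank line in hosts is a live name override.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue) {
    $trimmed = $line.Trim()
    if ($trimmed -and -not $trimmed.StartsWith('#')) { Add-Finding 'hosts' $trimmed }
}

# Step 4: the all-users StartUp folder from the post, plus the per-user one (assumption: worth checking too).
$startupDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'),
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup')
)
foreach ($dir in $startupDirs) {
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue) {
        Add-Finding 'StartUp' $f.FullName
    }
}

# Step 5a/5b: values under the HKLM and HKCU Run keys.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata PowerShell attaches to every registry item.
        if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        Add-Finding $key "$($p.Name) = $($p.Value)"
    }
}

# Step 5c: executable or script content sitting in %temp%.
$scriptTypes = '.exe', '.dll', '.bat', '.cmd', '.vbs', '.js', '.ps1'
foreach ($f in Get-ChildItem -LiteralPath $env:TEMP -Recurse -File -Force -ErrorAction SilentlyContinue) {
    if ($scriptTypes -contains $f.Extension.ToLower()) { Add-Finding '%temp%' $f.FullName }
}

# Flag entries that point into user-writable paths; legitimate drivers and
# vendor software usually live under Program Files or System32 instead.
$userWritable = '(?i)\\(AppData|Temp|ProgramData|Users\\[^\\]+)\\'
$findings |
    Select-Object Location, Entry, @{ Name = 'Flag'; Expression = { if ($_.Entry -match $userWritable) { 'CHECK' } else { '' } } } |
    Format-Table -AutoSize -Wrap
```

Run it once before cleaning and once after leaving Safe Mode; a second run that still shows a CHECK entry in a Run key or %temp% tells you something survived the manual cleanup.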
a) Click --> "Folder" icon (next to "Look in" field).
b) Type --> *.horon (in "File name" field).
c) Click --> Start button.
Example screenshot of the tool below :
Once the search is completed, just select all the files and press the [DELETE] key; next, empty the "Recycle Bin" once you have confirmed all data files are decrypted successfully.
NOTE : Be careful when doing this step; if you wrongly select the folder you may accidentally delete files that are yet to be decrypted.
11. Once all the files have been decrypted, you may want to transfer them (Copy & Paste) to an external HDD or flash drive. Then you may want to reformat & reinstall the computer, just to be sure; this step is of course optional but highly recommended.
Hope this will help others, and do yourself a favour and install at least some kind of anti-virus like Microsoft Defender or better.
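The NOTE under step 10 is the risky part of the whole procedure: a search for *.horon followed by select-all and [DELETE] also removes encrypted files that have not been decrypted yet. The script below is an added example, not part of the original post and not a STOPDecrypter feature: it only removes a *.horon file when a non-empty decrypted counterpart is already sitting next to it. It assumes the decrypted copy keeps the original name with the ".horon" suffix stripped (so "report.docx.horon" becomes "report.docx"); the script name Remove-HoronLeftovers.ps1 is just a suggested file name. It is a dry run unless -Delete is given.

```powershell
# Added example, not part of the original post: remove a *.horon file only when
# its decrypted counterpart already exists and is non-empty, so files
# STOPDecrypter has not processed yet are never deleted (the risk the NOTE under
# step 10 warns about). Assumption: the decrypted copy is written next to the
# encrypted file under the original name, i.e. "report.docx.horon" -> "report.docx".
# Dry run by default: it only reports. Pass -Delete to remove the files.
#
# Usage:  .\Remove-HoronLeftovers.ps1 -Root 'D:\Data'           (report only)
#         .\Remove-HoronLeftovers.ps1 -Root 'D:\Data' -Delete   (remove)

param(
    [Parameter(Mandatory = $true)]
    [string]$Root,
    [switch]$Delete
)

# A hashtable so the counters can be updated from inside the pipeline block.
$stats = @{ Removed = 0; Kept = 0 }

Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.horon' -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.horon' } |
    ForEach-Object {
        $encrypted = $_
        # Original name = encrypted name with the trailing ".horon" stripped.
        $originalName = $encrypted.Name -replace '\.horon$', ''
        $originalPath = Join-Path $encrypted.DirectoryName $originalName
        $original     = Get-Item -LiteralPath $originalPath -ErrorAction SilentlyContinue

        if ($null -eq $original -or $original.Length -eq 0) {
            # No decrypted copy (or an empty one): keep the encrypted file for another attempt.
            Write-Host "KEEP    $($encrypted.FullName)  (no decrypted copy found)"
            $stats.Kept++
            return
        }

        if ($Delete) {
            Remove-Item -LiteralPath $encrypted.FullName -Force
            Write-Host "REMOVED $($encrypted.FullName)"
        } else {
            Write-Host "WOULD REMOVE $($encrypted.FullName)  (decrypted copy: $originalName, $($original.Length) bytes)"
        }
        $stats.Removed++
    }

$mode = if ($Delete) { 'deleted' } else { 'would delete' }
Write-Host ""
Write-Host "Summary: $mode $($stats.Removed) encrypted file(s); kept $($stats.Kept) still awaiting decryption."
```

Run it without -Delete first and read the KEEP lines: they are exactly the files you would have lost with a blanket select-all, and they tell you which folders still need another STOPDecrypter pass before cleanup.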
!!! HAPPY COMPUTING !!!