Jul 1, 2019

Ransomware : HORON (Recovering Encrypted Files)

Last week, a friend of a friend was very unlucky and got infected with the "HORON" ransomware; all of his files were encrypted and held for ransom. He asked his friend to assist, but that friend only managed to remove the virus, not recover the files. He also tried taking the computer to the nearest computer shop for help, but they could not assist further either.

Finally he sought help from his friend, and that friend happens to know me. At first they did not tell me it was ransomware, only "some kind of virus", so my first question was why there was no anti-virus installed in the first place.

It turns out he is not very familiar with computer terminology; all he knows is how to use it.... Duh!...

After some study and checking of the ransomware, the infection turned out to be "HORON", which encrypts data files such as Word, Excel, PDF, JPG, BMP etc. It leaves behind a text file demanding a ransom, "_readme.txt", in each infected folder.

So I did some searching and studying on the internet: this ransomware is fairly old and a known infection, and luckily someone took the effort to develop a tool to decrypt it... bravo guys!!!

NOTE : I do not take credit for this, as the tools were not created by me; I just summarized the steps for recovering the files and removing the ransomware entirely.


1. On the infected computer, boot Windows into "Safe Mode". This can be done in 2 ways :

     a) Boot the computer normally, then search for "msconfig", go to the "Boot" tab and enable the "Safe boot" option with the "Minimal" setting. Save and restart the computer.

     b) During the POST screen (before the Windows loading screen), press the [F8] key repeatedly to invoke the boot selection menu. Select the "Start Windows in Safe Mode" option (the wording may differ depending on which Windows version you are running).

2. Once booted up, open Control Panel --> Folder Options. Under the "View" tab, enable the "Show hidden files, folders and drives" option.

3. Now browse to the C:\Windows\System32\drivers\etc folder and look for a file named "hosts"; edit it using "Notepad". Ensure there are no hostname-to-IP (DNS override) entries in the file; if any exist, delete all of them and save the file.

Example of an empty "hosts" file (screenshot not reproduced here): a clean hosts file contains only comment lines starting with "#" and no active entries.

4. Next, ensure no program is started automatically: go to the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp folder and delete all applications in the folder, just to be sure.

5. Next, ensure there are no suspicious entries in the registry: open "regedit" and browse to the following keys :

     a) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run --> Remove all entries just to be sure, or, if you know an entry is a legitimate driver loading, leave it as is; only remove entries that are suspicious or in doubt.

     b) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run --> Do the same as above.

     c) Then open the "%temp%" folder (type %temp% in the Start menu search or the Explorer address bar) and delete all its contents as well.

6. Once done, open "msconfig" again and disable the "Safe boot" option; or, if you used the [F8] key, simply restart the computer normally.
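Steps 3 to 5 are quicker and less error-prone if you first list everything in those locations and then decide what to remove. The PowerShell script below is an added example written for this post, not part of the original or of any tool it links to; it enumerates the hosts file entries, the all-users StartUp folder, both Run keys and executable files in %temp%, and writes the result to a CSV on the Desktop for review. Run it from an elevated PowerShell prompt while still in Safe Mode, before step 6. The paths are the standard Windows locations named in the steps above; the report file name is my own choice.

```powershell
# Added example (not from the original post): enumerate the persistence
# locations named in steps 3-5 so each entry can be reviewed before deletion.
# Run in an elevated PowerShell prompt while still in Safe Mode.

$report = New-Object System.Collections.Generic.List[object]

# Step 3: hosts file. A clean hosts file contains only '#' comment lines,
# so any non-blank, non-comment line is an override worth reviewing.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsPath |
    Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') } |
    ForEach-Object {
        $report.Add([pscustomobject]@{ Location = 'hosts'; Item = $_; Detail = $hostsPath })
    }

# Step 4: all-users StartUp folder (anything here runs at every logon).
$startup = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    $report.Add([pscustomobject]@{ Location = 'StartUp folder'; Item = $_.Name; Detail = $_.FullName })
}

# Steps 5a/5b: machine-wide and per-user Run keys. Each value is a command line
# executed at logon; the value name is what you would remove in regedit.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        $report.Add([pscustomobject]@{ Location = $key; Item = $p.Name; Detail = $p.Value })
    }
    # To remove a reviewed entry later: Remove-ItemProperty -Path $key -Name '<value name>'
}

# Step 5c: executables and scripts in %temp%, newest first. Unsigned binaries
# dropped recently are the ones to look at first.
Get-ChildItem -Path $env:TEMP -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.bat', '.cmd', '.vbs', '.ps1', '.js' } |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object {
        $sig = 'n/a'
        if ($_.Extension -in '.exe', '.dll') {
            $sig = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
        $report.Add([pscustomobject]@{
            Location = '%temp%'
            Item     = $_.Name
            Detail   = "modified=$($_.LastWriteTime) signature=$sig"
        })
    }

# Show the review list on screen and keep a copy for later reference.
$report | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path (Join-Path $env:USERPROFILE 'Desktop\persistence-review.csv') -NoTypeInformation
```

The script deliberately removes nothing: keeping the listing step separate from the deletion step lets you compare the Run key entries against known drivers and applications first, which is exactly the judgement call step 5a asks for.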


7. On a good/clean computer, download the following tools from the links below (note that some anti-virus products may report these tools as viruses and block the download, so you may need to temporarily disable your anti-virus program before doing so).

     a) Download FileLocator Lite (aka Agent Ransack), link here. This is an exe file; download it and install it on the infected computer.

     b) Download the latest version of "STOPDecrypter" here. This is a zip file; download it and extract it on the infected computer.

8. Once both tools are copied/installed on the infected computer, run the "STOPDecrypter" tool (run as administrator) and select "Yes" when prompted to continue.


9. Next, select the infected folder by clicking the "Select Directory" button. Note that the tool also processes sub-folders, so you only need to select the root folder. Be aware, though, that selecting an entire drive root will make the computer slow to respond.


Once the folder is selected, click the "Decrypt" button to start the process. This may take some time depending on the size and number of files; some file types take longer to decrypt, such as .MP4 or other video files.

For this reason it is important to decrypt only data files and not programs or similar files like .apk or .dbf.

10. Since the process only decrypts the files, the existing *.HORON files are still in place. If the decryption is successful, you need to delete them manually to avoid running out of HDD space. Use the "FileLocator Lite" tool to do this in an easier and more convenient way :

     a) Click --> the "Folder" icon (next to the "Look in" field).
     b) Type --> *.horon (in the "File name" field).
     c) Click --> the Start button.

Example screenshot of the tool (image not reproduced here).

Once the search has completed, simply select all the files and press the [DELETE] key. Next, empty the "Recycle Bin" once you have confirmed that all data files were decrypted successfully.

NOTE : Be careful with this step; if you select the wrong folder you may accidentally delete files that have not yet been decrypted.
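The risk in the note above can be removed entirely by checking, for each encrypted file, that its decrypted counterpart already exists before deleting anything. The script below is an added example written for this post; it is not part of STOPDecrypter or FileLocator Lite. It relies only on what the search pattern *.horon in step 10 shows, namely that the ransomware appends ".horon" to the original file name (report.docx becomes report.docx.horon). The default folder D:\Recovered is an assumption; pass your own with -Root. Without -Delete the script only reports what it would remove.

```powershell
# Added example (not from the original post, STOPDecrypter or FileLocator Lite):
# delete a *.horon copy only when its decrypted counterpart exists and is
# non-empty, so files that were never decrypted are kept for a later attempt.
# Save as Remove-HoronCopies.ps1 and run:
#   .\Remove-HoronCopies.ps1 -Root 'D:\Recovered'          # report only
#   .\Remove-HoronCopies.ps1 -Root 'D:\Recovered' -Delete  # actually delete
param(
    [string]$Root = 'D:\Recovered',   # assumed location of the decrypted data
    [switch]$Delete                   # without -Delete, only show what would be removed
)

$suffix    = '.horon'
$removable = New-Object System.Collections.Generic.List[object]
$kept      = New-Object System.Collections.Generic.List[object]

foreach ($enc in Get-ChildItem -Path $Root -Recurse -File -Filter "*$suffix" -ErrorAction SilentlyContinue) {
    # Strip the trailing '.horon' to get the name the decrypted file should have.
    $originalPath = $enc.FullName.Substring(0, $enc.FullName.Length - $suffix.Length)
    $decrypted    = Get-Item -LiteralPath $originalPath -ErrorAction SilentlyContinue

    if ($decrypted -and $decrypted.Length -gt 0) {
        $removable.Add($enc)
    } else {
        # No decrypted copy yet (or an empty one): keep the encrypted file.
        $kept.Add($enc)
    }
}

"{0} encrypted files have a decrypted counterpart; {1} do not and will be kept." -f $removable.Count, $kept.Count

# Record the files that still need decrypting so they can be retried in STOPDecrypter.
$kept | Select-Object -ExpandProperty FullName |
    Out-File -FilePath (Join-Path $Root 'not-yet-decrypted.txt')

# Remove-Item deletes permanently (no Recycle Bin). -WhatIf is on unless -Delete
# was given, so a dry run shows each file that would be removed.
$removable | Remove-Item -WhatIf:(-not $Delete)
```

Because Remove-Item bypasses the Recycle Bin, the emptying step above is not needed when you use this script; the trade-off is that the dry run (without -Delete) is your only chance to review the list, so read its output before running again with -Delete. The list in not-yet-decrypted.txt tells you which files to point STOPDecrypter at for a second pass.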

11. Once all the files have been decrypted, you may want to transfer them (Copy & Paste) to an external HDD or flash drive. Then you may want to reformat and reinstall the computer, just to be sure; this step is of course optional but highly recommended.

Hope this helps others. Do yourself a favour and install at least some kind of anti-virus, like Microsoft Defender or better.

!!! HAPPY COMPUTING !!!

2 comments:

  1. Thank you for sharing this useful knowledge with us. To learn more about ransomware and protection you can read this post: Protect your PC from Ransomware
    You can also download AVG free software for PC or the mobile version from the freeseoguide site: AVG Antivirus free

  2. Nice blog. Thanks for sharing an informative blog on ransomware. If someone is looking for a ransomware data recovery tool then you should definitely have a look here. Fast Data Recovery has the right tools, state-of-the-art equipment and the best industry knowledge for guaranteed ransomware recovery, ransomware removal, and ransomware prevention.
