Ransom.HadesLocker is a Trojan horse that encrypts files on the compromised computer and asks the user to pay in order to decrypt them. 

Payloads

When the Trojan is executed, it drops the following ransom note files into every folder in which it encrypts files:

  • [PATH OF ENCRYPTED FILES]\README_RECOVER_FILES_DF635A8069D44D81.html
  • [PATH OF ENCRYPTED FILES]\README_RECOVER_FILES_DF635A8069D44D81.png
  • [PATH OF ENCRYPTED FILES]\README_RECOVER_FILES_DF635A8069D44D81.txt

Next, the Trojan encrypts files with the following extensions on the compromised computer:

  • .ai
  • .al
  • .asm
  • .asp
  • .bak
  • .bay
  • .c
  • .cer
  • .CPI
  • .cpp
  • .crt
  • .cs
  • .csv
  • .db
  • .doc
  • .dot
  • .dtd
  • .eps
  • .h
  • .hbk
  • .htm
  • .html
  • .java
  • .jpg
  • .key
  • .lua
  • .m
  • .msg
  • .OBJ
  • .pas
  • .pdb
  • .pdf
  • .pem
  • .php
  • .pl
  • .png
  • .ppt
  • .ps
  • .py
  • .rar
  • .rtf
  • .sql
  • .sqlite
  • .STC
  • .STD
  • .stx
  • .tex
  • .txt
  • .wav
  • .wb2
  • .wpd
  • .xls
  • .xml
  • .zip

The Trojan then appends the following string to the names of the files it has encrypted:

  • ~HLKI56J
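The three ransom note filenames and the appended string above are the host-based indicators a responder would sweep a file share or workstation for. The script below is an added example (not part of the original page, and not the Trojan's own code) that walks a directory tree, flags ransom notes and renamed files, lists the folders touched, and tallies which original extensions were hit. It matches the appended string as a plain filename suffix, so it works whether or not the sample separates it from the original name with a dot; the sample directory tree it builds is constructed test data, not real malware output.

```python
import os
import tempfile
from pathlib import Path

# Indicators as listed on the page above.
NOTE_STEM = "README_RECOVER_FILES_DF635A8069D44D81"
NOTE_NAMES = {f"{NOTE_STEM}.{ext}" for ext in ("html", "png", "txt")}
ENCRYPTED_SUFFIX = "~HLKI56J"


def classify(path):
    """Return 'ransom_note', 'encrypted_file', or None for a single path (str or Path)."""
    name = Path(path).name
    if name in NOTE_NAMES:
        return "ransom_note"
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted_file"
    return None


def original_extension(name):
    """Strip the appended marker and return the original file extension, lower-cased."""
    base = name[: -len(ENCRYPTED_SUFFIX)]
    return Path(base).suffix.lower()


def scan(root):
    """Walk `root` and collect HadesLocker artifacts.

    Returns a dict with the ransom note paths, the encrypted file paths, the set of
    folders containing either, and a per-extension count of encrypted files so the
    responder can see which of the targeted file types were actually hit.
    """
    result = {"notes": [], "encrypted": [], "folders": set(), "by_ext": {}}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            label = classify(full)
            if label is None:
                continue
            result["folders"].add(dirpath)
            if label == "ransom_note":
                result["notes"].append(full)
            else:
                result["encrypted"].append(full)
                ext = original_extension(fname)
                result["by_ext"][ext] = result["by_ext"].get(ext, 0) + 1
    return result


def build_sample_tree(base):
    """Create a constructed directory tree mimicking an infected host (test data only)."""
    base = Path(base)
    docs = base / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    # Two "encrypted" files: original name plus the appended string.
    (docs / ("report.doc" + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)
    (docs / ("budget.xls" + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)
    # The three ransom notes dropped alongside them.
    for note in NOTE_NAMES:
        (docs / note).write_bytes(b"constructed note")
    # An untouched folder with no indicators.
    clean = base / "Windows"
    clean.mkdir(exist_ok=True)
    (clean / "notepad.exe").write_bytes(b"MZ")
    return base


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return the result dict."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_tree(tmp))


if __name__ == "__main__":
    r = run_demo()
    print(f"{len(r['notes'])} ransom notes, {len(r['encrypted'])} encrypted files "
          f"in {len(r['folders'])} folder(s)")
    for ext, count in sorted(r["by_ext"].items()):
        print(f"  {ext or '(no extension)'}: {count}")
```

Point `scan()` at a mounted share or a forensic image mount instead of the demo tree to get a folder-level map of what the Trojan reached; the per-extension tally is a quick way to confirm the hit set matches the targeted list above rather than some other family's.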

Next, the Trojan displays a ransom note on the compromised computer, warning users that their files have been encrypted and providing instructions on how they may pay to have their files decrypted. 

Community content is available under CC-BY-SA unless otherwise noted.