
MyAntiSpyware


.Hese file extension. How to remove virus. Restore, Decrypt .hese files.

Myantispyware team August 26, 2019    

This week, security specialists discovered a new ransomware called ‘Hese file virus’, malicious software that infects MS Windows PC systems. A short time after the computer has been infected, it encrypts personal files on all attached data storage and adds the .hese file extension to the name of every encrypted file.

Files encrypted by .hese virus


The Hese virus locks up photos, documents and music using a hybrid encryption mode, which makes it impossible for the user to decrypt the affected files on their own without obtaining a special key; that key is the only way to decrypt the locked photos, documents and music. Hese ransomware encrypts almost all kinds of files, including databases, images, documents, web application-related files, music, videos and archives, with common extensions such as:

.mdf, .dng, .upk, .webdoc, .mcmeta, .layout, .ncf, .t13, .wgz, .wb2, .pef, .xx, .wmo, .wav, .wpb, .wpd, .snx, .hkx, .sav, .t12, .lvl, .py, .rw2, .vcf, .mp4, .cfr, .mpqge, .ybk, .zi, .xlsx, .odm, .csv, .xf, .pfx, .tax, .wri, .r3d, .pem, .wbm, .wsd, .zif, .das, .wbmp, .xwp, .iwi, .wps, .x, .srf, .xar, .wdp, .vtf, .wpa, .wmv, .avi, .xlk, .w3x, .indd, .wot, .odc, .odp, .bc7, .xll, .wp4, .mlx, .sie, .zip, .p12, .wbd, .svg, .menu, .odb, .mddata, .jpeg, .wpt, .7z, .txt, .bkf, .xyw, .wp, .itdb, .doc, .wn, .arch00, .ntl, .xdb, .rwl, .pdf, .wbk, .xls, .ff, .cas, .rofl, .rar, .x3f, .ztmp, .wm, .m3u, .xlsm, .ppt, .1, .xbdoc, .icxs, .wpd, .x3d, .p7c, .wbc, .sid, .erf, .xbplate, .bkp, .db0, .dcr, .jpg, .blob, .kf, .rim, .vdf, .bc6, .ws, .xml, .srw, .pptm, .jpe, .wbz, .itm, .bik, .sb, .1st, .wpe, .vfs0, .xlsm, .zip, .mef, .eps, .bar, .esm, .sql, .epk, .mdb, .wmf, .tor, .sr2, .lbf, .dbf, .psd, .kdc, .pkpass, wallet, .gdb, .yml, .syncdb, .flv, .sidn, .sidd, .css, .desc, .bay, .ai, .xld, .wotreplay, .psk, .crt, .wdb, .3dm, .xdl, .itl, .big, .accdb, .fos, .js, .cr2, .wpl, .der, .wp7, .ptx, .crw, .gho, .m2, .pptx, .wp5, .xls, .xlsb, .litemod, .webp, .dwg, .forge, .xlgc, .raw, .dxg, .kdb, .odt, .hplg, .cdr, .zdb, .2bp, .p7b, .dba, .orf

Having finished encryption, the ransomware creates a ransom note called ‘_readme.txt’. This file informs the victims that their personal files are encrypted with a complex cipher and demands a ransom payment for bringing the data back to the state it was in at the time of the encryption.

ATTENTION!
 
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-6tYZko8NMj
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

 

Threat Summary

Name: Hese
Type: Filecoder, Crypto malware, Ransomware, Crypto virus, File locker
Encrypted files extension: .hese
Ransom note: _readme.txt
Contact: gorentos@bitmessage.ch
Ransom amount: $980 in Bitcoins
Symptoms: Unable to open documents, photos and music. Files are encrypted with a .hese file extension. Your file directories contain a ‘ransom note’ file that is usually a .txt file.
Distribution ways: Unsolicited emails that are used to deliver malware. Drive-by downloads from a compromised webpage. Social media posts (they can be used to entice users to download malicious software with a built-in ransomware downloader or click a suspicious link). Cybercriminals use malicious ads to distribute malicious software with no user interaction required.
Removal: To remove Hese ransomware use the removal guide
Decryption: To decrypt Hese ransomware use the steps
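
The two indicators in the summary above (the .hese extension and the _readme.txt note) are enough to scope the damage before cleaning up. The following read-only Python script is an added example, not part of the original guide; the function names and the sample tree are constructed for illustration, and it assumes that a .hese file's modification time approximates when it was encrypted.

```python
"""Read-only triage for the indicators this page names: *.hese and _readme.txt."""
import os
import tempfile
from collections import Counter
from datetime import datetime
from pathlib import Path

ENCRYPTED_SUFFIX = ".hese"   # extension from the Threat Summary
RANSOM_NOTE = "_readme.txt"  # ransom note name from the Threat Summary


def scan_tree(root):
    """Walk root without changing anything and summarise what was hit."""
    root = Path(root)
    encrypted, notes, skipped, mtimes = [], [], [], []
    lost_types = Counter()
    # os.walk does not follow symlinks by default; onerror records unreadable dirs.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: skipped.append(e.filename)):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()  # Windows file names are case-insensitive
            if lower == RANSOM_NOTE:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                # "report.docx.hese" -> ".docx": the file type that was lost
                inner = Path(lower[: -len(ENCRYPTED_SUFFIX)]).suffix
                lost_types[inner or "(none)"] += 1
                try:
                    mtimes.append(path.stat().st_mtime)
                except OSError:
                    skipped.append(str(path))
    return {
        "encrypted": len(encrypted),
        "notes": len(notes),
        "affected_dirs": sorted({str(p.parent.relative_to(root)) for p in encrypted}),
        "lost_types": dict(lost_types),
        # Assumption: mtime of a .hese file approximates when it was written.
        "first_hit": datetime.fromtimestamp(min(mtimes)) if mtimes else None,
        "last_hit": datetime.fromtimestamp(max(mtimes)) if mtimes else None,
        "skipped": skipped,
    }


def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hit = datetime(2019, 8, 24, 10, 0).timestamp()  # constructed timestamp
        sample = [("docs/report.docx.hese", 0), ("docs/budget.xlsx.HESE", 60),
                  ("pics/cat.jpg.hese", 120), ("docs/_readme.txt", 130),
                  ("pics/_readme.txt", 130), ("pics/untouched.png", -9000)]
        for rel, offset in sample:
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"constructed sample")
            os.utime(f, (hit + offset, hit + offset))
        return scan_tree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point scan_tree at a drive root or user profile; a backup or restore point dated before first_hit predates the encryption.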

 

In the tutorial below, I have outlined a few methods that you can use to remove the Hese ransomware virus from your system and restore .hese files from shadow volume copies or with file recovery applications.

Quick links

  1. How to remove Hese ransomware virus
  2. Decrypt .hese files with STOPDecrypter
  3. How to restore .hese files
  4. How to protect your computer from Hese crypto virus?

How to remove Hese ransomware virus

The following instructions will allow you to remove the Hese ransomware virus and other malicious software. Before you start, you need to know that by deleting the crypto virus you may block the ability to decrypt personal files by paying the authors of the ransomware the requested ransom. Zemana Anti-malware, Kaspersky virus removal tool and Malwarebytes Anti-malware can detect different types of active ransomware infections and easily remove them from your personal computer, but they cannot restore encrypted photos, documents and music.



Remove Hese ransomware virus with Zemana

Zemana AntiMalware is a malware scanner that is very effective for detecting and uninstalling Hese ransomware. The steps below explain how to download, install, and use Zemana Anti-Malware to scan your PC system and remove crypto malware, spyware, malicious software, adware, trojans and worms for free.

Installing Zemana Free is simple. First you’ll need to download Zemana Anti-Malware to your Windows Desktop by clicking on the following link.

Zemana AntiMalware
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

When the download is finished, run the installer and follow the prompts. Once installed, Zemana will try to update itself; when this task is done, press the “Scan” button to perform a system scan for the Hese ransomware and other kinds of potential threats such as malicious software and trojans.

Zemana Anti-Malware detect Hese crypto virus and other security threats

Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. Make sure all items have a ‘checkmark’ and click the “Next” button.

Zemana Anti Malware scan is complete

Zemana Free will uninstall the Hese ransomware virus and other security threats and move the items to the program’s quarantine.

Run MalwareBytes Anti-Malware (MBAM) to remove Hese virus

Getting rid of the Hese ransomware virus manually is difficult, and often the ransomware is not completely removed. Therefore, we advise you to use MalwareBytes Free, which can fully clean your computer. Moreover, this free program will help you to remove malware, potentially unwanted programs, toolbars and adware software that your system may be infected with too.

Please go to the following link to download MalwareBytes Free. Save it on your Windows desktop or in any other place.

Malwarebytes Anti-malware
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

When the download is done, close all windows on your PC system. Then start the file called mb3-setup. If the “User Account Control” prompt pops up as in the image below, click the “Yes” button.

MalwareBytes Anti-Malware for Microsoft Windows uac dialog box

It will open the “Setup wizard”, which will help you install MalwareBytes on the PC. Follow the prompts and don’t make any changes to the default settings.

MalwareBytes for MS Windows install wizard

Once installation completes successfully, press the Finish button. MalwareBytes Free will then launch automatically and you will see its main window as shown below.

MalwareBytes for MS Windows

Next, press the “Scan Now” button to look for the Hese ransomware virus, other malicious software, worms and trojans. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your computer. When malware, adware or PUPs are detected, the number of security threats will change accordingly. Wait until the scanning is done.

MalwareBytes for Windows find Hese ransomware virus related folders,files and registry keys

Once that process is done, the results are displayed in the scan report. You may delete items (move them to Quarantine) by simply pressing the “Quarantine Selected” button.

MalwareBytes Anti-Malware for Microsoft Windows, scan for crypto virus is done

MalwareBytes will delete the Hese ransomware virus and other security threats. Once the cleaning process is complete, you may be prompted to restart your machine. We suggest you look at the following video, which completely explains the process of using MalwareBytes Anti Malware to uninstall hijackers, adware and other malware.

Remove Hese crypto virus with KVRT

KVRT is a free removal tool that can scan your PC system for a wide range of security threats such as the Hese ransomware virus, adware, potentially unwanted programs and other malware. It performs a deep scan of your machine, including hard drives and the MS Windows registry. After malicious software is detected, it allows you to delete all detected threats from your computer with a simple click.

Download Kaspersky virus removal tool (KVRT) to your PC by clicking on the following link.

Kaspersky virus removal tool
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

Once the download is finished, double-click on the Kaspersky virus removal tool icon. Once the initialization procedure is finished, you’ll see the KVRT screen like the one below.

Kaspersky virus removal tool main window

Click Change Parameters and set a check next to all your drives. Press OK to close the Parameters window. Next, click the Start scan button. The KVRT utility will start scanning the whole personal computer to find Hese ransomware and other known infections. When a threat is found, the count of security threats will change accordingly.

Kaspersky virus removal tool scanning

Once the scan is finished, Kaspersky virus removal tool will display a list of all threats detected by the scan like the one below.

Kaspersky virus removal tool scan report

When you are ready, click Continue to start the cleaning process.

Decrypt .hese files with STOPDecrypter

With some variants of the Hese file virus, it is possible to decrypt encrypted files using the free tools listed below.



Michael Gillespie (@) released the Hese decryption tool called STOPDecrypter. It can decrypt .hese files if they were locked by one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the twitter post for more info.

Hese decryption tool


STOPDecrypter is a program that can be used for Hese files decryption. One of the biggest advantages of using STOPDecrypter is that it is free and easy to use. Also, its ‘OFFLINE KEYs’ DB is constantly updated. Let’s see how to install STOPDecrypter and decrypt .hese files using this free tool.

  1. STOP Decrypter can be downloaded from the following link. Save it directly to your Windows Desktop.
    download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
  2. When the download is done, close all software and windows on your PC. Open the file location.
  3. Right-click on the icon that’s named STOPDecrypter.zip. Then select ‘Extract all’ and follow the prompts.
  4. Once the extraction process is complete, right-click on STOPDecrypter and choose ‘Run as Administrator’. Select Directory and press the Decrypt button.

If STOPDecrypter does not help you to decrypt .hese files, in some cases you still have a chance to recover your photos, documents and music that were encrypted by the ransomware virus. This is possible with the tools called ShadowExplorer and PhotoRec. An example of recovering encrypted photos, documents and music is given below.

How to restore .hese files

In some cases, you can restore files encrypted by the Hese crypto virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted personal files.




Recover .hese files with ShadowExplorer

In some cases, you have a chance to recover your personal files that were encrypted by the Hese ransomware virus. This is possible with the tool called ShadowExplorer. It is a free program designed to obtain ‘shadow copies’ of files.

ShadowExplorer can be downloaded from the following link. Save it on your Desktop.

ShadowExplorer
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

Once the download is finished, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as in the image below.

ShadowExplorer folder

Double-click ShadowExplorerPortable to start it. You will see a window as displayed in the following example.

ShadowExplorer

In the top left corner, select the drive where the encrypted photos, documents and music are stored and the latest restore point, as displayed in the figure below (1 – drive, 2 – restore point).

ShadowExplorer

In the right panel, look for a file that you want to restore, right-click on it and select Export, as in the example below.

ShadowExplorer restore file

Recover .hese files with PhotoRec

Before a file is encrypted, the Hese ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file restore programs like PhotoRec.

Download PhotoRec on your machine from the link below.

PhotoRec
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

Once the download is finished, open the directory in which you saved it. Right-click on testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Windows. It will show a screen similar to the one below.

PhotoRec for windows

Select a drive to recover as in the image below.

photorec choose drive

You will see a list of available partitions. Select the partition that holds the encrypted photos, documents and music, as shown below.

photorec select partition

Click File Formats button and select file types to restore. You can enable or disable the restore of certain file types. When this is done, press the OK button.

PhotoRec file formats

Next, click Browse button to select where recovered photos, documents and music should be written, then click Search.

photorec

The count of recovered files is updated in real time. All restored files are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.

When the recovery is finished, click the Quit button. Next, open the directory where the recovered personal files are stored. You will see contents like those shown in the image below.

PhotoRec - result of restore

All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, you can sort your recovered files by extension and/or date/time.
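
Because PhotoRec writes everything it recovers into numbered recup_dir folders, finding a specific file means indexing them. This added Python example (not part of the original guide or of PhotoRec) builds that index by extension and modification time; the function name, its parameters and the sample files are constructed for illustration.

```python
"""Index PhotoRec output (recup_dir.N folders) by extension and date, read-only."""
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime
from pathlib import Path

RECUP_DIR = re.compile(r"^recup_dir\.(\d+)$")  # folder naming described above


def index_recovered(output_dir, wanted_exts=None, modified_after=None):
    """Return {extension: [(path, size, mtime), ...]}, newest first.

    wanted_exts: e.g. {".docx", ".jpg"}, or None for every type.
    modified_after: datetime; files older than this are left out.
    """
    wanted = {e.lower() for e in wanted_exts} if wanted_exts else None
    cutoff = modified_after.timestamp() if modified_after else None
    folders = []
    for p in Path(output_dir).iterdir():
        m = RECUP_DIR.match(p.name)
        if m and p.is_dir():
            folders.append((int(m.group(1)), p))
    index = defaultdict(list)
    # Numeric sort so recup_dir.10 is visited after recup_dir.2.
    for _n, folder in sorted(folders):
        for entry in os.scandir(folder):
            if not entry.is_file(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            ext = Path(entry.name).suffix.lower() or "(none)"
            if st.st_size == 0:  # empty file, nothing to open
                continue
            if wanted is not None and ext not in wanted:
                continue
            if cutoff is not None and st.st_mtime < cutoff:
                continue
            index[ext].append((Path(entry.path), st.st_size, st.st_mtime))
    for items in index.values():
        items.sort(key=lambda item: item[2], reverse=True)
    return dict(index)


def demo():
    """Constructed sample: three recup_dir folders with made-up file names."""
    sample = [  # (folder, file name, content, modification time)
        ("recup_dir.1", "f0000001.jpg", b"\xff\xd8\xff", datetime(2019, 8, 1)),
        ("recup_dir.2", "f0000002.docx", b"PK", datetime(2019, 8, 20)),
        ("recup_dir.10", "f0000003.docx", b"PK", datetime(2019, 8, 25)),
        ("recup_dir.10", "f0000004.docx", b"PK", datetime(2019, 7, 1)),
        ("recup_dir.10", "f0000005.jpg", b"", datetime(2019, 8, 21)),
        ("recup_dir.10", "f0000006.mp3", b"ID3", datetime(2019, 8, 22)),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for folder, name, data, when in sample:
            path = Path(tmp, folder, name)
            path.parent.mkdir(exist_ok=True)
            path.write_bytes(data)
            os.utime(path, (when.timestamp(), when.timestamp()))
        found = index_recovered(tmp, {".docx", ".jpg"}, datetime(2019, 7, 15))
        return {ext: [p.name for p, _size, _mtime in items] for ext, items in found.items()}
```

Call index_recovered on the folder chosen with the Browse button; nothing is moved or deleted, so the recovered files stay where PhotoRec wrote them.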

How to protect your computer from Hese crypto virus?

Most antivirus programs already have a built-in protection system against crypto malware. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, run HitmanPro.Alert.

Use HitmanPro.Alert to protect your machine from Hese ransomware virus

All in all, HitmanPro.Alert is a fantastic tool to protect your PC system from any ransomware. If ransomware is detected, HitmanPro.Alert automatically neutralizes the malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of the Microsoft Windows operating system from MS Windows XP to Windows 10.

HitmanPro.Alert can be downloaded from the following link. Save it directly to your Windows Desktop.

HitmanPro.Alert
Author: Sophos
Category: Security tools
Update: March 6, 2019

After the download is finished, open the folder in which you saved it. You will see an icon like the one below.

HitmanPro.Alert file icon

Double-click the HitmanPro Alert desktop icon. After the tool starts, you’ll be shown a window where you can choose a level of protection, as displayed in the following example.

HitmanPro.Alert install

Now click the Install button to activate the protection.

Final words

Once you’ve completed the few simple steps outlined above, your PC should be clean of the Hese crypto virus and other malicious software. Your personal computer will no longer encrypt your documents, photos and music. Unfortunately, if the instructions do not help you, then you have caught a new ransomware, and the best way forward is to ask for help here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

5 Comments

  1. Shashi Pal
    ― September 4, 2019 - 2:39 am

    Dear, please help me. I have collected all data in an external hard disk.

    How to remove .hses file extension virus

  2. Myantispyware team
    ― September 4, 2019 - 2:49 am

    In order to detect and remove Hese file extension virus, please use the malware removal tools listed above.

  3. syambas
    ― September 5, 2019 - 2:08 pm

    Dear, how to restore my project files in folders and subfolders in my drive?

  4. syambas
    ― September 5, 2019 - 2:10 pm

    Use PhotoRec.

  5. Myantispyware team
    ― September 5, 2019 - 6:33 pm

    PhotoRec does not allow you to recover files from a specific directory. This utility recovers all deleted files from the hard drive. “Deleted files” are all files that were deleted before the computer was infected, including files that the operating system deleted during its operation and files that the virus deleted during file encryption.

    The only way to recover specific files is to select the type of these files at the “select file types to restore” step (“Click File Formats button and select file types to restore”).
