Cyber security researchers discovered a new variant of ransomware that called ‘Heroset ransomware‘. It appends the .heroset file extension to encrypted file names. This blog post will provide you a brief summary of information related to this crypto virus and how to restore (decrypt) encrypted personal files for free.
Once installed, the Heroset virus begins looking for attached disks and even networked disks containing database, music, archives, videos, documents, images and web application-related files. The files that will be encrypted include the following file extensions:
.sr2, .psd, .xlsx, .nrw, .x, .lvl, .kf, .zabw, .pdd, .mlx, .odp, .m3u, .pef, .upk, .bsa, .xyp, .d3dbsp, .itdb, .wbm, .orf, .ltx, .mpqge, .epk, .wn, .p12, .hkdb, .xld, .iwi, .rb, .svg, .docx, .wm, .vdf, .pfx, .wp6, .xbplate, .qic, .lrf, .ztmp, .xx, .xdb, .wpg, .sidd, .big, .t12, .wbmp, .wri, .forge, .xbdoc, .xlsb, .pptm, .xlsm, .wpd, .docm, .rar, .zif, .bkf, .hvpl, .asset, .ptx, .0, .7z, .kdc, .xf, .wsc, .mdf, .mrwref, .wav, .indd, .odm, .cer, .ysp, .desc, .dxg, .ntl, .erf, .gdb, .dmp, .vpk, .xml, .wsh, .py, .m4a, .wpd, .gho, .dazip, .slm, .bay, .y, .bkp, .tax, .w3x, .wbd, .csv, .wmv, .dng, .xmmap, .psk, .dba, .xwp, .vcf, .menu, .qdf, .zi, .xpm, .wp5, .pkpass, .accdb, .xlsx, .wire, .wot, .fpk, .sie, .raf, .cfr, .sav, .wma, .wps, .webp, .2bp, .litemod, .p7c, .snx, .itl, .bc7, .jpg, .pdf, .z3d, .r3d, .t13, .yml, .1, .mef, .wbk, .der, .sb, .fsh, .zw, .cas, .wmv, .1st, .bar, .blob, .sis, .mcmeta, .rofl, .ff, .crt, .bc6, .wsd, .wma, .srf, .ws, .pptx, .txt, .pem, .fos, .x3f, .wpw, .rgss3a, .syncdb, .x3d, .wpe, .vfs0, .itm, .re4, .sum, .sidn, .xlgc, .wpa, .arch00, .xxx, .dwg, .hplg, .sql, .wps, .cr2, .wcf, .xy3, .xdl, .odb, .cdr, .flv, .3ds, .yal, .pst, .sid, .crw, .png, .rtf, .mp4, .xls, .icxs, wallet, .ybk, .zdb, .xlsm, .ncf, .odc, .raw, .xll, .wdp, .wp, .eps, .jpe, .ai, .wpb, .wmo, .xlk, .wotreplay, .ods, .xmind, .xyw, .3fr, .mddata, .zdc, .webdoc, .srw, .wmd, .wgz, .wpl, .mdbackup, .css, .js, .lbf, .wpt, .iwd, .map, .bik, .kdb, .wb2, .odt, .rwl, .x3f, .avi, .pak, .dcr, .wp4, .dbf, .jpeg
Once a file is encrypted, its extension changed to .heroset. Next, the ransomware drops a file named ‘_readme.txt’. This file contain a note on how to decrypt all encrypted files. You can see an one of the variants of the ransom message below:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-7AKxZTQTdy Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
Name | Heroset |
Type | Filecoder, Crypto virus, Crypto malware, Ransomware, File locker |
Encrypted files extension | .heroset |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch, stoneland@firemail.cc, @datarestore (telegram) |
Ransom amount | $980, $490 in Bitcoins |
Symptoms | Unable to open photos, documents and music. All of your photos, documents and music have a odd file extension appended to the filenames. Files called such as ‘_readme.txt’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ in each folder with at least one encrypted file.. New files on your desktop, with name variants of: ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’. |
Distribution methods | Malicious e-mail spam. Drive-by downloads (ransomware is able to infect the machine simply by visiting a webpage that is running malicious code). Social media posts (they can be used to entice users to download malware with a built-in ransomware downloader or click a misleading link). Torrent web pages. |
Removal | To remove Heroset ransomware use the removal guide |
Decryption | To decrypt Heroset ransomware use the steps |
Instructions that is shown below, will help you to remove Heroset ransomware as well as restore (decrypt) encrypted files stored on your computer drives.
Quick links
- How to remove Heroset crypto malware
- How to decrypt .heroset files
- Use STOPDecrypter to decrypt .heroset files
- How to restore .heroset files
- How to protect your machine from Heroset crypto malware?
- Finish words
How to remove Heroset crypto malware
There are a few ways which can be used to remove Heroset. But, not all ransomware such as this crypto virus can be completely removed using only manual methods. In many cases you are not able to remove any crypto malware using standard MS Windows options. In order to remove Heroset you need use reliable removal tools. Most IT security experts states that Zemana Anti-malware, Malwarebytes or KVRT tools are a right choice. These free applications are able to scan for and get rid of Heroset crypto malware from your machine for free.
Remove Heroset ransomware with Zemana Anti-malware
Zemana Anti-Malware (ZAM) can locate all kinds of malware, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Heroset crypto malware, you can easily and quickly remove it.
Download Zemana Anti-Malware (ZAM) by clicking on the link below. Save it on your Microsoft Windows desktop or in any other place.
164112 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the downloading process is done, close all windows on your PC system. Further, start the set up file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown in the figure below, click the “Yes” button.
It will display the “Setup wizard” that will assist you install Zemana Anti Malware (ZAM) on the PC. Follow the prompts and do not make any changes to default settings.
Once installation is complete successfully, Zemana will automatically launch and you may see its main window like below.
Next, click the “Scan” button to perform a system scan for the Heroset ransomware related files, folders and registry keys. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour.
As the scanning ends, a list of all items found is prepared. When you are ready, click “Next” button.
The Zemana Anti Malware (ZAM) will begin to delete Heroset ransomware virus, other malware, worms and trojans. When that process is done, you can be prompted to restart your machine.
How to remove .Heroset files virus with MalwareBytes
You can get rid of Heroset ransomware automatically through the use of MalwareBytes Free. We suggest this free malware removal tool because it can easily remove ransomware, trojans, worms, spyware and other malware with all their components such as files, folders and registry entries.
- Download MalwareBytes Anti-Malware on your PC by clicking on the following link.
Malwarebytes Anti-malware
326462 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- When the download is done, close all software and windows on your PC. Open a file location. Double-click on the icon that’s named mb3-setup.
- Further, click Next button and follow the prompts.
- Once installation is done, press the “Scan Now” button to perform a system scan for the .Heroset files virus and other security threats. Depending on your PC system, the scan may take anywhere from a few minutes to close to an hour. While the MalwareBytes Anti-Malware (MBAM) utility is checking, you can see count of objects it has identified as being affected by malicious software.
- Once finished, MalwareBytes AntiMalware will open a list of found threats. Review the report and then press “Quarantine Selected”. After disinfection is done, you can be prompted to restart your system.
The following video offers a steps on how to remove hijackers, adware and other malicious software with MalwareBytes Free.
Remove Heroset crypto malware with KVRT
If MalwareBytes anti-malware or Zemana anti-malware cannot delete this ransomware virus, then we suggests to run the KVRT. KVRT is a free removal utility for crypto viruss, adware, PUPs and toolbars.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the downloading process is done, double-click on the Kaspersky virus removal tool icon. Once initialization process is finished, you will see the Kaspersky virus removal tool screen as on the image below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button for checking your PC for the Heroset ransomware and other known infections. A system scan can take anywhere from 5 to 30 minutes, depending on your computer. During the scan Kaspersky virus removal tool will search for threats present on your personal computer.
After the scanning is complete, KVRT will create a list of undesired applications adware software as displayed below.
All found threats will be marked. You can remove them all by simply click on Continue to start a cleaning task.
How to decrypt .heroset files
The encryption method is so strong that it is practically impossible to decrypt .heroset files without the actual encryption key. The bad news is that the only way to get your files back is to pay ($490, $980 in Bitcoins) creators of the Heroset ransomware for a copy of the private (encryption) key.
Should you pay the ransom? A majority of experienced security specialists will reply immediately that you should never pay a ransom if infected by ransomware! If you choose to pay the ransom, there is no 100% guarantee that you can decrypt all personal files!
With some variants of the Heroset ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .heroset files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.heroset).
Please check the twitter post for more info.
How to restore .heroset files
In some cases, you can recover files encrypted by Heroset ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted personal files.
Run ShadowExplorer to recover .heroset files
An alternative is to recover .heroset personal files from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that Microsoft Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing documents, photos and music that were locked by Heroset crypto virus. The instructions below will give you all the details.
Please go to the following link to download the latest version of ShadowExplorer for Microsoft Windows. Save it directly to your Microsoft Windows Desktop.
438819 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the downloading process is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed below.
Double click ShadowExplorerPortable to launch it. You will see the a window as displayed below.
In top left corner, choose a Drive where encrypted photos, documents and music are stored and a latest restore point as shown in the figure below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to recover, right click to it and select Export as shown in the following example.
Run PhotoRec to restore .heroset files
Before a file is encrypted, the Heroset crypto virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recover applications such as PhotoRec.
Download PhotoRec by clicking on the following link.
Once the downloading process is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll open a screen as displayed in the following example.
Choose a drive to recover as shown in the following example.
You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as displayed in the following example.
Click File Formats button and choose file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, click Browse button to select where recovered files should be written, then click Search.
Count of restored files is updated in real time. All recovered personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is complete, click on Quit button. Next, open the directory where recovered personal files are stored. You will see a contents as displayed on the screen below.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your machine from Heroset crypto malware?
Most antivirus apps already have built-in protection system against the crypto malware. Therefore, if your PC does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Use HitmanPro.Alert to protect your machine from Heroset crypto malware
All-in-all, HitmanPro.Alert is a fantastic tool to protect your system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows operating system from Microsoft Windows XP to Windows 10.
HitmanPro.Alert can be downloaded from the following link. Save it to your Desktop.
Once downloading is complete, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. After the tool is started, you’ll be displayed a window where you can select a level of protection, as on the image below.
Now click the Install button to activate the protection.
Finish words
Now your personal computer should be free of the Heroset crypto virus. Delete MalwareBytes Free and KVRT. We suggest that you keep Zemana Anti-Malware (ZAM) (to periodically scan your personal computer for new malware). Make sure that you have all the Critical Updates recommended for MS Windows operating system. Without regular updates you WILL NOT be protected when new ransomware virus, malicious software and adware are released.
If you are still having problems while trying to delete Heroset crypto malware from your PC system, then ask for help here.