Hets file extension
.Hets file extension is the mark that a new STOP (Djvu) ransomware variant applies to files that have been encrypted. Thus, if you find files with this file extension on your computer’s drive, then you’re the victim of a ransomware attack. You are not the first victim of this virus, security researchers have already reported on other cases of Hets infection. It encrypts files during infection, and then changes their filename. For example, a file named ‘
image.jpg‘, after encryption by this ransomware, will have the name
image.jpg.hets. If you rename files or remove the new extension, this will not unlock the files, they will remain encrypted.
Hets virus is a ransomware that uses a very strong encryption mode and a long key to encrypt files. This eliminates the possibility of determining the key or breaking it. For each case of infection, a new key is used, so the key from one computer will not work for another. There is one exception to this rule: if Hets virus could not establish a connection with its command server before encrypting the files, then it uses a fixed key. Researchers called this type of key an ‘offline key’. This key is the same for all victims, which makes it possible to use it to decrypt files, regardless of where they were encrypted.
During encryption, files located on local disks, network drives, and connected devices will be encrypted. Windows system files are excluded from the encryption process in order not to block the normal operation of the computer. In addition, the virus does not encrypt files with the extension .ini, .sys, .dll, .lnk, .bat and the filename ‘_readme.txt’. Hets can encrypt almost any type of file, including the following:
.rtf, .ysp, .wb2, .xx, .desc, .ybk, .tax, .eps, .xdb, .rofl, .xlsx, .wpg, .wpt, .xlsm, .wav, .d3dbsp, .wgz, .ntl, .doc, .x, .xlgc, .sidd, .ai, .wri, .sie, .xpm, .dcr, .ppt, .cer, .wp4, .pak, .wn, .sid, .psk, .2bp, .xmind, .z3d, .itm, .t13, .pfx, .forge, .xlsm, .wsh, .bsa, .avi, .xlk, .nrw, .rb, .indd, .xlsx, .ff, .wotreplay, .wbmp, .wpa, .psd, .db0, .ltx, .css, .3ds, .xbplate, .p7b, .pem, .flv, .1, .asset, .das, .apk, .wsc, .qic, .yal, .sb, .pptm, .zdc, .fsh, .dba, .syncdb, .wot, .vfs0, .wp5, .dng, .pptx, .wdp, .bc7, .sr2, .wp7, .xld, .odt, .vtf, .wmf, .wpb, .wpw, .fos, .wm, .wp6, .sidn, .dbf, .fpk, .pdf, .sql, .xmmap, .re4, .xyw, .odm, .webp, .1st, .arch00, .bar, .ncf, .xml, .m4a, .pef, .hplg, .dazip, .litemod, .svg, .y, .wps, .rwl, .zdb, .hvpl, .bkf, .xls, .z, .xf, .ibank, .kdc, .ztmp, .snx, .odp, .raf, .rw2, .3fr, .gdb, .wpl, .hkx, .wmd, .layout, .wma, .xll, .accdb, .zi, .jpg, .jpeg, .mrwref, .js, .arw, .wpd, .pkpass, .csv, .mlx, .xbdoc, .3dm, .vdf, .jpe, .vpp_pc, .txt, .hkdb, .orf, .sav, .7z, .rgss3a, .rar, .wdb, .xls, .t12, .ptx, .wmv, .blob, .zw, .ods, .esm, .cfr, .iwd, .py, .erf, .odb, .lvl, .mdbackup, .big, .wbm, .wpe, .wbc, .vpk, .mpqge, .docm, .mdf, .p7c, .ws, .wire, .kf, .cas, .slm, .w3x, .wmo, .bik, .itdb, .dmp, .raw, .mddata, wallet, .xy3, .zip, .srf, .zabw, .docx, .vcf, .gho, .srw, .wmv, .xdl, .xxx, .wsd, .zip, .cdr, .rim, .kdb, .wps, .pdd, .pst, .cr2, .webdoc, .icxs, .map, .sum, .wma, .xyp, .yml, .x3f, .wbz, .0, .wpd, .bay, .lrf, .mcmeta, .crw, .menu, .iwi, .mp4, .x3d, .wbk, .crt, .r3d, .xlsb, .png, .wp, .upk, .m3u, .wbd, .epk, .odc, .bc6, .mef, .itl, .lbf, .der, .x3f, .sis, .dwg, .wcf, .zif, .mdb, .mov, .bkp, .qdf, .xar, .p12
Hets virus encrypts file by file, directory by directory, drive by drive. In each directory where there is at least one encrypted file, a new file is created with the name ‘_readme.txt’. This file is so called ‘ransom demand message’ that was created by Hets authors and is necessary to explain to the victim why the files do not open in associated programs and how to restore access to the files, that is, how to decrypt them. The victim is informed that all the files were encrypted and that the only way to decrypt them is to buy a key, that is, to pay a ransom. If the victim pays the ransom within 72 hours, then the attackers are ready to make a discount of 50%. Below we give an example of a similar message:
The criminals behind Hets virus offer to write them an email letter in response to which they will give the address to which the ransom will need to be transferred. To remain anonymous, most often, attackers use a bitcoin wallet to obtain ransom from the victim. Although attackers offer to decrypt one file for free in order to confirm the possibility of decrypting files, there is no guarantee that after receiving a ransom, they will provide the key necessary to decrypt all files.
|Type||Crypto malware, Ransomware, Filecoder, Crypto virus, File locker|
|Encrypted files extension||.hets|
|Ransom amount||$490/$980 in Bitcoins|
|Symptoms||Files encrypted with .hets file extension. Your photos, documents and music fail to open. Files called such as ‘_readme.txt’, or ‘_readme” in every folder with an encrypted file.|
|Distribution ways||Phishing Emails that is carefully made to trick a victim into opening an attachment or clicking on a link that contains a harmful file. Drive-by downloading (when a user unknowingly visits an infected webpage and then malware is installed without the user’s knowledge). Social media posts (they can be used to force users to download malicious software with a built-in ransomware downloader or click a misleading link). Torrent web-pages. Adware|
|Removal||Hets virus removal guide|
|Decryption||How to decrypt .Hets files|
Hets is not the first of its kind and probably not the last. Almost every day new ransomware is created. Only in the last week we have reported several, such as Msop, Rote and Zobm. All of these malicious programs combine similar symptoms. They encrypt files and demand ransom for decrypting them. Ransomware authors leave ransom note in a file that is located in directories with encrypted files, but there are often cases when ransom demand message is placed on the desktop, replacing the background. The ransom amount varies from a few hundred dollars to several tens of thousands in case of infection of any large organization. In all cases, it is not possible to decrypt files manually, this is practically impossible. But this does not mean that the victim is left alone with his problem. Anti-virus companies and independent experts analyze the ransomware code and try to create a decryptor that helps victims decrypt their files.
In case of Hets infection, you can use the free decryptor created by Emsisoft to decrypt the affected files. In addition to this decryptor, you can use several alternative methods, each of which can help restore the contents of encrypted files.
- How to remove Hets ransomware virus
- How to decrypt .hets files
- How to restore .hets files
- How to protect your personal computer from Hets ransomware virus?
- To sum up
How to remove Hets ransomware virus
There are not many good free antimalware applications with high detection ratio. The effectiveness of malicious software removal utilities depends on various factors, mostly on how often their virus/malware signatures DB are updated in order to effectively detect modern worms, trojans, ransomware and other malicious software. We recommend to run several programs, not just one. These programs which listed below will help you remove all components of the Hets ransomware virus from your disk and Windows registry.
How to remove Hets ransomware virus with Zemana AntiMalware
Zemana AntiMalware is a free malicious software removal utility. Currently, there are two versions of the tool, one of them is free and second is paid (premium). The principle difference between the free and paid version of the utility is real-time protection module. If you just need to check your system for malicious software and remove Hets ransomware related folders,files and registry keys, then the free version will be enough for you.
- Installing the Zemana is simple. First you’ll need to download Zemana Free from the following link. Save it on your Windows desktop or in any other place.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- After the download is complete, close all applications and windows on your personal computer. Open a file location. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
- Further, click Next button and follow the prompts.
- Once install is complete, press the “Scan” button . Zemana AntiMalware (ZAM) application will scan through the whole system for the Hets crypto virus related folders,files and registry keys. This task can take quite a while, so please be patient. During the scan Zemana Anti-Malware will detect threats exist on your personal computer.
- When Zemana Free has finished scanning your personal computer, Zemana Anti Malware will display a list of detected threats. Make sure all threats have ‘checkmark’ and click “Next”. After that process is done, you can be prompted to restart your computer.
How to delete Hets with MalwareBytes
We suggest using the MalwareBytes AntiMalware which are fully clean your PC of the crypto malware. This free tool is an advanced malware removal program made by (c) Malwarebytes lab. This program uses the world’s most popular anti malware technology. It’s able to help you delete crypto malware, potentially unwanted apps, malware, adware software, toolbars, and other security threats from your system for free.
- Download MalwareBytes AntiMalware on your Windows Desktop by clicking on the following link.
Category: Security tools
Update: April 15, 2020
- At the download page, click on the Download button. Your web browser will display the “Save as” prompt. Please save it onto your Windows desktop.
- Once the download is complete, please close all software and open windows on your PC. Double-click on the icon that’s called mb3-setup.
- This will run the “Setup wizard” of MalwareBytes Anti-Malware onto your computer. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes AntiMalware (MBAM) will run and open the main window.
- Further, click the “Scan Now” button to perform a system scan for the Hets crypto malware related folders,files and registry keys. This procedure can take some time, so please be patient. When a malicious software, adware or trojans are detected, the count of the security threats will change accordingly.
- When the scanning is complete, MalwareBytes AntiMalware will display a list of all threats found by the scan.
- Review the results once the tool has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press the “Quarantine Selected” button. Once the task is finished, you may be prompted to restart the PC.
- Close the Anti-Malware and continue with the next step.
Video instruction, which reveals in detail the steps above.
Scan your system and remove Hets with KVRT
If MalwareBytes anti-malware or Zemana anti-malware cannot remove this crypto malware, then we recommends to run the KVRT. KVRT is a free removal tool for crypto malwares, adware, potentially unwanted software and toolbars.
Download Kaspersky virus removal tool (KVRT) from the following link. Save it to your Desktop.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the download is complete, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is complete, you will see the KVRT screen as shown in the figure below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to scan for Hets ransomware . This process can take some time, so please be patient.
As the scanning ends, Kaspersky virus removal tool will display a scan report as displayed on the screen below.
Review the report and then press on Continue to start a cleaning task.
How to decrypt .hets files
All files that have the extension ‘.hets’ are files that were encrypted during the ransomware attack. Their contents cannot be unlocked without a key and a decryptor. Fortunately, a free decryptor has been created that can help you decrypt .hets files.
To decrypt .hets files, use free STOP (Hets) decryptor
- Download STOP (hets) decryptor from the following link.
STOP Djvu decryptor
- Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
If STOP decryptor skips .hets files, saying that they cannot be decrypted, then these files are encrypted with an online key. Unfortunately, at the moment, this decryptor can only decrypt files encrypted with an offline key.
How to find out which key was used to encrypt files
There are two ways to determine the type of key that Hets virus used to encrypt files. First of all, you can look at the personal ID that is given in the ‘_readme.txt’ file (ransom note).
Another way, look on disk ‘C’ for ‘SystemID\PersonalID.txt’ file. This is a file in which Hets virus stores the Personal IDs used for encryption.
The ‘Perosnal ID’ is not a key, it is a set of characters by which everyone can find out which key was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, then Hets used an online key. If you could not understand which key was used to encrypt the files, then we can help you. Just write a request in the comments below.
What to do if STOP (hets) decryptor says “Error: Unable to decrypt file with ID”
If during decryption of .hets files the decryptor reports ‘Error: Unable to decrypt file with ID’, skips files without decrypting them, then two cases are possible why this happens:
- files are encrypted with an ‘online key’, in this case, you need to use alternative methods to restore the contents of encrypted files;
- files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data;
How to restore .hets files
Fortunately, there is little opportunity to recover personal files which have been encrypted by Hets crypto malware. Data recovery utilities can help you! Many victims of various ransomware infections, using the steps described below, were able to recover their files. In our instructions, we recommend using only free and tested apps called PhotoRec and ShadowExplorer. The only thing we still want to tell you before you try to recover encrypted .hets files is to check your computer for active ransomware using free malware removal tools. These free programs will help you find and remove Hets virus completely.
Use shadow copies to restore .hets files
The MS Windows has a feature named ‘Shadow Volume Copies’ that can allow you to restore .hets files encrypted by crypto malware. The method described below is only to restore encrypted photos, documents and music to previous versions from the Shadow Volume Copies using a free tool called the ShadowExplorer.
Click the following link to download the latest version of ShadowExplorer for Microsoft Windows. Save it to your Desktop.
Category: Security tools
Update: September 15, 2019
When downloading is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as on the image below.
Double click ShadowExplorerPortable to run it. You will see the a window like below.
In top left corner, select a Drive where encrypted photos, documents and music are stored and a latest restore point as displayed on the image below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to restore, right click to it and select Export as displayed on the screen below.
Recover .hets files with PhotoRec
There is another very good way to recover .hets files – use a tool that finds and restores deleted files. We recommend using PhotoRec. This is one of the few programs that allows you to do this for free. The reason that allows you to recover encrypted files using this method is simple – when you or any program, including the ransomware, deletes the file, this file is not deleted, the Windows OS marks it as deleted and hides it. PhotoRec finds such deleted files and restores them. Thus, at the output, you get files in an unencrypted state. The only thing I want to draw your attention to is that the less you used your computer after ransomware infection, the higher your chance of recovering encrypted files.
Download PhotoRec on your Microsoft Windows Desktop from the following link.
Category: Security tools
Update: March 1, 2018
Once the download is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed on the image below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll show a screen as shown below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted files like below.
Click File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is finished, click OK button.
Next, click Browse button to select where restored personal files should be written, then click Search.
Count of restored files is updated in real time. All restored files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is complete, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as on the image below.
All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your personal computer from Hets ransomware virus?
Most antivirus programs already have built-in protection system against the ransomware virus. Therefore, if your PC does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert. All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows OS from MS Windows XP to Windows 10.
First, please go to the link below, then click the ‘Download’ button in order to download the latest version of HitmanPro.Alert.
Category: Security tools
Update: March 6, 2019
When the downloading process is done, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. After the utility is started, you will be shown a window where you can select a level of protection, similar to the one below.
Now press the Install button to activate the protection.
To sum up
This guide was created to help all victims of Hets ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .hets files; how to recover files, if STOP (Hets) decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Hets related issues, go to here.