What is Happychoose file extension
.Happychoose file extension is a file extension that is used by the latest variant of GlobeImposter ransomware. The ‘Happychoose’ variant is very similar in its characteristics to other variants of this ransomware. It encrypts files and then renames them, giving each one a new filename consisting of its old name with ‘.happychoose’ appended at the end. Criminals demand a ransom for a key-decryptor pair, which is necessary to unlock encrypted data.
What is Happychoose ransomware
Happychoose ransomware is one of the variants of the GlobeImposter ransomware. It appends the ‘.Happychoose’ extension to each file that it encrypts using a complex encryption mechanism. Like its previous variants, it can use the same distribution methods (spam emails, adware, cracks, key generators and so on). Upon execution, Happychoose starts working in the background immediately. First of all, the virus configures Windows so that it starts automatically every time the computer is turned on. Happychoose ransomware uses this mechanism to continue encrypting files if it was interrupted by turning off or restarting the computer. Further, the ransomware contacts its control server to send information about the infected computer and receive additional commands.
After all the preparatory steps are completed, Happychoose proceeds to its main task: encrypting files. All files will be encrypted, regardless of whether they are located on a local disk or on a network-connected disk. That is, the contents of the following common file types can be encrypted:
.py, .xyp, .forge, .wps, .rw2, .ws, .sr2, .ntl, .flv, .arch00, .vdf, .nrw, .fos, .dazip, .pak, .xx, .der, .sav, .mcmeta, .wot, .bik, .pptm, .zip, .kf, .bsa, .xlsx, .zi, .eps, .wav, .wbk, .dcr, .docx, .r3d, .vcf, .xlsm, .wmo, .webp, .p7b, .tax, .xar, .mpqge, .wmd, .raf, .2bp, .yal, .lbf, .ods, .wpa, .zw, .litemod, .bkp, .iwd, .ff, .pdd, .wpe, .zif, .wma, .svg, .snx, .wbz, .vtf, .rb, .sie, .zip, .jpg, .sb, .wsh, .xlsx, .x, .itl, .desc, .css, .xdb, .p7c, .wotreplay, .y, .dba, .gdb, .wmv, .layout, .slm, .wdb, .xpm, .wpl, .wgz, .xxx, .xml, .dng, .doc, .0, .hkdb, .wp, .tor, .mov, .xbplate, .wdp, .mdbackup, .fpk, .sql, .xlsb, .blob, .jpeg, wallet, .ibank, .z3d, .psk, .1st, .map, .csv, .orf, .apk, .sis, .xld, .erf, .xwp, .bay, .pptx, .bc7, .ltx, .pst, .ptx, .rwl, .ncf, .big, .zdb, .webdoc, .wpw, .crt, .cdr, .3dm, .mddata, .sidn, .wsd, .odp, .z, .7z, .pdf, .xls, .yml, .xyw, .odm, .zdc, .hkx, .wbm, .accdb, .wri, .wp7, .x3f, .dwg, .itdb, .hvpl, .mef, .wpt, .bc6, .raw, .rofl, .ztmp, .ybk, .odt, .das, .iwi, .odb, .ppt, .pem, .wbc, .rgss3a, .sum, .indd, .wp5, .dmp, .mlx, .menu, .3ds, .3fr, .wm, .w3x, .ysp, .pfx, .wire, .rtf, .txt, .wp4, .mrwref, .esm, .re4, .wma, .dbf, .m4a, .wpb, .xbdoc, .qic, .epk, .xy3, .png, .t12, .mp4, .xmmap, .wpd, .mdf, .m2, .cer, .wpg, .docm, .x3f, .dxg, .psd, .lvl, .x3d, .js, .upk, .wp6, .xlgc, .xlk, .zabw, .wmv, .xf, .xll, .pef, .wbd, .t13, .srw, .odc, .d3dbsp, .1, .xmind, .gho, .qdf, .vpk, .wbmp, .p12, .xdl, .wb2, .xlsm, .wmf, .wps, .vfs0
When a file is encrypted, the ‘.happychoose’ extension is appended at the end of its name; that is, if you had a file called ‘document.docx’, a file with the name ‘document.docx.happychoose’ will appear in its place. Changing the file name, or simply deleting the appended extension, changes nothing. The file will remain encrypted and, as before, it will not be possible to open it in the program with which it is associated.
The Happychoose ransomware creates a file with the name “Decryption INFO.html” on the infected computer. This file contains a message from the ransomware authors. The full text of this file is:
ALL YOUR FILES ARE ENCRYPTED!
ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.To recover data you need decryptor.
To get the decryptor you should:
Send 1 test image or text file happychoose@cock.li or happychoose2@cock.li.
In the letter include YOUR ID (look at the beginning of this document).We will give you the decrypted file and assign the price for decryption all files
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.
Attention!Only happychoose@cock.li or happychoose2@cock.li can decrypt your files
Do not trust anyone happychoose@cock.li or happychoose2@cock.li
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user’s unique encryption key
Criminals use this file to demand a ransom from the Happychoose ransomware victims. The ransom demand message says that the victim’s files are encrypted. The authors of the ransomware demand a ransom in exchange for a key and a decryptor. Attackers offer to decrypt one image or text file for free. Of course, decryption of one file cannot guarantee that, after paying the ransom, the victim will be able to recover files affected by the ransomware.
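To scope the damage before attempting removal or recovery, the renaming pattern and ransom note name described above can be turned into a read-only inventory of affected files. This is an added example, not code from the original article; the function names and the use of file modification times as an estimate of when files were encrypted are assumptions.

```python
import json
import os
import sys
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".happychoose"      # appended extension, as named on this page
RANSOM_NOTE = "Decryption INFO.html"   # ransom note file name, as named on this page


def scan_tree(root):
    """Walk root read-only; return (encrypted file records, ransom note paths)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            # Match case-insensitively; the page writes both .Happychoose and .happychoose.
            if lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                try:
                    st = os.stat(path)
                except OSError:
                    continue  # unreadable entry: skip rather than abort the inventory
                encrypted.append({
                    "path": path,
                    "original_name": name[:-len(ENCRYPTED_SUFFIX)],
                    "size": st.st_size,
                    "mtime": st.st_mtime,
                })
            elif lower == RANSOM_NOTE.lower():
                notes.append(path)
    return encrypted, notes


def summarize(encrypted, notes):
    """Aggregate the inventory into a report for recovery planning."""
    def ext(rec):
        return os.path.splitext(rec["original_name"])[1].lower() or "(none)"
    mtimes = [rec["mtime"] for rec in encrypted]
    window = None
    if mtimes:
        # Assumption: mtime approximates when a file was rewritten by the ransomware.
        window = [datetime.fromtimestamp(t, tz=timezone.utc).isoformat(timespec="seconds")
                  for t in (min(mtimes), max(mtimes))]
    return {
        "encrypted_count": len(encrypted),
        "encrypted_bytes": sum(rec["size"] for rec in encrypted),
        "by_original_type": dict(Counter(ext(rec) for rec in encrypted)),
        "by_directory": dict(Counter(os.path.dirname(rec["path"]) for rec in encrypted)),
        "ransom_notes": sorted(notes),
        "modified_window_utc": window,
    }


if __name__ == "__main__":
    found, note_paths = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(json.dumps(summarize(found, note_paths), indent=2))
```

Run it against each local drive and each mapped network share; the per-directory counts show which locations need restoring first, and the list of original names helps when checking what the recovery tools bring back.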
Threat Summary
Name | Happychoose ransomware |
Type | Ransomware, Crypto malware, Crypto virus, Filecoder, File locker |
Encrypted files extension | .happychoose |
Ransom note | Decryption INFO.html |
Contact | happychoose@cock.li, happychoose2@cock.li |
Ransom amount | $500-$1500 in Bitcoins |
Detection Names | Trojan.Ransom.GlobeImposter, Trojan[Ransom]/Win32.GlobeImposter, Generic.Ransom.GlobeImposter.BAD24D9BD, Trojan.Mauvaise.SL1, TrojWare.Win32.Necne.AB@7l2s58, W32/Ransom.TEQX-8093, Win32/Filecoder.FV, Globelmposter!2D289492706B, Ransom.GlobeImposter!1.A538 (CLASSIC), Ransom_FAKEGLOBE.SMB |
Symptoms | Cannot open files stored on the computer. Your documents, photos and music now have odd extensions that end with something like .locked, .crypted or .cryptor. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Desktop background is changed to the ransom note. |
Distribution methods | Malicious spam (also known as ‘malspam’). Malicious downloads that happen without a user’s knowledge when they visit a compromised web site. Social media posts (they can be used to entice users to download malware with a built-in ransomware downloader or click a suspicious link). USB stick and other removable media. |
Removal | Happychoose ransomware removal guide |
Recovery | Happychoose File Recovery Guide |
As we have already said, the Happychoose ransomware is not the first in its series. The fact that, to date, antivirus companies have neither created a way to decrypt the encrypted files nor found a 100% reliable way to protect users’ computers indicates the complexity of the ransomware virus and the method that it uses to encrypt files. Nevertheless, you do not need to despair. There are several ways to find and remove Happychoose ransomware, and there is also a chance to restore part or even all encrypted files to their original state. Below we will describe in detail how to do this.
How to remove Happychoose ransomware, Restore .Happychoose files
If you encounter the malicious actions of ransomware, and your files have been encrypted with the ‘.Happychoose’ extension, then you need to remove the virus or be 100% sure that there is no ransomware on your computer, and then proceed to restore the files. Both the ransomware removal process and the file recovery process will take a lot of time, so do not believe the magical instructions that say that this can be done very quickly. If for some reason one of the methods proposed below does not suit you, we definitely recommend trying another one, and trying all of them. Perhaps one of them will help you. Feel free to ask questions in the special section on our website or in the comments below. In addition, we want to say that all the tools that we recommend using in our instructions are free and verified by security experts. Finally, before proceeding with the instructions, we advise you to read them carefully, and then print them or open them on a tablet or smartphone to have them always at hand.
- How to remove Happychoose ransomware virus
- How to decrypt .happychoose files
- How to restore .happychoose files
- How to protect your PC from Happychoose ransomware
How to remove Happychoose ransomware virus
It is not recommended to start decrypting or restoring files immediately; that would be a mistake. The right way is to go step by step: scan your computer for ransomware, detect and remove the Happychoose virus, then decrypt (restore) files. To search for ransomware, we recommend using free malware removal tools. It is very important to use multiple malware removal tools to identify and remove Happychoose. Each of the tools used should be based on a different anti-virus (anti-malware) engine. This is the only way to make sure that the Happychoose ransomware was found and completely removed.
Use Zemana to remove Happychoose ransomware virus
Zemana Anti-Malware is one of the best in its class. It can scan for and remove various security threats, including adware, crypto malware, trojans, worms, spyware and malicious software that masquerades as legitimate computer applications.
Zemana Free can be downloaded from the following link. Save it on your MS Windows desktop or in any other place.
When downloading is finished, close all apps and windows on your PC. Double-click the install file called Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as displayed on the image below, click the “Yes” button.
It will open the “Setup wizard” that will help you set up Zemana Anti Malware on your PC system. Follow the prompts and don’t make any changes to default settings.
Once setup is finished successfully, Zemana Anti Malware (ZAM) will automatically start and you can see its main screen as on the image below.
Now press the “Scan” button to detect the Happychoose ransomware virus, other malicious software, worms and trojans. This process can take some time, so please be patient.
Once the scan has finished, Zemana AntiMalware will show a screen which contains a list of malicious software that has been found. Next, you need to click the “Next” button. Zemana will remove the Happychoose ransomware virus and other security threats and move the selected threats to the Quarantine. After disinfection is finished, you may be prompted to restart the system.
Remove Happychoose with MalwareBytes Free
You can remove the Happychoose virus automatically with the help of MalwareBytes. We recommend this malware removal utility because it can easily remove ransomware, adware, spyware, trojans, worms and other malware with all their components such as files, folders and registry entries.
First, visit the page linked below, then press the ‘Download’ button in order to download the latest version of MalwareBytes.
After the downloading process is done, run it and follow the prompts. Once installed, MalwareBytes AntiMalware will try to update itself, and when this procedure is complete, click the “Scan Now” button to check your personal computer for folders, files and registry keys related to the Happychoose ransomware virus. This procedure can take quite a while, so please be patient. When a threat is detected, the number of security threats will change accordingly. Next, you need to press the “Quarantine Selected” button.
MalwareBytes Anti Malware (MBAM) is a tool that you can use to remove malware-related files, services, registry entries and so on for free. To learn more about this malware removal utility, we suggest you read and follow the tutorial or the video guide below.
Use KVRT to remove Happychoose
Kaspersky virus removal tool (KVRT) is a free portable program that scans your machine for spyware, ransomware, adware software, PUPs, trojans, worms and other malicious software and helps uninstall them easily. Moreover, it will also allow you to delete any other security threats for free.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop from the link below.
After the download is finished, double-click on the KVRT icon. Once initialization procedure is done, you will see the KVRT screen like below.
Click Change Parameters and set a check mark next to all your drives. Click OK to close the Parameters window. Next, press the Start scan button to check your PC system for the Happychoose ransomware and other malicious software. This process can take quite a while, so please be patient. While the Kaspersky virus removal tool is scanning, you can see how many objects it has identified as being malware.
Once Kaspersky virus removal tool has finished scanning your computer, Kaspersky virus removal tool will show you the results as displayed in the following example.
Review the results once the tool has completed the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click on Continue to start the cleaning procedure.
How to decrypt .happychoose files
Files with the extension ‘.happychoose’ are encrypted files. In other words, the contents of these files are locked. Their contents cannot be read even if you rename files or change their extension. Unfortunately, today there is no way to decrypt files encrypted by the Happychoose ransomware virus, because to decrypt them you need a unique key, and this key is in the hands of criminals.
Never pay the ransom! Everyone has to remember that paying the developers of the Happychoose ransomware virus who are threatening you is a terrible idea. You can pay this money, but there is no guarantee that your files will be yours again. That is the reason why you should consider other options (that do not involve paying the makers of the Happychoose ransomware) in order to recover locked personal files. There still are some ways to defuse crypto malware without paying a ransom, so you would not need to pay hackers and you would not let them reach their goal.
Fortunately, there are several alternative methods that do not require the use of a key and therefore allow you to restore the contents of encrypted files. Try to recover the encrypted files using the free tools listed below.
How to restore .happychoose files
If all your files are encrypted with the .happychoose file extension, then you only have one thing left: to use alternative methods to restore the contents of the encrypted files. There are several alternative methods that may allow you to recover .happychoose files. These methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now: use free malware removal tools or return to step 1 above.
Restore .happychoose encrypted files using Shadow Explorer
A free tool named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7, Vista). You can recover your documents, photos, and music encrypted by Happychoose ransomware from Shadow Copies for free. Unfortunately, this method does not always work, because the ransomware almost always deletes all Shadow Copies.
Please go to the link below to download ShadowExplorer. Save it to your Desktop.
After the downloading process is complete, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder, such as the one below.
Launch the ShadowExplorer utility and then choose the disk (1) and the date (2) of the shadow copy from which you want to recover the file(s) encrypted by the Happychoose crypto virus, as shown in the following example.
Now navigate to the file or folder that you want to recover. When ready, right-click on it and press the ‘Export’ button as displayed in the following example.
Run PhotoRec to restore .happychoose files
There is another way to recover the contents of the encrypted files. This method is based on using a data recovery tool called PhotoRec. It has all the necessary functions and is completely free.
Download PhotoRec on your computer from the following link.
When downloading is complete, open the directory in which you saved it. Right-click on testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder like below.
Double-click on qphotorec_win to run PhotoRec for Microsoft Windows. It will show a window like the one displayed below.
Select a drive to recover as shown in the figure below.
You will see a list of available partitions. Select a partition that holds encrypted personal files as shown on the screen below.
Click the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is finished, press the OK button.
Next, click the Browse button to select where recovered documents, photos and music should be written, then click Search.
The count of recovered files is updated in real time. All recovered photos, documents and music are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.
When the restore is finished, click on the Quit button. Next, open the directory where recovered files are stored. You will see contents similar to the one below.
All recovered personal files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can sort your restored files by extension and/or date/time.
How to protect your system from Happychoose crypto virus?
Most antivirus software already has a built-in protection system against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. As an extra protection, use HitmanPro.Alert. All in all, HitmanPro.Alert is a fantastic utility to protect your PC system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows OS from Windows XP to Windows 10.
First, visit the following page, then click the ‘Download’ button in order to download the latest version of HitmanPro Alert.
When the downloading process is done, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the utility is started, you’ll be shown a window where you can choose a level of protection, as shown in the following example.
Now click the Install button to activate the protection.
To sum up
This guide was created to help all victims of Happychoose ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .Happychoose files; how to recover the encrypted files. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Happychoose virus related issues, go here.