Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Nov 2016

How to remove Heimdall ransomware virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Julie Splinters · Anti-malware specialist

The effects of Heimdall ransomware

Heimdall virus happens to be one of those cyber threats inspired by mythology. The crooks favor Norse mythology after continuously terrorizing the world with the family of ODIN, Locky, and Thor. This time they borrowed the name of Heimdall – the deity of dawn and light – for their ransomware image. The virus received more attention after its author published it in GitHub, open-source project network. There, he demonstrated its features. Though the ransomware is not expected to be released on the massive scale, there are already cases when some users were attacked by this virus. If this malware has befallen you as well, you need to remove Heimdall completely. More information about its elimination steps can be found below the article.

The ransomware has been created using PHP programming language. Though it differs in operation ways, the main principle is the same. Heimdall ransomware hides in a 482-line PHP file. Speaking of encryption techniques, it uses a specific variant of AES-128-CBS algorithm to encode personal data. Once the file-encrypting virus lands on a system, the file generates a graphical image of the ransom note. It presents email@email.com address as a distinctive label. The price of two bitcoins are asked in exchange for their files. The window also contains the tabs where “password for encrypted” and “password for decrypted” can be entered.

The screenshot of Heimdall virus

Interestingly, the ransomware places its script in $_SERVER[‘DOCUMENT_ROOT’] and encrypts the files in this folder.
The most destructive feature of this ransomware is that all files, regardless of their format might be corrupted, by the ransomware. Later on, you can identify the locked files by .heimdall extension. In this regard, the ransomware might be even more damaging than Locky which targets a wide range of files but not all. However, this ransomware suggests that the author might not be related with the crooks of the previously mentioned Locky. The ransom message itself differs from the ransom messages shown by the latter infection.

Though the developer created the ransomware for educational purposes, such behavior of publicly demonstrating the essential features might turn out negatively. There was the case with some variant of Apocalypse when the crook boasted about his creation on the darknet. However, such boasting was quickly spotted by famous virus researcher Fabian Wosar. After all, the ransomware was quickly taken down. Thus, .heimdall file extension virus also presents the signs of such amateur behavior which is opposed to the refined image of Locky. Specialists conclude that now, when the virus was presented as the project on GitHub, the chances of it becoming a global ransomware are low. However, there is a risk for other hackers to get some valuable knowledge for future cyber infections. Likewise, it is crucial how quickly you can initiate Heimdall removal. Employ FortectIntego to ensure complete eradication.

When does the virus hijack PCs?

Though the Brazilian developer of the hacker was asked to remove the ransomware from GitHub, the malware is still there. It means that Heimdall malware might not have been set free to roam on the world wide web yet. Nonetheless, when it comes to ransomware and their creators, it is naive to expect any drop of conscience. Even if the author does not deploy massive Heimdall hijack campaign, others might do it for him. However, now as the virus researchers get a hold of such virus, the ransomware might fail to reach its full destructive power. If it is published on the Internet, be careful not to carelessly open spam messages. They often happen to hide malicious .doc, .js, or .dll binaries containing the file-encrypting malware.

Easy Heimdall removal guide

If you somehow managed to get infected with Heimdall virus, we recommend using an anti-spyware application, for example, FortectIntego. This application deals with ransomware-type viruses effectively and ensures that all elements are completely eradicated. The security tool will remove Heimdall within a moment. Do not forget to update it. If you somehow find difficulties eliminating the threat, take a look at the below guidelines. After implementing the steps, you should be able to proceed with Heimdall removal.

3 comments

Read in your language

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.