
HiddenTear ransomware virus. How to remove? (Uninstall guide)

by Julie Splinters | Type: Ransomware

HiddenTear viruses dominate in the cyber space

The picture illustrating Hidden Tear virus

HiddenTear is an open-source crypto-malware. It was originally devised as ransomware for educational purposes only[1]. The intention was merely ideological: the creator wanted to demonstrate file encryption with AES.

However, it all went wrong: free access to the source code gave malware developers multiple opportunities to exploit it for their own malicious purposes. At the moment, 30% of all file-encrypting threats detected in June derive from this cyber menace.[2]

The credit for devising this “educational” threat belongs to a Turkish programmer named Utku Sen. He first uploaded the infection as an open-source virus model to a GitHub page in 2015[3].

Whether he anticipated that the virus would evolve into a malware template for other hackers remains a rhetorical question. Since its introduction, cyber criminals of various ilk have exploited the programming code for their malicious intentions.

The virus gave birth to dozens of threats: Winsec virus, a Portuguese version of the Hidden Tear, BlackRose, Karmen, Kampret, Mora Project, etc.[4]. Cyber villains from other countries demonstrate their capabilities as well.

Recently, a couple of French[5] versions have been detected. Unlike its counterparts, the first variation has a very detailed payment site. After finishing the encryption procedure, it appends the .locked file extension. Further instructions are delivered in the READ_IT_FOR UNLOCK.txt and Tutoriel.bmp files.

The second variation appends the same file extension but introduces itself as VideoBelle ransomware. Interestingly, though the ransom note is written in French, it demands a ransom of 150 British pounds.

While the majority of the variations are created to extort money, some versions of this malware are designed simply for amusement. One of the recent variations included photos of the famous virus researcher Karsten Hahn in the source code. Luckily, this version does not encrypt files.

Within such a short period of existence, a successor of the malware, HiddenTear 2.0, has appeared on the web as well. Indeed, it has developed into one of the biggest cyber issues.

On the other hand, IT professionals have devised a decrypter for this malware and the viruses based on this code. Note that HiddenTear removal must be performed before advancing to a file-decrypting procedure. Reimage or Malwarebytes Anti Malware is capable of completing efficient termination.

One of the main factors behind the malware's wide spread was its accessibility on the world wide web. The GitHub page with the malware template is accessible to everyone and does not require access to Tor or the dark web.

According to its author, HiddenTear malware uses the standard AES encryption method. It generates a public key. It is then transmitted to a remote Command and Control server. In order to decrypt files encoded with this tool, a special private key is required.

On the other hand, a certain level of programming knowledge is also needed. A web server that supports Python, PHP, JavaScript or other programming languages is necessary to complete the configuration of the malware.

Despite the warnings not to use this malware for anything other than educational needs, a string of Hidden Tear-based viruses has emerged recently. One distinctive feature unifies these threats: such a virus does not have its own GUI (graphical user interface). In other words, once the virus fully occupies the system, it creates a .txt file. Depending on the author, the ransom note may include an extensive description of the virus and the instructions how to get a virus.

Usually, users of the template code provide single-use email addresses for victims to contact them. Certainly, a paid ransom should encourage the felons to return the files. However, such cases are quite rare. As for the GUI feature, the WinSec ransomware sample is an exception to the rule, as it presents its own interface in Portuguese.

Thus, the availability of Hidden Tear ransomware also gives room for crafting more elaborate versions. One of the versions even targeted Pokemon Go players in Central Asia a while ago[6].

Versions of Hidden Tear malware:

HiddenTear 2.0 ransomware virus. This version of ransomware encrypts files and provides data recovery instructions in the README.txt file. The ransom note says that victims have to use a password from the DecryptPassword.txt file, which has been hidden somewhere on the targeted computer. However, the file is located in the My Documents folder. Once you decrypt your files, you should also scan the computer with reputable security software.

Faizal ransomware virus. Malware spreads as a fake installer package of “Street Racing Club” game which is popular in Southeast Asia. However, ransomware mostly aims at Indonesian computer users. To the encrypted files, it appends .gembok file extension. Following data encryption, the virus delivers a ransom note called PENTING !!!.htm where cyber criminals ask to send a voucher code of 100.000 Indonesian Rupees to Nevertheless, the size of the ransom is not high (about $7.50); paying is not recommended.

Kindest ransomware virus. It's an educational version of Hidden Tear ransomware. Instead of encrypting files, the ransomware asks the victim to watch a YouTube video about file-encrypting viruses. Once the victim finishes watching the video, the malware is supposed to delete itself. However, we also recommend scanning the computer with reputable security software to make sure that the virus is gone.

FailedAccess ransomware virus. Also known as CryptoSomware virus, this cyber threat appends .FailedAccess file extension and demands to pay the ransom. However, victims of the ransomware can use StupidDecryptor and restore corrupted files for free. Thus, after the attack, the only thing you need to do is to perform virus removal.

Mordor ransomware virus. The virus uses AES-256 cryptography to damage files on the targeted computers. Once all files have the .mordor extension, it opens a ransom note from the READ_ME.html file. Written in English, Japanese, Italian, Chinese, Indian, Portuguese, French and German, the ransom note says that victims have to pay 0.07066407 BTC in order to recover the files. Undoubtedly, instead of paying, you should get rid of the virus.

Ruby ransomware virus. Behind this crypto-malware stands a hacker named Hayzam Sheriff. The virus is designed to append the .ruby file extension to each of the targeted files. Once this hazardous task is done, the malware automatically opens a ransom note, rubyLeza.html. However, the author of the virus does not reveal how many Bitcoins victims have to transfer. Thus, there's nothing else left to do but remove Ruby from the PC.

GruxEr ransomware virus. This variant of HiddenTear uses three executables to run different malicious programs on the affected computer: TEARS.exe, WORM.exe, and GRUXER.exe. Although the malware encrypts numerous file types, its priority is JPG files. Cyber criminals provide data recovery instructions in the READ_IT.txt file and run a program window. In order to decrypt corrupted data, victims are asked to pay $250 in Bitcoins.

Decryption Assistant ransomware virus. This malware spreads as a fake Adobe Flash Player update. Once the victim installs it, the ransomware starts encrypting files and appending the .pwned file extension to each of them. Then it runs a program window that includes data recovery instructions and a timer that shows how much time is left to pay the ransom. However, you'd better hurry up with virus removal.

MoWare H.F.D ransomware virus. The distinguishing feature of this ransomware is the appended .H_F_D_locked file extension. The malware then informs victims about the possibility to obtain decryption software for 0.02 Bitcoins. However, if users do not take this offer within 4 days, the size of the ransom will increase to 0.05 Bitcoins. After transferring the money, victims need to contact hackers via and send their Bitcoin transaction ID. However, following these instructions may lead to financial loss.

Crying ransomware virus. This file-encrypting virus enters the system as the ECRYING.exe file and starts encrypting files with AES cryptography. After encryption, all targeted files have the .crying file extension. It also installs a ransom note called READ_IT.txt and runs a program window where the authors of Crying malware give the Bitcoin wallet address to which victims have to transfer the ransom.

R3store ransomware virus. The virus marks targeted files with the .r3store file extension, which prevents victims from using them. It downloads a ransom note called READ_IT.txt to each folder that includes encrypted data. The ransom-demanding message reveals that data recovery with the hackers' software costs $450. However, no one can guarantee that this tool is actually working.

Resurrection ransomware virus. It encrypts files with the AES-256 cipher and adds the .(random).resurrection file extension to the targeted data. Once it's done, the ransomware opens the README.html file in a browser window. Here cyber criminals ask to contact them via and transfer 1.77 Bitcoin in order to get a decryption key.

Executioner ransomware virus. It’s a Turkish version of Hidden Tear malware. It appends a random file extension to encrypted files and provides ransom payment instructions in .txt and .html files. The Sifre_Cos_Talimat.html informs that victims have to contact attackers and send 150 in Bitcoins. However, doing this is not necessary because malware is decryptable.

KKK ransomware virus. Malware spreads as an obfuscated Facebook.exe file. Undoubtedly, the file name is tricky and misleading. Once this payload is downloaded to the system, malware starts data encryption and adds .KKK file extension to targeted files. Then malware runs an “Information” window that provides instructions how to redeem encrypted files. To get back their files, people have to transfer 0.05 bitcoins (not recommended).

BeethoveN ransomware virus. The virus is designed to encrypt files using a combination of AES and RSA ciphers. It appends the .beethoveN extension to each of the targeted files. Once it's done, the malware delivers ransom payment instructions in the FILEUST.tx file and a program window. Victims are supposed to transfer the ransom within 168 hours (not recommended).

CryMore ransomware virus. The hacker named “TMC” was inspired by WannaCry and made a virus whose name resembles the infamous cyber threat. The ransomware uses AES encryption to lock the most popular types of files on the affected computer. In the poorly written ransom note, victims are asked to pay the ransom within 12 hours. Later the demanded sum of money will increase.

CryptoGod ransomware virus. During data encryption, the virus adds .payforunlock file extension to each of the targeted document, audio, video, image and other files. The ransom note tells of paying 0.03 BTC for data recovery. The size of the payment will increase up to 0.05 Bitcoins after provided deadline. After the transaction, victims have to send an email to However, you may not receive an answer and help to restore your files.

$usyLocker ransomware virus. This variant of HiddenTear is executed from VapeHacksLoader.exe. After infiltration, malware encrypts data and appends .WINDOWS file extension. In the ransom note called READ_IT.txt criminals inform that victims have to pay 0.16 Bitcoins. However, it’s a risky business that may lead to money loss.

CryForMe ransomware virus. The virus pretends to be related to the infamous WannaCry ransomware. Malware is executed from CryForMe.exe. On the affected device it starts data encryption procedure immediately. When all targeted files are secured, the malware runs a blue ransom-demanding window. Cyber criminals ask to pay €250 in bitcoins within 7 days time.

Mora Project ransomware virus. This variant of Hidden Tear prevents victims from opening their files by appending .encrypted file extension. People are suggested to use The-decrypter.exe program to recover their files for $40.000. However, following the instructions provided in ReadMe_Important.txt file is not recommended.

FlatChestWare ransomware virus presents a few interesting features. While the operation mode does not differ much from its previous versions, as it encodes files and appends .flat file extension to the affected data, it displays a fake Windows UAC message.

After the FlatChestWare.exe file is executed, the malware will display a User Account message asking you to restart the system in order for the supposed Windows update to complete successfully. Note that genuine Windows Update messages differ slightly. The latest messages do not remind you to save data.

Furthermore, in Windows 10 systems such messages do not appear anymore. A similar message appeared due to the bug in 2918614. It seems that the developer – the fan of anime – failed to make the malware a full-fledged malware as this version is decryptable. 
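A triage sketch for the variant list above, added here as an example and not part of the original guide: it matches file names under a folder against the appended extensions and ransom-note names the guide lists, and ranks the candidate variants. The function names and the sample file names are constructed for illustration; note that .locked and .encrypted are generic and are also used by unrelated ransomware families.

```python
import os
import tempfile
from collections import Counter

# (variant, appended extension, note/artifact names, recovery hint from the guide).
# README.txt and README.html are left out: too common to be useful indicators.
VARIANTS = [
    ("HiddenTear 2.0", None, ["DecryptPassword.txt"], "password file in My Documents"),
    ("French variant / VideoBelle", ".locked", ["READ_IT_FOR UNLOCK.txt", "Tutoriel.bmp"], None),
    ("Faizal", ".gembok", ["PENTING !!!.htm"], None),
    ("FailedAccess", ".FailedAccess", [], "StupidDecryptor"),
    ("Mordor", ".mordor", ["READ_ME.html"], None),
    ("Ruby", ".ruby", ["rubyLeza.html"], None),
    ("GruxEr", None, ["READ_IT.txt"], None),
    ("Decryption Assistant", ".pwned", [], None),
    ("MoWare H.F.D", ".H_F_D_locked", [], None),
    ("Crying", ".crying", ["READ_IT.txt"], None),
    ("R3store", ".r3store", ["READ_IT.txt"], None),
    ("Resurrection", ".resurrection", [], None),
    ("Executioner", None, ["Sifre_Cos_Talimat.html"], "described as decryptable"),
    ("KKK", ".KKK", [], None),
    ("BeethoveN", ".beethoveN", [], None),
    ("CryptoGod", ".payforunlock", [], None),
    ("$usyLocker", ".WINDOWS", ["READ_IT.txt"], None),
    ("Mora Project", ".encrypted", ["ReadMe_Important.txt"], None),
    ("FlatChestWare", ".flat", [], "described as decryptable"),
]

def scan(root):
    """Walk root; return {variant: Counter(ext=n, note=n)} for variants with hits."""
    by_ext = {ext.lower(): name for name, ext, _n, _h in VARIANTS if ext}
    by_note = {}
    for name, _ext, notes, _hint in VARIANTS:
        for note in notes:
            by_note.setdefault(note.lower(), []).append(name)
    hits = {}
    for _dir, _subdirs, files in os.walk(root):
        for fname in files:
            low = fname.lower()  # Windows file names are case-insensitive
            for name in by_note.get(low, []):  # a note may be shared by several variants
                hits.setdefault(name, Counter())["note"] += 1
            ext = os.path.splitext(low)[1]
            if ext in by_ext:
                hits.setdefault(by_ext[ext], Counter())["ext"] += 1
    return hits

def rank(hits):
    """Variants whose extension AND note both matched come first, then by total hits."""
    hints = {name: hint for name, _e, _n, hint in VARIANTS}
    rows = [(name, c["ext"], c["note"], hints[name]) for name, c in hits.items()]
    return sorted(rows, key=lambda r: (not (r[1] and r[2]), -(r[1] + r[2]), r[0]))

def demo(names):  # names: constructed sample file names, created empty in a temp dir
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            open(os.path.join(root, n), "w").close()
        return rank(scan(root))

if __name__ == "__main__":
    print(*demo(["report.docx.crying", "photo.jpg.crying", "READ_IT.txt", "notes.txt"]), sep="\n")
```

Each row is (variant, extension hits, note hits, recovery hint); READ_IT.txt alone is ambiguous between four variants, so the extension match is what puts Crying first in the sample.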

Distribution methods remain the same

Another feature that contributed to the success of the malware was its transmission techniques. Mainly, it traveled as an attachment to “urgent” and “highly important” emails. Some users may even get alarmed by fake notifications from a tax institution or the FBI.

Thus, do not rush to open such an attached file before verifying the sender. You may also pay attention to certain details which hint at the origin of the message: grammar mistakes, typos and altered credentials.

Furthermore, trojans also facilitate HiddenTear hijack. In order to reduce the risk of such infiltration, combine your anti-virus app with anti-spyware software. Regardless of the claims about the immunity to AV programs, the majority of HiddenTear variations are detectable[7].

Steps to terminate HiddenTear infection

When it comes to the original version of Hidden Tear virus or a derivative version, brush aside the idea to terminate it manually. The malware is capable of disguising its source files and processes so manual eradication may not be successful. Thus, let a cyber security application remove HiddenTear.

While the original version hardly behaves as a screen-locking threat, some of the newer ones may disable specific system functions, which results in a lock screen. In that case, benefit from the instructions below. Once you regain full control, continue HiddenTear removal with the help of reputable security software.


Manual HiddenTear virus Removal Guide:

Remove HiddenTear using Safe Mode with Networking

Recover the access to all computer functions with Safe Mode function.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
  • Step 2: Remove HiddenTear

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete HiddenTear removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove HiddenTear using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of HiddenTear. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that HiddenTear removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove HiddenTear from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by HiddenTear, you can use several methods to restore them:

Data Recovery Pro method

This program claims to be able to recover not only the encrypted files but lost emails as well.

The benefit of ShadowExplorer

Despite the popularity of HiddenTear virus, it hardly deletes shadow volume copies – the tool for Shadow Explorer to recover your encoded data. 

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Hidden Tear Decrypter

You can now decrypt the majority of viruses originating from this malware. There are two alternative versions:

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from HiddenTear and other ransomware, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Julie Splinters - Malware removal specialist



  • boogieman

    Finally decrypted!

  • Ellis47

    Decryptor failed 🙁

  • metalLbruce

    I hope, the end for this malware is near.