HR virus Removal Guide
What is HR ransomware?
HR ransomware is a data locker that attacks Network-attached storage (NAS) devices via firmware vulnerabilities
HR ransomware is a data wiper that corrupts all the files on NAS device but asks for ransom for the recovery key
HR ransomware is malware that was first identified by a security researcher Amigo-A in early March 2020. While its main goal exactly the same as other file locking viruses – to make victims pay for the decryption tool, this ransomware's operation principle is a bit different – it only targets NAS (Network-attached storage) devices – so far, only Zyxel Nas326 model was seen being infected in the wild. Researchers believe that HR ransomware is injected into the machine using a firmware vulnerability that allowed the attackers to obtain root access.
HR ransomware developers ask users to pay 0.113 BTC to the 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX Bitcoin wallet and then email them via firstname.lastname@example.org to allegedly retrieve the decryption key that could unlock data. All the information is provided inside RANSOM_NOTE.txt file, which serves as message from the virus authors. Paying the ransom may be completely useless due to a different type of file modification method in comparison to regular ransomware infections.
|Type||Data wiper, ransomware|
|Distribution||Malicious actors spread the infection via NAS device' Zyxel firmware vulnerability – escalate privileges and then plant the malware|
|File extension||All data located on the NAS storage is appended with .HR or .hr.hr.hr file extension|
|Ransom note||RANSOM_NOTE.txt is left behind after file “encryption” process|
|Contact||Crooks ask victims to contact them via the email@example.com after the payment is made|
|Ransom size||0.113 BTC|
|File recovery||HR ransomware corrupts data, resizing each file to 77kb, so recovery software will not work. Even the attackers themselves may not have the working copies of files, so paying ransom is highly discouraged|
|Malware removal||Removing malware from NAS device is crucial in order to prevent it from encrypting the incoming files. For that, use anti-malware software|
|Recovery||If your system malfunctions after malware termination, scan it with ReimageIntego|
Unlike regular ransomware viruses that target desktop computers running Windows, HR ransomware goes for NAS devices. In the wild, most of the infections occur on regular machines and their connected networks, although there have been other file-locking malware that was targeting NAS systems before, such as Muhstik, DecryptIomega, and others. Similarly to HR ransomware, these infections were proliferated with the help of software vulnerabilities.
HR ransomware targets the most common file types on the NAS system, including .jpg, .doc, .txt, .dat, .ppt, .mp4, etc., in order to cause maximum damage to victims. However, instead of encrypting files with a secure encryption algorithm, HR virus damages files by replacing their content with a string sdsdfvjregjnuituergburiaylrgfreg784r78q3784rtgoyfp027r8go8graofbhsldcdyrfo7gf.
Each of such compromised files, regardless of its original size, turns into a 77kb size file and is appended with .HR or .hr.hr.hr extension. Despite that, researchers believe that the attackers may transfer the original files to their own servers, which may make the redemption possible. No documented recovery was yet tracked, although the Bitcoin wallet used by attackers already has two transactions.
After the encryption process, HR ransomware victims can find the following ransom note:
The harddisks of your computer have been encrypted with an Military grade encryption algorithm.
There is no way to restore your data without a special key.
Only we can decrypt your files!
To purchase your key and restore your data, please follow these three easy steps:
1. pay exactly 0.1130 BTC to this Wallet : 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX
2. Once payment has been completed, send email to firstname.lastname@example.org .send this id as content of email : 1mk8hjkn2old3
We will check to see if payment has been paid.
3. You will receive a text file with your KEY that will unlock all your files.
IMPORTANT: To decrypt your files, place text file on desktop and wait. Shortly after it will begin to decrypt all files.
Do NOT attempt to decrypt your files with any software as it is obselete and will not work, and may cost you more to unlcok your files.
Do NOT change file names, mess with the files, or run deccryption software as it will cost you more to unlock your files-
-and there is a high chance you will lose your files forever.
Do NOT send “PAID” button without paying, price WILL go up for disobedience.
Do NOT think that we wont delete your files altogether and throw away the key if you refuse to pay. WE WILL.
Unfortunately, due to the nature of the attack, believing cybercriminals should not be an option. Even if HR ransomware authors transfer all the healthy data to their own servers, it is important to note that their storage will run out of space eventually (NAS devices typically store a large amount of data).
HR ransomware is a type of malware that attacks NAS devices via firmware vulnerabilities
Nevertheless, because many users may be unaware of these circumstances, HR ransomware developers may use it as a means for blackmail. Those who pay the ransom may end up scammed. Unfortunately, the affected files located on the device are damaged, and no recovery software will retrieve them.
The best advice would be to remove HR ransomware from the machine to prevent the incoming data compromise. For that, victims should employ powerful security software and perform a full system scan. In case your system is malfunctioning even after HR ransomware removal, repair it with ReimageIntego.
Vulnerabilities allow malware to penetrate systems automatically
Software vulnerabilities are essentially “weak spots” within the code that can be used for various purposes. By exploiting these flaws, malicious actors can escalate privilege, disable security software, implant malware, and perform many other actions (depending on the severity of the vulnerability).
Vulnerabilities that are exploited in the wild are called Zero-day flaws, which means that they have not yet been fixed by the responsible party (essentially, developer of the software). Ransomware that attacks NAS devices is typically spread by using zero-days, so there is no way to mitigate the attack vector until the developer fixes the flaw and then releases a security patch.
Therefore, we strongly advise not using Zyxel Nas326 for the time being until the vulnerability is patched. As a minimal precautionary measure, the stored data should be backed on another storage device until the flaw is fixed.
HR ransomware changes the size of each of the file to 77kb and replaces the contents with sdsdfvjregjnuituergburiaylrgfreg784r78q3784rtgoyfp027r8go8graofbhsldcdyrfo7gf, corrupting data in the process
Delete the HR ransomware infection from your NAS device
Since HR ransomware virus is a relatively new infection, not much is known about its operation or even HR ransomware removal methods. Therefore, we first suggest to install a reputable anti-malware program and perform a full system scan via the App Center functionality. Additionally, you should also change all the passwords related to the device, remove unknown user accounts, get rid of unwanted apps, and set an access control list via Control Panel > Security > Security level.
However, if you could not remove HR ransomware from the system by using anti-malware, you might have to perform a full factory reset by going to the following path: Control Panel > Service > Maintenance > Configuration Backup > Factory Reset.
As for HR ransomware affected files, currently, there is no solution available, as the data gets corrupted. We suggest waiting till security researchers find out more about this data wiper.
Getting rid of HR virus. Follow these steps
Manual removal using Safe Mode
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove HR using System Restore
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of HR. After doing that, click Next.
- Now click Yes to start system restore.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from HR and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Protect your privacy – employ a VPN
There are several ways how to make your online time more private – you can access an incognito tab. However, there is no secret that even in this mode, you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus leaving your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, and available for both first and third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without a feeling of being spied or targeted by criminals.
No backups? No problem. Use a data recovery tool
If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many straight out panic when such an unfortunate course of events happen. Due to this, you should always ensure that you prepare proper data backups on a regular basis.
If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.