Severity scale:  

Remove HR ransomware (Virus Removal Guide) - Free Instructions

removal by Linas Kiguolis - - | Type: Ransomware

HR ransomware is a data locker that attacks Network-attached storage (NAS) devices via firmware vulnerabilities

HR ransomwareHR ransomware is a data wiper that corrupts all the files on NAS device but asks for ransom for the recovery key

HR ransomware is malware that was first identified by a security researcher Amigo-A in early March 2020. While its main goal exactly the same as other file locking viruses – to make victims pay for the decryption tool, this ransomware's operation principle is a bit different – it only targets NAS (Network-attached storage) devices – so far, only Zyxel Nas326 model was seen being infected in the wild. Researchers believe that HR ransomware is injected into the machine using a firmware vulnerability that allowed the attackers to obtain root access.

HR ransomware developers ask users to pay 0.113 BTC to the 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX Bitcoin wallet and then email them via to allegedly retrieve the decryption key that could unlock data. All the information is provided inside RANSOM_NOTE.txt file, which serves as message from the virus authors. Paying the ransom may be completely useless due to a different type of file modification method in comparison to regular ransomware infections.

Name HR ransomware
Type Data wiper, ransomware
Distribution Malicious actors spread the infection via NAS device' Zyxel firmware vulnerability – escalate privileges and then plant the malware
File extension  All data located on the NAS storage is appended with .HR or file extension
Ransom note RANSOM_NOTE.txt is left behind after file “encryption” process
Contact Crooks ask victims to contact them via the after the payment is made
Ransom size 0.113 BTC
Bitcoin wallet 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX 
File recovery  HR ransomware corrupts data, resizing each file to 77kb, so recovery software will not work. Even the attackers themselves may not have the working copies of files, so paying ransom is highly discouraged
Malware removal  Removing malware from NAS device is crucial in order to prevent it from encrypting the incoming files. For that, use anti-malware software 
Recovery If your system malfunctions after malware termination, scan it with Reimage Reimage Cleaner Intego

Unlike regular ransomware viruses that target desktop computers running Windows, HR ransomware goes for NAS devices. In the wild, most of the infections occur on regular machines and their connected networks, although there have been other file-locking malware that was targeting NAS systems before, such as MuhstikDecryptIomega, and others. Similarly to HR ransomware, these infections were proliferated with the help of software vulnerabilities.

HR ransomware targets the most common file types on the NAS system, including .jpg, .doc, .txt, .dat, .ppt, .mp4, etc., in order to cause maximum damage to victims. However, instead of encrypting files with a secure encryption algorithm,[1] HR virus damages files by replacing their content with a string sdsdfvjregjnuituergburiaylrgfreg784r78q3784rtgoyfp027r8go8graofbhsldcdyrfo7gf. 

Each of such compromised files, regardless of its original size, turns into a 77kb size file and is appended with .HR or extension. Despite that, researchers believe that the attackers may transfer the original files to their own servers, which may make the redemption possible. No documented recovery was yet tracked, although the Bitcoin wallet used by attackers already has two transactions.[2]

After the encryption process, HR ransomware victims can find the following ransom note:

The harddisks of your computer have been encrypted with an Military grade encryption algorithm.
There is no way to restore your data without a special key.
Only we can decrypt your files!
To purchase your key and restore your data, please follow these three easy steps:
1. pay exactly 0.1130 BTC to this Wallet : 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX
2. Once payment has been completed, send email to .send this id as content of email : 1mk8hjkn2old3
We will check to see if payment has been paid.
3. You will receive a text file with your KEY that will unlock all your files.
IMPORTANT: To decrypt your files, place text file on desktop and wait. Shortly after it will begin to decrypt all files.
Do NOT attempt to decrypt your files with any software as it is obselete and will not work, and may cost you more to unlcok your files.
Do NOT change file names, mess with the files, or run deccryption software as it will cost you more to unlock your files-
-and there is a high chance you will lose your files forever.
Do NOT send “PAID” button without paying, price WILL go up for disobedience.
Do NOT think that we wont delete your files altogether and throw away the key if you refuse to pay. WE WILL.


Unfortunately, due to the nature of the attack, believing cybercriminals should not be an option. Even if HR ransomware authors transfer all the healthy data to their own servers, it is important to note that their storage will run out of space eventually (NAS devices typically store a large amount of data).

HR ransomware virusHR ransomware is a type of malware that attacks NAS devices via firmware vulnerabilities

Nevertheless, because many users may be unaware of these circumstances, HR ransomware developers may use it as a means for blackmail. Those who pay the ransom may end up scammed. Unfortunately, the affected files located on the device are damaged, and no recovery software will retrieve them.

The best advice would be to remove HR ransomware from the machine to prevent the incoming data compromise. For that, victims should employ powerful security software and perform a full system scan. In case your system is malfunctioning even after HR ransomware removal, repair it with Reimage Reimage Cleaner Intego.

Vulnerabilities allow malware to penetrate systems automatically

Software vulnerabilities are essentially “weak spots” within the code that can be used for various purposes. By exploiting these flaws, malicious actors can escalate privilege, disable security software, implant malware, and perform many other actions (depending on the severity of the vulnerability).

Vulnerabilities that are exploited in the wild are called Zero-day[3] flaws, which means that they have not yet been fixed by the responsible party (essentially, developer of the software). Ransomware that attacks NAS devices is typically spread by using zero-days, so there is no way to mitigate the attack vector until the developer fixes the flaw and then releases a security patch.

Therefore, we strongly advise not using Zyxel Nas326 for the time being until the vulnerability is patched. As a minimal precautionary measure, the stored data should be backed on another storage device until the flaw is fixed.

HR ransomware encrypted filesHR ransomware changes the size of each of the file to 77kb and replaces the contents with sdsdfvjregjnuituergburiaylrgfreg784r78q3784rtgoyfp027r8go8graofbhsldcdyrfo7gf, corrupting data in the process

Delete the HR ransomware infection from your NAS device

Since HR ransomware virus is a relatively new infection, not much is known about its operation or even HR ransomware removal methods. Therefore, we first suggest to install a reputable anti-malware program and perform a full system scan via the App Center functionality. Additionally, you should also change all the passwords related to the device, remove unknown user accounts, get rid of unwanted apps, and set an access control list via Control Panel > Security > Security level.

However, if you could not remove HR ransomware from the system by using anti-malware, you might have to perform a full factory reset by going to the following path: Control Panel > Service > Maintenance > Configuration Backup > Factory Reset.

As for HR ransomware affected files, currently, there is no solution available, as the data gets corrupted. We suggest waiting till security researchers find out more about this data wiper.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove HR virus, follow these steps:

Remove HR using Safe Mode with Networking

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove HR

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete HR removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove HR using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of HR. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that HR removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from HR and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions


Your opinion regarding HR ransomware