HR ransomware (Virus Removal Guide) - Free Instructions

HR virus Removal Guide

What is HR ransomware?

HR ransomware is a data locker that attacks Network-attached storage (NAS) devices via firmware vulnerabilities

HR ransomwareHR ransomware is a data wiper that corrupts all the files on NAS device but asks for ransom for the recovery key

HR ransomware is malware that was first identified by a security researcher Amigo-A in early March 2020. While its main goal exactly the same as other file locking viruses – to make victims pay for the decryption tool, this ransomware's operation principle is a bit different – it only targets NAS (Network-attached storage) devices – so far, only Zyxel Nas326 model was seen being infected in the wild. Researchers believe that HR ransomware is injected into the machine using a firmware vulnerability that allowed the attackers to obtain root access.

HR ransomware developers ask users to pay 0.113 BTC to the 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX Bitcoin wallet and then email them via to allegedly retrieve the decryption key that could unlock data. All the information is provided inside RANSOM_NOTE.txt file, which serves as message from the virus authors. Paying the ransom may be completely useless due to a different type of file modification method in comparison to regular ransomware infections.

Name HR ransomware
Type Data wiper, ransomware
Distribution Malicious actors spread the infection via NAS device' Zyxel firmware vulnerability – escalate privileges and then plant the malware
File extension All data located on the NAS storage is appended with .HR or file extension
Ransom note RANSOM_NOTE.txt is left behind after file “encryption” process
Contact Crooks ask victims to contact them via the after the payment is made
Ransom size 0.113 BTC
Bitcoin wallet 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX
File recovery HR ransomware corrupts data, resizing each file to 77kb, so recovery software will not work. Even the attackers themselves may not have the working copies of files, so paying ransom is highly discouraged
Malware removal Removing malware from NAS device is crucial in order to prevent it from encrypting the incoming files. For that, use anti-malware software
Recovery If your system malfunctions after malware termination, scan it with FortectIntego

Unlike regular ransomware viruses that target desktop computers running Windows, HR ransomware goes for NAS devices. In the wild, most of the infections occur on regular machines and their connected networks, although there have been other file-locking malware that was targeting NAS systems before, such as Muhstik, DecryptIomega, and others. Similarly to HR ransomware, these infections were proliferated with the help of software vulnerabilities.

HR ransomware targets the most common file types on the NAS system, including .jpg, .doc, .txt, .dat, .ppt, .mp4, etc., in order to cause maximum damage to victims. However, instead of encrypting files with a secure encryption algorithm,[1] HR virus damages files by replacing their content with a string sdsdfvjregjnuituergburiaylrgfreg784r78q3784rtgoyfp027r8go8graofbhsldcdyrfo7gf.

Each of such compromised files, regardless of its original size, turns into a 77kb size file and is appended with .HR or extension. Despite that, researchers believe that the attackers may transfer the original files to their own servers, which may make the redemption possible. No documented recovery was yet tracked, although the Bitcoin wallet used by attackers already has two transactions.[2]

After the encryption process, HR ransomware victims can find the following ransom note:

The harddisks of your computer have been encrypted with an Military grade encryption algorithm.
There is no way to restore your data without a special key.
Only we can decrypt your files!
To purchase your key and restore your data, please follow these three easy steps:
1. pay exactly 0.1130 BTC to this Wallet : 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX
2. Once payment has been completed, send email to .send this id as content of email : 1mk8hjkn2old3
We will check to see if payment has been paid.
3. You will receive a text file with your KEY that will unlock all your files.
IMPORTANT: To decrypt your files, place text file on desktop and wait. Shortly after it will begin to decrypt all files.
Do NOT attempt to decrypt your files with any software as it is obselete and will not work, and may cost you more to unlcok your files.
Do NOT change file names, mess with the files, or run deccryption software as it will cost you more to unlock your files-
-and there is a high chance you will lose your files forever.
Do NOT send “PAID” button without paying, price WILL go up for disobedience.
Do NOT think that we wont delete your files altogether and throw away the key if you refuse to pay. WE WILL.


Unfortunately, due to the nature of the attack, believing cybercriminals should not be an option. Even if HR ransomware authors transfer all the healthy data to their own servers, it is important to note that their storage will run out of space eventually (NAS devices typically store a large amount of data).

HR ransomware virusHR ransomware is a type of malware that attacks NAS devices via firmware vulnerabilities

Nevertheless, because many users may be unaware of these circumstances, HR ransomware developers may use it as a means for blackmail. Those who pay the ransom may end up scammed. Unfortunately, the affected files located on the device are damaged, and no recovery software will retrieve them.

The best advice would be to remove HR ransomware from the machine to prevent the incoming data compromise. For that, victims should employ powerful security software and perform a full system scan. In case your system is malfunctioning even after HR ransomware removal, repair it with FortectIntego.

Vulnerabilities allow malware to penetrate systems automatically

Software vulnerabilities are essentially “weak spots” within the code that can be used for various purposes. By exploiting these flaws, malicious actors can escalate privilege, disable security software, implant malware, and perform many other actions (depending on the severity of the vulnerability).

Vulnerabilities that are exploited in the wild are called Zero-day[3] flaws, which means that they have not yet been fixed by the responsible party (essentially, developer of the software). Ransomware that attacks NAS devices is typically spread by using zero-days, so there is no way to mitigate the attack vector until the developer fixes the flaw and then releases a security patch.

Therefore, we strongly advise not using Zyxel Nas326 for the time being until the vulnerability is patched. As a minimal precautionary measure, the stored data should be backed on another storage device until the flaw is fixed.

HR ransomware encrypted filesHR ransomware changes the size of each of the file to 77kb and replaces the contents with sdsdfvjregjnuituergburiaylrgfreg784r78q3784rtgoyfp027r8go8graofbhsldcdyrfo7gf, corrupting data in the process

Delete the HR ransomware infection from your NAS device

Since HR ransomware virus is a relatively new infection, not much is known about its operation or even HR ransomware removal methods. Therefore, we first suggest to install a reputable anti-malware program and perform a full system scan via the App Center functionality. Additionally, you should also change all the passwords related to the device, remove unknown user accounts, get rid of unwanted apps, and set an access control list via Control Panel > Security > Security level.

However, if you could not remove HR ransomware from the system by using anti-malware, you might have to perform a full factory reset by going to the following path: Control Panel > Service > Maintenance > Configuration Backup > Factory Reset.

As for HR ransomware affected files, currently, there is no solution available, as the data gets corrupted. We suggest waiting till security researchers find out more about this data wiper.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of HR virus. Follow these steps

Manual removal using Safe Mode

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove HR using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of HR. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that HR removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from HR and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Protect your privacy – employ a VPN

There are several ways how to make your online time more private – you can access an incognito tab. However, there is no secret that even in this mode, you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus leaving your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, and available for both first and third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without a feeling of being spied or targeted by criminals. 

No backups? No problem. Use a data recovery tool

If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many straight out panic when such an unfortunate course of events happen. Due to this, you should always ensure that you prepare proper data backups on a regular basis.

If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions