Hades666 Cryptovirus - How to remove

Hades666 is a new cryptovirus and a member of the Maoloa ransomware family. Hades666 was named after the extension that it gives the encrypted files. So, if you notice that you can’t open your images, documents, songs, or other files anymore and that they’ve got the string “.Hades666” attached to their names, unfortunately, you’re a victim of this virus.

A text note called HOW TO BACK YOUR FILES.txt is left on the victims’ computers after the virus is done locking all the files:

YOUR FILES ARE ENCRYPTED !!!
TO DECRYPT, FOLLOW THE INSTRUCTIONS:
To recover data you need decrypt tool.
To get the decrypt tool you should:
1.In the letter include your personal ID! Send me this ID in your first email to me!
2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!
3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool!
4.We can decrypt few files in quality the evidence that we have the decoder.
DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:
[email protected]
ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:

The ransom text is very similar to the one by Mr-X666. Besides the text file, a new file with a long extension of seemingly random characters is placed in each affected folder. The [email protected] email address mentioned in the note is used not just by Hades666, but also by a few other cryptoviruses of the same family: Ares666, Persephone666. This is common for ransomware families and probably means that the virus is being distributed by the same person/group.

How does Hades666 work?

Ransomware is distributed through malicious spam emails, fake installers and updaters, pirated files, and files automatically downloaded from malicious websites. Targeted attacks are performed by breaking in through Remote Desktop. Avoiding all of these is nearly impossible, but you can still put up good resistance. You’ll reduce your chances of being infected with Hades666 and other ransomware if you take these steps:

  • Secure, severely restrict or even disable your Remote Desktop connection so that outsiders can’t even attempt to connect through it.
  • Update your programs, install all the latest security patches, don’t delay it for more than a few days.
  • Keep your antivirus tool active and scan new files with it before you open them.
  • Avoid shady websites that display pop-up ads, open new tabs, or redirect you unexpectedly. Those types of websites are more likely than others to show malicious ads.
  • Most importantly, keep up-to-date backups of your files.
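
A read-only check of the Remote Desktop exposure that the first step above refers to, as an added example that is not part of the original article. It uses standard Windows registry values and cmdlets, assumes an English-language system for the firewall group name, and leaves the corrective commands commented out.

```powershell
# Added example, not from the article: read-only audit of Remote Desktop exposure.
# Run in an elevated PowerShell session on the machine being checked.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Join-Path $ts 'WinStations\RDP-Tcp'

$deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
$nla  = (Get-ItemProperty -Path $rdp -Name UserAuthentication).UserAuthentication
$port = (Get-ItemProperty -Path $rdp -Name PortNumber).PortNumber

# Enabled inbound firewall rules in the built-in group (English display name assumed).
$rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

# Failed logons (event 4625) in the last 24 hours; a large count on a machine whose
# RDP port is reachable from outside usually means password guessing is under way.
$failed = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue)

[pscustomobject]@{
    RdpEnabled       = ($deny -eq 0)
    NlaRequired      = ($nla -eq 1)
    ListeningPort    = $port
    OpenInboundRules = $rules.Count
    FailedLogons24h  = $failed.Count
} | Format-List

# Corrective settings, left commented out so the audit changes nothing by itself:
# Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 1   # turn Remote Desktop off
# Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1   # require NLA if RDP stays on
# Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'          # close the inbound rules
```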

Cryptography is a very useful technology and it’s unfortunate that the developers of Hades666 are abusing it to extort money from people. Cryptocurrencies also get a bad reputation because they’re so widely used by criminals: Adame, Eris, in fact, nearly all ransomware viruses demand their ransoms in cryptocurrency. In the case of Hades666, a cryptocurrency will guarantee that the transactions are irrevocable and no one can get back their money. The ransom varies among the different strains of ransomware but tends to be from a few hundred dollars to a few thousand, depending on whether the virus is targeted at businesses or individuals. Understandably, some businesses can’t afford to lose their data and do pay, but that is risky and should be the absolute last resort.

.Hades666, the ransom note

How to restore Hades666 files

There are three ways to do this:

  • Pay for decryption to the criminals who did it.
  • Wait for Hades666 to be cracked and a free decryptor to be released.
  • Restore the data from a backup or previous versions.

Unless you are certain that you have backups, it’s possible that none of the three ways above will work. But you should definitely try to avoid paying the ransom. Not only would that be financing online extortion, a criminal activity, but it is not guaranteed to work, and there is no way to get your money back if the extortionists fail to provide you with the decryption tools.

Before you do anything, if you don’t want to lose the locked files, make a backup. Then you can mess with the Hades666 files without fear of irreparably damaging them.
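
One way to make that backup, as an added example that is not part of the original article: it copies every file carrying the .Hades666 extension and every copy of HOW TO BACK YOUR FILES.txt to another drive and records a SHA-256 manifest. The paths in $Source and $Dest are hypothetical, and treating the earliest write time as the approximate start of encryption is an assumption.

```powershell
# Added example, not from the article. $Source and $Dest are hypothetical paths:
# point $Dest at an external drive that is not normally attached to this PC.
$Source = 'C:\Users'
$Dest   = 'E:\Hades666-locked-files'

New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# Encrypted files are recognised by the appended extension, notes by their file name.
$files = @(Get-ChildItem -LiteralPath $Source -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.Hades666' -or $_.Name -eq 'HOW TO BACK YOUR FILES.txt' })

$manifest = foreach ($f in $files) {
    # Rebuild the folder structure under $Dest so identical file names cannot collide.
    $relative = $f.FullName.Substring($Source.Length).TrimStart('\')
    $target   = Join-Path $Dest $relative
    New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
    Copy-Item -LiteralPath $f.FullName -Destination $target

    [pscustomobject]@{
        Path      = $f.FullName
        Length    = $f.Length
        LastWrite = $f.LastWriteTimeUtc.ToString('o')
        SHA256    = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    }
}
$manifest | Export-Csv -Path (Join-Path $Dest 'manifest.csv') -NoTypeInformation

# Assumption: the earliest write time among encrypted files approximates when the
# encryption started, which helps when choosing a restore point or snapshot later.
$first = $files | Where-Object { $_.Extension -eq '.Hades666' } |
    Sort-Object LastWriteTime | Select-Object -First 1
'{0} items copied; earliest encrypted file written {1}' -f $files.Count, $first.LastWriteTime
```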

Stop Hades666 from doing anything — use a competent antivirus program, such as Spyhunter, to catch malware on your system. It’s likely that Hades666 isn’t the only malicious program. Afterward, you can restore your files from backups, System Restore, or the other ways to get back your data without the fear that Hades666 will encrypt it again.




How to recover Hades666 Cryptovirus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that was created before Hades666 Cryptovirus infiltrated your system and then click “Next”.
  • To start System restore click “Yes”.
 

Step 2. Complete removal of Hades666 Cryptovirus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Hades666 Cryptovirus.

Step 3. Restore Hades666 Cryptovirus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually Hades666 Cryptovirus tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
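
Before trying either tool, it helps to know whether any Shadow Volume Copies survived and whether one predates the encryption. The script below is an added example, not part of the original article; $Cutoff is a placeholder date and $Link a hypothetical folder name that you must set yourself.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
$Cutoff = Get-Date '2019-01-01 00:00'   # placeholder: when the first .Hades666 file appeared
$Link   = 'C:\shadow-view'              # hypothetical folder name, must not exist yet

# List every snapshot Windows still holds, oldest first.
$copies = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate)
$copies | Format-Table ID, VolumeName, InstallDate, DeviceObject -AutoSize

# Newest snapshot that was taken before the encryption started.
$good = $copies | Where-Object { $_.InstallDate -lt $Cutoff } | Select-Object -Last 1

if ($copies.Count -eq 0) {
    Write-Warning 'No Shadow Volume Copies are left; this method will not work here.'
}
elseif (-not $good) {
    Write-Warning 'Every remaining snapshot is newer than the cutoff and may hold encrypted files.'
}
else {
    # Expose the snapshot as a read-only folder. The trailing backslash after the
    # device path is required, otherwise the link opens with an error.
    cmd /c mklink /d $Link "$($good.DeviceObject)\"
    Write-Output "Snapshot from $($good.InstallDate) is browsable at $Link"

    # Copy what you need to another drive (paths below are placeholders), then
    # remove the link; rmdir deletes only the link, not the snapshot.
    # Copy-Item -LiteralPath "$Link\Users\<name>\Documents" -Destination 'E:\recovered' -Recurse
    # cmd /c rmdir $Link
}
```

Copy recovered files to a different drive rather than over the encrypted originals, so that both versions remain available.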

Step 4. Use Data Recovery programs to recover Hades666 Cryptovirus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive to it as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
