Heimdall Ransomware - How To Remove?

 

Heimdall ransomware is an open-source data-encrypting program created by the Brazilian coder Lenon Leite. Released on the 26th of October, 2016, it is written in PHP (Hypertext Preprocessor), a server-side programming language, so this crypto-malware is aimed at encrypting the data of web servers. As an open-source project, Heimdall ransomware was available on GitHub, a web-based Git repository hosting service, under the MIT (Massachusetts Institute of Technology) free software license; the source code has since been removed. Even though this PHP file-encrypting virus was created purely for investigative purposes, cyber gangsters can take advantage of it.


The Details of Heimdall Ransomware

The payload of Heimdall crypto-virus is a 482-line PHP file that displays a GUI (Graphical User Interface).

The GUI of Heimdall encrypting malware has two empty fields: one for the encryption password and the other for the decryption password. This ransomware uses AES-128-CBC (Advanced Encryption Standard, 128-bit key, Cipher Block Chaining) encryption. The encryption targets the $_SERVER['DOCUMENT_ROOT'] directory, where the script runs. While Heimdall is encrypting the data, it displays a log of the encrypted files.

The process of encryption can last from a couple of seconds to several minutes, depending on the number of files stored on the compromised server. Since Heimdall encrypter targets servers and not separate data files, no specific file types are aimed at: all of the files on the particular server will be encrypted, and the Heimdall— prefix is added to their code.
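To scope the damage on a web server, the behaviour described above can be checked with a read-only scan that lists which files carry the marker and therefore need restoring from backup. This is an added example, not code from the original article or from the Heimdall project; has_marker and scan_webroot are hypothetical names. It assumes the prefix sits at the very start of each file's contents and, because the exact dash characters cannot be recovered from this page, accepts the word Heimdall followed by a hyphen or dash.

```python
import os
from collections import Counter

# Assumption: the marker is the word "Heimdall" followed by a dash at offset 0.
# The exact dash bytes are not recoverable from the page, so accept an ASCII
# hyphen or the UTF-8 encodings of the en dash and em dash.
MARKER_WORD = b"Heimdall"
DASHES = (b"-", b"\xe2\x80\x93", b"\xe2\x80\x94")


def has_marker(head: bytes) -> bool:
    """True if the leading bytes are the marker word directly followed by a dash."""
    if not head.startswith(MARKER_WORD):
        return False
    rest = head[len(MARKER_WORD):]
    return any(rest.startswith(d) for d in DASHES)


def scan_webroot(root: str) -> dict:
    """Walk root without following symlinks, reading only 16 bytes per file."""
    marked, unreadable, clean = [], [], 0
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never read through links that may leave the web root
            try:
                with open(path, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                unreadable.append(path)  # report, do not silently skip
                continue
            if has_marker(head):
                marked.append(path)
            else:
                clean += 1
    per_dir = Counter(os.path.dirname(p) for p in marked)
    return {"marked": sorted(marked), "clean": clean,
            "unreadable": unreadable, "per_dir": dict(per_dir)}


if __name__ == "__main__":
    import sys
    report = scan_webroot(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, count in sorted(report["per_dir"].items()):
        print(f"{count:6d} marked file(s) in {directory}")
    print(f"{len(report['marked'])} marked, {report['clean']} unmarked, "
          f"{len(report['unreadable'])} unreadable")
```

Run it against a copy or read-only mount of the document root; a legitimate file that happens to begin with the same word and a dash will also be listed, so review the output before restoring.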

The encryption process of Heimdall crypto malware is available as a video presentation on YouTube. Follow the link https://www.youtube.com/watch?v=AQNPDyiW1dc to watch it.

What Can We Expect in the Future as Regards Heimdall Ransomware?

Despite the fact that the source code of Heimdall ransomware was removed from GitHub, it is very probable that some beginner hackers have already downloaded the first full version. You do not need the most vivid imagination to understand what can happen next. The ransomware can begin to be spread using various social engineering techniques such as fake spam e-mails, fake downloads, etc. Ransomware programs that target servers have never been very popular, because they have not been very successful thanks to the hard work of administrators who back the servers up on a regular basis. Even so, it cannot be denied that Heimdall's code will mutate so that it can pose more of a threat.

What are the General Rules for Ransomware Prevention and What to do in the Face of the Infection?

Never fail to back your data up, whether it is the data you store on the local drives of your PC or the data of your web server(s). Download and install antivirus software on your computer that is licensed, certified and has already received good reviews from users. Besides, try to visit only trusted websites, avoiding such domains as porno sites, torrent domains, etc.

Even if your device has become infected with ransomware, there are still better solutions than paying the ransom. If you back your data up, you will not need any extra software except for trusted malware removal applications such as Reimage, Spyhunter or Malwarebytes to remove the ransomware from the computer's system. There are also the manual removal instructions below, developed by our security researchers on the assumption that Heimdall ransomware is being spread and your device has been infected with it. As a rule, once a ransomware virus has been released, cyber security analysts publish their decryptors. There is also data recovery software for recovering your lost data, in case you do not have or cannot use your backup.

How to recover Heimdall Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points dated before Heimdall Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Heimdall Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage, and remove all malicious files related to Heimdall Ransomware. You can check other tools here.


Step 3. Restore Heimdall Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually Heimdall Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.


b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Heimdall Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

     
 

About the author

 - Main Editor
I have started 2-viruses.com in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.
 
November 14, 2016 10:02, July 20, 2017 09:10
   
 
