HiddenBeer ransomware - How to remove

hiddenbeer ransomware main ransom note

HiddenBeer ransomware is just another HiddenTear project variant which was detected and reported by the malware expert GrujaRS On Twitter October 23rd, 2018. This cryptovirus has brought some attention because of its flamboyant features, despite being made from one of the most widespread open-source ransom demanding virus examples. Although working principles and encryption stayed the same, crooks added a little fun twist, which you will find out at the end of this article. 

Just like EbolaRnsmwr, IT.Books or Qinynore viruses, HiddenBeer ransomware still infects computers and locks their files expecting the ransom payment made in Bitcoin. Paying hackers Is never recommended, no matter how little is the amount, since they have tendencies to take the money but not provide the promised decryptor. Luckily, HiddenBeer cryptovirus is mainly based on the widespread sample and can be potentially unlocked with a special tool for free. So if you are looking for the solution, you came to the right place.

What does the HiddenBeer ransomware do

If you have some basic knowledge about malware and do recognize the word ransomware, HiddenBeer ransom demanding virus will not surprise you with the way it works. Once the threat gets into your Windows OS (does not infect Mac) it will start tons of background processes which are invisible to the user, until the infection is finalized. This includes adding malicious files to the important System directories, modifying registry keys so that HiddenBeer persistently would show up each time you turn on your PC, looking for target files with certain extensions that can be encrypted and actually encrypting them and marking with .beer name string. (Malware and cryptography).

hiddenbeer virus ransom note and decryption screen

The special encryption algorithm HiddenBeer ransomware uses is the fast AES cipher, which is used by HiddenTear based creations. It is applied to any personal data that is not the System file so that the computer would still run, present the ransom note, but would not give an access to the most precious and important files for the user. Therefore, all the pictures, videos, documents, e-books and the rest of your virtual treasure will be inaccessible and marked (‘bestbook.epub’ will turn into ‘bestbook.epub.beer’).

On top of that, to really make sure that the victim understands what is happening and gets shocked even more, HiddenBeer virus creators replace the default desktop picture with their own and drop a ransom note named ‘@FILES-HELP-[your-computer’s-name].TXT’. It says:

Your files have been encrypted.
Why have they been encrypted?
To help ensure your security.

To get them decrypted by our specialists,just send $100 worth of Bitcoin(BTC), to: 33Lf7BrDXwNBMM4ZVg5dMQg1Bvuwzd1VQm.

Afterwards send a Email to “[email protected]” with your
computer name and transaction data.
Once you have your decryption key, Use it in the file decrypter.
If it isn’t open, goto your Desktop and run “@FILE-DECRYPTER.exe”

‘@FILE-DECRYPTER.exe’ is another interactive file which is also dropped on the desktop and show exactly the same message about the required $100 dollar payment in Bitcoin (0,016BTC) to get the locked files back. That compared to the Average of ransomware requested cryptocurrency is a fairly low amount. 

Another interesting fact that cybersecurity professionals found was the Kim Jong-un and Moon Jae picture called ‘Un’, which is placed in particles on the desktop. For the full visuals, you should check GrujaRS video, where the researcher demonstrates real-time HiddenBeer ransomware infection. 

Hopefully, you are convinced now that you need to get rid of the HiddenBeer virus as soon as possible, and if not check the VirusTotal.com analysis, which reflects how malicious this ransomware is and that most antivirus programs detect it.

How does HiddenBeer virus disseminate

There are tons of various ransomware spreading methods, but judging from all the features and simplicity of HiddenBeer virus, it seems that the main distribution comes from the infected MS Word files, which are sent out to victims via email. Crooks skillfully use Social engineering tactics to create a short message which orders user to open the attached document for more information which requires immediate attention.

Usually, such documents end up being modified to look like an invoice, health facility records, court orders, tickets, complaints, resumes, offers, government notifications and etc. It will be altered to look as usual as possible, so the victim would open it without any suspicion. But the file only infects through Macros, which target is asked to enable to review MS Word content. That click initiates the HiddenBeer virus installation and soon enough the whole system gets compromised.

How to remove HiddenBeer ransomware and decrypt files

At first, this typical HiddenTear ransomware variant can be perceived as any other sample, yet there is an interesting feature that shows up after the decryption. But before unlocking .beer marked files, you must successfully remove the HiddenBeer virus or else you’ll double-encrypt all the files and the recovery will not be possible. Best removal without damaging files can be achieved by majority trustworthy antivirus programs.

We recommend our readers Spyhunter because these security tools have already lived up to their name and been very helpful and efficient with tons of other malware infections. Anti-spyware software sometimes is the only solution for those who don’t have backups, doubt their technical knowledge or want to save time.

hiddenbeer ransomware desktop changes

Once Windows is free from HiddenBeer ransomware, then you can move on to the next step – .beer encrypted file restore. That could be done best with a special Decryptor software. Since HiddenBeer virus is a HiddenTear variant, the common unlocker should be enough to access your data again. This is where you will see the strange phenomenon caused by the threat. The ‘YOUR FILES ARE ENCRYPTED’ desktop background, which is made out of the particles of a picture of North Korean leader Kim Jong-un and South Korean President Moon Jae, change into a cute kitten cover. This nice touch is completely unnecessary and is the proof that HiddenBeer ransomware creators did not take this virus very seriously.

If for some reason the decryptor did not work, please, take a look at our instructions below, how to restore encrypted data from the Shadow Volume copies and with special recovery software.

Automatic Malware removal tools

Download Spyhunter for Malware detection

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,

Download Combo Cleaner for Malware detection

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,

How to restore your Windows after HiddenBeer virus infection

Those who want to avoid all the mischievous visuals and consistently create backups, can simply use our instructions below and restore their computer to the state right before the HiddenBeer ransomware infection. However, if you are not sure whether you have proper backups or if you will be able to follow instructions thoroughly, then it is best to just go with an automatic removal software.

How to recover HiddenBeer ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before HiddenBeer ransomware has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of HiddenBeer ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to HiddenBeer ransomware. You can check other tools here.  

Step 3. Restore HiddenBeer ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually HiddenBeer ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover HiddenBeer ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
Leave a Reply

Your email address will not be published. Required fields are marked *