HETS ransomware turns all personal files useless by encrypting them with RSA keys
Contents
HETS ransomware is a dangerous computer virus that encrypts all files on a victim’s computer or network using RSA cryptography keys. During the cyberattack, the malware appends .hets file extension to modified files and leaves threatening _readme.txt notes throughout the computer. The primary goal of the virus is to extort the victim by forcing him to pay a large sum of money (the ransom of $490 or $980) to the criminals. The virus originates from the STOP ransomware family, also known as DJVU, and is the 189th version of it.
The ransom notes left by HETS ransomware instruct the victim to contact the criminals via provided emails: datarestorehelp@firemail.cc or datahelp@iran.ir. They suggest sending one small file for decryption to prove that data recovery is actually possible.
The ransom note also informs that the price of the decryptor varies on how fast the victim manages to collect the specified sum of money, buy Bitcoins and transfer them to the criminals’ wallets. If the victim does this in 72 hours, the ransom price is $490. Otherwise, it increases to $980.
In addition to the complete corruption of valuable data, the ransomware also installs another dangerous virus on the computer – Azorult Trojan. This Trojan is capable of stealing private information such as passwords, browsing history and similar data. Therefore, if you have become a victim of such a cyber attack, we suggest you remove HETS ransomware and related malware immediately using instructions provided below and then proceed to read about possible further actions.
Threat Summary
Name | HETS file virus |
Type | Ransomware (STOP/DJVU virus variant) |
Version | v0189 |
File marker | .hets extension |
Encryption method | RSA |
Ransom note | _readme.txt |
Ransom demand | $490-$980 |
Contact emails | datarestorehelp@firemail.cc or datahelp@iran.ir |
Distribution | Software cracks, keygens, and other illegal or malicious downloads |
Installs | Azorult Trojan |
Decryption | Impossible at the moment. Only victims of offline key can expect decryption tools in the future |
Removal | Remove using trustworthy antivirus software |
Essential information regarding .hets file decryption
HETS ransomware uses either online or offline keys to corrupt victim’s files or both. Victims whose files were corrupted by the offline key can hope to decrypt their files, whereas victims of the online key attack have nearly zero chances to restore their files without paying the ransom.
To determine whether you can hope to decrypt at least some of your .hets files in the future, you need to determine which type of key was used on your files. Here’s what you need to do.
How to determine which key was used to encrypt your files
Although you can check the _readme.txt file for personal ID, we recommend you to go for an alternative route:
- Go to C:\SystemID\.
- Find PersonalID.txt file which contains all IDs used for data encryption.
If you find that one or more IDs end with t1, you will successfully restore some of your files using STOP decrypter as soon as its developer Emsisoft updates it.
However, please note that you must be patient while waiting for the decryption tool updates. Victims of some previous versions of this ransomware, including ZOBM, MSOP, and others are also waiting for updates as the offline key doesn’t show up very quickly.
FAQ
The attackers actually can recover the files if they want to as they are the only ones who have the private keys required for data decryption.
However, it is nearly impossible to crack RSA encryption as explained here. The only hope to recover files in the future is if the attackers get caught and their databases with private keys seized.
Please check your IDs in C:\SystemID\PersonalID.txt. If any of the IDs end with t1, you might succeed in restoring files in the future. Please note that STOP decrypter needs to be updated with the offline key (the security researchers needs to find it first) in order to start using it for HETS ransomware decryption.
Ransom-demanding virus hides in illegal online downloads
The primary distribution vector for DJVU ransomware variants like HETS is untrustworthy downloads. To clarify, the developers of this malicious virus tend to bundle it with various peer-to-peer downloads that can activate paid software for free. In technical terms, such files are known as software cracks or keygens.
Therefore, if you have discovered that all your files have .hets file extension and cannot be opened, chances are you have recently downloaded an illegal activation tool from some shady Internet website.
Downloading suspicious files from the Internet is never safe. Ransomware is one of the biggest hazards you can run into. Besides, downloading similar files can also land various spyware and malware variants, including adware, Trojans, Crypto-miners and even more.
Remove HETS ransomware virus safely
HETS ransomware removal is an essential task regardless of the victim’s computing experience. We kindly suggest using these free instructions along with an antivirus software of your choice to eliminate the said malware from the system.
Once you remove HETS file virus along with Azorult from your operating system, you should immediately change your passwords. You need to take actions to protect your private information as soon as possible due to Azorult Trojan behavior while it was on your computer system. Next, we recommend you to check for updates in this guide regarding DJVU decryption.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
HETS Ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove HETS Ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Gaurav says
Yar please find any solution quickly for files encrypted with .hets
its so important
wael says
my encrypted file extention is .zobm
how can it be decrypted ?