What is .AdolfHitler ransomware? And how does it carry out its attack?
.AdolfHitler ransomware is a new variant of the XiaoBa ransomware, which was first discovered back in October 2017. Its developers apparently decided to release a new version of the threat, which has been reported encrypting files and appending the .AdolfHitler extension to the files it targets. Little has changed in this variant apart from the ransom notes and the extension it uses to mark encrypted files.
After infiltration, .AdolfHitler ransomware connects to its remote command-and-control server and runs an information-gathering module on the infected computer. The collected system information is sent to the remote server, from which it also downloads additional malicious files and components that support the attack. Once these are in place, it creates values under predefined sub-keys in the Windows Registry so that it runs on every system boot, making the infection persistent. After these system modifications, .AdolfHitler ransomware uses its built-in encryption module to carry out its main goal of encrypting files with RSA-4096 cryptography, and as soon as encryption completes it appends the .AdolfHitler extension to every affected file. It then drops a ransom note named “## DECRYPT MY FILE ##.bmp” on the desktop. This file is also set as the new desktop wallpaper, displaying the following message:
“All your source files are encrypted
I am very sorry that all your program source code files are encrypted!
Your file is not destroyed, it is only encrypted, and you can restore it after decryption.
Do not use third-party tools to decrypt files. This may result in file corruption. Please contact us to obtain the only valid decryption method!
Contact email: [email protected] for more content.
We use the powerful RSA-4096 asymmetric algorithm, please do not try to crack the file! Contact us it the rightway.”
After changing the desktop wallpaper, .AdolfHitler ransomware opens a program window titled “AdolfHitler”. The window contains a black-and-white image of Adolf Hitler and plays music in the background. It also displays another ransom note stating:
“I am very sorry that all your files have been encrypted!
Your file is not destroyed it is only encrypted, and it can be recovered after decryption.
Do not use third-party tools to decrypt files. This is very likely to result in corruption. Please contact us for decryption!
Contact email: [email protected] for more content.
We use a powerful RSA-4096 (asymmetric algorithm), please do not try to crack the file! Contact us is the right choice.
About RSA asymmetric algorithms you can get more on Wikipedia: https://en.wikipedia.org/wiki/RSA_(cryptosystem)
Only we can decrypt the file, don’t trust anyone else!
Please contact us within seven days. We can decrypt a file of no more than 250KB for free, contact us by e-mail and send the file to be decrypted. We will send a decrypted file later.”
If you are one of the unfortunate victims of this crypto-malware, paying the ransom is certainly not advised, as there is no guarantee that the crooks behind this threat will actually give you the decryption tool to recover your files. The best thing you can do is wait until security experts are able to come up with a free decryption key.
How does .AdolfHitler ransomware proliferate?
.AdolfHitler ransomware proliferates via spam emails carrying an obfuscated attachment. This may be a PDF file, a ZIP archive, an executable or a document with macro scripts that launch the malware’s attack. Moreover, .AdolfHitler ransomware could also spread bundled with malicious programs, so you need to be careful when installing software, especially if it comes from a third-party source.
Obliterate .AdolfHitler ransomware by using the removal guide below as a reference. Follow each step carefully for a successful removal of the crypto-malware.
Step 1: Close .AdolfHitler’s ransom note displayed on your screen.
Step 2: Launch the Task Manager by simply tapping Ctrl + Shift + Esc keys on your keyboard.
Step 3: In the Task Manager, go to the Processes tab and look for any suspicious-looking process that takes up an unusual share of your CPU’s resources and is most likely related to .AdolfHitler ransomware, then end it.
Step 4: After that, close the Task Manager.
Step 5: Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 6: Under the list of installed programs, look for .AdolfHitler ransomware or anything similar and then uninstall it.
Step 7: Next, close Control Panel and tap Win + E keys to launch File Explorer.
Step 8: Navigate to the following locations and look for .AdolfHitler ransomware’s malicious components, such as “## DECRYPT MY FILE ##.bmp”, [email protected]@_.htaa, xiaoba.exe, pdf_20180118.exe and other suspicious files, then delete all of them.
Step 9: Close the File Explorer.
Before you proceed to the next steps, make sure that you are tech-savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will have a major impact on your computer. To save yourself the trouble and time, you can simply use [product-name], a system tool that is proven to be safe and robust enough that hackers won’t be able to break into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 10: Tap Win + R to open Run, type regedit in the field and tap Enter to open the Windows Registry Editor.
Step 11: Navigate to the following path:
- HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
- HKEY_CURRENT_USER\Control Panel\Desktop
Step 12: Delete the registry keys and sub-keys created by .AdolfHitler ransomware.
Step 13: Close the Registry Editor and empty the Recycle Bin.
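Before deleting anything by hand, it helps to know exactly what the infection left behind. The following PowerShell script is an added example, not part of this guide and not a tool from any vendor named here: it is a read-only triage sweep that inventories the indicators described above (files carrying the .AdolfHitler extension, the “## DECRYPT MY FILE ##.bmp” note, the xiaoba.exe and pdf_20180118.exe file names, Run/RunOnce persistence entries and the desktop wallpaper setting) and writes them to a CSV so the manual steps can be checked against a list. It assumes an elevated PowerShell 5.1 or later session on the affected machine; the scan roots, the report path and the script name are assumptions you adjust, and the standard Run/RunOnce key paths are added here because the article names only the Control Panel\Desktop key.

```powershell
# Added triage script (not from the original guide): read-only inventory of the
# indicators the article lists. It changes nothing; deletion stays a manual step.
# Assumptions: elevated PowerShell 5.1+ on the affected host; $ScanRoots and
# $ReportPath are placeholders to adjust for your environment.
param(
    [string[]]$ScanRoots = @("$env:USERPROFILE", "C:\Users\Public"),
    [string]$ReportPath  = "$env:USERPROFILE\Desktop\adolfhitler-triage.csv"
)

$Extension  = '.AdolfHitler'                  # marker appended to encrypted files
$NoteName   = '## DECRYPT MY FILE ##.bmp'     # ransom note / wallpaper file
$KnownFiles = @('xiaoba.exe', 'pdf_20180118.exe')   # file names given in the article
$RunKeys    = @(                              # common autostart locations (assumed, not from the article)
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$DesktopKey = 'HKCU:\Control Panel\Desktop'   # key named in Step 11

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Where; Detail = $Detail })
}

# 1. Running processes whose image name matches the article's file names
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $KnownFiles -contains ($_.Name + '.exe') } |
    ForEach-Object { Add-Finding 'Process' $_.Path "PID $($_.Id)" }

# 2. Encrypted files, ransom notes and dropped executables under the scan roots
foreach ($root in $ScanRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Extension -eq $Extension) {
                # the original extension sits just before the appended marker
                $orig = [IO.Path]::GetExtension($_.BaseName)
                Add-Finding 'EncryptedFile' $_.FullName "original extension '$orig'"
            } elseif ($_.Name -eq $NoteName) {
                Add-Finding 'RansomNote' $_.FullName $_.LastWriteTime
            } elseif ($KnownFiles -contains $_.Name) {
                Add-Finding 'DroppedFile' $_.FullName $_.LastWriteTime
            }
        }
}

# 3. Persistence: list every Run/RunOnce value, flag those pointing at a known file name
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PS* metadata
        $suspect = $KnownFiles | Where-Object { $p.Value -like "*$_*" }
        $kind = if ($suspect) { 'PersistenceSuspect' } else { 'PersistenceEntry' }
        Add-Finding $kind "$key\$($p.Name)" $p.Value
    }
}

# 4. Desktop settings: the note is set as wallpaper; Step 11 also names ScreenSaveTimeOut
$desk = Get-ItemProperty -Path $DesktopKey -ErrorAction SilentlyContinue
if ($desk.Wallpaper -and ($desk.Wallpaper -like "*$NoteName")) {
    Add-Finding 'Wallpaper' "$DesktopKey\Wallpaper" $desk.Wallpaper
}
if ($null -ne $desk.ScreenSaveTimeOut) {
    Add-Finding 'DesktopSetting' "$DesktopKey\ScreenSaveTimeOut" $desk.ScreenSaveTimeOut
}

# 5. Report: CSV for the record plus a per-category summary on screen
if ($findings.Count -gt 0) {
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    $findings | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize
    Write-Host "Report written to $ReportPath"
} else {
    Write-Host 'No indicators found under the scan roots or autostart keys.'
}
```

Save it under a name of your choosing (for instance Invoke-AdolfHitlerTriage.ps1, an assumed name) and run it from an elevated prompt, optionally with -ScanRoots to cover other drives. Every Run/RunOnce value is listed, not only the flagged ones, because a variant may use a file name the article does not mention; the EncryptedFile rows record the original extension so you can tell which file types were hit and match them against your backups.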
It is important to make sure that nothing is left behind and that .AdolfHitler ransomware is completely wiped out from your system. To do that, use the following antivirus program.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows loads instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu appears.
- Use the arrow keys to navigate the Advanced Options menu, select Safe Mode with Networking and hit Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and tap the R key.
- If done correctly, the Windows Run box will show up.
- Type the URL, [product-url], into the Run dialog box and then tap Enter or click OK.
- This will download the program. Wait for the download to finish, then open the launcher to install the program.
- Once the installation is complete, run [product-code] to perform a full system scan.