What is Hc7 Planetary ransomware? And how does it implement its attack?
Hc7 Planetary ransomware, or simply Planetary ransomware, is a new variant of the Hc7 ransomware. This variant encrypts its victim's files and appends the .PLANETARY extension to each targeted file. According to experts, the targeted files have the following extensions:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.
After encryption, Planetary ransomware opens a ransom note in a text file named “RECOVERY.txt”, which states:
“ALL FILES ARE ENCRYPTED. TO RESTORE, YOU MUST SEND $700 EQUIVALENT FOR ONE COMPUTER
OR $5,000 FOR ALL NETWORK
PAYMENTS ACCEPTED VIA BITCOIN, MONERO AND ETHEREUM
BTC ADDRESS: [bitcoin_address]
MONERO (XMR) ADDRESS: [monero_address]
CONTACT US WHEN ETHEREUM PAYMENT INFORMATION
BEFORE PAYMENT SENT EMAIL [email protected]
ALONG WITH YOUR IDENTITY: [base64_encoded_computer_name]
INCLUDE SAMPLE ENCRYPTED FILE FOR PROOF OF DECRYPT
NOT TO SHUT OFF YOUR COMPUTER, UNLESS IT WILL BREAK”
The developers of Planetary ransomware offer victims decryption of a single computer for one price or of the entire network for another. As the ransom note shows, the current demand is $700 per computer and $5,000 for the entire network of infected computers.
What sets this ransomware apart from its predecessor and from other ransomware threats is that it accepts Ethereum as ransom payment, which may make it the first ransomware to do so. Most ransomware demands Bitcoin, while some opt for Monero. As of now, Ethereum is selling for over $1,200 per coin and is rising in price and popularity, so it is not surprising that cybercriminals have started accepting it as payment.
Even though other cryptocurrencies, such as Monero or Verge, offer more privacy and are less traceable, Ethereum has a smart contract feature that could make ransomware payments more efficient: a smart contract could give victims a guarantee that once they send the payment, the cybercriminals will actually decrypt the files. Still, the likelihood of other ransomware threats adopting this cryptocurrency as Planetary ransomware did is slim to none because of its complexity.
How does Planetary ransomware proliferate?
Planetary ransomware spreads through its developers breaking into poorly secured remote desktop services, just as they did with the original Hc7 ransomware. Once they gain access to the network, the attackers install Planetary ransomware manually on every PC they can reach.
Refer to the removal guide provided below to terminate Hc7 Planetary ransomware and all the malicious files it created.
Step 1: Restart your PC into Safe Mode with Networking.
Step 2: Once your computer is done rebooting, tap Ctrl + Shift + Esc to pull up Windows Task Manager and look for Hc7 Planetary ransomware’s malicious process and end it.
Step 3: Open the Programs and Features applet of Control Panel by pressing the Windows key + R, typing appwiz.cpl, and then clicking OK or pressing Enter.
Step 4: Look for Hc7 Planetary ransomware or any other suspicious program and uninstall it.
Step 5: Tap Win + E keys to launch File Explorer.
Step 6: Navigate to the following locations, look for Hc7 Planetary ransomware’s malicious components such as [random].exe as well as all copies of RECOVERY.txt, and delete all of them.
- %ALLUSERSPROFILE%\Start Menu\Programs
- %APPDATA%\Microsoft\Windows\Start Menu\Programs
- %USERPROFILE%\Microsoft\Windows\Start Menu\Programs
- %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
- %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs
Step 7: Close File Explorer. Before you proceed to the next steps, make sure that you are experienced enough to know exactly how to navigate and edit the Windows Registry. Keep in mind that any change you make there has a major impact on your computer. To save yourself the trouble and time, you can use PC Cleaner Pro instead, a system tool that is safe and robust enough that hackers cannot break into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 8: Tap Win + R to open Run, type regedit in the field, and press Enter to open the Registry Editor.
Step 9: Navigate to the following path:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Step 10: Delete the registry keys created by Hc7 Planetary ransomware.
Step 11: Close the Registry Editor and empty your Recycle Bin.
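The PowerShell triage script below is an added example, not part of the original guide. It reports, without deleting anything, the indicators the steps above tell you to look for: .PLANETARY files and RECOVERY.txt copies, executables in the Step 6 Start Menu folders, and every value under the Step 9 HKCU Run key, so you can review them before removing anything. The scan roots ($env:USERPROFILE, $env:PUBLIC, $env:ALLUSERSPROFILE) are an assumption.

```powershell
# Added triage script (not from the original guide). Read-only: it only lists findings.
# Extension, note name, Start Menu folders and Run key come from the guide above;
# the profile scan roots are an assumption.
$indicators = @()

# 1. Encrypted files (.PLANETARY) and ransom note copies (RECOVERY.txt) under profile roots.
$scanRoots = @($env:USERPROFILE, $env:PUBLIC, $env:ALLUSERSPROFILE) |
    Where-Object { $_ -and (Test-Path $_) }

foreach ($root in $scanRoots) {
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.PLANETARY' -or $_.Name -ieq 'RECOVERY.txt' } |
        ForEach-Object { $indicators += [pscustomobject]@{ Type = 'File'; Item = $_.FullName } }
}

# 2. Start Menu Programs folders from Step 6: list any .exe dropped there ([random].exe).
$startMenuDirs = @(
    '%ALLUSERSPROFILE%\Start Menu\Programs',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs',
    '%USERPROFILE%\Microsoft\Windows\Start Menu\Programs',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs'
)
foreach ($dir in $startMenuDirs) {
    $path = [Environment]::ExpandEnvironmentVariables($dir)
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
            ForEach-Object { $indicators += [pscustomobject]@{ Type = 'StartMenuExe'; Item = $_.FullName } }
    }
}

# 3. HKCU Run key from Step 9: list every autostart value so unfamiliar ones can be reviewed.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    (Get-ItemProperty -Path $runKey).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |   # skip PowerShell's own PSPath/PSParentPath/... metadata
        ForEach-Object { $indicators += [pscustomobject]@{ Type = 'RunValue'; Item = "$($_.Name) = $($_.Value)" } }
}

# Print the consolidated findings for manual review.
$indicators | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt in Safe Mode with Networking; the Run key entries are listed in full because the malware's value name is random, so compare each one against programs you recognise.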
Wiping out Planetary ransomware and its malicious processes is not enough – you have to ensure that all its related files are removed from your computer. To do that, you must follow the advanced removal guide below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- The BIOS screen will then be displayed; if Windows appears instead, reboot your computer and try again. Once you are on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- Use the arrow keys to navigate the Advanced Options menu, select Safe Mode with Networking, and then press Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and the R key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (there must be a single space between explorer and http) and click OK.
- Internet Explorer will display a dialog box. Click Run to begin downloading the program. The installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.