7h9r Ransomware

7h9r Ransomware could be your worst nightmare if it hits you unexpectedly. By “unexpectedly” we mean that you do not have a recent backup copy of your most important files, including your photos, videos, documents, and program files, which could have catastrophic consequences. This ransomware encrypts your files in a very short time and does not even display any ransom note for you to realize this. So you will notice its presence the “hard way,” i.e, when you try to open an encrypted file and you fail to do so. This vicious program has only one purpose: To extort money from you for the alleged recovery of your files in return. However, experience shows that such criminals rarely deliver as promised. Therefore, before deciding to pay the ransom fee, you should consider a couple of things. For example, are your files worth the demanded fee, do you have a backup copy, what happens if the infection loses contact with the C&C server? We believe that it is essential that you remove 7h9r Ransomware unless it deletes itself after the encryption.

This dangerous ransomware has been mostly found spreading as a malicious file attachment in spam e-mails. This is in fact the most frequently used method to distribute ransomware programs over the web. Most people are rather incautious when it comes to opening e-mails and downloading attachments. These unsuspecting users can easily be tricked into believing that they just received a very important e-mail that they need to check as well as open the attachment. This attached file is indeed a malicious executable file that is usually disguised as a .doc, .pdf, or an image file. Since the icon of this file is also deceiving, you may really think that it is really a text document, for instance. But before you get to the attachment itself, these criminals need to make you want to open this spam mail. They use different tactics to achieve that.

First of all, the sender of the mail will be someone you trust or find credible, such as a well-known company, the police (e.g.: speeding ticket), and your Internet provider. Second, the subject of this spam will make your urge stronger as it contains vital confirmation that this is an important mail with important information. This subject can be a reference to an invoice, such as an overdue invoice or an error with an invoice, but it can also be about a mail delivery error; whatever that could draw your attention to this spam e-mail. So if you have been infected with 7h9r Ransomware, it is most likely that you let this beast free by opening such an e-mail. Even if you remove 7h9r Ransomware now, you should know that your files will not be decrypted. Yet, it is what you should do if you want to use your computer safely again. We recommend that you be more careful with clicking on mails in your inbox since dangerous spam mails can evade your spam filter and end up there. Make sure that you only open mails that you expect to get.

This malware infection works very fast. We have found that 7h9r Ransomware uses the AES algorithm to encrypt the following file extensions: *.3gp, *.7z, *.apk, *.avi, *.bmp, *.cdr, *.cer, *.chm, *.conf, *.css, *.csv, *.dat, *.db, *.dbf, *.dbx, *.djvu, *.doc, *.docm, *.docx, *.epub, *.fb2, *.flv, *.gif, *.gz, *.ibooks, *.iso, *.jpeg, *.jpg, *.key, *.md2, *.mdb, *.mdf, *.mht, *.mhtm, *.mkv, *.mobi, *.mov, *.mp3, *.mp4, *.mpeg, *.mpg, *.pdf, *.pict, *.pkg, *.png, *.pps, *.ppsx, *.ppt, *.pptx, *.psd, *.rar, *.rtf, *.sav, *.scr, *.swf, *.tbl, *.tif, *.tiff, *.torrent, *.txt, *.vsd, *.wmv, *.xls, *.xlsx, *.xml, *.xps, *.zip, *.ckp, *.java, *.py, *.cpp, *.asm, *.c, *.js, *.cs, *.php, *.rb, *.rbw, *.dacpac, *.db3, *.dcx, *.mrg, *.sql, *.sqlite, *.sqlite3, and *.sqlitedb. All the encrypted files will get a ".7h9r" extension. This process can take as little as one or two minutes since this encryption algorithm is indeed a part of the Windows operating system. The decryption key gets also encrypted, but this time by one of the RSA algorithms. This makes it practically impossible to decrypt your files without the private key generated by the RSA encryption. As far as we know, there is no available free tool on the web that could recover your files.

The main difference from most of the ransomware infections is that 7h9r Ransomware does not display any ransom notes, i.e., it does not change your desktop wallpaper or shows an always-on-top kind of pop-up window either. Neither does it block your system files. In fact, it is possible that it will remove itself from your system as silently as it entered. The only way for you to notice its vicious job if you find the text file called "README_.txt" on your desktop or in any of the affected folders where it gets copied. Or, you notice the new extension when trying to run a file but you fail to do so. From this text file you learn that the only way for you to be able to recover your files is to contact these criminals via a given e-mail address (7h9r341@gmail.com). If you do so, you can send a file to be decrypted for free and you will also receive instructions how to transfer the 100 USD ransom fee. The most usual demand is to pay in Bitcoins to a provided Bitcoin address. However, we do not recommend paying this fee because there is no guarantee that you will really get the private key to decrypt your files. Of course, it is all up to you. But remember that there could be technical issues as well, such as the infection losing communication with the Command and Control server, which can result in your not receiving the private key after you pay the ransom fee.

The only savior in this situation is a backup copy of your files on a removable drive. But before you transfer the clean files back to your PC, you should make sure that you remove 7h9r Ransomware or that it has done so without leftovers. We have included a short guide for you to double-check if this malicious ransomware is still on your system. If you find the .exe file you downloaded from the spam e-mail, you should delete it right away. If you want to avoid similar attacks in the future, it would be best to invest in a reputable anti-malware program that could easily and automatically evade such intrusions.

How to remove 7h9r Ransomware from Windows

1. Press Win+E to open File Explorer.
2. Locate the malicious .exe file in the folder where you downloaded it.
3. Delete the .exe file.
4. Locate all "README_.txt" files and bin them.
5. Empty your Recycle Bin.
6. Restart your PC.