Hlas Virus Ransomware – What are “hlas” & “_readme.txt” files?

About Hlas Ransomware:

Name: Voice virus
Version: 0878
File extension: .voice
Contact: [email protected], [email protected]
Family: Ransomware STOP/Djvu
Note: _readme.txt
Offline ID:
Last appearance: 08 September 2024
Algorithm: Salsa20 Encryption. If Hlas cannot establish a connection with the criminals’ server before starting the encryption process, it uses the offline key. This key is the same for all victims(!), which will allow decrypting .hlas files in the future.
Ransom: From $499 to $999 (in Bitcoins)
Damages:

  1. Can delete Volume Shadow Copies to make the victim’s data restoration attempts impossible;
  2. Adds a list of domains to the HOSTS file to block access to certain security-related sites;
  3. Installs a password-stealing trojan, such as Redline Stealer, Vidar Stealer, Smokeloader, Azorult and others;
Distribution: Third-party downloaders, installers, peer-to-peer networks, RDP exploits, etc.
RSA public key: -----BEGIN PUBLIC KEY----- -----END PUBLIC KEY-----
Other variants:

  • Qual Ransomware (.qual encrypted files)
  • Waqa Ransomware (coded files .waqa)
  • Watz Ransomware (.watz encrypted files)

    Hlas ransomware is something it is always better to avoid. This virus does a lot of harm, not only to your files, but also to your wallet. Moreover, it also tampers with your computer's configuration and weakens your system. Thus, it is better to prevent its appearance than to think about how to deal with the consequences of its activity.
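
    One of the configuration changes listed above is the addition of domains to the HOSTS file to block security-related sites. The following check for that change is an added example, not code from the original page; the watch list of domains and the sample HOSTS content are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: an illustrative watch list of security-related domains.
WATCH = ("virustotal.com", "malwarebytes.com", "kaspersky.com",
         "eset.com", "bleepingcomputer.com")

# Constructed sample of a tampered HOSTS file (not taken from a real infection).
SAMPLE = """# constructed sample
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.virustotal.com virustotal.com  # injected
0.0.0.0 support.kaspersky.com
192.168.1.10 fileserver.corp.example
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not a valid address, skip the line
        for host in fields[1:]:
            yield line_no, ip, host.lower().rstrip(".")


def blocked_security_sites(text, watch=WATCH):
    """Return (line_no, host, ip, sinkholed) for watched domains found in text."""
    hits = []
    for line_no, ip, host in parse_hosts(text):
        # Match the domain itself or any subdomain, never a bare substring.
        if any(host == d or host.endswith("." + d) for d in watch):
            sinkholed = ip.is_loopback or ip.is_unspecified
            hits.append((line_no, host, str(ip), sinkholed))
    return hits


if __name__ == "__main__":
    # Default Windows location of the HOSTS file.
    path = r"C:\Windows\System32\drivers\etc\hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for hit in blocked_security_sites(fh.read()):
            print("line %d: %s -> %s (sinkholed=%s)" % hit)
```

    Any hit deserves a look, since a clean HOSTS file has no reason to map a security vendor's domain at all; the `sinkholed` flag marks entries that point the name at a loopback or unspecified address.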

    Almost all cases of Hlas virus infection are related to the use of “free” programs. These applications are supposed to be purchased, but hackers remove the license verification so that they can be launched and used without any payment. While modifying the license verification, hackers can easily add malware to the program code. Which malware they add depends only on how much they are paid for it. Hlas ransomware is another example of this type of virus.

    Salsa20 is the encryption algorithm used by this virus for file encryption. It is not the strongest among the existing ones, but its strength is greatly increased by the key being stored on a remote server. Since the ransomware administrators control the servers, there is no way to obtain the key other than by paying the ransom. Brute force is useless due to the large number of possible keys (>1*10^78). File decryption tools may give you a chance, but the likelihood of recovering your files is low.

    Encryption process

    The Hlas ransomware uses the Salsa20 encryption algorithm. It’s not the strongest method, but it still offers an overwhelming number of possible decryption keys. To crack the encryption key, which is 78 digits long, you’ll need 3.5 unvigintillion years (1*10^65), even if you’re using the most powerful regular computer. Quantum computers can do slightly better, but they’re still too slow to recover your files while you’re alive.

    The exact encryption procedure is as follows: the malware scans each folder for files that it can encrypt. When it finds a target, it makes a copy of it, deletes the original, encrypts the copy and puts the encrypted copy in place of the deleted original. This is done to handle the case where you already have the file open, which would prevent the ransomware from reading it due to Windows restrictions. To each encrypted copy, the virus adds the specific extension – “.voice“. Then the ransomware creates a file _readme.txt in the folder where the encrypted file is located, and moves to the next folder.

    .HLAS files

    This encryption method can be exploited for file recovery. Since the original file is deleted, you can try to recover it using file recovery tools. The less time has passed, the higher the chances of recovering your files, so hurry up!

    Another detail that can help you use the files even after encryption is the fact that the Hlas ransomware only encrypts the first 150KB of each file. Therefore, you can try to open a large file, such as a video or music, without decrypting it. Similar behavior is seen in other ransomware families – Dharma, Conti and Makop encrypt the same 150 KB.
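
    The per-folder _readme.txt note, the added extension and the 150KB encrypted prefix described above can be used to triage an affected directory tree. The script below is an added example, not code from the original page; it assumes 1 KB = 1024 bytes, accepts both extensions named on this page, and samples at most 1 MiB past the prefix.

```python
import math
import os
from collections import Counter

ENCRYPTED_PREFIX = 150 * 1024     # page: "first 150KB"; 1024-byte KB is an assumption
EXTENSIONS = (".hlas", ".voice")  # both extensions appear on this page
NOTE_NAME = "_readme.txt"


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def triage(root, extensions=EXTENSIONS):
    """Walk root; return (folders holding a ransom note, per-file findings)."""
    note_dirs, findings = [], []
    for folder, _dirs, files in os.walk(root):
        if NOTE_NAME in files:
            note_dirs.append(folder)
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                head = fh.read(ENCRYPTED_PREFIX)
                tail = fh.read(1024 * 1024)  # sample of the data past the prefix
            findings.append({
                "path": path,
                "size": os.path.getsize(path),
                "head_entropy": round(entropy(head), 2),
                "tail_entropy": round(entropy(tail), 2) if tail else None,
                # Data past the prefix exists, so part of the file may be usable.
                "tail_present": bool(tail),
            })
    return sorted(note_dirs), findings


if __name__ == "__main__":
    import sys
    notes, found = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("folders containing", NOTE_NAME + ":", len(notes))
    for item in found:
        print(item)
```

    A head entropy near 8 bits per byte with a lower tail entropy is consistent with only the prefix being encrypted; compressed formats such as video have high entropy throughout, so for those rely on `tail_present` and file size instead.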

    Ransom note: _readme.txt

    The ransom note is the same for the entire ransomware family. In fact, it is one of the main signs of the family to which the ransomware in question belongs. Here is the typical note of the STOP/Djvu family:

    ATTENTION!

    Don’t worry, you can return all your files!
    All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
    The only method of recovering files is to purchase decrypt tool and unique key for you.
    This software will decrypt all your encrypted files.
    What guarantees you have?
    You can send one of your encrypted file from your PC and we decrypt it for free.
    But we can decrypt only 1 file for free. File must not contain valuable information.
    Do not ask assistants from youtube and recovery data sites for help in recovering your data.
    They can use your free decryption quota and scam you.
    Our contact is emails in this text document only.
    You can get and look video overview decrypt tool.
    Price of private key and decrypt software is $999.
    Discount 50% available if you contact us first 72 hours, that’s price for you is $499.
    Please note that you’ll never restore your data without payment.
    Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

    To get this software you need write on our e-mail:
    [email protected]

    Reserve e-mail address to contact us:
    [email protected]

    Your personal ID:
    ****************
