Boris HT Ransomware Removal Guide

Do you know what Boris HT Ransomware is?

Boris HT Ransomware is another piece of malware based on the open-source ransomware application known as Hidden Tear. It should encrypt some of the files located on the infected computer and leave a ransom note claiming the victim has to contact the infection’s developers if he wishes to unlock his data. The note is written in Russian, which could suggest either that the threat was created by cybercriminals from Russia or that it may target users who speak this language. In any case, we do not recommend emailing the hackers. Our computer security specialists have no doubt their response would demand payment of a ransom. The problem is that, even though these people might promise to deliver the tools needed to decrypt locked files, they do not need to do so to take the paid ransom, so there is a risk the user could get scammed. For more information and tips on how to remove Boris HT Ransomware, we recommend checking the full article and the removal guide available below it.

According to our computer security specialists, Boris HT Ransomware could be distributed through malicious spam emails, harmful file-sharing web pages, or unsecured RDP connections. Either way, the malware’s appearance on the system might suggest the user was too careless when interacting with content from the Internet. Clearly, to avoid similar infections next time, it would be smart to keep away from possibly dangerous material received via the Internet.

The minute the threat infects the system, it might try to connect to a remote server located at this address: testdecode77.000webhostapp.com/write.php?info. The server’s name makes us guess Boris HT Ransomware could be in the development stage; in other words, the hackers might still be testing it. Another thing that makes us think this way is the fact that the server has been unavailable for quite some time now. Nevertheless, this could be fixed, and we cannot be one hundred percent sure no one will encounter this threat.

Our computer security specialists found out the malware targets only the files that have the following extensions: .dt, .DBF, .1CD, .doc, .docx, .xls, .pdf, .xlsx, .csv, .mdb, .sln, .sql, .zip, .rar. What’s more, after the encryption process it is supposed to add .[decode77@sfletter.com].boris or a similar extension at the end of locked files’ titles. Then, the user should notice a ransom note called README.txt located on his Desktop. The message from the Boris HT Ransomware’s developers should ask to contact them, but if you encounter this threat, we advise against doing so. It is most likely their answer would state you need to pay a ransom, and since there are no guarantees the cybercriminals will keep their word or that you will be able to get your money back, paying it would be extremely risky.
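The indicators described above (the targeted extensions, the appended .[decode77@sfletter.com].boris suffix and the README.txt note) can be turned into a read-only triage scan that shows how much data was affected. This is an added example, not code from the original article or from the malware; the function names, the case-insensitive extension comparison and the generic bracketed-address pattern (covering the "similar extension" case) are assumptions.

```python
import os
import re
from collections import Counter

# Extensions the article lists as targeted (case-insensitive match: assumption).
TARGETED = {".dt", ".dbf", ".1cd", ".doc", ".docx", ".xls", ".pdf", ".xlsx",
            ".csv", ".mdb", ".sln", ".sql", ".zip", ".rar"}

# Matches "<original name>.[<contact e-mail>].boris". The article says the
# appended extension may vary, so any bracketed address is accepted (assumption).
MARKER = re.compile(r"^(?P<orig>.+)\.\[(?P<contact>[^\[\]]+@[^\[\]]+)\]\.boris$",
                    re.IGNORECASE)
NOTE_NAME = "readme.txt"  # ransom note name given in the article


def classify(filename):
    """Return (kind, name, contact) where kind is 'encrypted', 'note',
    'at_risk' (intact file of a targeted type) or 'other'."""
    m = MARKER.match(filename)
    if m:
        return ("encrypted", m.group("orig"), m.group("contact"))
    if filename.lower() == NOTE_NAME:
        return ("note", filename, None)
    ext = os.path.splitext(filename)[1].lower()
    return ("at_risk" if ext in TARGETED else "other", filename, None)


def triage(root):
    """Walk root and summarise renamed files, candidate ransom notes and
    intact files of targeted types. Nothing is modified or deleted."""
    report = {"encrypted": [], "notes": [], "at_risk": [], "by_ext": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind, value, _contact = classify(name)
            full = os.path.join(dirpath, name)
            if kind == "encrypted":
                report["encrypted"].append(full)
                # Count by the extension the file had before it was renamed.
                report["by_ext"][os.path.splitext(value)[1].lower()] += 1
            elif kind == "note":
                report["notes"].append(full)
            elif kind == "at_risk":
                report["at_risk"].append(full)
    return report


if __name__ == "__main__":
    summary = triage(os.path.expanduser("~"))
    print({k: len(v) for k, v in summary.items()}, dict(summary["by_ext"]))
```

README.txt is a common name for legitimate files, so treat note hits as candidates and confirm them by location (the article places the note on the Desktop) and content before deleting anything.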

There appear to be two ways to get rid of this malicious application. For starters, users could follow the removal guide available below to try to eliminate the malware manually. Should the task look too tricky, we recommend leaving it to a reputable antimalware tool of your choice.

Erase Boris HT Ransomware

  1. Press Ctrl+Alt+Delete simultaneously.
  2. Pick Task Manager.
  3. Take a look at the Processes tab.
  4. Locate a process belonging to this malicious program.
  5. Select this process and press the End Task button.
  6. Press Windows Key+E.
  7. Navigate to the suggested paths:
    %TEMP%
    %USERPROFILE%\Desktop
    %USERPROFILE%\Downloads
  8. Find a file that was executed when the system got infected, right-click the malicious file and select Delete.
  9. Look for a file titled README.txt, right-click it and select Delete.
  10. Leave File Explorer.
  11. Empty the Recycle Bin.
  12. Restart the computer.

In non-techie terms:

Boris HT Ransomware is a file-encrypting threat, which means it can make a user’s files unusable or unreadable. The malware should encrypt the user’s private files, although it may not be able to damage all of them, since it was noticed the malicious application could encipher only a small number of different file types. Still, it might affect a lot of data, as it can lock various document types, archives, and so on. To reverse the encryption process, the user would need both a decryption key and a decryptor. We believe they should be offered to users who contact the malicious application’s developers, as the displayed ransom note could request. The suggestion might seem tempting, especially if the ransom is not too expensive, but you should ask yourself whether you are willing to lose the money in vain, because there are no guarantees the hackers will deliver what they could promise. This is why we advise against paying the ransom and urge users to delete the infection with the removal guide available above or a reputable antimalware tool.