HAHAHA Ransomware
Posted: March 20, 2017
Threat Metric
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 5 |
| First Seen: | March 20, 2017 |
| Last Seen: | November 28, 2019 |
| OS(es) Affected: | Windows |
The HAHAHA Ransomware's author is apparently not among the most skilled or experienced cyber crooks, since they have opted to use an open-source project as the foundation of their threatening product. The HAHAHA Ransomware is based on the CryptoWire Ransomware, an open-source ransomware project that is meant to have an educational purpose but has already been misused to craft crypto-threats that are able to cause a lot of damage to the files of their victims. The HAHAHA Ransomware is only the latest addition to the list of CryptoWire variants, which includes VapeLauncher and the Lomix Ransomware.

One of the peculiar things about the HAHAHA Ransomware is the distribution technique its author has opted to use. Instead of relying on classic e-mail spam or taking advantage of a popular exploit kit, the HAHAHA Ransomware is spread as fake hacking tools such as Steam Cash or BTCHacker. Like the operator of the Kirk Ransomware, the HAHAHA Ransomware's author targets people in hacking circles by disguising the ransomware as a hacking tool.
The HAHAHA Ransomware's author has not modified CryptoWire's default window much, and the only major change is in the field that stores the ransom message. The cyber crook behind the HAHAHA Ransomware demands $500 from victims and asks them to send a message to hugoran1@gmx.com when the payment has been completed. The message promises that all users whose payment has been verified will receive a decryption key that can be entered in the HAHAHA Ransomware's lock screen to restore the locked files. The message also warns victims that their files will not be restored if they close the window or run an anti-virus utility to eliminate the threat.

There are two ways users can recognize the files that the HAHAHA Ransomware has locked: their names are changed to include the '.encrypted' extension before the original file extension (e.g., 'picture.png' is renamed to 'picture.encrypted.png'), and they are listed in the HAHAHA Ransomware's main window, which shows all encrypted files. If users close the main HAHAHA Ransomware window, they can find a text copy of the ransom message in a file called 'TEXT FILE.txt' on their desktops.
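A triage sketch for the two indicators described above (the '.encrypted' infix before the original extension and the 'TEXT FILE.txt' note on the desktop), added here as an example and not taken from the original article or from any vendor tool. The function names, the constructed sample tree and the rule that only both indicators together count as a match are assumptions.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".encrypted"        # from the page: inserted before the original extension
NOTE_NAME = "TEXT FILE.txt"  # from the page: ransom note left on the desktop


def original_name(filename):
    """Return the pre-rename name for '<base>.encrypted.<ext>', else None."""
    stem, ext = os.path.splitext(filename)   # 'picture.encrypted', '.png'
    base, marker = os.path.splitext(stem)    # 'picture', '.encrypted'
    if base and ext and marker.lower() == MARKER:
        return base + ext
    return None


def triage(root, desktop):
    """Walk root for renamed files and check desktop for the ransom note."""
    renamed, by_ext = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            orig = original_name(name)
            if orig is None:
                continue
            renamed.append((os.path.join(dirpath, name), orig))
            by_ext[os.path.splitext(orig)[1].lower()] += 1
    note_present = (Path(desktop) / NOTE_NAME).is_file()
    return {
        "renamed": sorted(renamed),
        "by_extension": dict(by_ext),
        "note_present": note_present,
        # Added heuristic (assumption): each indicator alone is a generic
        # name, so only the combination is reported as a match.
        "matches_description": bool(renamed) and note_present,
    }


if __name__ == "__main__":
    # Constructed sample tree, so the example runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        docs, desktop = Path(tmp, "Documents"), Path(tmp, "Desktop")
        docs.mkdir(); desktop.mkdir()
        for n in ("picture.encrypted.png", "clean.pdf", "notes.encrypted"):
            (docs / n).write_bytes(b"")
        (desktop / NOTE_NAME).write_text("constructed note")
        print(triage(tmp, desktop))
```

A file that merely ends in '.encrypted' is deliberately not counted, because the page describes the marker as sitting before the original extension.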
Yet Another Undecryptable Ransomware Based on CryptoWire
Unfortunately, the CryptoWire Ransomware's encryption appears to be unbreakable, which means that the files locked by the HAHAHA Ransomware are currently impossible to recover. The author of the original project states that CryptoWire is meant to erase and replace files multiple times, which prevents third-party file recovery utilities from having any chance of restoring the victims' data. Although a free decryptor is not available, the victims of the HAHAHA Ransomware should not believe that their files will be restored if they pay the ransom sum. There is no guarantee that the author of the HAHAHA Ransomware will not just take their money and then cease all communication with the victims.