
Hc7 Ransomware

Posted: December 4, 2017

Threat Metric

Ranking: 9,409
Threat Level: 2/10
Infected PCs: 1,267
First Seen: May 5, 2022
Last Seen: October 14, 2023
OS(es) Affected: Windows

The Hc7 Ransomware is an update of the HC6 Ransomware, a Trojan that encrypts the files on your PC so that you can no longer open them. An Hc7 Ransomware infection also generates a text ransom note demanding that the user pay Bitcoins for unlocking their media, although you may be able to restore your data with free decryption programs. If your security protocols don't block the Hc7 Ransomware immediately, have a dedicated anti-malware product remove the Hc7 Ransomware before using either backups or freeware solutions to recover any locked files.

A Simple Patch in Ransoming Demands

The business-sector-targeting HC6 Ransomware is already being replaced by a probable successor, the Hc7 Ransomware, which delivers all of the same attacks but updates its ransom-related data. While malware experts have not found new cryptography features in the Hc7 Ransomware that would significantly improve its security over its ancestor's attacks, current decryption solutions for the old Trojan are not compatible with the Hc7 Ransomware. Victims with locked files can recover from a backup, or may be left waiting indefinitely until freeware decryptors are updated.

The Hc7 Ransomware doesn't disguise its main executable file, which may indicate that its threat actors either install the Trojan themselves after breaching a network's security or use another threat, such as a Zlob Trojan, to drop it. The identifying features and symptoms of Hc7 Ransomware infections are consistent with those of the HC6 Ransomware:

  • The Hc7 Ransomware automatically tries to encrypt various types of media on the PC, including any network-available drives. The encryption attack uses AES as its primary cipher and SHA-256 to secure it, and users are unable to open any files the Hc7 Ransomware targets afterward. The Trojan also includes a cosmetic change: it appends '.GOTYA' instead of the HC6 Ransomware's '.fucku' extension, which may be an effort to disguise the Trojan's origins or a result of different threat actors managing the Trojan's distribution.
  • The HC6 Ransomware's ransom note, a plain-text (Notepad) file, remains present in the Hc7 Ransomware's payload. However, it updates the wallet address, the ransoming options (victims can now opt to decrypt a single PC instead of an entire network), and the cost of the threat actor's decryption help. Ransoms that remain in the thousands of dollars' worth of Bitcoins continue to make a strong case that the Trojan targets the network systems of business-sector entities.
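As an added incident-triage example (not code from the page or from any vendor tool), the following Python walks a directory tree, counts files carrying either extension the write-up names, and reports the affected directories and the modification-time window, so a responder can tell which variant ran and how far it spread. The sample tree it builds is constructed for the demonstration.

```python
"""Scope a suspected HC6 / Hc7 encryption event by the extensions the write-up names."""
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Extension -> variant, as stated in the write-up above.
VARIANT_EXTENSIONS = {
    ".GOTYA": "Hc7 Ransomware",
    ".fucku": "HC6 Ransomware",
}


@dataclass
class TriageResult:
    variant: Optional[str] = None                  # best guess from the dominant extension
    counts: Dict[str, int] = field(default_factory=dict)   # extension -> locked file count
    directories: Set[str] = field(default_factory=set)     # directories holding locked files
    first_mtime: Optional[float] = None            # earliest locked-file modification time
    last_mtime: Optional[float] = None             # latest locked-file modification time


def triage_tree(root: str) -> TriageResult:
    """Walk `root` and summarise every file carrying a known ransomware extension."""
    result = TriageResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1]        # 'q3.xlsx.GOTYA' -> '.GOTYA'
            if ext not in VARIANT_EXTENSIONS:
                continue
            mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            result.counts[ext] = result.counts.get(ext, 0) + 1
            result.directories.add(dirpath)
            result.first_mtime = mtime if result.first_mtime is None else min(result.first_mtime, mtime)
            result.last_mtime = mtime if result.last_mtime is None else max(result.last_mtime, mtime)
    if result.counts:
        dominant = max(result.counts, key=lambda e: result.counts[e])
        result.variant = VARIANT_EXTENSIONS[dominant]
    return result


def build_sample_tree() -> str:
    """Constructed sample: a temp directory mimicking a share after an Hc7 run."""
    root = tempfile.mkdtemp(prefix="hc7_triage_")
    layout = ["finance/q3.xlsx.GOTYA", "finance/notes.txt.GOTYA",
              "hr/contracts.docx.GOTYA", "hr/README.txt"]   # last file is untouched
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    r = triage_tree(build_sample_tree())
    print(r.variant, r.counts, sorted(r.directories))
```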

Sending a Number Seven Trojan the Way of Number Six

For campaigns that try to extort money from business entities, some infection vectors are more likely to be exploited than others. Of these, malware experts judge the following options as the most likely to be in current use for the Hc7 Ransomware and similar file-locking threats:

  • Simple, easily brute-forced network passwords can help cybercrooks compromise a network and install the Hc7 Ransomware without the user's direct intervention.
  • Spam e-mail is a widely used strategy for distributing most Trojans that use encryption as a central feature. In most cases, the attack also uses disguised attachments, such as fake documents, although some threat actors embed drive-by downloads directly in a message's body.
  • Less common but still seen periodically, exploit kit-based attacks compromise websites likely to be frequented by the desired Web traffic and then install Trojans like the Hc7 Ransomware by exploiting script and software vulnerabilities.

Security patches can remove most, if not all, of the vulnerabilities that exploit kits like Blacole and the RIG Exploit Kit leverage against their victims. Robust anti-malware protection can block the Hc7 Ransomware or delete the Hc7 Ransomware from your PC at any point, including before it locks any files, and is the only removal method malware experts recommend for most users.

The Hc7 Ransomware is only a small step forward from the HC6 Ransomware, but even minor progress can suffice to evade known security solutions for a brief period. Network security, standard anti-malware protection, and exacting backup scheduling form a three-way defense that can hinder the Hc7 Ransomware and similar new Trojans before they start making money.

Technical Details

Additional Information

The following URLs were detected:
protectionsrequired.com
