Hakbit Ransomware

Hakbit is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on November 1, 2019, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Thanos, Abarcy, Corona, Ravack, Energy, Pulpit, Narumi, 777, Thanos-based.

Quick Facts

Ransomware Family: Hakbit
First Seen: November 1, 2019
Known Aliases: Thanos, Abarcy, Corona, Ravack, Energy, Pulpit, Narumi, 777, Thanos-based

How Hakbit Ransomware Works

Targeted Files

https://www.bleepingcomputer.com/forums/t/721616/thanos-hakbit-ransomware-support-topic/page-2#entry5281530
https://app.any.run/tasks/e95f6def-2640-4846-80ba-de52ce1c6205/

File Encryption Patterns

Hakbit modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

.crypted, .VIPxxx, .CRYSTAL, .getin, .cyber, .horse, .turretsyndrome, .abarcy, .gesd, .part, .ravack, .energy[potentialenergy@mail.ru], .locked, .pulpit, .cryp, .rastar, .stnts, .0l0lqq, .fsvlf4, .secure[milleni5000@qq.com], .zuadr.[prometheushelp@mail.ch], .alumni, .secure, .hard, .[killerworm@tuta.io].crypt, .[KingKong2@tuta.io].crypt, .ejqvfp, .kingdee, .secure[irrelevantly@aliyun.com], .REV, .[pingp0ng@tuta.io].noname, .[detect0r@tuta.io].helpme, .stepik, .xot5ik, .unlock, .tgipus, .ps1wek, .NARUMI, .SABS, .[blackcat7@tuta.io].777

Ransom Note and Payment Demands

After encrypting files, Hakbit displays ransom notes demanding payment for file recovery:

  • HELP_ME_RECOVER_MY_FILES.txt
    Ransom message: notes/HELP_ME_RECOVER_MY_FILES.txt
  • you are stupid!.txt
  • READ THIS!!!!.txt
    Ransom message: notes/READ THIS!!!!.txt
    Note locations: Desktop
  • HELP_ME_MY_FILES_NOT_MAKE_PUBLIC.txt
  • DEAL_FOR_ACCESS_TO_YOUR_FILES.TXT
    Ransom message: notes/DEAL_FOR_ACCESS_TO_YOUR_FILES.TXT
    Note locations: EveryFolder
  • HOW_TO_DECYPHER_FILES_login.txt
    Ransom message: notes/HOW_TO_DECYPHER_FILES_login.txt
  • HOW_TO_DECYPHER_FILES.txt
    Ransom message: notes/HOW_TO_DECYPHER_FILES.txt
    Note locations: EveryFolder
  • HOW_TO_DECYPHER_FILES.hta
    Ransom message: notes/HOW_TO_DECYPHER_FILES.hta
    Note locations: EveryFolder
  • RESTORE_FILES_INFO.txt
    Ransom message: notes/RESTORE_FILES_INFO.txt
    Note locations: EveryFolder
  • RESTORE_FILES_INFO.hta
    Ransom message: notes/RESTORE_FILES_INFO.hta
    Note locations: Desktop
  • HOW_TO_RECOVER_YOUR_FILES.txt
    Ransom message: notes/HOW_TO_RECOVER_YOUR_FILES.txt
    Note locations: EveryFolder
  • Instruction.txt
    Ransom message: notes/Instruction.txt
  • HOW_TO_RECOVER_MY_FILES !.hta
    Ransom message: notes/HOW_TO_RECOVER_MY_FILES !.hta
    Note locations: Desktop
  • HOW_TO_RECOVER_MY_FILES !.txt
    Note locations: EveryFolder
  • decrypt_info.txt
    Ransom message: notes/decrypt_info.txt
  • Инструкция.txt
    Ransom message: notes/Инструкция.txt
    Note locations: EveryFolder

Technical Indicators

Associated Executable Files

The following executable files are associated with Hakbit ransomware:


About This Analysis

This Hakbit ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Hakbit.

Last updated: July 30, 2025