Ransomware Research
Hakbit Ransomware
Hakbit is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on November 1, 2019, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Thanos, Abarcy, Corona, Ravack, Energy, Pulpit, Narumi, 777, Thanos-based.
Quick Facts
- Ransomware Family: Hakbit
- First Seen: November 1, 2019
- Known Aliases: Thanos, Abarcy, Corona, Ravack, Energy, Pulpit, Narumi, 777, Thanos-based
How Hakbit Ransomware Works
Targeted Files
- https://www.bleepingcomputer.com/forums/t/721616/thanos-hakbit-ransomware-support-topic/page-2#entry5281530
- https://app.any.run/tasks/e95f6def-2640-4846-80ba-de52ce1c6205/
File Encryption Patterns
Hakbit modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..crypted
..VIPxxx
..CRYSTAL
..getin
..cyber
..horse
..turretsyndrome
..abarcy
..gesd
..part
..ravack
..energy[potentialenergy@mail.ru]
..locked
..pulpit
..cryp
..rastar
..stnts
..0l0lqq
..fsvlf4
..secure[milleni5000@qq.com]
..zuadr
.[prometheushelp@mail.ch]
..alumni
..secure
..hard
..[killerworm@tuta.io].crypt
..[KingKong2@tuta.io].crypt
..ejqvfp
..kingdee
..secure[irrelevantly@aliyun.com]
..REV
..[pingp0ng@tuta.io].noname
..[detect0r@tuta.io].helpme
..stepik
..xot5ik
..unlock
..tgipus
..ps1wek
..NARUMI
..SABS
..[blackcat7@tuta.io].777
Ransom Note and Payment Demands
After encrypting files, Hakbit displays ransom notes demanding payment for file recovery:
- HELP_ME_RECOVER_MY_FILES.txt
  - Ransom message: notes/HELP_ME_RECOVER_MY_FILES.txt
- you are stupid!.txt
- READ THIS!!!!.txt
  - Ransom message: notes/READ THIS!!!!.txt
  - Note locations: Desktop
- HELP_ME_MY_FILES_NOT_MAKE_PUBLIC.txt
- DEAL_FOR_ACCESS_TO_YOUR_FILES.TXT
  - Ransom message: notes/DEAL_FOR_ACCESS_TO_YOUR_FILES.TXT
  - Note locations: EveryFolder
- HOW_TO_DECYPHER_FILES_login.txt
  - Ransom message: notes/HOW_TO_DECYPHER_FILES_login.txt
- HOW_TO_DECYPHER_FILES.txt
  - Ransom message: notes/HOW_TO_DECYPHER_FILES.txt
  - Note locations: EveryFolder
- HOW_TO_DECYPHER_FILES.hta
  - Ransom message: notes/HOW_TO_DECYPHER_FILES.hta
  - Note locations: EveryFolder
- RESTORE_FILES_INFO.txt
  - Ransom message: notes/RESTORE_FILES_INFO.txt
  - Note locations: EveryFolder
- RESTORE_FILES_INFO.hta
  - Ransom message: notes/RESTORE_FILES_INFO.hta
  - Note locations: Desktop
- HOW_TO_RECOVER_YOUR_FILES.txt
  - Ransom message: notes/HOW_TO_RECOVER_YOUR_FILES.txt
  - Note locations: EveryFolder
- Instruction.txt
  - Ransom message: notes/Instruction.txt
- HOW_TO_RECOVER_MY_FILES !.hta
  - Ransom message: notes/HOW_TO_RECOVER_MY_FILES !.hta
  - Note locations: Desktop
- HOW_TO_RECOVER_MY_FILES !.txt
  - Note locations: EveryFolder
- decrypt_info.txt
  - Ransom message: notes/decrypt_info.txt
- Инструкция.txt
  - Ransom message: notes/Инструкция.txt
  - Note locations: EveryFolder
Technical Indicators
Associated Executable Files
The following executable files are associated with Hakbit ransomware:
About This Analysis
This Hakbit ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Hakbit.
Last updated: July 30, 2025