Ransomware Research

Hentai Oniichan Ransomware

Hentai Oniichan is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on September 1, 2020, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Berserker, King Engine.

Quick Facts

Ransomware Family: Hentai Oniichan
First Seen: September 1, 2020
Known Aliases: Berserker, King Engine

How Hentai Oniichan Ransomware Works

Targeted Files

https://www.vmray.com/cyber-security-blog/hentai-oniichan-ransomware-berserker-malware-analysis-spotlight/

File Encryption Patterns

Hentai Oniichan modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

..HOR..docm

Ransom Note and Payment Demands

After encrypting files, Hentai Oniichan displays ransom notes demanding payment for file recovery:

File: WARNING.html
Ransom message: notes/WARNING.html
Note locations: Desktop

File: readmerecovery.txt
Ransom message: notes/readmerecovery.txt
Note locations: Desktop

File: README_RECOVERY.txt
Ransom message: notes/README_RECOVERY.txt
Note locations: UserFolders

Technical Indicators

Associated Executable Files

The following executable files are associated with Hentai Oniichan ransomware:

  • recent_invoice_view.exe
  • invoice_view.exe
  • Fatality_DIed.dll
  • Pandora.dll
  • Fatality DIed.dll

About This Analysis

This Hentai Oniichan ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Hentai Oniichan.

Last updated: July 30, 2025