Ransomware Research

Hakbit Ransomware

Hakbit is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on November 1, 2019, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Thanos, Abarcy, Corona, Ravack, Energy, Pulpit, Narumi, 777, Thanos-based.

Quick facts

Ransomware Family
Hakbit
First Seen
November 1, 2019
Known Aliases
ThanosAbarcyCoronaRavackEnergyPulpitNarumi777Thanos-based

How Hakbit ransomware works

File encryption patterns

Hakbit modifies encrypted files using specific patterns to mark them as encrypted:

Extensions added after encryption
.crypted.VIPxxx.CRYSTAL.getin.cyber.horse.turretsyndrome.abarcy.gesd.part.ravack.energy[potentialenergy@mail.ru].locked.pulpit.cryp.rastar.stnts.0l0lqq.fsvlf4.secure[milleni5000@qq.com].zuadr.[prometheushelp@mail.ch].alumni.secure.hard.[killerworm@tuta.io].crypt.[KingKong2@tuta.io].crypt.ejqvfp.kingdee.secure[irrelevantly@aliyun.com].REV.[pingp0ng@tuta.io].noname.[detect0r@tuta.io].helpme.stepik.xot5ik.unlock.tgipus.ps1wek.NARUMI.SABS.[blackcat7@tuta.io].777

Ransom note and payment demands

After encrypting files, Hakbit displays ransom notes demanding payment for file recovery:

fileHELP_ME_RECOVER_MY_FILES.txt
notes/HELP_ME_RECOVER_MY_FILES.txt
fileyou are stupid!.txt
fileREAD THIS!!!!.txt
notes/READ THIS!!!!.txt
Location: Desktop
fileHELP_ME_MY_FILES_NOT_MAKE_PUBLIC.txt
fileDEAL_FOR_ACCESS_TO_YOUR_FILES.TXT
notes/DEAL_FOR_ACCESS_TO_YOUR_FILES.TXT
Location: EveryFolder
fileHOW_TO_DECYPHER_FILES_login.txt
notes/HOW_TO_DECYPHER_FILES_login.txt
fileHOW_TO_DECYPHER_FILES.txt
notes/HOW_TO_DECYPHER_FILES.txt
Location: EveryFolder
fileHOW_TO_DECYPHER_FILES.hta
notes/HOW_TO_DECYPHER_FILES.hta
Location: EveryFolder
fileRESTORE_FILES_INFO.txt
notes/RESTORE_FILES_INFO.txt
Location: EveryFolder
fileRESTORE_FILES_INFO.hta
notes/RESTORE_FILES_INFO.hta
Location: Desktop
fileHOW_TO_RECOVER_YOUR_FILES.txt
notes/HOW_TO_RECOVER_YOUR_FILES.txt
Location: EveryFolder
fileInstruction.txt
notes/Instruction.txt
fileHOW_TO_RECOVER_MY_FILES !.hta
notes/HOW_TO_RECOVER_MY_FILES !.hta
Location: Desktop
fileHOW_TO_RECOVER_MY_FILES !.txt
Location: EveryFolder
filedecrypt_info.txt
notes/decrypt_info.txt
fileИнструкция.txt
notes/Инструкция.txt
Location: EveryFolder

Technical indicators

Associated executable files

The following executable files are associated with Hakbit ransomware:

About this analysis

This Hakbit ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery, helping organizations defend against and recover from ransomware attacks like Hakbit.

Last updated: December 30, 2025

Detection coverage

Elastio detects Hakbit inside your data and backups.

The Hunt Engine uses Deep File Inspection to identify Hakbit across live data, replicated data, and backups. If this family is in your environment, Elastio finds it before encryption completes. Run a scan against your recovery points to confirm.

See How the Hunt Engine WorksRequest a Demo

Recent ransomware

Explore other threats in our database

Wxlongda2025VeilCrypt2025TitanLabooboo2025SolidBit2022SnapHackLocker2024PySystemUpdate2025PySimCrypt2025Monkey2025Lol2025HWID2025
View all ransomware →
What is Hakbit Ransomware? | Elastio