Heimdall Ransomware Data Recovery

Written by Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible for a wide audience.

Edited by Laura Pompeu

With 10 years of experience in journalism, SEO & digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.

Co-written by Bogdan Glushko

CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he's been able to help restore data after logical errors, physical failures, or even ransomware attacks, for individuals, businesses, and government agencies alike.


Heimdall is a new type of ransomware that is currently becoming more prevalent.

History

On May 22nd, 2017, Michael Gillespie discovered Heimdall Ransomware. Heimdall is a ransomware-as-a-service (RaaS) that is currently being distributed through various affiliate programs. Heimdall uses the EDA2 open source project for its encryption routine, which is why it is sometimes also referred to as EDA2 ransomware.

How does Heimdall work?

When this ransomware is executed, it will check to see if the computer is connected to the Internet. If an Internet connection is present, Heimdall will contact its Command & Control (C&C) server and send information about the infected computer. After generating a unique ID for the computer, Heimdall will create an RSA-2048 public/private key pair. Heimdall will use the public key to encrypt a file called “HELP_DECRYPT.txt”, which contains information on how to contact Heimdall’s developers for payment instructions. Heimdall will then scan the computer’s hard drive for certain file types and encrypt them using the AES-256 encryption algorithm. The AES-256 encrypted files will have the “.heimdall” extension appended to them.

What types of files does Heimdall Ransomware encrypt?

Heimdall Ransomware will search for and encrypt over 500 different types of files. A list of file extensions that Heimdall targets is below: .3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dfx, .dng, .doc, .docm, .docx, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mkv, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .nef, .nrw, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .PSD, .pst, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qfx, .qwc, .raf, .rar, .raw, .rtf, .rw2, .rwl, .sr2, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsm, .xlsx. This ransomware will also encrypt files on any connected network drives.
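A read-only triage script for scoping an incident with the two indicators named above, the ".heimdall" suffix and the "HELP_DECRYPT.txt" note. It is an added example, not code from this article's authors or any vendor tool; the function names and the sample directory tree are constructed for illustration, and it assumes file modification times were not altered.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".heimdall"    # extension the article says is appended
RANSOM_NOTE = "help_decrypt.txt"  # note name from the article, lower-cased


def triage(root):
    """Read-only scan: count encrypted files, locate notes, find earliest change."""
    by_ext, dirs, notes, earliest = Counter(), set(), [], None
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif lower.endswith(ENCRYPTED_SUFFIX):
                original = lower[: -len(ENCRYPTED_SUFFIX)]  # report.docx.heimdall -> report.docx
                by_ext[Path(original).suffix or "(none)"] += 1
                dirs.add(dirpath)
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
                earliest = mtime if earliest is None else min(earliest, mtime)
    return {
        "encrypted_total": sum(by_ext.values()),
        "by_original_ext": dict(by_ext),
        "affected_dirs": sorted(dirs),
        "ransom_notes": sorted(notes),
        "earliest_mtime": earliest,  # epoch seconds of the oldest encrypted file found
    }


def build_sample_tree(root):
    """Constructed sample data: empty placeholder files with fixed timestamps."""
    layout = {"docs/report.docx.heimdall": 1_700_000_600,
              "docs/budget.xlsx.heimdall": 1_700_000_000,
              "photos/img001.jpg.heimdall": 1_700_000_300,
              "photos/untouched.jpg": 1_600_000_000,
              "docs/HELP_DECRYPT.txt": 1_700_000_900}
    for rel, mtime in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
```

The per-extension counts show which kinds of data need restoring, and the earliest timestamp helps pick a backup taken before the first encrypted file found.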

How much does Heimdall Ransomware cost?

The Heimdall developers currently charge between 0.5 and 1 Bitcoin (approximately USD 1,000-2,000) for the Heimdall decryption key. Heimdall’s developers have stated that they will give a discount to victims who contact them within 72 hours of Heimdall Ransomware infection. Heimdall developers also offer a “free” decryptor that will decrypt three files for free. However, this “free” decryptor is only meant to show victims that Heimdall Ransomware is working and that Heimdall does indeed have the decryption key.

Protection

You can protect yourself from Heimdall and other ransomware infections by using a reliable anti-malware program and keeping your operating system and software up to date. You should also back up your important files regularly to minimize the risk of data loss in the event of a ransomware infection.

How to remove Heimdall Ransomware?

You can remove Heimdall Ransomware with a reputable anti-malware program. We recommend using Malwarebytes Anti-Malware, as it can detect and remove Heimdall and other types of malware from your computer. Once Heimdall has been removed, you can use a file recovery program to restore your encrypted files.

Is there a public decryption tool?

No, there is no public decryption tool for Heimdall Ransomware at this time.

You can only decrypt your files with the Heimdall decryption key, which is only available from Heimdall’s developers. We do not recommend paying the ransom, as there is no guarantee that Heimdall’s developers will provide you with the decryption key. Additionally, paying the ransom will only encourage Heimdall’s developers to continue their malicious activities.

Use recovery software

We built SalvageData data recovery software to help you.

Contact a data recovery service

If you cannot remove Heimdall ransomware or access your files, you can try to restore them using a data recovery service.

SalvageData Recovery Services

Our Heimdall ransomware removal and file recovery services are designed to help you get your files back. We have a team of highly trained security experts who will work with you to get your files back. Contact us today for a free consultation.
