bH4T ransomware removal

bH4T ransomware is file-encrypting malware from the Dharma ransomware family. It encrypts files, adds the [].bH4T file extension, shows a pop-up ransom note, as well as drops FILES ENCRYPTED.txt.


Screenshot (71)

bH4T ransomware was detected by malware researcher Marcelo Rivero, and is malware that encrypts files. The gang behind Dharma has released many versions of ransomware, including 259, LCK, and Dme. This version can be differentiated by the [].bH4T extension added to encrypted files. All files with this extension will not be openable, unless users first decrypt them with a special decryption tool, which they would need to buy from the cyber criminals behind this ransomware. The pop-up ransom note will explain how victims can purchase the decryptor, though it does not mention the price. It will likely be somewhere between $100 and $1000. Whatever the price may be, paying is not recommended, primarily because there are no guarantees that a decryptor would be sent to victims. After all, there have been countless users who paid but received nothing in return. There’s nothing really forcing these cyber crooks to actually keep their end of the deal, so trusting them would be naive. This, unfortunately, means that files could be lost permanently.

Users who have backup of their files can connect to the backup as soon as they delete bH4T ransomware from their computers. They should make sure that the ransomware is completely gone, though, as otherwise, backed up files may become encrypted as well.

Users should be very careful with free decryptors advertised on various questionable forums and websites as there are many fake ones concealed as legitimate. While malware researchers do release free decryptors to help users, one for bH4T ransomware is not available. If it was to be released, it would come from Emsisoft, NoMoreRansom, malware researchers or anti-virus vendors. As it is, the only way to recover files is backup.

Ransomware distribution methods

The majority of ransomware use more or less the same spread methods, which include malicious email attachments, torrents and malicious ads.

Users who don’t pay attention to what email attachments they open are at high risk of picking up malware. Malicious parties launch spam email campaigns that contain malware using email addresses purchased from hacking forums. In rare cases, the email will be sophisticated, but they’re mostly quite obvious. They’ll be sent from random email addresses, contain loads of grammar and spelling mistakes and claim that opening the attachment is vital. When it comes to unsolicited emails with attachments, it’s very important to be vigilant. Users should not rush to open the attachment, no matter what the email is saying. Even if everything checks out, all unsolicited email attachments should be scanned with anti-virus software or VirusTotal before they’re opened.

Users who use torrents to pirate are also at increased risk. Torrent sites are full of malware, often disguised as movies, games, TV shows, etc. Pirating is discouraged, and it’s not only because it’s essentially stealing content. It’s also quite dangerous for the computer.

What does the ransomware do?

As soon as the ransomware is initiated, it will begin encrypting files. Photos, documents, videos, etc., will all have an extension added to them, signaling that they have been encrypted. The file extension will contain the user’s unique ID as well as [].bH4T. For example, image.jpg would become image.jpg.unique ID.[].bH4T. Files with that extension will not be openable until they’re decrypted. Once file encryption is done, a ransom note FILES ENCRYPTED.txt is dropped and another one pops up. According to the note, users who want to get the decryptor have to send an email to with their assigned ID. They would then be given the price for the decryptor.

As we said above, paying the ransom is not recommended. Not only does it not guarantee file decryption, it also supports future criminal activity.

The pop-up ransom note contains the below information:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail
Write this ID in the title of your message C279F237
In case of no answer in 24 hours write us to theese
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

bH4T ransomware removal

Users should use anti-malware software to delete bH4T ransomware, and not attempt to do it manually. Once users remove bH4T ransomware, they can start file recovery from backup.

bH4T ransomware is detected as:

  • Win32:RansomX-gen [Ransom] by AVG/Avast
  • Trojan.Ransom.Crysis.E by BitDefender
  • Trojan.Ransom.Crysis.E (B) by Emsisoft
  • A Variant Of Win32/Filecoder.Crysis.P by ESET
  • by Kaspersky
  • Ransom:Win32/Wadhrama!hoa by Microsoft
  • Ransom.Crysis by Malwarebytes
  • Ransom.Win32.CRYSIS.SM by TrendMicro