I wrote this article to help you remove Heimdall Ransomware. This Heimdall Ransomware removal guide works for all Windows versions.
Heimdall ransomware is one of the few win-lockers whose author has been identified. The malicious program was created by a Brazilian developer named Lenon Leite, who released a proof-of-concept (PoC) describing Heimdall ransomware in detail. The program is written in PHP and is available on GitHub under an MIT license.
This would make the win-locker a RaaS (ransomware-as-a-service) virus if it were sold as a tool for robbing computer users. That is not the objective of the program, though. Heimdall ransomware was created to demonstrate the properties of win-lockers, which explains why the person behind it has revealed his identity. The correct categorization for Heimdall is open-source ransomware.
Mr. Leite provided a description of Heimdall ransomware and explained his motives for creating the program. The win-locker encrypts different types of files using a password register. The targeted file types include documents, images, audio, video, archives, databases and system components. The encrypted items can only be decrypted with the designated password. The program is contained in a single 482-line .php file, which also produces the GUI.
Heimdall ransomware uses the AES-128-CBC encryption algorithm to lock files. The win-locker drops a ransom note to inform the victim of its actions and state its demands. Users are asked to pay 2 bitcoins to have their files decrypted, which converts to $1424.64 USD. The deadline for making the payment is two days. Most win-lockers process payments through the bitcoin cryptocurrency because it assures anonymity: the identity of the recipient is kept undisclosed, which allows cyber criminals to get away with the ransom money without consequences.
The concept of an open-source ransomware program is risky. The developer of Heimdall ransomware may have good intentions, but the software could wind up in the hands of hackers, who can exploit it. With the program in their possession, cyber crooks can launch distribution campaigns and run attacks on computers. Heimdall ransomware is ready to use as a product, and obtaining the software is possible. Up until this point, the win-locker has not been acquired by hackers, but this could happen in the future.
The methods for spreading Heimdall ransomware include spam emails and drive-by installations. The first technique is the most common means of transport for win-lockers. The malicious program is hidden in a file attached to a misleading email and waits for the recipient to open it. Doing so is enough to trigger the download and installation of the virus. You need to be cautious about your emails. Make sure a given message comes from a reliable sender before opening attachments or following instructions from it. The sender could be writing on behalf of a legitimate company or entity to throw you off. Spammers often impersonate the national post, courier firms, government branches, social networks, banks, e-commerce platforms and the local police department. To verify the reliability of a given email, look up the sender's contact details.
Drive-by installations work in an even simpler manner. Heimdall ransomware can be transmitted to your machine through a single click. Visiting a corrupted website or following a compromised link is enough to initiate the transfer of the win-locker. You should be careful about your sources. Do your research on unfamiliar websites. If you happen to receive a link you did not expect, contact the person who sent it. Hackers can break into people's accounts and send spam through them. The affected user may not be aware of this, as the link might not even be visible from their own account.
Heimdall Ransomware Uninstall
Method 1: Restore your encrypted files using ShadowExplorer
Usually, Heimdall Ransomware deletes all shadow copies stored on your computer. Luckily, the ransomware is not always able to delete the shadow copies, so your first attempt should be restoring the original files from them.
- Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
- Install ShadowExplorer
- Open ShadowExplorer and select C: drive on the left panel
- Choose a date at least a month ago from the date field
- Navigate to the folder with encrypted files
- Right-click on the encrypted file
- Select “Export” and choose a destination for the original file
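Before installing ShadowExplorer it is worth checking whether any shadow copies survived at all. The following PowerShell script is an added example, not part of the original guide or of ShadowExplorer; it enumerates the shadow copies Windows still holds, maps each one to its drive letter and flags those old enough to predate the infection (run it from an elevated PowerShell prompt):

```powershell
# Added example: report surviving Volume Shadow Copies per drive letter so you
# can tell whether Method 1 (ShadowExplorer) has anything to restore from.
# Run from an elevated PowerShell prompt.

# Win32_Volume.DeviceID holds the same \\?\Volume{GUID}\ path that
# Win32_ShadowCopy.VolumeName uses, so it lets us translate to a drive letter.
$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy

if (-not $shadows) {
    Write-Output 'No shadow copies found: the ransomware may have deleted them. Go to Method 2 or 3.'
    return
}

foreach ($s in ($shadows | Sort-Object InstallDate)) {
    $vol    = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName }
    $letter = if ($vol) { $vol.DriveLetter } else { $s.VolumeName }
    $age    = (Get-Date) - $s.InstallDate

    # The guide recommends a snapshot at least a month old, so it is unlikely
    # to already contain encrypted copies of your files.
    $note = if ($age.TotalDays -ge 30) {
        'older than a month: good candidate for ShadowExplorer'
    } else {
        'recent: may already hold encrypted files, prefer an older one'
    }

    '{0} shadow copy from {1:yyyy-MM-dd HH:mm} ({2} days old) - {3}' -f `
        $letter, $s.InstallDate, [int]$age.TotalDays, $note
}
```

If the script lists a copy for C: that is older than a month, pick that date in ShadowExplorer's date field in the steps above.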
Method 2: Restore your encrypted files by using System Restore
- Go to Start –> All programs –> Accessories –> System tools –> System restore
- Click “Next“
- Choose a restore point from at least a month ago
- Click “Next“
- Choose Disk C: (should be selected by default)
- Click “Next“. Wait for a few minutes and the restore should be done.
Method 3: Restore your files using File Recovery Software
If none of the above methods works, you should try to recover the encrypted files using File Recovery Software. Since Heimdall Ransomware first makes a copy of the original file, then encrypts the copy and deletes the original, you can often successfully restore the original using File Recovery Software. Here are a few free File Recovery Software programs: