BLACK-HEOLAS: A Closer Look at a Hostile New Encryptor
BLACK-HEOLAS is a recently discovered ransomware strain observed in fresh submissions on VirusTotal. Unlike many commodity families, this variant takes a more destructive approach: it renames every targeted file into a long string of random characters and then adds the extension .hels. A harmless file such as 1.jpg turns into an unrecognizable object like 3af0c84a5dae45fca594c0539f367836.hels.
Once its encryption routine completes, BLACK-HEOLAS plants a ransom note called hels.readme.txt, modifies the user’s wallpaper, and introduces a strict, multi-tiered countdown system to pressure payment.
Attackers demand 0.01 BTC (roughly $950 USD at discovery time) and escalate threats across three timelines:
72 hours → ransom doubles
7 days → decryptor “destroyed”
30 days → files leaked on the dark web
This staged intimidation sequence is designed to destabilize victims psychologically by forcing rapid decision-making under stress.
Our response division has developed a precision-engineered decryptor workflow specifically for BLACK-HEOLAS. Instead of blindly attempting recovery, the system is built to work like a forensic laboratory — safe, controlled, and fully auditable.
Behavioral examination in a sealed sandbox to identify the exact build and encryption signature
Extraction of unique byte-level indicators from renamed .hels files
Small-scale proof-testing to validate the feasibility of decryption before touching your full dataset
Documented chain-of-custody logs suitable for insurance, compliance, litigation, or breach reporting
The decryptor can operate online (cloud-based key inspection) or offline (air-gapped forensic mode) depending on your environment’s sensitivity. All operations begin in read-only mode, ensuring no damage is ever introduced to encrypted data.
Emergency Response Protocol — What You Must Do Immediately
BLACK-HEOLAS is structured to punish every misstep. The ransom note itself warns that powering off systems or modifying files may lock data permanently. To avoid escalation:
Isolate infected machines instantly. Disconnect from local networks, servers, VMs, cloud sync agents, and external drives.
Freeze the environment. Do not rename .hels files, delete notes, or reboot the device until forensics are complete.
Collect evidence before remediation. Copy event logs, EDR alerts, malicious binaries, and suspicious processes.
Capture system memory (RAM). Some ransomware families accidentally leave partial keys or process handles in volatile memory.
Avoid any direct communication with the attacker. Using Tox or onionmail exposes metadata and may worsen the situation.
Your Recovery Options
Free or Local Recovery
Restoring from backups: If your organization maintains offline, immutable, or remote backups, these remain the cleanest and safest route to recovery. Always verify snapshot integrity before restoration.
Free decryptor status: No verified decryptor currently exists for BLACK-HEOLAS. The encryption appears structurally sound, with AES/RSA hybrid ciphers and no known cryptographic implementation flaws.
Professional Recovery
Expert-Led Decryption Attempt: Our analysts perform variant fingerprinting, sandbox testing, and PoC decryptions to determine whether partial or complete restoration is possible.
Ransom payment (not recommended): Even though the ransom is relatively small, paying does not guarantee file recovery or deletion of exfiltrated data. Many ransomware operators deliver fake or corrupted decryptors after receiving cryptocurrency.
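The "verify snapshot integrity before restoration" step above is easy to state and easy to skip. The following is an added example (not code from the original article or from the recovery service it describes) of one way to do it: record a SHA-256 manifest when the backup is taken, then, before restoring, check every manifest entry and flag anything modified, missing, or newly present in the snapshot. The manifest format (hex digest, two spaces, relative path, one entry per line, in the style of sha256sum output), the file names, and the tampering sequence are all constructed for the demo; real backup tooling records integrity data its own way.

```python
"""Added example (not the article's own code): verify a backup snapshot
against a SHA-256 manifest before restoring from it.
Assumption: manifest lines look like "<hex digest>  <relative/path>"."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(snapshot: str, manifest_path: str) -> int:
    """Record the digest of every file under snapshot (done at backup time).
    Returns the number of entries written."""
    count = 0
    with open(manifest_path, "w", encoding="utf-8") as out:
        for dirpath, _dirs, files in os.walk(snapshot):
            for name in sorted(files):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, snapshot).replace(os.sep, "/")
                out.write(f"{sha256_file(full)}  {rel}\n")
                count += 1
    return count


def verify_snapshot(snapshot: str, manifest_path: str) -> dict:
    """Compare the snapshot to its manifest. Nothing is written to the snapshot."""
    expected = {}
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, rel = line.split("  ", 1)
            expected[rel] = digest
    ok, modified, missing = [], [], []
    for rel, digest in expected.items():
        full = os.path.join(snapshot, *rel.split("/"))
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_file(full) != digest:
            modified.append(rel)
        else:
            ok.append(rel)
    # Files present in the snapshot but absent from the manifest are also a
    # warning sign (for example a ransom note written into the backup share).
    extra = []
    for dirpath, _dirs, files in os.walk(snapshot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), snapshot).replace(os.sep, "/")
            if rel not in expected:
                extra.append(rel)
    return {
        "ok": ok,
        "modified": modified,
        "missing": missing,
        "extra": sorted(extra),
        "clean": not (modified or missing or extra),
    }


def demo(tamper: bool = True) -> dict:
    """Constructed demo: a two-file snapshot, its manifest, and optional tampering."""
    base = tempfile.mkdtemp(prefix="snapshot_demo_")
    snap = os.path.join(base, "snap")
    os.makedirs(os.path.join(snap, "Documents"))
    with open(os.path.join(snap, "Documents", "budget.xlsx"), "wb") as fh:
        fh.write(b"spreadsheet bytes")
    with open(os.path.join(snap, "photo.jpg"), "wb") as fh:
        fh.write(b"jpeg bytes")
    # The manifest lives outside the snapshot tree (ideally on separate media).
    manifest = os.path.join(base, "manifest.sha256")
    write_manifest(snap, manifest)
    if tamper:
        with open(os.path.join(snap, "photo.jpg"), "wb") as fh:
            fh.write(b"ciphertext")  # simulate a file encrypted in place
        os.remove(os.path.join(snap, "Documents", "budget.xlsx"))  # simulate deletion
        with open(os.path.join(snap, "hels.readme.txt"), "w", encoding="utf-8") as fh:
            fh.write("note\n")  # simulate a ransom note dropped into the backup
    return verify_snapshot(snap, manifest)


if __name__ == "__main__":
    print(demo(tamper=False))
    print(demo(tamper=True))
```

A restore should proceed only when the report comes back clean; a single modified or extra entry means the snapshot was reachable by the attacker and is not the trusted copy the backup policy assumed. Keeping the manifest on media the backup host cannot write to is what gives the check its value.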
Using Our BLACK-HEOLAS Decryptor — Step-By-Step
Step 1 — Verification: Confirm your files are renamed into long hexadecimal-like strings ending in .hels. Identify the ransom note hels.readme.txt.
Step 2 — Stabilize the affected system: Disconnect the device; prevent all background sync and disable network interfaces.
Step 3 — Submit samples to our lab: Provide several encrypted .hels files and the ransom note so our analysts can extract variant markers.
Step 4 — Run the controlled decryptor: Launch it with administrator privileges; internet connectivity may be needed depending on your chosen recovery mode.
Step 5 — Provide your Decrypt ID: BLACK-HEOLAS provides a victim-specific ID. Entering it ensures correct key alignment for PoC decryption.
Step 6 — Begin restoration: Once validated, the decryptor restores files to an isolated directory and outputs a complete report.
Filename: hels.readme.txt
Purpose: Delivers staged ransom threats and restrictions that forbid shutdowns, reboots, or file manipulation.
Excerpt from the note:
==============> BLACK-HEOLAS <==============
> What Happenned? —————————————————- Your important files are locked by encryption. A large number of your documents, photos, videos, databases and other files are now inaccessible – they have been encrypted. Don’t waste time trying to recover them yourself – it won’t work. No one can restore your files except via our decryption service.
> How to pay —————————————————- You have only three days to make the required payment. Once that deadline passes, the price will be doubled. If you do not pay within 7 days, the decryptor will be destroyed and your files will be lost forever. After a month, your files will be published on dark web and social sites.
Once payment is complete, email or send via Tox a screenshot of the payment confirmation and your Decrypt ID – we will then provide the decryptor. Payment is accepted only in BTC, and the price is non-negotiable.
> Contacts —————————————————- Support Tox:2900CE9AE763FDC8206A01166943B81E61C0AB9043CC00A61F7332D00A28441216359DA46C22 * You must use the Tox Messenger to contact us. Download it here: hxxps://tox.chat/download.html Support Email: BlackHeolasSupport@onionmail.org
> Recommendations —————————————————- DO NOT shut down or restart your systems – this may result in permanent damage to encrypted files. DO NOT rename, move, or alter any encrypted files or the provided readme files. DO NOT use 3rd party tools to decrypt. If you violate these rules, we cannot guarantee a successful recovery.
Decryption ID: –
Indicators of Compromise (IOCs)
File extension: .hels — applied after renaming the file into a randomized string
Ransom note: hels.readme.txt
Ransom demand: 0.01 BTC
Threat actor contact: Tox ID 2900CE9AE763FDC8206A01166943B81E61C0AB9043CC00A61F7332D00A28441216359DA46C22; email BlackHeolasSupport@onionmail.org (both as quoted in the ransom note above)
Exfiltration: files stolen prior to encryption (indicated by threats in note)
Impact: full data disruption + release threats
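The indicators above, together with the Step 1 verification check (renamed files that are long hex strings ending in .hels, plus a hels.readme.txt note), can be turned into a read-only triage scan. The following is an added example, not code from the original article or from the recovery service it describes. It assumes the renamed stem is exactly 32 hexadecimal characters (the 3af0c84a5dae45fca594c0539f367836.hels sample in the write-up has that shape; other builds could differ) and that the note contains at least one of the contact strings quoted from the ransom note. The sample directory tree it builds is constructed for the demo and contains no malware.

```python
"""Added example (not the article's own code): read-only scan of a directory
tree for the BLACK-HEOLAS artefacts described in the write-up.
Assumptions: encrypted names are 32 hex characters + ".hels"; the note is
"hels.readme.txt" and carries one of the quoted contact strings."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicators copied from the write-up's IoC section and ransom-note excerpt.
HELS_NAME = re.compile(r"^[0-9a-f]{32}\.hels$", re.IGNORECASE)
NOTE_NAME = "hels.readme.txt"
NOTE_MARKERS = (
    "BLACK-HEOLAS",
    "2900CE9AE763FDC8206A01166943B81E61C0AB9043CC00A61F7332D00A28441216359DA46C22",
    "BlackHeolasSupport@onionmail.org",
)


@dataclass
class ScanResult:
    encrypted: list = field(default_factory=list)        # names matching the .hels pattern
    notes: list = field(default_factory=list)            # ransom notes found by file name
    confirmed_notes: list = field(default_factory=list)  # notes containing a known marker
    odd_hels: list = field(default_factory=list)         # .hels files with a non-hex stem

    @property
    def likely_infected(self) -> bool:
        # Require both artefacts; a lone .hels file or a lone note is weaker evidence.
        return bool(self.encrypted) and bool(self.notes)


def scan_tree(root: str) -> ScanResult:
    """Walk root and collect indicators. Files are only opened for reading."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE_NAME:
                result.notes.append(path)
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        text = fh.read()
                except OSError:
                    continue
                if any(marker in text for marker in NOTE_MARKERS):
                    result.confirmed_notes.append(path)
            elif HELS_NAME.match(name):
                result.encrypted.append(path)
            elif lower.endswith(".hels"):
                result.odd_hels.append(path)
    return result


def build_sample_tree(with_note: bool = True) -> str:
    """Constructed sample tree for the demo; no real ransomware output is used."""
    root = tempfile.mkdtemp(prefix="hels_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # Two files renamed the way the write-up describes (sample name from the article).
    for stem in ("3af0c84a5dae45fca594c0539f367836", "0123456789abcdef0123456789abcdef"):
        with open(os.path.join(docs, stem + ".hels"), "wb") as fh:
            fh.write(b"\x00" * 64)
    if with_note:
        with open(os.path.join(docs, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write("==============> BLACK-HEOLAS <==============\n"
                     "Support Email: BlackHeolasSupport@onionmail.org\n")
    # A clean file and a .hels file whose stem is not hex: neither should count.
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("unrelated\n")
    with open(os.path.join(root, "report.hels"), "w", encoding="utf-8") as fh:
        fh.write("not hex\n")
    return root


if __name__ == "__main__":
    res = scan_tree(build_sample_tree())
    print(f"encrypted={len(res.encrypted)} notes={len(res.notes)} "
          f"confirmed={len(res.confirmed_notes)} odd={len(res.odd_hels)} "
          f"likely_infected={res.likely_infected}")
```

Run it against a mounted, read-only copy of the affected volume rather than the live system, in keeping with the "freeze the environment" guidance above; the scan never renames, moves, or deletes anything, and the odd_hels bucket exists so that files which merely end in .hels are reported separately instead of being mistaken for encrypted data.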
Victim Landscape & Threat Spread
Target countries
Target sectors
Timeline
Conclusion
BLACK-HEOLAS is a stark reminder of how lower-tier ransomware crews have evolved into organized extortion operations. Though the ransom is relatively small, the damage — encrypted assets, stolen data, psychological pressure, and operational downtime — can be severe. The only reliable recovery path is careful containment, forensic analysis, and restoration from safe backups. Paying the ransom rarely solves the problem and often invites additional extortion or long-term exposure. A modern defense strategy must include hardened email filtering, immutable backups, employee training, and system patching to stay ahead of ransomware families like BLACK-HEOLAS.
Frequently Asked Questions
Not at this time. The encryption appears cryptographically secure.
Only through clean backups or professional recovery attempts.
No — the threat actors explicitly state the fee is “non-negotiable.”
The ransom note states that shutdowns may cause permanent corruption; avoid rebooting until forensics is complete.
Use updated antivirus, avoid cracked software, enable MFA, keep systems patched, and maintain offline backups.
Contact Us To Purchase The BLACK-HEOLAS Decryptor Tool