BLACK-HEOLAS: A Closer Look at a Hostile New Encryptor
BLACK-HEOLAS is a recently discovered ransomware strain observed in fresh submissions on VirusTotal. Unlike many commodity families, this variant takes a more destructive approach: it renames every targeted file into a long string of random characters and then adds the extension .hels. A harmless file such as 1.jpg turns into an unrecognizable object like 3af0c84a5dae45fca594c0539f367836.hels.
Once its encryption routine completes, BLACK-HEOLAS plants a ransom note called hels.readme.txt, modifies the user’s wallpaper, and introduces a strict, multi-tiered countdown system to pressure payment.
Attackers demand 0.01 BTC (roughly $950 USD at discovery time) and escalate threats across three timelines:
72 hours → ransom doubles
7 days → decryptor “destroyed”
30 days → files leaked on the dark web
This staged intimidation sequence is designed to destabilize victims psychologically by forcing rapid decision-making under stress.
Our response division has developed a precision-engineered decryptor workflow specifically for BLACK-HEOLAS. Instead of blindly attempting recovery, the system is built to work like a forensic laboratory — safe, controlled, and fully auditable.
Behavioral examination in a sealed sandbox to identify the exact build and encryption signature
Extraction of unique byte-level indicators from renamed .hels files
Small-scale proof-testing to validate the feasibility of decryption before touching your full dataset
Documented chain-of-custody logs suitable for insurance, compliance, litigation, or breach reporting
The decryptor can operate online (cloud-based key inspection) or offline (air-gapped forensic mode) depending on your environment’s sensitivity. All operations begin in read-only mode, ensuring no damage is ever introduced to encrypted data.
Emergency Response Protocol — What You Must Do Immediately
BLACK-HEOLAS is structured to punish every misstep. The ransom note itself warns that powering off systems or modifying files may lock data permanently. To avoid escalation:
Isolate infected machines instantly. Disconnect from local networks, servers, VMs, cloud sync agents, and external drives.
Freeze the environment. Do not rename .hels files, delete notes, or reboot the device until forensics are complete.
Collect evidence before remediation. Copy event logs, EDR alerts, malicious binaries, and suspicious processes.
Capture system memory (RAM). Some ransomware families accidentally leave partial keys or process handles in volatile memory.
Avoid any direct communication with the attacker. Using Tox or onionmail exposes metadata and may worsen the situation.
Your Recovery Options
Free or Local Recovery
Restoring from backups: If your organization maintains offline, immutable, or remote backups, these remain the cleanest and safest route to recovery. Always verify snapshot integrity before restoration.
Free decryptor status: No verified decryptor currently exists for BLACK-HEOLAS. The encryption appears structurally sound, with AES/RSA hybrid ciphers and no known cryptographic implementation flaws.
Professional Recovery
Expert-led decryption attempt: Our analysts perform variant fingerprinting, sandbox testing, and PoC decryptions to determine whether partial or complete restoration is possible.
Ransom payment (not recommended): Even though the ransom is relatively small, paying does not guarantee file recovery or deletion of exfiltrated data. Many ransomware operators deliver fake or corrupted decryptors after receiving cryptocurrency.
Using Our BLACK-HEOLAS Decryptor — Step-By-Step
Step 1 — Verification: Confirm your files are renamed into long hexadecimal-like strings ending in .hels. Identify the ransom note hels.readme.txt.
Step 2 — Stabilize the affected system: Disconnect the device; prevent all background sync and disable network interfaces.
Step 3 — Submit samples to our lab: Provide several encrypted .hels files and the ransom note so our analysts can extract variant markers.
Step 4 — Run the controlled decryptor: Launch it with administrator privileges; internet connectivity may be needed depending on your chosen recovery mode.
Step 5 — Provide your Decrypt ID: BLACK-HEOLAS provides a victim-specific ID. Entering it ensures correct key alignment for PoC decryption.
Step 6 — Begin restoration: Once validated, the decryptor restores files to an isolated directory and outputs a complete report.
Filename: hels.readme.txt
Purpose: Delivers staged ransom threats and restrictions that forbid shutdowns, reboots, or file manipulation.
Excerpt from the note:
==============> BLACK-HEOLAS <==============
> What Happened?
Your important files are locked by encryption. A large number of your documents, photos, videos, databases and other files are now inaccessible – they have been encrypted. Don’t waste time trying to recover them yourself – it won’t work. No one can restore your files except via our decryption service.
> How to pay
You have only three days to make the required payment. Once that deadline passes, the price will be doubled. If you do not pay within 7 days, the decryptor will be destroyed and your files will be lost forever. After a month, your files will be published on the dark web and social sites.
Once payment is complete, email or send via Tox a screenshot of the payment confirmation and your Decrypt ID – we will then provide the decryptor. Payment is accepted only in BTC, and the price is non-negotiable.
> Contacts
Support Tox: 2900CE9AE763FDC8206A01166943B81E61C0AB9043CC00A61F7332D00A28441216359DA46C22
* You must use the Tox Messenger to contact us. Download it here: hxxps://tox.chat/download.html
Support Email: BlackHeolasSupport@onionmail.org
> Recommendations
DO NOT shut down or restart your systems – this may result in permanent damage to encrypted files. DO NOT rename, move, or alter any encrypted files or the provided readme files. DO NOT use 3rd party tools to decrypt. If you violate these rules, we cannot guarantee a successful recovery.
Decryption ID: –
Indicators of Compromise (IOCs)
File extension: .hels (applied after the file is renamed to a randomized string)
Ransom note: hels.readme.txt
Ransom demand: 0.01 BTC
Threat actor contact: the Tox ID and onionmail address given in the ransom note above
Exfiltration: files stolen prior to encryption (indicated by threats in the note)
Impact: full data disruption plus release threats
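The two naming indicators above (a long hexadecimal filename ending in .hels, and the hels.readme.txt note) can be turned into a read-only triage scan. The following is an added example, not code from the page or from any vendor tool; it assumes the 32-hex-character filename shape seen in the single sample on the page (3af0c84a5dae45fca594c0539f367836.hels), and the sample directory it builds is constructed for the dry run.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators from the write-up. The 32-hex-character length is an assumption
# taken from the one example filename on the page; widen it if other builds differ.
HELS_NAME = re.compile(r"^[0-9a-f]{32}\.hels$", re.IGNORECASE)
NOTE_NAME = "hels.readme.txt"


def scan_tree(root):
    """Walk `root` read-only and collect paths matching the BLACK-HEOLAS naming IOCs."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if HELS_NAME.match(name):
                encrypted.append(path)
            elif name.lower() == NOTE_NAME:
                notes.append(path)
    # Nothing is opened or modified: the scan only inspects names, so it is
    # safe to run before evidence collection is finished.
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "hit": bool(encrypted or notes),
    }


def build_sample(root):
    """Constructed sample tree: two renamed files, one note, and two decoys."""
    docs = Path(root) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "3af0c84a5dae45fca594c0539f367836.hels").write_bytes(b"\x00" * 16)
    (docs / "0123456789abcdef0123456789abcdef.hels").write_bytes(b"\x00" * 16)
    (docs / "hels.readme.txt").write_text("==> BLACK-HEOLAS <==\n")
    (docs / "report.docx").write_bytes(b"PK\x03\x04")   # untouched file, must not match
    (docs / "notes.hels").write_bytes(b"x")              # right extension, wrong name shape
    return str(root)


def demo():
    """Dry run on the constructed tree; returns the scan summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample(tmp))


if __name__ == "__main__":
    r = demo()
    print(f"hit={r['hit']} encrypted={len(r['encrypted'])} notes={len(r['notes'])}")
```

A clean tree returns hit=False, so the same function doubles as a quick negative check on machines believed to be unaffected.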
Victim Landscape & Threat Spread
(Charts for target countries, target sectors, and timeline; no data is reproduced on this page.)
Conclusion
BLACK-HEOLAS is a stark reminder of how lower-tier ransomware crews have evolved into organized extortion operations. Though the ransom is relatively small, the damage — encrypted assets, stolen data, psychological pressure, and operational downtime — can be severe. The only reliable recovery path is careful containment, forensic analysis, and restoration from safe backups. Paying the ransom rarely solves the problem and often invites additional extortion or long-term exposure. A modern defense strategy must include hardened email filtering, immutable backups, employee training, and system patching to stay ahead of ransomware families like BLACK-HEOLAS.
Frequently Asked Questions
Not at this time. The encryption appears cryptographically secure.
Only through clean backups or professional recovery attempts.
No — the threat actors explicitly state the fee is “non-negotiable.”
The ransom note states that shutdowns may cause permanent corruption; avoid rebooting until forensics is complete.
Use updated antivirus, avoid cracked software, enable MFA, keep systems patched, and maintain offline backups.