The 7ev3n-HONE$T ransomware encrypts and renames your files to R5A

Share this…

A security researcher named Mosh​ has discovered  a new variant of the 7ev3n Ransomware, which has rebranded itself as 7ev3n-HONE$T. This ransomware will encrypt your data and then ransom your files for approximately $400 USD in bitcoins. It is currently unknown how it is being distributed or what encryption type it uses. Unfortunately, there is no way to decrypt the files for free at this time.

7ev3n-HONE$T Ransomware
7ev3n-HONE$T Ransomware

When 7ev3n-HONE$T encrypts your data it will rename your files to sequential numbers using the .R5A extension. For example, a folder’s files would be renamed to 1.R5A, 2.R5A, 3.R5A, etc. 7ev3n-HONE$T will then add the name of the encrypted file to the C:\Users\Public\files file.

When it has finished encrypting your data it will connect to the Command & Control server and upload a variety of information and statistics.  The information sent is your assigned bitcoin address, the total amount of files encrypted, the amount of each type of file extensions, and your unique ID.  According to Mosh, the Command & Control server is located at the IP address (Turkey Istanbul Radore Veri Merkezi Hizmetleri As / AS197328).

When done, the following files will be located in the C:\Users\Public folder:

  • C:\Users\Public\conlhost.exe – The ransomware executable
  • C:\Users\Public\files –  The list of encrypted files
  • C:\Users\Public\FILES_BACK.txt – An alternative method to contact the ransomware developer.
  • C:\Users\Public\testdecrypt – A list of files that can be decrypted for free.
  • C:\Users\Public\time.e – The timestamp of when the ransomware encrypted your files.

The ransomware lock screen is broken up into four different windows. The first window is main lock screen, as shown above, and displays the ransom note and bitcoin address that payment should be sent to. The second screen allows you to perform a test decryption on three to five files.

Test Decryption Screen
Test Decryption Screen

The third screen displays a list of all encrypted files.

Encrypted files list
Encrypted files list

The fourth screen provides information on how to pay the ransom.

How to pay
How to Pay

At this time there is no way to decrypt the files for free, but if anything changes I will be sure to update this article.

Files associated with 7ev3n-HONE$T:


Registry entries associated with 7ev3n-HONE$T:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\allkeeper    C:\users\Public\conlhost.exe
HKCU\Software\crypted    1
HKCU\Software\testdecrypt    1