HITOBITO Virus 🔐 (.HITOBITO Files) — How to Remove?

The Hitobito virus is a ransomware-type threat. Ransomware of this sort encrypts all of the user’s data on the computer (images, text files, Excel tables, audio files, videos, etc.), appends its own extension to every file, and creates a KageNoHitobito_ReadMe.txt text file in every folder that contains encrypted files.

This ransomware is a decryptable strain. The decryption key is “Password123”. Please note: later versions of the ransomware may have a different decryption key.

What is known about the Hitobito virus?

Hitobito appends its specific .hitobito extension to the name of every encoded file. For instance, a file named “photo.jpg” will be renamed to “photo.jpg.hitobito”. Likewise, an Excel file named “table.xlsx” will become “table.xlsx.hitobito”, and so forth.

In each folder with encrypted files, a KageNoHitobito_ReadMe.txt file is created. It is the ransom note. It explains the ways of paying the ransom and contains some other remarks. The ransom note usually describes how to purchase the decryption tool from the racketeers. You can get this decoding tool after contacting the Onion site via email.

Hitobito Overview:

Name: Hitobito Virus
Extension: .hitobito
Ransomware note: KageNoHitobito_ReadMe.txt
Contact: Onion site
Detection: Trojan:Win32/Virtumonde.O, TrojanRansom.Stealc, Trojan:Win32/Inject.AL
Symptoms: Your files (photos, videos, documents) get a .hitobito extension and you can’t open them.

The KageNoHitobito_ReadMe.txt document that comes with the Hitobito ransomware states the following:

Ooops, your files have been encrypted by Kage No Hitobito Group!


All your important files and documents have been encrypted by us.


Step 1:
On your current desktop, open up your default browser.
Search for Tor Browser or visit hxxps://www.torproject.org/
If you cannot access Tor then use a VPN to get it instead.
Then download to the Tor Browser and follow Step 2.


Step 2:
Navigate to the group chat and select 'Hitobito' from the username list.
Message with your situation and the price you are willing to pay for your files.
hxxp://notbumpz34bgbz4yfdigxvd6vzwtxc3zpt5imukgl6bvip2nikdmdaad.onion/chat/
If you do not know how to private messasge, ask the chat, they are usually friendly.
Though we advise you not to click links or follow any discussion they talk of.


Step 3: This is the important part, the one where you restore your computer quickly.
If you negotiate correctly and pay our ransom, we will send you a decryptor.
Reminder that 'Hitobito' can be impersonated or be one of several group members.

In the picture below, you can see what a directory with files encrypted by the Hitobito looks like. Each filename has the “.hitobito” extension added to it.

An example of encrypted .hitobito files.
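
An added example, not part of the original article: a read-only Python scan that inventories the two indicators described above (files ending in .hitobito and the KageNoHitobito_ReadMe.txt note) so you can see which folders were hit before cleanup or restore. The function names and the sample folder layout are assumptions constructed for the demonstration.

```python
import os
from collections import defaultdict

EXT = ".hitobito"                   # extension named on this page
NOTE = "KageNoHitobito_ReadMe.txt"  # ransom note filename named on this page

def original_name(name):
    """photo.jpg.hitobito -> photo.jpg (name before the extension was appended)."""
    return name[:-len(EXT)] if name.lower().endswith(EXT) else name

def scan(root):
    """Return {folder: {"encrypted": [names], "note": bool}} for affected folders."""
    report = defaultdict(lambda: {"encrypted": [], "note": False})
    for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            low = name.lower()
            if low == NOTE.lower():
                report[folder]["note"] = True
            elif low.endswith(EXT) and len(name) > len(EXT):
                report[folder]["encrypted"].append(name)
    return dict(report)

def summarize(report):
    """Totals, plus folders showing only one of the two indicators."""
    return {
        "encrypted_files": sum(len(v["encrypted"]) for v in report.values()),
        "affected_folders": len(report),
        "note_without_files": sorted(f for f, v in report.items()
                                     if v["note"] and not v["encrypted"]),
        "files_without_note": sorted(f for f, v in report.items()
                                     if v["encrypted"] and not v["note"]),
    }

def build_sample_tree(root):
    """Constructed sample layout (empty files) used only to demonstrate the scan."""
    layout = {
        "docs": ["photo.jpg.hitobito", "table.xlsx.hitobito", NOTE],
        "docs/old": ["report.docx.hitobito"],   # encrypted file, note missing
        "music": [NOTE],                        # note only
        "clean": ["readme.txt"],                # untouched folder
    }
    for folder, names in layout.items():
        path = os.path.join(root, *folder.split("/"))
        os.makedirs(path, exist_ok=True)
        for name in names:
            open(os.path.join(path, name), "w").close()

if __name__ == "__main__":
    import sys, tempfile
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        build_sample_tree(root)
    print(summarize(scan(root)))
```

Run it with a folder path to scan that folder; with no argument it builds the constructed sample tree in a temporary directory and scans that. It only lists names and never modifies or deletes files.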

How did Hitobito ransomware end up on my PC?

There are many possible ways of ransomware infiltration.

Nowadays, the three most popular methods evil-doers use to get ransomware working in your digital environment are email spam, Trojan infiltration and peer-to-peer file transfer.

  • Another option for ransom hunters is a Trojan horse model. A Trojan is a program that gets into your machine disguised as something legitimate. For example, you download an installer for some program you need or an update for some service, but what is unpacked turns out to be a harmful agent that compromises your data. As the installation wizard can have any name and any icon, you have to make sure that you can trust the source of the files you’re downloading. The best option is to use the software developers’ official websites.
  • As for the peer-to-peer networks like torrents or eMule, the danger is that they are even more trust-based than the rest of the Internet. You can never guess what you download until you get it. So you’d better be using trustworthy resources. Also, it is reasonable to scan the folder containing the downloaded files with the antivirus as soon as the downloading is complete.

How do I get rid of ransomware?

It is important to know that, besides encrypting your files, the Hitobito virus will most likely deploy Vidar Stealer on your computer to gain access to credentials for various accounts (including cryptocurrency wallets). This spyware can extract your logins and passwords from your browser’s autofill data.

How to avert a ransomware attack?

Hitobito ransomware has no superpowers, and neither does any similar malware.

You can defend your PC from a ransomware attack in three easy steps:

  • Never open any emails from unknown senders with unknown addresses, or with content that has nothing to do with something you are waiting for (how can you win a money prize draw without even taking part in it?). If the email subject looks like something you are waiting for, check all elements of the questionable letter carefully. A fake email will always have a mistake.
  • Do not use cracked or untrusted software. Trojans are often shared as part of cracked products, possibly under the guise of a “patch” which prevents the license check. Understandably, dubious programs are very hard to tell from trustworthy software, as trojans may also have the functionality you seek. You can try searching for information about the program on anti-malware forums, but the best solution is not to use such software.

FAQ

🤔 How can I open “.hitobito” files? Are the “.hitobito” files accessible?

Unfortunately, no. You need to decipher the “.hitobito” files first. Then you will be able to open them.

🤔 What should I do to make my files accessible as fast as possible?

Hopefully, you have made a copy of those important files. If not, there is still the System Restore function, but it needs a previously saved Restore Point. All other solutions require time.

🤔 What to do if the Hitobito virus has blocked my PC and I can’t get the activation code?

🤔 And what should I do now?

Many of the encoded files might still be at your disposal:

  • If you sent or received your critical files through email, you could still download them from your online mailbox.
  • You might have shared photographs or videos with your friends or relatives. Simply ask them to give those images back to you.
  • If you initially got any of your files from the Web, you can try to download them again.
  • Your messengers, social networks pages, and cloud drives might have all those files too.
  • Maybe you still have the needed files on your old PC, a portable device, mobile, external storage, etc.

USEFUL TIP: You can use file recovery programs[1] to get your lost data back since ransomware encodes the copies of your files, removing the authentic ones. In the video below, you can learn how to use PhotoRec for such a recovery, but remember: you won’t be able to do it before you remove the ransomware itself with an anti-malware program.

Brendan Smith

References

  1. Here are Top 10 Data Recovery Software Of 2024.

About the author

Brendan Smith

Cybersecurity analyst covering malware families, suspicious files, and detection alerts. Brendan focuses on clear explanations of what a warning means, when it may be a false positive, and which cleanup steps are appropriate.
