Halloware – A Deeper Dive

A new strain of ransomware popped up over the weekend: Halloware. We’ve been watching it for a few days to give you the scoop on what it does and how it operates. Let’s get to the most important point quickly:

CryptoDrop stopped this one the first time we saw it, just like we have every piece of ransomware we’ve ever seen. Halloware was able to encrypt 13 files before we stopped it, but our Fast Recovery edition restores them in under one second.

Now let’s talk details. Halloware is a little different in that it is basically “ransomware as a service”. For $40, the author (“Luc1F3R”) will provide you with your own ransomware that allows you to [sic] “Create Your Own Ransomware Without Any Knowledge About Coding”. It also claims to “Bypass Every Anti Virus”, but it was certainly no match for CryptoDrop.


Halloware attempts to make a network connection to a server located in Utah. It’s extremely unlikely that the author of this particular piece of ransomware is actually located in the United States – Bleeping Computer guesses that Luc1F3R is likely based in India, judging by his/her GitHub account information. While this site had more content a few days ago, it appears to be dead now. However, before that happened, we were able to get to the next step of the ransom process.

Unsurprisingly, Halloware attempts to direct victims to a Tor Hidden Service (a.k.a. the “dark web”) to recover their files. The price of getting the decryption key is $150, and the attacker wants that payment in Bitcoin.

The image above is fairly informative about the quality of this particular piece of ransomware: from the missing image to the broken payment link, this is not a well put-together operation. In fact, there’s probably a reason that Luc1F3R is only selling copies for $40 – Halloware crashes frequently.

As of this writing, it doesn’t actually appear to be possible to get your data back from this campaign. The ransom message no longer appears on any of the systems we tested. That means without CryptoDrop, you might be completely out of luck.

We don’t want to help the authors of this ransomware with any tips, but it appears as if our testing was far more extensive than theirs. Halloware can certainly encrypt files on many systems, but its stability varies greatly. Just as the website hints, it is unlikely that these folks are professional software engineers. That doesn’t mean that it won’t get better with time or that you shouldn’t protect yourself now.

Time will tell if Halloware becomes a real threat. But there’s no need to wait and see – CryptoDrop stops Halloware without any issue. We’ve stopped WannaCry, Scarab, Cerber, and the list goes on and on.

Give us a shot – before the Halloware team gets their act together.

Join us – We Stop Ransomware

