
Los Pollos Hermanos Virus

Also Known As: .HA3 virus
Damage level: Severe

What is Los Pollos Hermanos?

Cable network AMC’s popular TV series, Breaking Bad, which ended after five successful seasons in 2013, is in the spotlight once again thanks to a group of hackers who have modelled a new ransomware variant after the hit show.

The new malware variant confronts users with a message complete with the Los Pollos Hermanos logo, the fictional fried chicken restaurant from the show. It encrypts the victim's files (the targeted file types are listed further down) and threatens to delete them unless a ransom is paid before a deadline.

The ransom, at time of writing, is $450 AUD, rising to $1,000 AUD (~$791 USD) if the deadline in the note is missed. Researchers from the security firm Symantec were the first to document the malware, and according to the report they published, the Breaking Bad ransomware is currently targeting users in Australia and could reach the United States and other English-speaking countries in the near future.

los pollos hermanos ransomware virus

To round out the Breaking Bad theme, the contact email address in the note contains one of the show's most famous lines, “I am the one who knocks”. Once the demand message has been shown, the malware redirects the victim to a web page with instructions on how to buy Bitcoins to pay the ransom.

The malware arrives in a malicious ZIP archive, spread by spam and social-engineering email campaigns that impersonate well-known businesses. Inside the archive is a script named PENALTY.VBS (detected by Symantec as VBS.Downloader.Trojan); when the victim runs it, it downloads the crypto-ransomware onto the computer.

At the same time, a harmless decoy PDF is opened so that the victim believes the ZIP archive was a legitimate document rather than malware.
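How a mail gateway or a helpdesk script would catch this lure, as an added example that is not code from this page or from Symantec: it reads the ZIP's directory without extracting anything, flags script files (the .vbs downloader described above), double extensions such as invoice.pdf.vbs, and nested archives, and reports any decoy document found alongside them. The archive it inspects is constructed here to mirror the PENALTY.VBS-plus-PDF layout; SCRIPT_EXTS, triage_zip and build_zip are this example's own names.

```python
"""Triage a mail attachment for the lure described above. Added example, not
code from the campaign or from Symantec: it inspects the ZIP's directory only
and never extracts or runs anything."""
import io
import zipfile

# Extensions Explorer hands to Windows Script Host, PowerShell, or the loader.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta",
               ".bat", ".cmd", ".exe", ".scr", ".com", ".pif", ".jar"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}


def _split(name: str):
    """Return (lowercase base name, its extension), ignoring any directory prefix."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    dot = base.rfind(".")
    return base, (base[dot:] if dot > 0 else "")


def triage_zip(data: bytes) -> dict:
    """Classify an in-memory ZIP. Verdicts: clean, review, block, malformed."""
    findings = {"scripts": [], "double_extensions": [], "nested_archives": [],
                "decoys": [], "verdict": "clean"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["verdict"] = "malformed"          # truncated or not a ZIP at all; do not pass it on
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base, ext = _split(info.filename)
            if ext in SCRIPT_EXTS:
                findings["scripts"].append(info.filename)
                parts = base.split(".")
                if len(parts) > 2 and "." + parts[-2] in DOC_EXTS:   # e.g. invoice.pdf.vbs
                    findings["double_extensions"].append(info.filename)
            elif ext in ARCHIVE_EXTS:
                findings["nested_archives"].append(info.filename)
            elif ext in DOC_EXTS:
                findings["decoys"].append(info.filename)
    if findings["scripts"]:
        findings["verdict"] = "block"       # script next to a decoy document is exactly this campaign's shape
    elif findings["nested_archives"]:
        findings["verdict"] = "review"      # cannot see inside without recursing; hold for analysis
    return findings


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used here only to construct fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed stand-in for the campaign's attachment: the script plus a decoy PDF.
SAMPLE_LURE = build_zip({
    "PENALTY.VBS": b"' placeholder script body, not the real downloader\r\n",
    "Penalty Notice.pdf": b"%PDF-1.4\n% decoy document\n",
})

if __name__ == "__main__":
    print(triage_zip(SAMPLE_LURE))
```

The check is deliberately based on the archive listing rather than on file contents, because the downloader's body changes between campaigns while the packaging (a script beside a document) does not; a gateway that recurses into nested archives should feed each inner archive back through triage_zip.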

According to the Symantec report, the malware appears to be relying on components from an open-source penetration testing project that uses Microsoft PowerShell modules – allowing the hackers to run PowerShell scripts on the infected PC to operate the ransomware.

The Los Pollos Hermanos Trojan generates a random AES key, encrypts the victim's files with it, and then encrypts that AES key with an RSA public key embedded in the malware. Only the matching RSA private key, which never leaves the attackers, can recover the AES key, so victims cannot decrypt their files from anything left on the infected machine.
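Why only the private key unlocks the files, shown as an added example (not the malware's code and not from Symantec's report) using the Python cryptography library: one random AES key encrypts the files, the RSA public key carried by the malware seals that AES key, and everything left on the victim's disk is then useless without the matching private key. AES-256-GCM, RSA-2048 with OAEP and the function names are this example's assumptions; the page does not state the malware's modes or key sizes.

```python
"""Why the private key is the only way back: the key handling described above,
rebuilt as an added example (not code from the malware or from Symantec's
report). AES-256-GCM and RSA-OAEP are this example's choices."""
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
NONCE_LEN = 12


def encrypt_and_wrap(files: dict, attacker_public_key) -> tuple:
    """Encrypt every file with one fresh random AES key, then seal that key with
    the attackers' RSA public key. Returns (wrapped_key, {name: nonce + ciphertext}).
    The plaintext AES key goes out of scope here; only wrapped_key is kept."""
    aes_key = AESGCM.generate_key(bit_length=256)
    aead = AESGCM(aes_key)
    sealed = {}
    for name, plaintext in files.items():
        nonce = os.urandom(NONCE_LEN)                 # never reuse a nonce under one key
        sealed[name] = nonce + aead.encrypt(nonce, plaintext, name.encode())
    return attacker_public_key.encrypt(aes_key, OAEP), sealed


def unwrap_and_decrypt(wrapped_key: bytes, sealed: dict, private_key) -> dict:
    """Recover the AES key with the RSA private key, then the files.
    Raises ValueError if private_key is not the pair of the wrapping public key."""
    aes_key = private_key.decrypt(wrapped_key, OAEP)
    aead = AESGCM(aes_key)
    return {name: aead.decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], name.encode())
            for name, blob in sealed.items()}


def recoverable_without_private_key(wrapped_key: bytes, sealed: dict) -> bool:
    """What a victim or a decryptor tool can do with only what is on disk: try some
    other RSA key. OAEP unwrapping fails, so no file can be opened."""
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    try:
        unwrap_and_decrypt(wrapped_key, sealed, other_key)
    except ValueError:
        return False
    return True


def demo() -> dict:
    """Run the whole exchange once on constructed sample files and report what held."""
    attacker_private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    attacker_public = attacker_private.public_key()   # all the malware needs to carry
    victim_files = {"thesis.docx": b"chapter one ...",
                    "holiday.jpg": b"\xff\xd8\xff" + os.urandom(64)}
    wrapped, sealed = encrypt_and_wrap(victim_files, attacker_public)
    return {
        "wrapped_key_len": len(wrapped),               # 256 bytes for RSA-2048
        "ciphertext_differs": all(sealed[n] != victim_files[n] for n in victim_files),
        "recoverable_without_key": recoverable_without_private_key(wrapped, sealed),
        "recovered_with_key": unwrap_and_decrypt(wrapped, sealed, attacker_private) == victim_files,
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for incident response: a memory image taken while the process was still running might contain the plaintext AES key, but once the process has exited, the disk holds only the wrapped key and the ciphertexts, which is why the guide below turns to shadow copies and backups instead of decryption.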

Although there is no current estimate as to the number of PCs infected by the Breaking Bad ransomware, a statement from the FBI indicates that ransomware continues to be a growing problem. In 2013, for instance, ransomware attacks went from 100,000 in the month of January to over 600,000 by December of the same year.

And as this blog reported throughout 2014, new ransomware variations were released on an almost monthly basis. This new variant marks the first notable ransomware of 2015, but the effectiveness of these types of attacks means that it is almost certainly not the last to be released this year.

Protecting your PC from this and other ransomware (for example BitCryptor, CryptoWall and CryptoLocker) comes down to a few habits: keep the OS and all third-party applications up to date, do not open attachments from unsolicited sources (especially ZIP archives and Word documents), and, because this campaign depends on the victim running a .vbs file, stop Windows Script Host from running scripts that arrive by email (for example, by changing the default program for .vbs files from wscript.exe to Notepad).

Once a computer is infected with this variant and no backup or surviving shadow copy exists, the only party able to decrypt the files is the one holding the private RSA key, and paying the ransom offers no guarantee that the key will actually be handed over. The best course of action is therefore to avoid infection in the first place.

This ransomware is known to encrypt the following file types:

.ai, .crt, .csv, .db, .doc, .docm, .docx, .dotx, .gif, .jpeg, .jpg, .lnk, .mp3, .msi, .ods, .one, .ost, .p12, .pdf, .pem, .pps, .ppsx, .ppt, .pptx, .psd, .pst, .pub, .rar, .raw, .rtf, .tif, .txt, .vsdx, .wma, .xls, .xlsm, .xlsx, .xml, .zip

Los Pollos Hermanos ransomware payment instructions page:

los pollos hermanos ransom payment page

Los Pollos Hermanos malware demanding a ransom payment to decrypt files:

Los Pollos Hermanos

Your important files have been encrypted: photos, documents, videos, etc. If you want to decrypt your files you must pay the fee of $450 AUD. Failure to pay within the specified time will mean you must pay $1000 AUD.

What does this mean?
You must pay $450 AUD in order to have your files decrypted now, or $1000 AUD.

How do I pay?
We have tried to simplify this process as much as possible. By creating your own Bitcoin wallet for you, all you will need to do is contact a friendly Bitcoin exchange and quote your Bitcoin wallet address, they will walk you through the rest.

How to purchase Bitcoins?
Here you will see a list of Bitcoin sellers, you will need to choose your favored payment method. Alternatively there are private exchangers you can contact to make the payment.

NOTE: When speaking with the Bitcoin exchangers it's wise not to mention that you are paying for a ransom, they may refuse you.

Note that at time of writing there were no known tools capable of decrypting files encrypted by Los Pollos Hermanos without the private key. Check whether Volume Shadow Copies survived (see the Previous Versions and Shadow Explorer steps below) before considering anything else.

By following this removal guide, you will be able to remove this ransomware from your computer, however, the affected files will remain encrypted. We will update this article as soon as there is more information available regarding decryption of compromised files.

Los Pollos Hermanos ransomware removal:



Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.

Safe Mode with Networking


Windows 8 users: Go to the Windows 8 Start Screen, type Advanced, in the search results select Settings. Click on Advanced Startup options, in the opened "General PC Settings" window select Advanced Startup. Click on the "Restart now" button. Your computer will now restart into "Advanced Startup options menu".

Click on the "Troubleshoot" button, then click on "Advanced options" button. In the advanced option screen click on "Startup settings". Click on the "Restart" button. Your PC will restart into the Startup Settings screen. Press "5" to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking


Step 2

Log in to the account infected with Los Pollos Hermanos. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.


If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.


1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Los Pollos Hermanos ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Los Pollos Hermanos files.

To restore individual files encrypted by this ransomware, try the Windows Previous Versions feature. It only works if System Protection (Volume Shadow Copies) was enabled on the affected volume before the infection. Note that some variants of Los Pollos Hermanos are known to delete Shadow Volume Copies, so this method may not work on all computers; you can check whether any copies remain by running vssadmin list shadows from an elevated Command Prompt.

To restore a file, right-click on it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by Los Pollos Hermanos

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain access to files encrypted by Los Pollos Hermanos, you can also try Shadow Explorer, a program that browses the remaining shadow copies of a volume and lets you export older versions of files and folders.

shadow explorer screenshot

To protect your computer from file-encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra layer, behaviour-based anti-ransomware tools such as HitmanPro.Alert and Malwarebytes Anti-Ransomware watch for processes that start encrypting files in bulk and stop them before they reach the rest of the user's data.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises such attempts without the need for user intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular, up-to-date backups that are kept offline or otherwise out of reach of an infected machine; a backup drive that stays connected is encrypted along with everything else.



About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have over 10 years of experience working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

The PCrisk security portal is run by the company RCS LT. Its security researchers work together to educate computer users about the latest online security threats. More information about the company RCS LT.
