Question Unknown ransomware - .dthnrHygS extension (Session messenger note)


matei33m

New Member
Thread author
Oct 7, 2025
Hi everyone,

I'm investigating a new ransomware variant that uses the extension **.dthnrHygS** and drops a ransom note **dthnrHygS.README.txt** asking to contact the attacker via Session messenger.

ID-Ransomware result: *Unable to determine ransomware*
Case SHA1: d2a6099346974562db621178f98644e7f8bb241d
Victim ID (from ransom note): 030A2816BD66AFCCF0FFBA6D060B3AA6

Files are encrypted (entropy ~7.8, consistent with AES), but ZIP archives were not actually encrypted — the attacker only changed the extension (`.zip.dthnrHygS`), and I was able to open and read them (original files inside are intact).
For regular files (HTML, CSS, etc.), the data is encrypted.

I already opened a detailed thread on BleepingComputer with full analysis, file hashes, and samples:
👉 Unknown ransomware - .dthnrHygS extension (Session messenger note) - Ransomware Help & Tech Support

If anyone from the community or MalwareHunterTeam has seen this variant or has similar reports, please let me know.
Any identification or decryptor information would be greatly appreciated.

Thank you.
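The triage the OP describes, most files at roughly 7.8 bits/byte of entropy while the `.zip.dthnrHygS` archives still open, can be automated so the same test is applied to every file on the box before anything is moved off it. The script below is an added example for this thread, not code from the original poster, from ID-Ransomware, or from any LockBit tooling; the 7.5 bits/byte cut-off, the 4 KiB header window, the signature table and the sample file contents are assumptions or constructed data, and only the `.dthnrHygS` extension comes from the thread.

```python
"""Triage which files carrying the reported extension were really encrypted
and which were only renamed. Added example for this thread (not the OP's code,
not ID-Ransomware). Thresholds, window size and sample contents are assumed or
constructed; only the extension string comes from the thread."""
import hashlib
import io
import math
import os
import sys
import zipfile
from collections import Counter

EXT = ".dthnrHygS"          # extension reported in the thread
HEAD = 4096                 # bytes used for the header-entropy check (assumed window)
ENTROPY_THRESHOLD = 7.5     # bits/byte; assumed cut-off, ciphertext sits close to 8.0

# Leading bytes of a few formats; a match means the original header survived.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"PK\x05\x06": "zip",          # empty archive
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"<!DOCTYPE": "html",          # text formats: heuristic only
    b"<html": "html",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the given data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sniff_magic(data: bytes):
    """Name of the first matching signature, or None."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None

def classify(data: bytes) -> dict:
    """Verdict for one file: renamed_only / encrypted / damaged / plaintext_unknown."""
    magic = sniff_magic(data)
    head_entropy = shannon_entropy(data[:HEAD])
    total_entropy = shannon_entropy(data)
    if magic == "zip":
        # A deflated archive is high-entropy even when intact, so entropy proves nothing
        # here; verify every member's CRC instead. testzip() returns None if all pass.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                verdict = "renamed_only" if zf.testzip() is None else "damaged"
        except zipfile.BadZipFile:
            verdict = "damaged"
    elif magic is not None:
        verdict = "renamed_only"
    elif head_entropy > ENTROPY_THRESHOLD:
        # Random-looking header and no known signature: full or header-first partial encryption.
        verdict = "encrypted"
    else:
        verdict = "plaintext_unknown"
    return {"magic": magic, "head_entropy": round(head_entropy, 2),
            "total_entropy": round(total_entropy, 2), "verdict": verdict}

def scan(root: str) -> dict:
    """Map every *.dthnrHygS path under root to its classify() result."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = classify(fh.read())
    return results

def build_samples() -> dict:
    """Constructed stand-ins for the thread's artifacts; not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("index.html", "<html><body>hello</body></html>\n" * 50)
    # Deterministic pseudo-ciphertext: 256 SHA-256 digests = 8 KiB of uniform-looking bytes.
    pseudo_cipher = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    css = b"body { color: red; margin: 0; }\n" * 200
    return {
        "proiect-html-css.zip" + EXT: buf.getvalue(),   # renamed, archive still valid
        "index.html" + EXT: pseudo_cipher,              # whole file overwritten
        "style.css" + EXT: pseudo_cipher[:HEAD] + css,  # only the leading chunk overwritten
        "notes.txt" + EXT: css,                         # renamed plaintext, no signature
    }

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, r in scan(sys.argv[1]).items():
            print(f"{r['verdict']:16} head={r['head_entropy']:.2f} {path}")
    else:
        for name, data in build_samples().items():
            print(f"{classify(data)['verdict']:16} {name}")
```

Run it with a directory argument to classify the real files, or with no argument to see the verdicts on the constructed samples. Pairing a signature check with entropy matters because a deflated ZIP sits near 8 bits/byte whether or not it was touched, so entropy alone would flag the renamed archives as encrypted; checking member CRCs also catches an archive whose header survived but whose body was overwritten, and the separate header-window entropy catches a file where only the first chunk was encrypted and the rest is still plaintext.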
Hi matei33m,

Thanks for sharing this detailed report—it's always helpful when folks like you dive in and provide specifics like the extension, ransom note, and that Victim ID. Sounds like a potentially new or lesser-known variant, especially since ID-Ransomware couldn't pin it down. The fact that ZIP files weren't actually encrypted (just renamed) is an interesting wrinkle—I've seen that in some amateurish ransomware attempts where the encryption routine skips certain formats or fails on archives.

I haven't come across this exact .dthnrHygS extension in recent discussions here on MalwareTips, but I'll keep an eye out and ping the MalwareHunterTeam folks if something rings a bell. In the meantime, if you haven't already:

  • Make sure you've isolated the infected system and backed up any unencrypted data to a clean external drive.
  • Avoid paying the ransom if possible—it's risky and funds more attacks.
  • Check out resources like the No More Ransom Project for potential decryptors, though it might not have this one yet.

Your thread on BleepingComputer looks solid; hopefully, someone there or here spots a match. If you upload any safe samples (like the ransom note) to VirusTotal or similar, feel free to share the links—we can take a look.

Let us know if there's anything else the community can help with!
Hi,

If you could share the SHA2, we can search our database.
Sure, here are the SHA256 hashes I computed:
dthnrHygS.README.txt
→ d8e7bf761a97d3db14ab71c0751515d82d9ef299a44e5efee30b31ed846565d2
index.html.dthnrHygS
→ 0015bbe449ad34878e59ef962f4a556cdba1b78b38a6ebb4ff29261b15655139
proiect-html-css.zip.dthnrHygS
→ 6b9a9b8be71adaa32cf69ff3ce0473305be156228fec8dd93d581a16c1a13367
 
Quick update from the parallel thread on BleepingComputer:
Rivitna (from the official ransomware response team there) has confirmed that my files are encrypted using **LockBit 3.0 (Black)** ransomware.
So, this is not a new family but a customized build of LockBit Black — the attackers used a different extension (.dthnrHygS) and a Session messenger contact instead of the usual Tor portal.
At the moment, there is **no public decryptor** for LockBit 3 / Black, since it uses strong hybrid encryption (AES + RSA).
Interestingly, in my case, ZIP archives were only renamed (not actually encrypted) — they still open normally, which might indicate a builder misconfiguration or partial encryption. All standalone files (HTML, CSS, etc.) are fully encrypted.
If anyone here has seen similar LockBit Black variants (custom extensions + Session contact), please let me know.
Any insight or recovery experience would be appreciated.
LockBit 3.0 shares code similarities with the BlackMatter ransomware family, using similar encryption, process termination, and privilege escalation techniques.
I have PMed you on BP.
 
Sure, here are the SHA256 hashes I computed:
dthnrHygS.README.txt
→ d8e7bf761a97d3db14ab71c0751515d82d9ef299a44e5efee30b31ed846565d2
index.html.dthnrHygS
→ 0015bbe449ad34878e59ef962f4a556cdba1b78b38a6ebb4ff29261b15655139
proiect-html-css.zip.dthnrHygS
→ 6b9a9b8be71adaa32cf69ff3ce0473305be156228fec8dd93d581a16c1a13367
These files and their SHA2 hashes are not malicious or a piece of the malware, just encrypted user files (with the SHA2 calculated).