Happychoose ransomware

Happychoose ransomware – a new cryptovirus in the Globeimposter ransomware family

Happychoose ransom note

Happychoose ransom note

Happychoose is a dangerous cyber infection that attempts to lock files with .happychoose extension and demand a ransom in exchange for the decryption key. Victims started searching for help to encrypt data attached by this file-encrypting malware[1] at the end of February 2020, thus exposing a new evolving threat. Initially, Happychoose ransomware might seem like a unique piece of crypto-virus, but closer analysis reveals that it’s a member of an infamous GlobeImposter family. Distributed through spam, it attacks random PCs by happening unreadable extensions to files and creating a ransom note named “Decryption INFO.html.” 

Happychoose ransomware virus creates the Decryption INFO.html on every system’s folder that contains files locked with .happychoose extension. The note contains a list of demands and instructions. Cybercriminals encourage victims to contact them asap via [email protected] or [email protected] email. Crooks demand the victim to send an email that contains one locked file and a unique ID code that is provided on the note. The size of the ransom is not indicated. According to the information, it will be revealed only when ransomware developers receive the victim’s ID and evaluate the amount of locked data. 

Name Happychoose
Origin GlobeImposter 2.0 ransomware family
Distribution Unprotected Remote Desktop, spam email attachments, drive-by-download attacks
Symptoms Upon Happychoose infiltration, most of the files present on the target system receive .happychoose file extension. The ransom note “Decryption INFO.html” appears on the desktop. Multiple registries on the system are compromised. The overall system’s performance may diminish significantly. 
Contact e-mail adress [email protected] or [email protected]
Ransom note Decryption INFO.html
File extension .happychoose
Removal The only way to eliminate Happychoose ransomware is to launch AV tool and run a full system scan. Any professional antivirus tool with a powerful detection mechanism is appropriate, though we recommend SpyHunter 5Combo Cleaner or Malwarebytes
Data recovery There are two options – to pay the ransom or use third-party data recovery tools to decrypt corrupted files. Paying the ransom is not recommended in any way. For more information on how to unlock files after Happychoose attack, see the end of the post. 
System’s repair Ransomware can severely damage multiple Windows Registry entries and initiate other disruptive modifications. To fix any system’s damage, use Reimage Reimage Cleaner Intego repair utility. 

Happychoose virus renders a unique cipher to encrypt data on a target computer. The virus runs the cipher by taking advantage of the infected cmd.exe file, as well as other vulnerable Windows Registries. The powerful ransomware scanner is capable of tracking over 34 file types and inject the .happychoose suffix to each of them. The extension may also contain an email address of the developers or other ransom looking codes. Another thing proving the fact that the system has been infected is Html file Decryption INFO. The ransom note states: 



To recover data you need decryptor.

To get the decryptor you should:

Send 1 test image or text file [email protected] or [email protected].

In the letter include YOUR ID (look at the beginning of this document).

We will give you the decrypted file and assign the price for decryption all files

After we send you instruction on how to pay for decrypt and after payment you will receive a decryptor and instructions. We can decrypt one file in quality the evidence that we have the decoder.


Only [email protected] or [email protected] can decrypt your files

Do not trust anyone [email protected] or [email protected]

Do not attempt to remove the program or run the antivirus tools

Attempts to self-decrypting files will result in the loss of your data

Decoders other users are not compatible with your data, because each user’s unique encryption key

Although criminals do not reveal the size of the ransom, it may be assumed that the payment varies from 1 to 10 Bitcoins. Such assumptions are based on its ancestor, GlobeImposter 2.0 requirements. Happychoose encryptor may be a severe problem and money stealer for those who are not used to backup files. Since the decryption for this malicious infection hasn’t been created yet, there’s no other way to get data back except to pay the demanded ransom. Nevertheless, a deal with criminals is always a risk. 

Happychoose ransomware virus information
Happychoose ransomware developers urge victims to contact asap and pay the ransom for the decryption tool

Happychoose ransomware virus information
Happychoose ransomware developers urge victims to contact asap and pay the ransom for the decryption tool

Developers of this cyber infection try to raise people’s fair, claiming that any attempts to decrypt files encrypted by Happychoose ransomware manually may lead to a permanent data loss. Even more, a risk to cause perpetual data lock is the usage of automatic antivirus and recovery solutions. However, there’s no clear evidence that third-party data recovery tools cannot repair damaged files. Therefore, we strongly recommend victims to remove Happychoose with tools like SpyHunter 5Combo Cleaner and then install a reliable data recovery software, which may turn out to deal with ransomware cipher successfully. 

Checking malicious email attachments – a straight way to a ransomware attack

Dieviren.de[2]  and other security experts keep trying to warn Internet users about spam emails, which is by far the most widely used technique to spread various malware and virus types. Cybercriminals keep developing botnets that are later used for massive spam attacks. Such messages are typically filled with infected with ransomware, spyware, trojans, and other viruses. Usually, attackers do research on people’s preferences and make the infected emails look credible and professional. The more legitimate the email looks like, the more recipients are expected to open them. 

Having this in mind, it’s a must to carefully analyze all emails that contain attachments before double-clicking on the file. Look for grammar or type mistakes, check the sender online, and think twice does the email really has any information that is relevant for you. If you are not sure, you’d better not open the attachment. 

In addition to spam, ransomware can be deployed by clicking on the malicious links on unprotected websites or social network messages. Unprotected Remote desktop, as well as drive-by-download attacks, are also among conventional ransomware distribution means. 

Happychoose locks most of the file types
Happychoose is capable of locking most of the file types

Happychoose locks most of the file types
Happychoose is capable of locking most of the file types

We want to stress the fact that GlobeImposter 2.0 ransomware family has been noticed on the landscape in 2019 and is ranking third with 12.57%[3], among other ransomware-type infections. It shows that impostors that are responsible for disseminating Happychoose and GlobeImposter are going on the right way looking from cybercriminal’s perspective. Therefore, to protect your files and PC from severe attacks, take care of a proper system’s security and try to be more suspicious when browsing the Internet. 

Delete Happychoose ransomware pack from the system

Happychoose ransomware virus is currently in an active transmission phase, security forums reveal. If its developers managed to successfully upgrade GlobeImposter 2.0 and release it with a new strength, the prognosis on the infection rate might be saddening. 

The removal of Happychoose may be a tough nut to crack as most of the ransomware are incredibly resistant to detection. This threat may be programmed to block AV tools and other security programs, as well as take care of the complete removal of Windows Shadow Copies. Therefore, you may need the help of professional IT experts to clean the system and get at least some of the files back. 

Anyway, we highly recommend trying an automatic Happychoose removal with a reliable security tool. To bypass AV blockade, boot the system into Safe Mode and run SpyHunter 5Combo Cleaner, Malwarebytes, or an alternative program. You can learn how to do that with the help of the instructions provided below. As for encrypted files, antivirus software will not be able to revert the changes that the ransomware initiate. If you manage to remove Happychoose ransomware successfully, fix Windows Registry damage with Reimage Reimage Cleaner Intego utility and then give a chance for third-party data recovery tools. You can find several useful decryption methods below. 

Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Remove Happychoose using Safe Mode with Networking

If it is not possible to remove the Happychoose virus because it blocks AV tools, try rebooting the system into Safe Mode with networking and running security software.

  • Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8

    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Happychoose removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Happychoose using System Restore

Upon successful malware removal try alternative means to restore the files. Open System Restore feature and recover at least a part of corrupted data.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Happychoose from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Happychoose, you can use several methods to restore them:

Data Recovery Pro – a powerful utility to crack ransomware encryption algorythm

Data Recovery Pro is a powerful data recovery tool, which is capable of restoring files lost after the system’s crash, as well as a ransomware infection. to give the tool a try, follow these steps:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Happychoose ransomware;
  • Restore them.

Take advantage of Windows Previous Versions

Files encrypted by Happychoose ransomware can be recovered by enabling the Previous Windows version feature. 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Happychoose and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

This entry was posted on 2020-05-19 at 05:24 and is filed under Ransomware, Viruses.