Remove Heimdall Ransomware

How to Remove Heimdall Ransomware?

It’s hard to tell if hackers are fascinated with Norse mythology or just Marvel comics. There were Locky, Thor, Odin and now Heimdall. Whatever hackers’ source of inspiration is, its results are devastating. Not a long time ago the Web was full of adware and PUPs. Not anymore. The future of cyber infections is called ransomware. This is also the most aggressive, misleading, unfair and dangerous program online. To say the least, you’ve been quite unlucky to download the Heimdall Ransomware. This infection is quite different from what we’re used to seeing. It was created using the PHP programming language. Immediately after installation, the virus scans your machine. As a result, it locates ALL YOUR FILES. Yes, all of them. While Locky, for example, is much more refined, it only encrypts some file formats. The less sophisticated Heimdall Ransomware locks everything. Every picture, video, document or music file you’ve stored on board. Do you now see why this infection is so immensely dreaded? There’s a reason why most PC users cringe when ransomware is mentioned. The Heimdall Virus goes after your private data. It uses AES-128 CBC algorithm to encrypt your files. As mentioned, it doesn’t spare any file format. That could easily cause you harm because the target files are no longer accessible. They aren’t deleted, though. Heimdall copies them and deletes the originals. What you’re left with it are the encrypted, modified, unusable copies. How could you tell which file is locked? By its extension. The parasite will rename your encrypted data. Hence, if you notice the .heimdall extension, this is it. Your information is now effectively locked and unreadable. Heimdall Ransomware was originally intended to serve educational purpose. Unfortunately, it’s gotten out of hand and now poses a huge threat to your safety. The virus replaces your desktop wallpaper with an image of Heimdall himself. It also provides an email address with the incredible name Why would you need this email address? To contact hackers. Ransomware is nothing but a cheap attempt for a cyber fraud. That means it locked your files for one very simple reason. To blackmail you. Are you willing to get scammed? If not, ignore the parasite’s aggravating ransom notes. Hackers demand 2 Bitcoins (1433 USD) in exchange for a decryptor. In reality, though, they never deliver.

How did I get infected with?

Ransomware is sneaky beyond belief. It only needs one single careless move online to get installed. As you can tell, these infections cause a true mess on board. To get spread, they use a great variety of infiltration tricks. The most popular one involves spam messages/emails. Our advice for you is to delete suspicious emails. There might be a vicious intruder lurking behind it. If you open the corrupted email, you let the parasite loose. Simple as that. What you must keep in mind is to prevent infiltration. Having to uninstall malware afterward is both time-consuming and problematic. Beware of spam email-attachments and never underestimate hackers’ creativity. Ransomware sometimes uses the help of other infections. For example, Trojan horses. Check out your PC for more viruses because Heimdall might be having company. You should also stay away from illegitimate websites/software/torrents. Last but not least, Heimdall might have sneaked onto your device via some exploit kit. To sum up, infections are extremely cunning and stealthy. Make sure you protect your computer from undesirable surprises.

remove Heimdall

Why is Heimdall dangerous?

Being a typical ransomware-type virus, Heimdall is very harmful. This pest aims directly at your bank account. By encrypting your data, the ransomware starts playing mind games with you. It displays a questionable ransom message according to which you must make a payment. You most certainly must not, though. Giving hackers your Bitcoins will not solve the problem and you know it. Ignore their nasty trickery and don’t make a deal with crooks. If anything, complying will only make matters worse. You may end up with your files still locked and your money gone. Do the right thing concerning your security. Cyber criminals aren’t popular for following the rules, even the rules they invent. Paying the ransom guarantees you nothing. What you should do is tackle Heimdall Ransomware and uninstall it for good. To do so manually, please follow our comprehensive removal guide down below.

Heimdall Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Heimdall Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a random generated file.
  • Before you kill the process, type the name on a text document for later reference.


  • Locate any suspicious processes associated with Heimdall encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Heimdall encryption Virus startup location

  • Once the operating system loads press simultaneously the Windows Logo Button and the R key.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or

  • and delete the display Name: [RANDOM]

delete backgroundcontainer

  • Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

windows system restore

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.

Leave a Comment