HYFLOCK ransomware is a Windows file-encrypting threat observed adding .locked to files and dropping an HTML ransom note named How to Restore My Files.html. If those two signs appear together, disconnect the affected PC from Ethernet, Wi-Fi, VPN, shared folders, and removable storage. Preserve the note, Victim ID, security alerts, and several encrypted-file copies before cleanup.
Removing HYFLOCK can stop more encryption, but it does not decrypt files that are already locked. Do not rename the files in bulk, contact the attackers from the affected PC, or run a generic “.locked decryptor.” Many unrelated ransomware families reuse that extension, so the note name and other artifacts matter as much as the suffix.
How to identify HYFLOCK ransomware
- Encrypted files: A normal name such as
photo.jpgbecomesphoto.jpg.lockedand no longer opens. - Ransom note: An HTML file named How to Restore My Files.html appears in affected locations.
- Visible note text: The note uses the HYFLOCK name, says files are “secured,” claims HC-128 encryption, and shows a Victim ID.
- Contact flow: The instructions push the victim toward qTox and Tor and apply a 48-hour deadline. Treat those as identification clues, not a safe recovery channel.
- Public sample fingerprint: The currently reported sample uses SHA-256
80c474154b1df816cf513ae978936875b6dd77f47ef6bce78dda83ab1b89525b.
The pair of .locked files and How to Restore My Files.html is much stronger evidence than the extension alone. If the note name, contact method, or file pattern differs, use the extension-identification workflow instead of forcing a HYFLOCK match.
Is this sample proven to be the HYFLOCK RaaS locker?
No public evidence currently proves that the analyzed .locked sample is the encryptor advertised by the broader HYFLOCK ransomware-as-a-service operation. A May 2026 underground recruitment pitch described AES-128-CTR plus RSA-4096, while the sample’s ransom note claims HC-128. Both descriptions come from attacker-controlled text, and neither should be treated as an independent cryptographic audit.
That mismatch does not make the files safe. It means responders should identify the incident from the actual note, extension, hash, detections, and system evidence rather than assuming a family lineage from the shared name. Preserve the original artifacts so an incident responder or trusted identification service can revise the attribution later.
What to do first
- Isolate the affected system. Unplug Ethernet, disable Wi-Fi and VPN, and disconnect shared drives. If a server or NAS is still receiving renamed files, isolate the writing workstation at the switch or file-server session level.
- Keep backups offline. Do not connect an external backup or resume cloud sync while the encryptor, loader, or stolen account may still be active.
- Preserve evidence. Save How to Restore My Files.html, the Victim ID, a few non-sensitive encrypted files, the public sample hash if it matches, security-tool detections, and the approximate first-encryption time. Work with copies.
- Do not test recovery on originals. Renaming
.lockedfiles does not reverse encryption. A tool built for LockFile, PyLocky, LockBit, or another family can damage copies without helping HYFLOCK. - Escalate business incidents. If shared storage, domain accounts, servers, cloud backups, remote access, or regulated data are involved, preserve logs and involve incident response before deleting payloads or rebuilding systems.
Is there a free HYFLOCK decryptor?
As checked on July 16, 2026, the No More Ransom decryption-tools list does not contain HYFLOCK, Hyflock, or HC-128. Treat this as a no-known-public-decryptor case unless a trusted project later identifies the exact sample and publishes a matching tool. The absence of a listing today does not prove that recovery will never become possible.
Use No More Ransom’s Crypto Sheriff or an incident-response provider to identify the family from the note and a small encrypted sample. Upload only the minimum non-sensitive material needed; do not submit private customer, medical, legal, or company files when a harmless test document is available. Avoid sites that promise instant recovery for every .locked file or ask you to download an unsigned “universal decryptor.”
Remove HYFLOCK before you restore files
File recovery and malware removal are separate tasks. The encryptor may be the final visible stage of a longer compromise. A loader, scheduled task, service, remote-access tool, stolen administrator session, or secondary credential stealer may remain and encrypt restored files again.
On a home or small-office Windows PC, keep the machine offline and run a full Gridinsoft Anti-Malware scan to check for the ransomware payload, hidden files, startup entries, scheduled tasks, services, and related malware. Remove confirmed detections, reboot only after evidence is preserved, then scan again before reconnecting backups or shared folders. Follow the post-malware Windows audit if alerts return or security settings keep changing.
If the process path is wrong, the name imitates a Windows component, or high CPU started after an unknown installer, scan for hidden miners, services, startup entries, and bundled components.
Scan for ransomware leftoversFor a domain workstation, server, or system that handled sensitive credentials, a clean rebuild from trusted media is usually safer than endless manual cleanup. The clean-install USB guide explains how to prepare installation media without trusting the infected PC.
Safe .locked file recovery sequence
- Keep the infected endpoint isolated until cleanup or rebuild is complete.
- Store the note, Victim ID, logs, hash, and several encrypted samples separately.
- Confirm the ransomware family and check only trusted decryptor projects.
- Verify that the backup or version history predates the encryption window and was not reachable by the compromised account.
- Restore a small test folder on a clean system before restoring the full dataset.
- Reset passwords and revoke sessions from a separate clean device when email, VPN, cloud, browser-saved, administrator, or remote-access credentials were exposed.
- Reconnect systems and shares gradually while monitoring for new file renames, suspicious writes, or recurring detections.
If no decryptor or clean backup exists, keep the original encrypted files on offline storage. Cloud version history, snapshots, immutable storage, File History, or copies on disconnected devices may still help, but test every recovery source before overwriting anything. The broader ransomware protection guide covers offline backups and restore testing for future incidents.
FAQ
Can I restore HYFLOCK files by removing .locked?
No. The suffix is only a visible sign. Renaming the file does not reverse its encrypted content and can make later identification harder.
Should I obey the note’s warning not to reboot?
Isolate the system first. In a business incident, preserve volatile evidence and follow the incident responder’s plan before powering down. If a home PC cannot be disconnected and encryption is still spreading, shutting it down may limit damage, but it can also lose memory evidence.
Will Gridinsoft Anti-Malware decrypt .locked files?
No. It can detect and remove active malware, loaders, persistence, and related threats. Decryption depends on the exact ransomware family, the availability of a valid key or decryptor, and clean recovery copies.
Does qTox or the 48-hour deadline prove the attackers can recover files?
No. Those details help identify the note, but attacker-controlled deadlines and contact instructions are pressure tactics. They do not prove that a working decryptor exists or that payment will recover every file.
What if only one folder has .locked files?
Still isolate and scan the system. Partial encryption can mean the process was interrupted, had limited permissions, or reached only a synced folder or network share. Check the note, timestamps, open file-server sessions, and other devices before assuming the incident is contained.
References
- VirusTotal. “File report for SHA-256 80c474154b1df816cf513ae978936875b6dd77f47ef6bce78dda83ab1b89525b.” Google, accessed July 16, 2026. https://www.virustotal.com/gui/file/80c474154b1df816cf513ae978936875b6dd77f47ef6bce78dda83ab1b89525b/detection
- Flare Intelligence. “Ransomware-as-a-Service: LockBit Alumni Launch Competing Programs as Ecosystem Consolidates in Q1 2026.” Flare, June 12, 2026; accessed July 16, 2026. https://flare.io/learn/resources/blog/ransomware-as-a-service-lockbit-alumni-launch-competing-programs-as-ecosystem-co
- Cybersecurity and Infrastructure Security Agency. “#StopRansomware Guide.” CISA, revised October 19, 2023; accessed July 16, 2026. https://www.cisa.gov/resources-tools/resources/stopransomware-guide
- No More Ransom Project. “Decryption Tools and Crypto Sheriff.” Europol and project partners, accessed July 16, 2026. https://www.nomoreransom.org/en/decryption-tools.html

