FHKF ransomware seeks to encrypt all of your files for a ransom
- FHKF ransomware seeks to encrypt all of your files for a ransom
- Learn common ransomware attack vectors
- How FHKF ransomware operates
- Remove FHKF Ransomware Virus and Recover Your Files
- Decrypt FHKF files
- Frequently Asked Questions
FHKF ransomware is a new computer virus variant assigned to the infamous STOP/DJVU ransomware family. This virus aims to encrypt all data on the infected computer system in order to prevent user’s access to them. While encrypting files, the ransomware assigns a new .fhkf extension to original filenames. As a consequence, a file originally named as 1.jpg appears as 1.jpg.fhkf after the attack. In addition, this malicious program drops _readme.txt notes in every affected data folder. This note is meant to deliver a message from ransomware operators, who suggest that paying a ransom is the only way to access FHKF file decryption tool.
According to information stated in _readme.txt ransom note, all victim’s data such as documents, audio and video files, images and other important data was encrypted with strongest encryption algorithms. The way the encryption works can be explained shortly as this: victim’s files are encrypted using Salsa20 encryption, which is then additionally secured with RSA-2048 master public key.
The only way to recover files back to their original state is to use a decryption tool and private decryption key matching the encryption key, however, the private key is held by the cybercriminals. Without it, there is no way to recover data except of data backups. In some cases, certain data formats can be repaired. Data recovery may also be possible in the future in case offline encryption type was used, however, you can find more information on this in the latter section of this article.
The criminals suggest that the easiest way to recover your files is to pay a ransom, which depends on how quickly you get in touch with the attackers. The ransom note (_readme.txt) provides two email addresses that belong to cybercriminals: firstname.lastname@example.org and email@example.com. According to the note, the price of decryption tools would be set to $490 if the computer user writes to the provided emails within 72 hours (3 days). In case of any delay, the price would be set to $980.
When the victim contacts the criminals via provided emails, further instructions will be provided. The attackers won’t accept any form of direct money transfer to avoid getting tracked down. The only payment form that they approve is via virtual currency, for example, Bitcoin. Therefore, they will suggest purchasing an equivalent amount in Bitcoin and transferring it to provided wallet address. To encourage the victim to pay the ransom, the crooks also suggest sending one small encrypted file that doesn’t contain any valuable data for test decryption. They promise to provide a decrypted version in their email reply.
However, our team of experts recommend following FBI’s advisory regarding ransom payments, which simply recommends to avoid paying ransoms to cybercriminals. First of all, paying a ransom doesn’t guarantee data recovery; secondly, you will be identified as a victim who is willing to pay up, and become a target for further attacks. Next, funding cybercriminals’ operations is not a good idea as it simply keeps the ransomware cycle running. Finally, you should know that versions of STOP/DJVU ransomware are known to drop VIDAR Trojan on compromised systems, which can be used to steal sensitive data such as your passwords, cryptocurrency wallets, cookies, browsing history and other private information that can be used to blackmail you further.
If you have fallen victim to a ransomware attack, we recommend you to take action to secure your computer as soon as possible. This specific malware leaves a lot of traces and Windows Registry modifications which complicates the manual removal procedure; for this reason, we recommend you to remove FHKF ransomware virus using a robust antivirus after booting your PC in Safe Mode with Networking. You can find a free tutorial on how to perform the malware removal below this article. In case you do not have an antivirus software yet, we’d like to recommend INTEGO Antivirus, which is an excellent security software that scores top ratings in independent AV Lab tests. Moreover, we suggest downloading RESTORO if you want to repair virus damage on Windows OS files.
|Name||FHKF Ransomware Virus|
|Type||Ransomware; Crypto-malware; Virtual Extortion Virus|
|Encryption type||RSA 2048 + Salsa20|
|Previous versions||EGFG, BBNM, IFLA, KRUU, BYYA, ERRZ, DFWE (find full list here)|
|Cybercriminal firstname.lastname@example.org, email@example.com|
|Additional malware dropped||Azorult or Vidar Trojan|
|Damage||This ransomware variant uses robust encryption algorithms to lock victim’s files, additionally marking them with an .fhkf extension. The virus also leaves _readme.txt ransom notes in every infected data folder. The ransomware tends to compromise the computer with the VIDAR Stealer. Volume Shadow Copies will also be deleted to prevent victim’s access to previously created System Restore Points. Some versions of this ransomware may also alter Windows HOSTS file to block access to a specific cybersecurity-related domains.|
|Ransom demand||$490-$980 in Bitcoin|
|Distribution||Victims often download this ransomware along illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico.|
|Known software cracks to contain this malware||Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Internet Download Manager, Tally, League of Legends.|
|Detection names||Ransom:Win32/StopCrypt.MK!MTB (Microsoft), Win32:CrypterX-gen [Trj] (AVG), Trojan.MalPack.GS (Malwarebytes), HEUR:Trojan-Ransom.Win32.Stop.gen (Kaspersky) see all detection name variations on VirusTotal|
|Removal||Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO.|
REPAIR VIRUS DAMAGE
Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.
Learn common ransomware attack vectors
In order to avoid getting infected with ransomware, it is important to understand how these computer viruses and malware in general, are distributed. In this section, we will explain common STOP/DJVU ransomware (including FHKF virus) attack vectors and techniques used by other ransomware strains.
Almost all variants of STOP/DJVU ransomware hide in illegal software downloads. To be specific, you should avoid pirated software altogether. If you have a bad habit of searching for software cracks, full free versions available for quick download, then you risk exposing your computer to severe infections, because the majority of these downloads are filled either with Trojans, stealers or ransomware.
Often times, these can be downloaded via torrent agents, although some of these programs are offered by scam websites suggesting to download the software in archived formats (such as .zip or .rar). These often require entering a provided password. However, after opening such download, most likely you won’t access your desired program. In the meantime, the malware hidden in the fake setup will connect to remote malicious domains and drop series of files on your computer, execute additional processes and prepare for complete computer infection.
Victims who were affected by this ransomware explain that they were searching for software cracks online. Some of the programs they were looking to get activated for free (illegally) were:
- Adobe Photoshop;
- Microsoft Office;
- VMware Workstation;
- Tenorshare 4MeKey;
- Corel Draw;
- Fifa 20;
- Adobe Illustrator;
- Opera browser;
- League of Legends;
- Internet Download Manager;
- KMSPico (illegal Windows activation tool).
Our advice is to avoid pirated software versions at all costs. Remember that cybercriminals often do not even have the actual crack, but provide malware installers named as setups. For this reason, you should remember that the only way to get secure software versions is to visit reputable and confirmed partner websites or the official software developer’s site. Besides, the cost of the actual software license is often much lower than hefty ransom amounts demanded by cybercriminals. Moreover, legitimate software versions won’t fill your computer with information-stealing Trojans.
Another ransomware distribution technique that is very common is malicious email spam. The criminals compose convincing messages, often pretending to be someone from a well-known company, and attach some files to the email. These files hide malicious scripts used to download and activate the ransomware on your computer. Therefore, we advise you to inspect the email and ensure that it comes from a trusted entity and not an imposer before clicking on attached files or links. Remember that cybercriminals often use email spoofing techniques to masquerade the original sender’s email address and make it look like it came from a reliable source.
Ransomware can also hide in deceptive online ads suggesting to update well-known software such as JAVA. The scammers may also advertise updates for other well-known programs, for example, various antivirus brands. The fake installer will compromise your computer, so we suggest that you only look for software updates on official software developers’ sites or via the software installed on your computer (it typically provides options to check for available updates).
Finally, STOP/DJVU ransomware victims should avoid downloading suspicious decryption tools from rogue websites. It has been noticed that ZORAB ransomware operators distribute fake STOP/DJVU decryptor which hides another ransomware strain. If you accidentally download such tool, your files will get double-encrypted.
How FHKF ransomware operates
This ransomware typically operates under its main process name that consists of 4 random characters, for example, 2B0F.exe. In addition to it, the ransomware downloads several helper processes, the main of them being called build.exe and build2.exe. In certain cases, this ransomware showcases a fake Windows update prompt (winupdate.exe) for the computer user. We believe this prompt was designed to deceive the computer user that the system is undergoing some essential updates, while at the same time the ransomware does its job and encrypts all files.
The build.exe process then connects to https[:]//api.2ip.ua/geo.json domain to fetch computer’s geolocation and saves this information into geo.json file. This file contains computer’s IP, country code, country name, region, city, longitude, latitude, zip code and other details. You can see a screenshot of geo.json file below.
It appears that this ransomware is set to stop its operations in case specific country codes are detected. In other words, the malware won’t encrypt data on several countries, including Russia, Tajikistan, Syria, Belarus, Ukraine, Uzbekistan, Armenia, Kazachstan, and Kyrgyzstan. Otherwise, it proceeds with the operation.
The virus additionally takes a screenshot of victim’s desktop and creates information.txt file with data about the compromised computer, such as: computer name, user name, machineID, Windows version, hardware information, list of installed software and active processes. Such details along the screenshot and geo.json file will be sent to criminals’ Command&Control server.
See an example of information.txt file down below.
Next, the ransomware executable requests a unique online encryption key and victim’s ID from its server. The response is then saved to bowsakkdestx.txt file. The ID will also be separately saved into PersonalID.txt file. At this point, it is important to mention that if the ransomware succeeds to obtain online encryption key for the victim, this leaves almost no chances to recover your files without a data backup. In case the malware fails to establish connection with its server, it reverts to offline encryption mode, which means that the virus uses a hardcoded offline encryption key. This key will be identical to all “offline encryption” victims – therefore, in certain cases, these victims can expect to recover their files for free in the future. You can read more on this here.
The easiest way to identify whether you’re affected by offline encryption is opening C:\SystemID\PersonalID.txt file and looking at the last two characters in the ID. If these are t1, it means offline encryption was used.
See a screenshot of bowsakkdestx.txt and PersonalID.txt below.
The ransomware then begins scanning all computer folders and encrypting files found in them. The virus uses Salsa20 matrix, which is based on a universally unique identifier (UUID) generated via UuidCreateAPI, which is later encrypted using the aforementioned online or offline encryption RSA-2048-bit key. During encryption procedure, the ransomware also marks affected files with .fhkf extension. You can see a screenshot of affected files down below.
The virus also drops an instance of _readme.txt note in every folder. You can see contents of it in the image presented below.
Some variants of STOP/DJVU delete Volume Shadow Copies from the system via the following Command Prompt task:
vssadmin.exe Delete Shadows /All /Quiet
Additionally, some variants of this ransomware are known to modify Windows HOSTS file. The virus uploads a list of websites to it, mostly those cybersecurity-related, and maps them to localhost IP. As a consequence, the victim will run into DNS_PROBE_FINISHED_NXDOMAIN error when trying to access them. It is believed that ransomware operators try to block victim’s way to access relevant attack-related information sources online.
Remove FHKF Ransomware Virus and Recover Your Files
Computer users infected with this critical malware should not hesitate and take action to remove FHKF ransomware virus along with additional threats it installed as quickly as possible. The first step is to boot the computer in Safe Mode with Networking, which starts the computer with essential features only (it helps to deactivate malware processes that might try to interfere with your security software). Then you should run a complete system scan using a trustworthy antivirus solution. If you do not have one, our team typically relies on INTEGO Antivirus. You can find its review here.
As an additional measure, we recommend downloading this tool – RESTORO and running a scan with it. The full version of this software can repair virus-infected or damaged Windows OS files without the need to reinstall the operating system.
Lastly, we recommend reporting this cybercrime incident to local law enforcement agencies. Speaking of data recovery, please check if you have data backups. Use them only after FHKF virus removal is complete. If you do not have a backup, then this tutorial regarding possible ways to decrypt/repair STOP/DJVU encrypted files should come in handy for you. Finally, our experts recommend changing all of your passwords associated with the infected machine (such as browser-saved passwords, login credentials for software accounts, etc.). Finally, do not forget to keep your antivirus software up-to-date by enabling automatic updates and ensure that real-time protection is always on.
OUR GEEKS RECOMMEND
Our team recommends removing malware using a professional antivirus software and then using the following tool to repair virus damage to Windows system files:
REPAIR VIRUS DAMAGE TO YOUR COMPUTER
RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.
RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.
Read full review here.
FHKF Ransomware Virus Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove FHKF Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove FHKF Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.
Compatibility: Microsoft Windows
See Full Review
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt FHKF files
Fix and open large FHKF files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
- Create a copy of encrypted file to a separate folder using Copy > Paste commands.
- Now, right-click the created copy and choose Rename. Select the FHKF extension and delete it. Press Enter to save changes.
- In the prompt asking whether you want to make the changes as file might become unusable, click OK.
- Try opening the file.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. FHKF Ransomware Virus is considered the new STOP/DJVU variant, just like EGFG, BBNM, IFLA, KRUU, BYYA, ERRZ, DFWE (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt FHKF files, follow the given tutorial.
- Download the decryption tool from Emsisoft.
- Click the little arrow next to your download and choose Show in Folder.
- Now, right-click the file and choose Run as Administrator. If asked, enter administrator's password.
- In UAC window, click Yes.
- Click Yes to agree to software terms in both windows.
- The tool will automatically include C:// disk as a location to decrypt. The file recovery tool will prepopulate the locations to scan, including connected data storage drives or network drives. Click Add folder if you wish to add additional locations.
In Options tab, you can choose to keep encrypted file copies. We recommend leaving this option selected, especially if you do not know if the decryption tool will work.
- Click Decrypt to start restoring FHKF files. You will see the progress in the Results tab. Here, you can see messages from the tool, such as whether the decryption procedure is successful, or you need to wait for an update.
You might also be informed that online key was used to encrypt your files. In such case, the decryption tool won't work for you, and the only way to recover your files is to use a data backup.
Meanings of decryptor's messages
The FHKF decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your FHKF extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of FHKF Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
- In the United States, go to the On Guard Online website.
- In Australia, go to the SCAMwatch website.
- In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
- In Ireland, go to the An Garda Síochána website.
- In New Zealand, go to the Consumer Affairs Scams website.
- In the United Kingdom, go to the Action Fraud website.
- In Canada, go to the Canadian Anti-Fraud Centre.
- In India, go to Indian National Cybercrime Reporting Portal.
- In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
Frequently Asked Questions
You can only open FHKF files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidances provided by the official FHKF decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake FHKF decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.