Contents
FHKF ransomware is a new computer virus variant assigned to the infamous STOP/DJVU ransomware family. This virus aims to encrypt all data on the infected computer system in order to prevent user’s access to them. While encrypting files, the ransomware assigns a new .fhkf extension to original filenames. As a consequence, a file originally named as 1.jpg appears as 1.jpg.fhkf after the attack. In addition, this malicious program drops _readme.txt notes in every affected data folder. This note is meant to deliver a message from ransomware operators, who suggest that paying a ransom is the only way to access FHKF file decryption tool.
According to information stated in _readme.txt ransom note, all victim’s data such as documents, audio and video files, images and other important data was encrypted with strongest encryption algorithms. The way the encryption works can be explained shortly as this: victim’s files are encrypted using Salsa20 encryption, which is then additionally secured with RSA-2048 master public key.
The only way to recover files back to their original state is to use a decryption tool and private decryption key matching the encryption key, however, the private key is held by the cybercriminals. Without it, there is no way to recover data except of data backups. In some cases, certain data formats can be repaired. Data recovery may also be possible in the future in case offline encryption type was used, however, you can find more information on this in the latter section of this article.
The criminals suggest that the easiest way to recover your files is to pay a ransom, which depends on how quickly you get in touch with the attackers. The ransom note (_readme.txt) provides two email addresses that belong to cybercriminals: support@sysmail.ch and helprestoremanager@airmail.cc. According to the note, the price of decryption tools would be set to $490 if the computer user writes to the provided emails within 72 hours (3 days). In case of any delay, the price would be set to $980.
When the victim contacts the criminals via provided emails, further instructions will be provided. The attackers won’t accept any form of direct money transfer to avoid getting tracked down. The only payment form that they approve is via virtual currency, for example, Bitcoin. Therefore, they will suggest purchasing an equivalent amount in Bitcoin and transferring it to provided wallet address. To encourage the victim to pay the ransom, the crooks also suggest sending one small encrypted file that doesn’t contain any valuable data for test decryption. They promise to provide a decrypted version in their email reply.
However, our team of experts recommend following FBI’s advisory regarding ransom payments, which simply recommends to avoid paying ransoms to cybercriminals. First of all, paying a ransom doesn’t guarantee data recovery; secondly, you will be identified as a victim who is willing to pay up, and become a target for further attacks. Next, funding cybercriminals’ operations is not a good idea as it simply keeps the ransomware cycle running. Finally, you should know that versions of STOP/DJVU ransomware are known to drop VIDAR Trojan on compromised systems, which can be used to steal sensitive data such as your passwords, cryptocurrency wallets, cookies, browsing history and other private information that can be used to blackmail you further.
If you have fallen victim to a ransomware attack, we recommend you to take action to secure your computer as soon as possible. This specific malware leaves a lot of traces and Windows Registry modifications which complicates the manual removal procedure; for this reason, we recommend you to remove FHKF ransomware virus using a robust antivirus after booting your PC in Safe Mode with Networking. You can find a free tutorial on how to perform the malware removal below this article. In case you do not have an antivirus software yet, we’d like to recommend INTEGO Antivirus, which is an excellent security software that scores top ratings in independent AV Lab tests. Moreover, we suggest downloading RESTORO if you want to repair virus damage on Windows OS files.
Name | FHKF Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | STOP/DJVU |
Encryption type | RSA 2048 + Salsa20 |
Previous versions | VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here) |
Version | 375th |
Extension | .fhkf |
Cybercriminal emails | support@sysmail.ch, helprestoremanager@airmail.cc |
Additional malware dropped | Azorult or Vidar Trojan |
Damage | This ransomware variant uses robust encryption algorithms to lock victim’s files, additionally marking them with an .fhkf extension. The virus also leaves _readme.txt ransom notes in every infected data folder. The ransomware tends to compromise the computer with the VIDAR Stealer. Volume Shadow Copies will also be deleted to prevent victim’s access to previously created System Restore Points. Some versions of this ransomware may also alter Windows HOSTS file to block access to a specific cybersecurity-related domains. |
Ransom note | _readme.txt |
Ransom demand | $490-$980 in Bitcoin |
Distribution | Victims often download this ransomware along illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico. |
Known software cracks to contain this malware | Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Internet Download Manager, Tally, League of Legends. |
Detection names | Ransom:Win32/StopCrypt.MK!MTB (Microsoft), Win32:CrypterX-gen [Trj] (AVG), Trojan.MalPack.GS (Malwarebytes), HEUR:Trojan-Ransom.Win32.Stop.gen (Kaspersky) see all detection name variations on VirusTotal |
Removal | Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO. |
REMOVE MALWARE & REPAIR VIRUS DAMAGE
1 Step. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.
2 Step. Repair Virus Damage on Windows Operating System Files
Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.
In order to avoid getting infected with ransomware, it is important to understand how these computer viruses and malware in general, are distributed. In this section, we will explain common STOP/DJVU ransomware (including FHKF virus) attack vectors and techniques used by other ransomware strains.
Almost all variants of STOP/DJVU ransomware hide in illegal software downloads. To be specific, you should avoid pirated software altogether. If you have a bad habit of searching for software cracks, full free versions available for quick download, then you risk exposing your computer to severe infections, because the majority of these downloads are filled either with Trojans, stealers or ransomware.
Often times, these can be downloaded via torrent agents, although some of these programs are offered by scam websites suggesting to download the software in archived formats (such as .zip or .rar). These often require entering a provided password. However, after opening such download, most likely you won’t access your desired program. In the meantime, the malware hidden in the fake setup will connect to remote malicious domains and drop series of files on your computer, execute additional processes and prepare for complete computer infection.
Victims who were affected by this ransomware explain that they were searching for software cracks online. Some of the programs they were looking to get activated for free (illegally) were:
Our advice is to avoid pirated software versions at all costs. Remember that cybercriminals often do not even have the actual crack, but provide malware installers named as setups. For this reason, you should remember that the only way to get secure software versions is to visit reputable and confirmed partner websites or the official software developer’s site. Besides, the cost of the actual software license is often much lower than hefty ransom amounts demanded by cybercriminals. Moreover, legitimate software versions won’t fill your computer with information-stealing Trojans.
Another ransomware distribution technique that is very common is malicious email spam. The criminals compose convincing messages, often pretending to be someone from a well-known company, and attach some files to the email. These files hide malicious scripts used to download and activate the ransomware on your computer. Therefore, we advise you to inspect the email and ensure that it comes from a trusted entity and not an imposer before clicking on attached files or links. Remember that cybercriminals often use email spoofing techniques to masquerade the original sender’s email address and make it look like it came from a reliable source.
Ransomware can also hide in deceptive online ads suggesting to update well-known software such as JAVA. The scammers may also advertise updates for other well-known programs, for example, various antivirus brands. The fake installer will compromise your computer, so we suggest that you only look for software updates on official software developers’ sites or via the software installed on your computer (it typically provides options to check for available updates).
Finally, STOP/DJVU ransomware victims should avoid downloading suspicious decryption tools from rogue websites. It has been noticed that ZORAB ransomware operators distribute fake STOP/DJVU decryptor which hides another ransomware strain. If you accidentally download such tool, your files will get double-encrypted.
This ransomware typically operates under its main process name that consists of 4 random characters, for example, 2B0F.exe. In addition to it, the ransomware downloads several helper processes, the main of them being called build.exe and build2.exe. In certain cases, this ransomware showcases a fake Windows update prompt (winupdate.exe) for the computer user. We believe this prompt was designed to deceive the computer user that the system is undergoing some essential updates, while at the same time the ransomware does its job and encrypts all files.
The build.exe process then connects to https[:]//api.2ip.ua/geo.json domain to fetch computer’s geolocation and saves this information into geo.json file. This file contains computer’s IP, country code, country name, region, city, longitude, latitude, zip code and other details. You can see a screenshot of geo.json file below.
It appears that this ransomware is set to stop its operations in case specific country codes are detected. In other words, the malware won’t encrypt data on several countries, including Russia, Tajikistan, Syria, Belarus, Ukraine, Uzbekistan, Armenia, Kazachstan, and Kyrgyzstan. Otherwise, it proceeds with the operation.
The virus additionally takes a screenshot of victim’s desktop and creates information.txt file with data about the compromised computer, such as: computer name, user name, machineID, Windows version, hardware information, list of installed software and active processes. Such details along the screenshot and geo.json file will be sent to criminals’ Command&Control server.
See an example of information.txt file down below.
Next, the ransomware executable requests a unique online encryption key and victim’s ID from its server. The response is then saved to bowsakkdestx.txt file. The ID will also be separately saved into PersonalID.txt file. At this point, it is important to mention that if the ransomware succeeds to obtain online encryption key for the victim, this leaves almost no chances to recover your files without a data backup. In case the malware fails to establish connection with its server, it reverts to offline encryption mode, which means that the virus uses a hardcoded offline encryption key. This key will be identical to all “offline encryption” victims – therefore, in certain cases, these victims can expect to recover their files for free in the future. You can read more on this here.
The easiest way to identify whether you’re affected by offline encryption is opening C:\SystemID\PersonalID.txt file and looking at the last two characters in the ID. If these are t1, it means offline encryption was used.
See a screenshot of bowsakkdestx.txt and PersonalID.txt below.
The ransomware then begins scanning all computer folders and encrypting files found in them. The virus uses Salsa20 matrix, which is based on a universally unique identifier (UUID) generated via UuidCreateAPI, which is later encrypted using the aforementioned online or offline encryption RSA-2048-bit key. During encryption procedure, the ransomware also marks affected files with .fhkf extension. You can see a screenshot of affected files down below.
The virus also drops an instance of _readme.txt note in every folder. You can see contents of it in the image presented below.
Some variants of STOP/DJVU delete Volume Shadow Copies from the system via the following Command Prompt task:
vssadmin.exe Delete Shadows /All /Quiet
Additionally, some variants of this ransomware are known to modify Windows HOSTS file. The virus uploads a list of websites to it, mostly those cybersecurity-related, and maps them to localhost IP. As a consequence, the victim will run into DNS_PROBE_FINISHED_NXDOMAIN error when trying to access them. It is believed that ransomware operators try to block victim’s way to access relevant attack-related information sources online.
Computer users infected with this critical malware should not hesitate and take action to remove FHKF ransomware virus along with additional threats it installed as quickly as possible. The first step is to boot the computer in Safe Mode with Networking, which starts the computer with essential features only (it helps to deactivate malware processes that might try to interfere with your security software). Then you should run a complete system scan using a trustworthy antivirus solution. If you do not have one, our team typically relies on INTEGO Antivirus. You can find its review here.
As an additional measure, we recommend downloading this tool – RESTORO and running a scan with it. The full version of this software can repair virus-infected or damaged Windows OS files without the need to reinstall the operating system.
Lastly, we recommend reporting this cybercrime incident to local law enforcement agencies. Speaking of data recovery, please check if you have data backups. Use them only after FHKF virus removal is complete. If you do not have a backup, then this tutorial regarding possible ways to decrypt/repair STOP/DJVU encrypted files should come in handy for you. Finally, our experts recommend changing all of your passwords associated with the infected machine (such as browser-saved passwords, login credentials for software accounts, etc.). Finally, do not forget to keep your antivirus software up-to-date by enabling automatic updates and ensure that real-time protection is always on.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
FHKF Ransomware Virus Removal Guidelines
Before you try to remove FHKF Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
Now, you can search for and remove FHKF Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.
Special Offer
Compatibility: Microsoft Windows
See Full Review
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU ransomware versions are grouped into old and new variants. FHKF Ransomware Virus is considered the new STOP/DJVU variant, just like VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt FHKF files, follow the given tutorial.
The FHKF decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your FHKF extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Victims of FHKF Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
You can only open FHKF files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidances provided by the official FHKF decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake FHKF decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Private Internet Access (PIA) VPN maintains its long-term role as a leader Private Internet Access…
XCBG ransomware aims to lock your files and demand a ransom XCBG ransomware is a…
BPQD ransomware encrypts all computer files, demands a ransom from the user BPQD ransomware is…
KQGS ransomware is a hostile computer virus designed to encrypt all of your files KQGS…
VTYM ransomware description: a virtual menace to your files stored on the computer VTYM ransomware…
FOPA ransomware is a new threatening computer virus that encrypts your files FOPA ransomware virus…
This website uses cookies.