
Remove HHEO Ransomware Virus (DECRYPT .hheo FILES)

HHEO Ransomware Virus Emergence & Why You Should Stay Safe

HHEO ransomware is one of the latest virus versions distributed by the cybercriminal gang responsible for STOP/DJVU ransomware attacks. Once the virus infects a computer, it begins encrypting the data stored on it, rendering every affected file unreadable. After encrypting a file, it appends the .hheo extension to its name as a marker. For example, files named 1.jpg and 2.jpeg would become 1.jpg.hheo and 2.jpeg.hheo respectively after encryption. Victims should note that the affected files include documents, pictures and videos. The fact that all of these files can be hit at once makes this ransomware extremely disruptive, and it should be avoided at all costs.

This malware is believed to be embedded in a wide range of pirated software packages, and a significant number of these are already in circulation, especially on online torrent platforms and other distribution channels.

The aim of this computer threat is to demand ransoms

While the encryption is still running, the cybercriminals behind the attack also drop ransom notes named _readme.txt. These notes inform the victim about what has happened and what they are expected to do. They claim that a very strong algorithm was used, making it impossible for the victim to restore the encrypted files without the criminals' help, and that a ransom fee must be paid before any decryption tools are sent.

At this point, the victim is coming to terms with the loss of vital documents and may be desperately looking for a way to recover them. From experience, the cybercriminals know the victim will be anxiously seeking a way out, so they provide two email addresses, support@bestyourmail.ch and supportsys@airmail.cc, and make it appear as though help is only an email away.

If the victim takes the bait and writes to either of the two addresses, the criminals respond that the ransom fee must be paid before they send a decryption tool. Initially they set the fee at $980 and add that they will accept half of it, provided the victim pays ASAP and no later than 72 hours after being contacted. They also warn that once 3 days pass without payment, the discount is withdrawn and the full ransom is demanded.

As if all that isn’t enough challenge already, they would also insist that ransom payment can only be made via cryptocurrency transfer. For obvious reasons, they prohibit the use of money transfer, direct bank payment, or various other conventional methods of payment. They consider the use of crypto as a safe haven since their physical address or personal identities remain hidden.

To convince the victim that they can really recover the encrypted files, the criminals may suggest that the victim send them one encrypted file for test decryption. However, they add the caveat that returning the decrypted copy is at their discretion, depending on whether they consider the content valuable to the victim. This is simply a way of giving themselves room for maneuver, since they have no intention of returning the file.

There is a general consensus that victims should not pay ransom to cybercriminals, no matter how much pressure is applied. In fact, victims are advised not to communicate with them at all. This recommendation is supported by the FBI and other reputable cybersecurity organizations. Some of the points behind this conclusion are listed below:

  • It doesn’t make sense to pay huge sums of money to cybercriminals since there is no guarantee they will restore your encrypted files.
  • Based on existing laws, it is an offense to pay ransom to cybercriminals.
  • You will be making yourself vulnerable to future attacks, because cybercriminals seek ways to extort more money from victims who have already paid.
  • When you pay ransom to cybercriminals, your funds will help them to expand and cause more problems to computer users.

More about this specific computer virus

Although the group of cybercriminals behind STOP/DJVU ransomware operates globally, it exempts a set of countries it treats as “protected from cyber-attack”: Russia, Belarus, Uzbekistan, Kazakhstan, Ukraine, Syria, Tajikistan, Armenia and Kyrgyzstan. It is not clearly understood why these countries are exempt. When HHEO ransomware infects a computer, its first action is to determine the machine's geo-location by connecting to https[:]//api.2ip.ua/geo.json. The response is saved to a geo.json file, which holds details such as country, city, IP address, zip code, longitude and latitude. Based on this location, the virus decides whether the computer's data should be encrypted or not.

Although most attention goes to the damage HHEO ransomware itself causes, it is by no means the only risk. The cybercriminals behind STOP/DJVU ransomware often bundle other Trojans with the primary malware. Generally known as Remote Access Trojans (RATs), they can covertly infiltrate a computer and extract sensitive information such as passwords, banking details, cryptocurrency wallets, software login credentials and browsing history. This covert extraction of sensitive data is what makes RATs dangerous, and it is why they should be guarded against.

Because both the ransomware and the secondary malware distributed with STOP/DJVU are dangerous, you are advised to remove them from your computer as soon as they are detected. Although there are several methods of doing so, we recommend only the most effective one: using the Safe Mode with Networking option.

The most effective way to remove the HHEO virus is to boot the compromised computer into Safe Mode with Networking (one of the boot options you can select when starting your computer) before launching your antivirus and running a scan. Please note that not all antivirus products are genuine or even effective, so be careful about the brand you choose.

You should also consider downloading RESTORO and using it to repair Windows OS files that were damaged during the attack.

Ransomware Summary

Name: HHEO Ransomware Virus
Type: Ransomware; Crypto-malware; Virtual Extortion Virus
Family: STOP/DJVU
Encryption type: RSA 2048 + Salsa20
Previous versions: JJYY, JJWW, HHEW, HHWQ, HHEO (find full list here)
Version: 521ST
Extension: .hheo
Cybercriminal emails: support@bestyourmail.ch and supportsys@airmail.cc
Additional malware dropped: Azorult or Vidar Trojan
Damage: The ransomware uses encryption to maliciously modify all files on the PC and marks their original names with the .hheo extension. Ransom notes called _readme.txt are dropped in every folder on the computer. This piece of malware usually drags the VIDAR Stealer along with it and also deletes VSS (Volume Shadow Copies) from the system. On top of that, it tends to modify the Windows HOSTS file to block the computer user's access to cybersecurity-related websites.
Ransom note: _readme.txt
Ransom demand: $490-$980 in Bitcoin
Distribution: Victims often download this ransomware along with illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico.
Known software cracks to contain this malware: Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Internet Download Manager, Tally, League of Legends.
Detection names: Ransom:Win32/StopCrypt.PAL!MTB (Microsoft), Trojan.Crypt (A) (Emsisoft), HEUR:Trojan-Ransom.Win32.Stop.gen (Kaspersky), Trojan.GenericKD.47850419 (BitDefender), Trojan.MalPack.GS (Malwarebytes), ML.Attribute.HighConfidence (Symantec); see all detection name variations on VirusTotal.
Removal: Remove the ransomware and related malware from your PC using trustworthy software. To repair virus damage to Windows OS files, consider scanning with RESTORO (secure download link).
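The HOSTS-file tampering noted in the Damage row above can be checked for without any vendor tool. The script below is an added example (not from this page or from any product it mentions): it parses hosts-file text and reports every name that is silently mapped to a loopback or null address other than the stock localhost entries. The file path is the usual Windows default and is an assumption; the sample hosts content is constructed for illustration.

```python
from pathlib import Path

# Default Windows hosts-file location (assumed; adjust if SystemRoot differs).
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Names that legitimately map to loopback in a stock hosts file.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                "ip6-localhost", "ip6-loopback"}
# Addresses used to "sinkhole" a name so the browser can never reach it.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:                 # one IP may be followed by several names
            yield parts[0], name.lower(), line_no


def suspicious_hosts_entries(text):
    """Return entries that sinkhole a name to loopback/null, excluding stock localhost lines."""
    return [
        (ip, name, line_no)
        for ip, name, line_no in parse_hosts(text)
        if ip in SINKHOLE_IPS and name not in BENIGN_NAMES
    ]


def audit_hosts_file(path=HOSTS_PATH):
    """Read the live hosts file and return its suspicious entries."""
    return suspicious_hosts_entries(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample, not a real infected hosts file: stock entries plus two tampered lines
# of the kind a ransomware dropper adds to block access to security-vendor sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0  security-vendor.example      # constructed sinkhole entry
127.0.0.1 www.security-vendor.example download.security-vendor.example
"""

if __name__ == "__main__":
    for ip, name, line_no in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

Any name reported here that you did not add yourself is a reason to restore the stock hosts file after the malware has been removed.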


Files encrypted by this ransomware will have the new extension appended to them, and the victim may also notice a ransom note file saved in the same folder, as shown in the screenshot below.

How Computer Users Can Effectively Prevent STOP/DJVU Ransomware Virus

To keep your computer safe, you must avoid certain risk factors such as peer-to-peer file sharing, visiting online torrent platforms, or indiscriminately opening emails, especially when you do not recognize the sender. Also be on the lookout for emails with spoofed sender addresses and for emails or attachments whose subject makes no sense to you.

Since we began monitoring the activities of cybercriminals, we have found that they usually prefer to pirate software that is in high demand and distribute it through illegal channels such as online torrents to catch unsuspecting computer users. The list below shows some of the popular software titles that are commonly pirated and bundled with malware.

  • Adobe Premiere Pro;
  • Fifa 20;
  • Adobe Illustrator;
  • Adobe Photoshop;
  • Corel Draw;
  • VMware Workstation;
  • Cubase;
  • AutoCad;
  • Tenorshare 4ukey;
  • League of Legends;
  • Internet Download Manager.

If you obtain these programs through the appropriate channels, you will find that they are mostly affordable to those who need them. There is therefore no need to turn to dubious platforms just to get them at little or no cost. Remember also that buying through the channels endorsed by the original producer helps the IT industry grow, and your computer will not be put at risk of infection. Whatever the producers charge, it will never be comparable to the outrageous ransom fees demanded by cybercriminals.

Cybercriminals also use files such as PDF, XLS and DOCX, among others, because these formats can carry macros or embedded scripts that allow secondary content, including malware, to be hidden inside them. The criminals abuse this scripting capability to make such files malicious.

Victims of STOP/DJVU ransomware should also be wary of websites that claim to offer decryption tools. Most of them are fraudulent and exist only to scam you further. Only DiskTuna and Emsisoft have proven to be trustworthy sources of effective decryption tools.

How to Get Rid Of HHEO Ransomware Virus & Restore Files

Before we conclude this article, we need to re-emphasize that Safe Mode with Networking is the option to select when logging in to the infected computer. It is also vital to use only antivirus software with a proven track record. Make sure you remove HHEO ransomware using the full system scan option.

After completing the HHEO ransomware removal procedure, the following actions should be taken as well:

  • Let the local police know about the incident.
  • Restore lost files using any available backup.
  • Research on possible ways to restore files damaged by STOP/DJVU ransomware.
  • Passwords used in the infected computer need to be changed.
  • Consider downloading RESTORO for a free system scan to see if some virus-affected files could be repaired. This functionality is available in full version of the software.


HHEO Ransomware Virus Removal Guidelines

Method 1. Enter Safe Mode with Networking

Step 1. Start Windows in Safe Mode with Networking

Before you try to remove HHEO Ransomware Virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot the PC into that mode, but you can find additional ones in the in-depth tutorial on our website – How to Start Windows in Safe Mode. If you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.

Instructions for Windows XP/Vista/7 users

  1. First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
  2. Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.

Instructions for Windows 8/8.1/10/11 users

  1. Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.

Step 2. Remove files associated with the virus

Now you can search for and remove HHEO Ransomware Virus files. It is very hard to identify the files and registry keys that belong to the ransomware, and malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall this type of virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.


Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

Step 1. Boot Windows in Safe Mode with Command Prompt

Instructions for Windows XP/Vista/7 users

  1. Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
  2. Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.

Instructions for Windows 8/8.1/10/11 users

  1. Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press the F6 key.

Step 2. Start System Restore process

  1. Wait until the system loads and the command prompt shows up.
  2. Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%\system32\restore\rstrui.exe in the command prompt and hit Enter.
  3. This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
  4. Click Yes to begin the system restoration process.

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.


Decrypt HHEO files

Fix and open large HHEO files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the first 150 KB of each file so that the virus manages to touch every file on the system quickly. In some cases, the malicious program may skip some files entirely. For that reason, we recommend testing this method on several large (>1GB) files first.

  1. Create a copy of encrypted file to a separate folder using Copy > Paste commands.
  2. Now, right-click the created copy and choose Rename. Select the HHEO extension and delete it. Press Enter to save changes.
  3. In the prompt asking whether you want to make the changes as file might become unusable, click OK.
  4. Try opening the file.
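Before renaming copies by hand, you can estimate how much of a given file the ransomware actually touched. The script below is an added example (not part of this page or of any decryption tool it mentions): it measures Shannon entropy in 1 KiB chunks from the start of the file and reports where the high-entropy (encrypted) head ends and the untouched tail begins. The sample data is constructed: 150 KB of pseudo-random bytes standing in for the encrypted head, followed by 64 KB of plain text.

```python
import math
import random
from collections import Counter

CHUNK = 1024  # bytes per entropy sample


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, much lower for text and documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypted_prefix_length(data: bytes, threshold: float = 7.0) -> int:
    """Estimate how many leading bytes look encrypted.

    Scans 1 KiB chunks from the start and stops at the first chunk whose entropy
    falls below the threshold. Returns len(data) if every chunk looks encrypted,
    and 0 if the file does not look encrypted at all.
    """
    for offset in range(0, len(data), CHUNK):
        if shannon_entropy(data[offset:offset + CHUNK]) < threshold:
            return offset
    return len(data)


def triage(data: bytes) -> dict:
    """Summarise whether a file shows the partial (head-only) encryption pattern."""
    prefix = encrypted_prefix_length(data)
    return {
        "encrypted_prefix_bytes": prefix,
        "intact_tail_bytes": len(data) - prefix,
        "partial_encryption_suspected": 0 < prefix < len(data),
    }


# Constructed sample, not a real .hheo file: a 150 KB pseudo-random head (as if encrypted)
# followed by a 64 KB low-entropy text tail (as if left untouched by the ransomware).
_rng = random.Random(1234)
SAMPLE_FILE = _rng.randbytes(150 * 1024) + (b"Quarterly report, page 1. " * 2600)[:64 * 1024]

if __name__ == "__main__":
    print(triage(SAMPLE_FILE))
```

Formats that are already compressed (JPEG, MP4, ZIP, DOCX) have high entropy even when intact, so this check is only meaningful for plain text, CSV, BMP and similar low-entropy files; for the rest, fall back to the rename test described above.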

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. HHEO Ransomware Virus is considered a new STOP/DJVU variant, just like JJYY, JJWW, HHEW, HHWQ, HHEO (find full list here). This means full data decryption is possible only if your files were encrypted with an offline key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by the security researcher Michael Gillespie.

Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.

In order to test the tool and see if it can decrypt HHEO files, follow the given tutorial.

  1. Download the decryption tool from Emsisoft.
  2. Click the little arrow next to your download and choose Show in Folder.
  3. Now, right-click the file and choose Run as Administrator. If asked, enter administrator's password.
  4. In UAC window, click Yes.
  5. Click Yes to agree to software terms in both windows.
  6. The tool automatically includes the C:\ drive as a location to decrypt. The file recovery tool will prepopulate the locations to scan, including connected storage drives or network drives. Click Add folder if you wish to add additional locations.
    In Options tab, you can choose to keep encrypted file copies. We recommend leaving this option selected, especially if you do not know if the decryption tool will work.
  7. Click Decrypt to start restoring HHEO files. You will see the progress in the Results tab. Here, you can see messages from the tool, such as whether the decryption procedure is successful, or you need to wait for an update.
    You might also be informed that online key was used to encrypt your files. In such case, the decryption tool won't work for you, and the only way to recover your files is to use a data backup.

Meanings of decryptor's messages

The HHEO decryption tool might display several different messages after a failed attempt to restore your files. You might receive one of the following:

Error: Unable to decrypt file with ID: [example ID]

This message typically means that there is no corresponding decryption key in the decryptor's database.

No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible

This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.

Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.

If you were informed that an offline key was used but the files could not be restored, it means that the offline decryption key is not available yet. Receiving this message is nevertheless very good news, as it may be possible to restore your HHEO extension files in the future. It can take a few months until the decryption key is found and uploaded to the decryptor. We recommend following updates regarding decryptable DJVU versions here, and we strongly recommend backing up your encrypted data and waiting.

Report Internet crime to legal departments

Victims of HHEO Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.

Another recommendation is to contact your country's or region’s federal police or communications authority.

Frequently Asked Questions

✓ How can I open .HHEO files?

You can only open HHEO files if you have the decryption key, or if you were affected by offline encryption type.

✓ How do I know if my files were encrypted with offline or online encryption?

To figure out whether you were affected by offline encryption, open C:\SystemID\PersonalID.txt and check whether the string inside ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.

✓ My files contain very important information (family memories). Every tool I used says it is impossible to decrypt. What should I do?

Please follow the guidance provided by the official HHEO decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or person hiding somewhere who can decrypt your files. Encryption is a technique designed to be practically impossible to reverse without the private key, which is held by the criminals.

✓ I am afraid virus is still in my computer system. What should I do?

We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.

✓ I saw several Youtube videos suggesting secret decryption tools. Can I trust them?

Beware of fake HHEO decryption tools circulating on the web. Cybercriminals upload them to shady websites and may also promote them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious online. If an official STOP/DJVU decryption tool becomes available, it will be widely discussed in public media.
