Contents
HUDF ransomware is a malicious computer virus that is a variant from STOP/DJVU ransomware family. Upon arrival on the target system, it starts encrypting all files stored on it and appending .hudf file extensions to original file names. As an example, a file originally called 1.jpg becomes 1.jpg.hudf. At the same time, the virus drops _readme.txt note in each affected folder to inform the victim about the damage inflicted to the computer and also introduce cybercriminals’ intentions to extort the computer user. The note suggests that the only way to recover files is to pay a ransom and get HUDF file decryption tool from the attackers.
This ransomware was named HUDF virus due to the extensions it appends to encrypted files. Clearly, the malware was developed with purpose to lock all of victim’s personal files (including photos, videos, documents and other formats) with robust encryption algorithms – Salsa20 and RSA-2048. Since the computer user seeks to regain access to these files as soon as possible, the cybercriminals introduce a suggestion – paying a ransom to them. The attackers also reassure that it is the only way of decrypting files back to normal state. The sole aim of the operators of this ransomware is to extort the computer user after taking one’s files hostage.
The virus is designed to drop ransom-demanding messages in _readme.txt files throughout the computer. This note suggests that all files have been encrypted, and the victim has to contact the attackers via provided email addresses – manager@mailtemp.ch or helprestoremanager@airmail.cc for further information. The ransom note also mentions the pricing of the decryption tool, which depends on how quickly the victim writes to the attackers. If this is done within 72 hours, the criminals promise to set the price point to $490. If the victim delays any longer, the price will be $980.
To prove the computer user that attackers can indeed decrypt .hudf files, the note suggests sending one small encrypted file as an attachment to the email. The crooks would then reply with further instructions and a decrypted file version. However, they warn that test decryption service is only available on unimportant files. If the victim sends a file that contains valuable data, the attackers might refuse to decrypt it. The reason behind this is that the crooks do not want you to recover any relevant files without paying a ransom first.
As usual, the crooks will ask to purchase cryptocurrency such as Bitcoin worth the agreed sum of money and then transfer it to their virtual wallet. This kind of payment helps to keep the cybercriminals anonymous so that the FBI and other law enforcement agencies wouldn’t be able to track them down via money transactions.
According to cybersecurity experts worldwide as well as FBI, paying a ransom is not a recommended option. Not only it doesn’t guarantee data recovery, but it also makes puts you into crooks’ list of potential future targets that are willing to pay the ransom. Furthermore, paying the ransom simply fuels the ransomware business and helps to infect even more people worldwide. These kinds of attackers earn millions of US dollars annually using extortion and blackmailing. What is even worse, variants of STOP/DJVU like the one you got infected with are known to carry additional payloads such as AZORULT or VIDAR, both known for their information-stealing functionalities.
These Trojans provide the attacker to remotely connect to your computer and extract all sorts of information, for example, saved passwords, cookies, browsing history, cryptocurrency wallets, banking details, view your files or download additional malware to your system. For this reason, we recommend you to stop thinking about the ransom payment and take action to secure your computer and your privacy immediately.
The best way to remove HUDF ransomware virus is to boot your computer in Safe Mode with Networking as explained in the guide provided by our professionals. Once you start your PC in this mode, you should update your existing security software or install a trustworthy one if you do not have one yet. Our team recommends using INTEGO Antivirus which demonstrates excellent malware detection capabilities and also provides real-time protection against malware. You can read its review here. As an additional step, our experts recommend downloading and scanning the computer with RESTORO to repair virus damage inflicted on Windows OS files.
Name | HUDF Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | STOP/DJVU |
Encryption type | RSA 2048 + Salsa20 |
Previous versions | VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here) |
Version | 362nd |
Extension | .hudf |
Cybercriminal emails | manager@mailtemp.ch, helprestoremanager@airmail.cc |
Additional malware dropped | Azorult or Vidar Trojan |
Damage | The ransomware encrypts all files on the computer system, marks them with .hudf extensions and leaves _readme.txt ransom notes behind. Additionally, the virus may drop information-stealing Trojans on the system and delete Volume Shadow Copies to prevent access to existing System Restore Points. Some versions may also edit Windows HOSTS file to block access to a set of domains. |
Ransom note | _readme.txt |
Ransom demand | $490-$980 in Bitcoin |
Distribution | Victims often download this ransomware along illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico. |
Known software cracks to contain this malware | Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Internet Download Manager, Tally, League of Legends. |
Detection names | Trojan:Win32/Krypter.AA!MTB (Microsoft), Gen:Variant.Fragtor.36858 (B) (Emsisoft), UDS:Trojan.Win32.Scarsi.gen (Kaspersky), Gen:Variant.Fragtor.36858 (BitDefender), MachineLearning/Anomalous.95% (Malwarebytes), Packed.Generic.528 (Symantec) see all detection name variations on VirusTotal |
Removal | Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO. |
REMOVE MALWARE & REPAIR VIRUS DAMAGE
1 Step. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.
2 Step. Repair Virus Damage on Windows Operating System Files
Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.
Cybercriminals behind STOP/DJVU ransomware versions like HUDF tend to hide the malicious payload in illegal torrent downloads mainly. It is a popular technique that targets computer users looking for pirated software versions online to avoid paying the license fee often required to use premium features of popular software like Adobe Photoshop, Corel Draw, Adobe Illustrator, VMWare Workstation, Tenorshare 4ukey and others. What is even worse, computer users with bad habits even go as far as ignoring their antivirus or Windows Defender’s warnings about potential malware inside their torrents.
Our team of professionals recommend you to avoid these kinds of torrents at all costs as they can carry a wide range of computer infections. Some of the potential threats might not be not as noticeable as ransomware, but no less dangerous – for example, Trojans, backdoors, cryptocurrency miners, keyloggers and similar. Remember that the cost of a legitimate software license never exceeds hefty ransoms demanded by criminals. Besides, by trying to access pirated software versions can get you in trouble for infringing copyrights of legitimate software developers. Our suggestion is to look for legitimate copies either in official websites or shops confirmed to be partners of the specific software brand.
If you want to avoid ransomware infections, you should also be aware of another technique used by Internet criminals. They tend to send malicious email attachments to thousands of people at once. These emails are often designed to look like they were sent by a trustworthy entity, for example, online shop, reputable company or even your boss, manager or colleague. The malware itself hides in the attachment which most frequently comes in DOC, PDF or XLS formats. It may be named as invoice, order summary or similar – but do not let the attackers trick you into opening it. Think for a minute whether you were awaiting for such email, and look out for red flags such as unfamiliar greeting line, urgent suggestions to open and view attached documents or unprofessional message tone. Do not trust the email even if the sender’s email appears legitimate – we suggest that you read this article about email spoofing and how cyber attackers leverage it to deceive their targets.
It is also important to keep your Windows operating system and all software installed on it up-to-date. Cybercriminals often use exploits to target existing security vulnerabilities in target computers. The attack often starts when the victim visits a compromised web site that serves as attack vector. This can be done accidentally or after opening a phishing email sent by the criminals. Therefore, to avoid becoming a victim of such attacks, we recommend you to enable auto-updates for your software so that you would always use programs with the latest feature updates and security patches installed.
Finally, victims of STOP/DJVU ransomware, as well as any ransomware in general, should avoid suspicious websites offering miracle decryption tools. Always search for the latest information about available decryption tools in well-known and reputable resources online, such as cybersecurity blogs, antivirus’ vendors’ news and similar. Do not trust suspicious domains or torrent libraries that promise you data recovery solutions – these can be infected with additional malware and you may end up with another ransomware on your computer. One of examples is ZORAB ransomware that used to be distributed via fake STOP/DJVU decryption tool in the past.
This section summarises the activity of HUDF ransomware on your computer. So if you’re interested to learn the basic principles about the functionality of this ransomware, proceed reading further.
The ransomware typically arrives and runs as a set of executables, typically named as build.exe, build2.exe and the main one that can be named with random 4 characters, for example, 4JK8.exe. Some versions of STOP/DJVU have a tendency to run a fake Windows update prompt (winupdate.exe). The ransomware then prepares for the attack and performs several checks. One of the first tasks on its list is collecting information about the target computer’s hardware, software installed and active processes as well as computer’s name, user name, infection timestamp and more. Such information will be arranged in a text file called information.txt and sent to the Command&Control server. A screenshot of such file is shown below.
Next, the ransomware connects to https[:]//api.2ip.ua/geo.json and fetches information about the compromised computer’s location. A response is then saved to geo.json file. You can see examples of such file in the image below.
The reason why this ransomware needs to know computer’s geolocation is to check whether the computer’s data can be encrypted (according to the criminals’ rules). It appears that they have an exception country list and avoid encrypting data on computers located in the following countries: Kyrgyzstan, Tajikistan, Ukraine, Russia, Syria, Kazachstan, Armenia, Belarus or Uzbekistan. In case the computer user is based in one of these countries, the virus will stop its processes and won’t encrypt the files. Otherwise, it proceeds with the preparations for the attack.
The ransomware then proceeds and connects to its C&C server to obtain a unique encryption key as well as victim’s ID. Otherwise, it uses an offline encryption key. In both cases, these details will be written to bowsakkdestx.txt file and PersonalID.txt file. You can identify which encryption type is used by checking the last two digits in the PersonalID.txt file (located in C:/SystemID). If these are t1, it indicates offline key encryption and gives a chance to recover files in the future as explained here. For online key victims, there is no way to decrypt files or recover them if no data backup is available. See example of the discussed files in the image provided below.
The ransomware then begins encrypting all data on the computer, adding new extensions, and dropping ransom notes. Each affected folder will contain the _readme.txt note.
You can see a screenshot of the _readme.txt note below.
Final modifications include deletion of Volume Shadow Copies and alteration of Windows HOSTS file. The virus may attempt to block a set of domains on the compromised host – only to prevent the victim from finding relevant ransomware attack-related information online. As a consequence, the victim may notice DNS_PROBE_FINISHED_NXDOMAIN error when trying to access websites like microsoft.com and various cybersecurity news websites.
It is important that you remove HUDF ransomware virus and related malware properly – therefore, we have prepared a detailed guide on how to start your computer in Safe Mode with Networking. After that, you should make use of the existing antivirus software (make sure you update it first!) or, in case you do not have one yet, download a reputable one. Our team’s choice is INTEGO Antivirus, a well-reviewed security software that provides robust protection against malware in real-time. Additionally, you may want to download RESTORO, an excellent tool for repairing virus damage caused for Windows operating system files.
You can find a detailed HUDF virus removal guide below. Do not forget to inform your local law enforcement agency about the attack and change all of your passwords immediately (in case they were stolen by additional Trojans dropped by this malware). Make sure you have completely eliminated all threats from the computer before using your data backups. In case you didn’t have them, try officially confirmed decryption/file repair tools.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
HUDF Ransomware Virus Removal Guidelines
Before you try to remove HUDF Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
Now, you can search for and remove HUDF Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.
Special Offer
Compatibility: Microsoft Windows
See Full Review
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU ransomware versions are grouped into old and new variants. HUDF Ransomware Virus is considered the new STOP/DJVU variant, just like VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt HUDF files, follow the given tutorial.
The HUDF decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your HUDF extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Victims of HUDF Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
You can only open HUDF files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidances provided by the official HUDF decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake HUDF decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Private Internet Access (PIA) VPN maintains its long-term role as a leader Private Internet Access…
XCBG ransomware aims to lock your files and demand a ransom XCBG ransomware is a…
BPQD ransomware encrypts all computer files, demands a ransom from the user BPQD ransomware is…
KQGS ransomware is a hostile computer virus designed to encrypt all of your files KQGS…
VTYM ransomware description: a virtual menace to your files stored on the computer VTYM ransomware…
FOPA ransomware is a new threatening computer virus that encrypts your files FOPA ransomware virus…
This website uses cookies.