According to information stated in _readme.txt ransom note, all victim’s data such as documents, audio and video files, images and other important data was encrypted with strongest encryption algorithms. The way the encryption works can be explained shortly as this: victim’s files are encrypted using Salsa20 encryption, which is then additionally secured with RSA-2048 master public key. The only way to recover files back to their original state is to use a decryption tool and private decryption key matching the encryption key, however, the private key is held by the cybercriminals. Without it, there is no way to recover data except of data backups. In some cases, certain data formats can be repaired. Data recovery may also be possible in the future in case offline encryption type was used, however, you can find more information on this in the latter section of this article. The criminals suggest that the easiest way to recover your files is to pay a ransom, which depends on how quickly you get in touch with the attackers. The ransom note (_readme.txt) provides two email addresses that belong to cybercriminals: support@sysmail.ch and helprestoremanager@airmail.cc. According to the note, the price of decryption tools would be set to $490 if the computer user writes to the provided emails within 72 hours (3 days). In case of any delay, the price would be set to $980. When the victim contacts the criminals via provided emails, further instructions will be provided. The attackers won’t accept any form of direct money transfer to avoid getting tracked down. The only payment form that they approve is via virtual currency, for example, Bitcoin. Therefore, they will suggest purchasing an equivalent amount in Bitcoin and transferring it to provided wallet address. To encourage the victim to pay the ransom, the crooks also suggest sending one small encrypted file that doesn’t contain any valuable data for test decryption. They promise to provide a decrypted version in their email reply. However, our team of experts recommend following FBI’s advisory regarding ransom payments, which simply recommends to avoid paying ransoms to cybercriminals. First of all, paying a ransom doesn’t guarantee data recovery; secondly, you will be identified as a victim who is willing to pay up, and become a target for further attacks. Next, funding cybercriminals’ operations is not a good idea as it simply keeps the ransomware cycle running. Finally, you should know that versions of STOP/DJVU ransomware are known to drop VIDAR Trojan on compromised systems, which can be used to steal sensitive data such as your passwords, cryptocurrency wallets, cookies, browsing history and other private information that can be used to blackmail you further. If you have fallen victim to a ransomware attack, we recommend you to take action to secure your computer as soon as possible. This specific malware leaves a lot of traces and Windows Registry modifications which complicates the manual removal procedure; for this reason, we recommend you to remove FHKF ransomware virus using a robust antivirus after booting your PC in Safe Mode with Networking. You can find a free tutorial on how to perform the malware removal below this article. In case you do not have an antivirus software yet, we’d like to recommend INTEGO Antivirus, which is an excellent security software that scores top ratings in independent AV Lab tests. Moreover, we suggest downloading RESTORO if you want to repair virus damage on Windows OS files.

Ransomware Summary

REPAIR VIRUS DAMAGE

Learn common ransomware attack vectors

In order to avoid getting infected with ransomware, it is important to understand how these computer viruses and malware in general, are distributed. In this section, we will explain common STOP/DJVU ransomware (including FHKF virus) attack vectors and techniques used by other ransomware strains. Almost all variants of STOP/DJVU ransomware hide in illegal software downloads. To be specific, you should avoid pirated software altogether. If you have a bad habit of searching for software cracks, full free versions available for quick download, then you risk exposing your computer to severe infections, because the majority of these downloads are filled either with Trojans, stealers or ransomware. Often times, these can be downloaded via torrent agents, although some of these programs are offered by scam websites suggesting to download the software in archived formats (such as .zip or .rar). These often require entering a provided password. However, after opening such download, most likely you won’t access your desired program. In the meantime, the malware hidden in the fake setup will connect to remote malicious domains and drop series of files on your computer, execute additional processes and prepare for complete computer infection. Victims who were affected by this ransomware explain that they were searching for software cracks online. Some of the programs they were looking to get activated for free (illegally) were:

Adobe Photoshop;DVDFab;Microsoft Office;VMware Workstation;Tenorshare 4MeKey;Cubase;Corel Draw;Fifa 20;AutoCad;Adobe Illustrator;Opera browser;League of Legends;Internet Download Manager;KMSPico (illegal Windows activation tool).

Our advice is to avoid pirated software versions at all costs. Remember that cybercriminals often do not even have the actual crack, but provide malware installers named as setups. For this reason, you should remember that the only way to get secure software versions is to visit reputable and confirmed partner websites or the official software developer’s site. Besides, the cost of the actual software license is often much lower than hefty ransom amounts demanded by cybercriminals. Moreover, legitimate software versions won’t fill your computer with information-stealing Trojans. Another ransomware distribution technique that is very common is malicious email spam. The criminals compose convincing messages, often pretending to be someone from a well-known company, and attach some files to the email. These files hide malicious scripts used to download and activate the ransomware on your computer. Therefore, we advise you to inspect the email and ensure that it comes from a trusted entity and not an imposer before clicking on attached files or links. Remember that cybercriminals often use email spoofing techniques to masquerade the original sender’s email address and make it look like it came from a reliable source. Ransomware can also hide in deceptive online ads suggesting to update well-known software such as JAVA. The scammers may also advertise updates for other well-known programs, for example, various antivirus brands. The fake installer will compromise your computer, so we suggest that you only look for software updates on official software developers’ sites or via the software installed on your computer (it typically provides options to check for available updates). Finally, STOP/DJVU ransomware victims should avoid downloading suspicious decryption tools from rogue websites. It has been noticed that ZORAB ransomware operators distribute fake STOP/DJVU decryptor which hides another ransomware strain. If you accidentally download such tool, your files will get double-encrypted.

How FHKF ransomware operates

This ransomware typically operates under its main process name that consists of 4 random characters, for example, 2B0F.exe. In addition to it, the ransomware downloads several helper processes, the main of them being called build.exe and build2.exe. In certain cases, this ransomware showcases a fake Windows update prompt (winupdate.exe) for the computer user. We believe this prompt was designed to deceive the computer user that the system is undergoing some essential updates, while at the same time the ransomware does its job and encrypts all files. The build.exe process then connects to https[:]//api.2ip.ua/geo.json domain to fetch computer’s geolocation and saves this information into geo.json file. This file contains computer’s IP, country code, country name, region, city, longitude, latitude, zip code and other details. You can see a screenshot of geo.json file below. It appears that this ransomware is set to stop its operations in case specific country codes are detected. In other words, the malware won’t encrypt data on several countries, including Russia, Tajikistan, Syria, Belarus, Ukraine, Uzbekistan, Armenia, Kazachstan, and Kyrgyzstan. Otherwise, it proceeds with the operation. The virus additionally takes a screenshot of victim’s desktop and creates information.txt file with data about the compromised computer, such as: computer name, user name, machineID, Windows version, hardware information, list of installed software and active processes. Such details along the screenshot and geo.json file will be sent to criminals’ Command&Control server. See an example of information.txt file down below. Next, the ransomware executable requests a unique online encryption key and victim’s ID from its server. The response is then saved to bowsakkdestx.txt file. The ID will also be separately saved into PersonalID.txt file. At this point, it is important to mention that if the ransomware succeeds to obtain online encryption key for the victim, this leaves almost no chances to recover your files without a data backup. In case the malware fails to establish connection with its server, it reverts to offline encryption mode, which means that the virus uses a hardcoded offline encryption key. This key will be identical to all “offline encryption” victims – therefore, in certain cases, these victims can expect to recover their files for free in the future. You can read more on this here. The easiest way to identify whether you’re affected by offline encryption is opening C:\SystemID\PersonalID.txt file and looking at the last two characters in the ID. If these are t1, it means offline encryption was used. See a screenshot of bowsakkdestx.txt and PersonalID.txt below. The ransomware then begins scanning all computer folders and encrypting files found in them. The virus uses Salsa20 matrix, which is based on a universally unique identifier (UUID) generated via UuidCreateAPI, which is later encrypted using the aforementioned online or offline encryption RSA-2048-bit key. During encryption procedure, the ransomware also marks affected files with .fhkf extension. You can see a screenshot of affected files down below. The virus also drops an instance of _readme.txt note in every folder. You can see contents of it in the image presented below. Some variants of STOP/DJVU delete Volume Shadow Copies from the system via the following Command Prompt task: vssadmin.exe Delete Shadows /All /Quiet Additionally, some variants of this ransomware are known to modify Windows HOSTS file. The virus uploads a list of websites to it, mostly those cybersecurity-related, and maps them to localhost IP. As a consequence, the victim will run into DNS_PROBE_FINISHED_NXDOMAIN error when trying to access them. It is believed that ransomware operators try to block victim’s way to access relevant attack-related information sources online.

Remove FHKF Ransomware Virus and Recover Your Files

Computer users infected with this critical malware should not hesitate and take action to remove FHKF ransomware virus along with additional threats it installed as quickly as possible. The first step is to boot the computer in Safe Mode with Networking, which starts the computer with essential features only (it helps to deactivate malware processes that might try to interfere with your security software). Then you should run a complete system scan using a trustworthy antivirus solution. If you do not have one, our team typically relies on INTEGO Antivirus. You can find its review here. As an additional measure, we recommend downloading this tool – RESTORO and running a scan with it. The full version of this software can repair virus-infected or damaged Windows OS files without the need to reinstall the operating system. Lastly, we recommend reporting this cybercrime incident to local law enforcement agencies. Speaking of data recovery, please check if you have data backups. Use them only after FHKF virus removal is complete. If you do not have a backup, then this tutorial regarding possible ways to decrypt/repair STOP/DJVU encrypted files should come in handy for you. Finally, our experts recommend changing all of your passwords associated with the infected machine (such as browser-saved passwords, login credentials for software accounts, etc.). Finally, do not forget to keep your antivirus software up-to-date by enabling automatic updates and ensure that real-time protection is always on. OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.

Method 1. Enter Safe Mode with Networking

Before you try to remove FHKF Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove FHKF Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt FHKF files

Fix and open large FHKF files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. FHKF Ransomware Virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt FHKF files, follow the given tutorial.

Meanings of decryptor’s messages

The FHKF decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your FHKF extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Victims of FHKF Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.

If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.