The group of cybercriminals behind the STOP/DJVU ransomware has remained a threat to all computer users globally over the years, and they keep improving on their tactics. Some computer users have become victims already, and more are still targeted. In this article, we will discuss how to remove this computer threat, and what are the chances of decrypting or repairing your files.

The cybercriminals demand money

Meanwhile, as the cyber-attack is still ongoing, those behind it would equally send across to the victim notifications known as _readme.txt. These are more or less ransom notes informing the victim about the development and why it has become necessary for them to pay a particular amount of money as ransom fees so they can receive decryption tools from them. To pressurize the victim, they would claim that a complex algorithm was used in encrypting their files and thus can’t be retrieved except by using their own tools.  Most victims of a ransomware attack would feel distraught and confused about how to tackle the problem after realizing that their computer has been infected with a virus and files contained in it made unusable. The cybercriminals would be anticipating such a state of mind and would want to take advantage of their desperation. Thus, they would forward two email addresses (support@bestyourmail.ch and supportsys@airmail.cc) while suggesting that the victim should reach out to them for possible solutions. If the victim decides to write them using any of the emails provided, they would respond by quoting ransom fees for certain conditions that have to be fulfilled by the victim. They would state that although the ransom fee was fixed at $980 but they are willing to accept half of the amount i.e., $490 on the condition that the victim must pay it within 72 hours of being notified to do so. However, failure to meet up with the deadline means the price slash becomes nullified, and only the maximum ransom fee would be acceptable.  To worsen the predicament of the victim, the cybercriminals would also warn that the only medium of payment acceptable to them is through cryptocurrency transfer. Direct bank payment, money transfer or any other conventional method of payment is prohibited by them. Such a stance is to be expected since they know that what they’re doing is unlawful and could lead to their arrest and prosecution. That is why they insist on an anonymous payment medium such as crypto. At this point, in order to encourage the victim to believe they truly have what it takes to restore the encrypted files, they would suggest that parts of it should be forwarded to them for test decryption. However, they would quickly add that returning the restored excerpts would only be possible if they believe it wouldn’t be of importance to the victim. It should be noted that they’re just playing mind games just to pull the victim along. No matter what happens, victims of cyber-attacks are advised not to pay ransom to cybercriminals. In fact, it is in your best interest not to communicate with them in any form. This recommendation was made by the FBI and was equally endorsed by other top cybersecurity organizations globally. Some of the reasons were given by them are written below for your consideration: 

There is no guarantee that encrypted files will be restored by them even after parting with your money. By law, it is considered illegal to pay ransom to cybercriminals.When you make such huge sums of money available to cybercriminals, you would be unwittingly encouraging criminality because you’ve made it profitable for those involved in it. More funds at their disposal would make it possible for them to engage more hands and expand their network, thereby putting many others at risk. Victims that pay the ransom are often targeted again in the future by cybercriminals.

Additional details about this computer threat

From studies conducted so far, it was discovered that the cybercriminals distributing the ransomware virus already exempted a group of countries from attack. The countries are located in Eastern Europe and the Middle East and include the following: Russia, Ukraine, Syria, Kyrgyzstan, Belarus, Armenia, Tajikistan, Kazachstan, and Uzbekistan. Once the HHWQ ransomware virus infects a computer through any of the risk factors (we will discuss more on that later in this article), the first thing it does is to detect its geo-location. To unravel that, it will connect to https[:]//api.2ip.ua/geo.json. Afterward, it would save the result to the the geo.json file while recording important details such as its IP address, town/region, country, latitude, and longitude. They would then process the information to determine if the computer is in any countries with immunity cover or otherwise. If it shows positive, the mission may be terminated at that point but if not, they would move to the next stage in the encryption process.  Although the ills associated with this ransomware virus among other variants of STOP/DJVU malware are being made known, as well as steps computer users can take to avoid them, yet other risk factors hasn’t been given adequate attention. This ransomware variant usually carries along other Trojans as secondary attachment. They are known as RATs i.e. Remote Access Trojans, and can also be dangerous. The main reason why cybercriminals also make use of them is because they serve a different purpose. While the primary HHWQ ransomware virus is attacking files and encrypting all data, the RATs would be covertly released on the computer to steal the victim’s private information such as banking details, passwords, cryptocurrency wallets, software login credentials, browsing history etc. Once the cybercriminals steal these important details, they could be used to pilfer money from the victim, as a blackmail tool, or to gain access to classified information.  In order to prevent some of these from occurring, victims of this STOP/DJVU malware variant are advised to remove HHWQ virus as quickly as possible once it is detected in a computer. The most effective way to remove them is to put the compromised computer system in Safe Mode with Networking Option before going ahead to activate and run your antivirus. It is very important to make use of ONLY GENUINE ANTIVIRUS SOFTWARE to ensure optimal result. If you also desire to salvage some of the damaged operating system files, then you may have to download RESTORO, a software content that is famous for such purpose.

Ransomware Summary

REPAIR VIRUS DAMAGE

How to Prevent the Spread of STOP/DJVU Ransomware Virus

The most effective way you can prevent your computer system from being infected with HHWQ ransomware virus or any of the STOP/DJVU series is simple. Abstain from visiting online torrent platforms or engaging in other illegitimate activities like peer-to-peer sharing of copyrighted software contents, using fake key generators and cloned game or utility software. It is also important to be on guard always especially when going through your inbox. Emails that appears weird, such as its originating address being spoofed or it having a title that doesn’t seem to relate with you should all be avoided.  From our records so far, we observed that high-in-demand software copies are the ones usually cloned by cybercriminals. They understand that computer users that like Freebies would be on the search for them, so they would embed malware on these cloned software contents and use them as bait to catch their victims. In the list below are some of these software contents. 

AutoCad;Adobe Illustrator;Adobe Premiere Pro;Adobe Photoshop;Fifa 20;Corel Draw;Cubase;Tenorshare 4ukey;League of Legends;VMware Workstation;Internet Download Manager.

From the narrative so far, we can all agree that trying to obtain software contents without following the right channel is dangerous and not worth the risk. Any computer user engaging in such act may think they’re saving cost, but this is not true because software content owners only charge a fraction of what cybercriminals usually demand from their victims. Also, the psychological trauma the victim would experience, as well as time and resources that would be lost far outweigh the gains, that’s if any at all. Cybercriminals also make use of files like XLS, PDF or DOCX among similar ones in embedding malware to the fake emails and attachments they forward to their target audience. These files are their favorite because they enable macro functions that make such activities possible.  It is equally important to emphasize that victims of STOP/DJVU ransomware virus should stay away from websites that claim to have solutions for it because they’re mostly scam. However, repair tools from DiskTuna and Emsisoft have proven to be effective. 

Remove HHWQ Ransomware Virus & Restore Files

In conclusion, remember that making use of Safe Mode with Networking is the login best option before running your antivirus on the compromised computer. We do not recommend manual attempts to identify and remove HHWQ ransomware components yourself – leave it to a trusted antivirus solution to ensure a secure removal procedure. Once you’ve completed HHWQ ransomware virus removal, please take the following steps:

Report to the local police.Use available backup storage to restore lost files. Check if there could be possible solutions for files locked by STOP/DJVU ransomware virus but be wary of dubious websites. All passwords used in the compromised computer should be changed immediately.

OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.

Method 1. Enter Safe Mode with Networking

Before you try to remove HHWQ Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove HHWQ Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt HHWQ files

Fix and open large HHWQ files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. HHWQ Ransomware Virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt HHWQ files, follow the given tutorial.

Meanings of decryptor’s messages

The HHWQ decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your HHWQ extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Victims of HHWQ Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.

If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.