This ransomware was named HUDF virus due to the extensions it appends to encrypted files. Clearly, the malware was developed with purpose to lock all of victim’s personal files (including photos, videos, documents and other formats) with robust encryption algorithms – Salsa20 and RSA-2048. Since the computer user seeks to regain access to these files as soon as possible, the cybercriminals introduce a suggestion – paying a ransom to them. The attackers also reassure that it is the only way of decrypting files back to normal state. The sole aim of the operators of this ransomware is to extort the computer user after taking one’s files hostage. The virus is designed to drop ransom-demanding messages in _readme.txt files throughout the computer. This note suggests that all files have been encrypted, and the victim has to contact the attackers via provided email addresses – manager@mailtemp.ch or helprestoremanager@airmail.cc for further information. The ransom note also mentions the pricing of the decryption tool, which depends on how quickly the victim writes to the attackers. If this is done within 72 hours, the criminals promise to set the price point to $490. If the victim delays any longer, the price will be $980. To prove the computer user that attackers can indeed decrypt .hudf files, the note suggests sending one small encrypted file as an attachment to the email. The crooks would then reply with further instructions and a decrypted file version. However, they warn that test decryption service is only available on unimportant files. If the victim sends a file that contains valuable data, the attackers might refuse to decrypt it. The reason behind this is that the crooks do not want you to recover any relevant files without paying a ransom first. As usual, the crooks will ask to purchase cryptocurrency such as Bitcoin worth the agreed sum of money and then transfer it to their virtual wallet. This kind of payment helps to keep the cybercriminals anonymous so that the FBI and other law enforcement agencies wouldn’t be able to track them down via money transactions. According to cybersecurity experts worldwide as well as FBI, paying a ransom is not a recommended option. Not only it doesn’t guarantee data recovery, but it also makes puts you into crooks’ list of potential future targets that are willing to pay the ransom. Furthermore, paying the ransom simply fuels the ransomware business and helps to infect even more people worldwide. These kinds of attackers earn millions of US dollars annually using extortion and blackmailing. What is even worse, variants of STOP/DJVU like the one you got infected with are known to carry additional payloads such as AZORULT or VIDAR, both known for their information-stealing functionalities. These Trojans provide the attacker to remotely connect to your computer and extract all sorts of information, for example, saved passwords, cookies, browsing history, cryptocurrency wallets, banking details, view your files or download additional malware to your system. For this reason, we recommend you to stop thinking about the ransom payment and take action to secure your computer and your privacy immediately. The best way to remove HUDF ransomware virus is to boot your computer in Safe Mode with Networking as explained in the guide provided by our professionals. Once you start your PC in this mode, you should update your existing security software or install a trustworthy one if you do not have one yet. Our team recommends using INTEGO Antivirus which demonstrates excellent malware detection capabilities and also provides real-time protection against malware. You can read its review here. As an additional step, our experts recommend downloading and scanning the computer with RESTORO to repair virus damage inflicted on Windows OS files.
Ransomware Summary
REPAIR VIRUS DAMAGE
Ransomware distribution specifics explained
Cybercriminals behind STOP/DJVU ransomware versions like HUDF tend to hide the malicious payload in illegal torrent downloads mainly. It is a popular technique that targets computer users looking for pirated software versions online to avoid paying the license fee often required to use premium features of popular software like Adobe Photoshop, Corel Draw, Adobe Illustrator, VMWare Workstation, Tenorshare 4ukey and others. What is even worse, computer users with bad habits even go as far as ignoring their antivirus or Windows Defender’s warnings about potential malware inside their torrents. Our team of professionals recommend you to avoid these kinds of torrents at all costs as they can carry a wide range of computer infections. Some of the potential threats might not be not as noticeable as ransomware, but no less dangerous – for example, Trojans, backdoors, cryptocurrency miners, keyloggers and similar. Remember that the cost of a legitimate software license never exceeds hefty ransoms demanded by criminals. Besides, by trying to access pirated software versions can get you in trouble for infringing copyrights of legitimate software developers. Our suggestion is to look for legitimate copies either in official websites or shops confirmed to be partners of the specific software brand. If you want to avoid ransomware infections, you should also be aware of another technique used by Internet criminals. They tend to send malicious email attachments to thousands of people at once. These emails are often designed to look like they were sent by a trustworthy entity, for example, online shop, reputable company or even your boss, manager or colleague. The malware itself hides in the attachment which most frequently comes in DOC, PDF or XLS formats. It may be named as invoice, order summary or similar – but do not let the attackers trick you into opening it. Think for a minute whether you were awaiting for such email, and look out for red flags such as unfamiliar greeting line, urgent suggestions to open and view attached documents or unprofessional message tone. Do not trust the email even if the sender’s email appears legitimate – we suggest that you read this article about email spoofing and how cyber attackers leverage it to deceive their targets. It is also important to keep your Windows operating system and all software installed on it up-to-date. Cybercriminals often use exploits to target existing security vulnerabilities in target computers. The attack often starts when the victim visits a compromised web site that serves as attack vector. This can be done accidentally or after opening a phishing email sent by the criminals. Therefore, to avoid becoming a victim of such attacks, we recommend you to enable auto-updates for your software so that you would always use programs with the latest feature updates and security patches installed. Finally, victims of STOP/DJVU ransomware, as well as any ransomware in general, should avoid suspicious websites offering miracle decryption tools. Always search for the latest information about available decryption tools in well-known and reputable resources online, such as cybersecurity blogs, antivirus’ vendors’ news and similar. Do not trust suspicious domains or torrent libraries that promise you data recovery solutions – these can be infected with additional malware and you may end up with another ransomware on your computer. One of examples is ZORAB ransomware that used to be distributed via fake STOP/DJVU decryption tool in the past.
How this ransomware affects your computer: modus operandi overview
This section summarises the activity of HUDF ransomware on your computer. So if you’re interested to learn the basic principles about the functionality of this ransomware, proceed reading further. The ransomware typically arrives and runs as a set of executables, typically named as build.exe, build2.exe and the main one that can be named with random 4 characters, for example, 4JK8.exe. Some versions of STOP/DJVU have a tendency to run a fake Windows update prompt (winupdate.exe). The ransomware then prepares for the attack and performs several checks. One of the first tasks on its list is collecting information about the target computer’s hardware, software installed and active processes as well as computer’s name, user name, infection timestamp and more. Such information will be arranged in a text file called information.txt and sent to the Command&Control server. A screenshot of such file is shown below. Next, the ransomware connects to https[:]//api.2ip.ua/geo.json and fetches information about the compromised computer’s location. A response is then saved to geo.json file. You can see examples of such file in the image below. The reason why this ransomware needs to know computer’s geolocation is to check whether the computer’s data can be encrypted (according to the criminals’ rules). It appears that they have an exception country list and avoid encrypting data on computers located in the following countries: Kyrgyzstan, Tajikistan, Ukraine, Russia, Syria, Kazachstan, Armenia, Belarus or Uzbekistan. In case the computer user is based in one of these countries, the virus will stop its processes and won’t encrypt the files. Otherwise, it proceeds with the preparations for the attack. The ransomware then proceeds and connects to its C&C server to obtain a unique encryption key as well as victim’s ID. Otherwise, it uses an offline encryption key. In both cases, these details will be written to bowsakkdestx.txt file and PersonalID.txt file. You can identify which encryption type is used by checking the last two digits in the PersonalID.txt file (located in C:/SystemID). If these are t1, it indicates offline key encryption and gives a chance to recover files in the future as explained here. For online key victims, there is no way to decrypt files or recover them if no data backup is available. See example of the discussed files in the image provided below. The ransomware then begins encrypting all data on the computer, adding new extensions, and dropping ransom notes. Each affected folder will contain the _readme.txt note. You can see a screenshot of the _readme.txt note below. Final modifications include deletion of Volume Shadow Copies and alteration of Windows HOSTS file. The virus may attempt to block a set of domains on the compromised host – only to prevent the victim from finding relevant ransomware attack-related information online. As a consequence, the victim may notice DNS_PROBE_FINISHED_NXDOMAIN error when trying to access websites like microsoft.com and various cybersecurity news websites.
Remove HUDF Ransomware Virus and Decrypt or Repair Your Files
It is important that you remove HUDF ransomware virus and related malware properly – therefore, we have prepared a detailed guide on how to start your computer in Safe Mode with Networking. After that, you should make use of the existing antivirus software (make sure you update it first!) or, in case you do not have one yet, download a reputable one. Our team’s choice is INTEGO Antivirus, a well-reviewed security software that provides robust protection against malware in real-time. Additionally, you may want to download RESTORO, an excellent tool for repairing virus damage caused for Windows operating system files. You can find a detailed HUDF virus removal guide below. Do not forget to inform your local law enforcement agency about the attack and change all of your passwords immediately (in case they were stolen by additional Trojans dropped by this malware). Make sure you have completely eliminated all threats from the computer before using your data backups. In case you didn’t have them, try officially confirmed decryption/file repair tools. OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.
Method 1. Enter Safe Mode with Networking
Before you try to remove HUDF Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove HUDF Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt HUDF files
Fix and open large HUDF files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. HUDF Ransomware Virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt HUDF files, follow the given tutorial.
Meanings of decryptor’s messages
The HUDF decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your HUDF extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of HUDF Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.