This malware is believed to have been embedded in diverse cloned software contents and a significant number is already in circulation, especially in online torrent platforms and other distribution channels.
The aim of this computer threat is to demand ransoms.
Nevertheless, while the malware attack is still going on, the cybercriminals behind it also drop ransom notes named _readme.txt. These notes inform the victim about what has occurred and what they are expected to do. They claim that a very strong algorithm was used in the process, making it impossible for the victim to restore the encrypted files without the criminals' cooperation, and that a ransom fee must be paid before the decryption tools are sent. At this point the victim has usually come to terms with the loss of vital documents and may be desperately seeking a way to recover them. From experience, the cybercriminals know the victim will be anxiously looking for a way out, so they provide two email addresses, support@bestyourmail.ch and supportsys@airmail.cc, and make it appear as though help is only an email away. If the victim takes the bait and writes to either address, they respond that the ransom fee must be paid before a decryption tool can be sent. Initially they set the ransom fee at $980 and add that only half of it will be accepted provided the victim pays as soon as possible and no later than 72 hours after being told to do so. They also warn that once 3 days pass without payment, the discount is withdrawn and the full ransom fee applies. As if all that were not enough, they insist that the ransom can only be paid by cryptocurrency transfer. For obvious reasons they prohibit money transfer services, direct bank payment and other conventional payment methods: they treat cryptocurrency as a safe haven because their physical location and personal identities remain hidden.
To assure the victim that they possess the means to recover the encrypted files, they may suggest that the victim send them a sample of the encrypted files for test decryption. They add the caveat, however, that returning a decrypted copy is at their discretion, depending on whether they consider the content useful to the victim. What they are doing here is giving themselves room for manoeuvre, since they have no intention of returning the samples. There is a general consensus that victims should not pay ransoms to cybercriminals, no matter how much pressure is applied; in fact, victims are advised not to communicate with them in the first place. This recommendation is supported by the FBI and other reputable cyber security organisations. Stated below are some of the points they considered before arriving at this conclusion:
- It doesn't make sense to pay huge sums of money to cybercriminals, since there is no guarantee they will restore your encrypted files.
- Based on existing laws, it is an offense to pay ransom to cybercriminals.
- You make yourself vulnerable to future attacks, because cybercriminals often seek ways to extort more money from victims who have paid.
- When you pay a ransom, your funds help the criminals expand and cause more problems for other computer users.
More about this specific computer virus
Although the group of cybercriminals behind the STOP/DJVU ransomware virus operates globally, there are selected countries they have designated as "protected from cyber-attack": Russia, Belarus, Uzbekistan, Kazakhstan, Ukraine, Syria, Tajikistan, Armenia and Kyrgyzstan. It is not clearly understood why they decided to exempt these countries. Once HHEO ransomware infects a computer, the first action it takes is to determine the machine's geo-location. It does this by connecting to https[:]//api.2ip.ua/geo.json and writing the result to a geo.json file, which holds details such as country, city, IP address and zip code, as well as longitude and latitude. From this the malware decides whether or not the computer's data should be encrypted, depending on its geo-location. Although most attention is directed at the damage HHEO ransomware itself can cause, it is by no means the only risk. The cybercriminals behind STOP/DJVU often bundle other Trojans alongside the primary malware. Generally known as Remote Access Trojans (RATs), they can covertly infiltrate a computer and be used to extract other sensitive information such as passwords, banking details, cryptocurrency wallets, software login credentials and browsing history. This covert operation and extraction of sensitive data is what makes RATs dangerous, and they should be guarded against. The need to stay safe from both the primary ransomware and the secondary malware distributed with STOP/DJVU is why you are advised to remove them from your computer whenever they are detected. Although there are several methods you can use, we will only recommend the most effective one, which is the use of Safe Mode with Networking.
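The geo-location check described above gives defenders a network indicator to watch for. The following is an added example, not code from the original article, that triages constructed proxy and file-event log lines: a host that contacts api.2ip.ua/geo.json is flagged at low severity (the service is a public geo API that legitimate software also uses), and is raised to high severity only if a _readme.txt ransom note appears on that host within a short window. The log format, host names and 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the page). "NET" = web proxy records,
# "FILE" = endpoint file-creation events, merged and sorted by time.
SAMPLE_LOG = """\
2024-01-10T09:12:01Z NET ws-17 GET https://api.2ip.ua/geo.json 200
2024-01-10T09:12:03Z NET ws-17 GET https://update.example.org/catalog 200
2024-01-10T09:13:45Z NET ws-22 GET https://api.2ip.ua/geo.json 200
2024-01-10T09:14:30Z FILE ws-17 CREATE C:\\Users\\alice\\Documents\\_readme.txt
2024-01-10T09:14:31Z FILE ws-17 CREATE C:\\Users\\alice\\Documents\\report.docx.hheo
2024-01-10T11:40:00Z FILE ws-22 CREATE C:\\Users\\bob\\notes.txt
"""

GEO_URL = "api.2ip.ua/geo.json"      # geo-location lookup named in the article
RANSOM_NOTE = "_readme.txt"          # ransom note name from the article
WINDOW = timedelta(minutes=30)       # assumed correlation window

# timestamp, source, host, verb/action, target (URL or path)
LINE_RE = re.compile(r"^(\S+) (NET|FILE) (\S+) (\S+) (\S+)")

def parse(log_text):
    """Parse the assumed log format into (time, source, host, action, target) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return events

def triage(log_text):
    """Return {host: 'low' | 'high'} for hosts that performed the geo lookup."""
    events = parse(log_text)
    geo = {}  # host -> time of first geo lookup
    for ts, src, host, _, target in events:
        if src == "NET" and GEO_URL in target and host not in geo:
            geo[host] = ts
    verdict = {host: "low" for host in geo}
    for ts, src, host, _, target in events:
        if src != "FILE" or host not in geo:
            continue
        # Ransom note written shortly after the lookup: treat as active encryption
        if target.lower().endswith(RANSOM_NOTE) and geo[host] <= ts <= geo[host] + WINDOW:
            verdict[host] = "high"
    return verdict

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A high-severity host should be isolated from network shares immediately, since the ransom note is dropped while files are still being encrypted.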
The most effective way to remove the HHEO virus is to start the compromised computer in Safe Mode with Networking (one of the boot options you can select when starting your computer) before launching and running a scan with your antivirus. Please note that not all antivirus products are genuine or even effective, so be careful about the brand you choose. You should also consider whether it is necessary to download RESTORO and use it to repair Windows OS files that were damaged during the attack.
Ransomware Summary
Files encrypted by this ransomware will have a new extension appended to them, and the victim may also notice a ransom note file saved in the same folder, as shown in the screenshot below.
How Computer Users Can Effectively Prevent STOP/DJVU Ransomware Virus
In order to keep your computer safe at all times, you must avoid certain risk factors such as peer-to-peer software sharing, visiting online torrent platforms, or indiscriminately opening emails, especially when you do not recognise the sender. Also be on the lookout for emails with spoofed originating addresses, or emails and attachments whose titles do not make sense to you. Since we began monitoring the activities of cybercriminals, we have found that they prefer to clone software that is in high demand and use illegal platforms such as online torrents to catch unsuspecting users. Listed below are some of the popular software titles that are commonly pirated and bundled with malware.
- Adobe Premiere Pro
- Fifa 20
- Adobe Illustrator
- Adobe Photoshop
- Corel Draw
- VMware Workstation
- Cubase
- AutoCad
- Tenorshare 4ukey
- League of Legends
- Internet Download Manager
When you obtain these software titles through the appropriate channels, you will find that most are affordable to those who need them. There is therefore no need to visit dubious platforms to obtain them at little or no cost. Remember too that using the media endorsed by the original producer helps the IT industry grow, and your computer will not be at risk of infection. Whatever amount the producers ask, it will never be comparable to the outrageous ransom fees demanded by cybercriminals. Cybercriminals also use file types such as PDF, XLS and DOCX, among others, because their macro functionality allows secondary content, including malware, to be embedded in them; they abuse these files' ability to store scripts in order to make them malicious. Victims of the STOP/DJVU ransomware virus should also be wary of websites that claim to offer decryption tools. Most of them are fraudulent and exist to scam you further. Only DiskTuna and Emsisoft have proven effective as decryption tools that can be trusted.
How to Get Rid Of HHEO Ransomware Virus & Restore Files
Before we conclude this article, it is worth re-emphasising that Safe Mode with Networking is the option you need to select when logging in to the infected computer. It is also vital to use only antivirus software with a proven track record. Ensure you remove the HHEO ransomware virus using the full system scan option. After completing the HHEO ransomware removal procedure, the following actions should be taken as well:
- Let the local police know about the incident.
- Restore lost files using any available backup.
- Research possible ways to restore files damaged by STOP/DJVU ransomware.
- Change the passwords used on the infected computer.
- Consider downloading RESTORO for a free system scan to see if some virus-affected files could be repaired. This functionality is available in the full version of the software.
Method 1. Enter Safe Mode with Networking
Before you try to remove the HHEO Ransomware Virus, you must start your computer in Safe Mode with Networking. Below we provide the easiest ways to boot the PC in that mode, but you can find additional ones in the in-depth tutorial on our website, How to Start Windows in Safe Mode. If you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Once in Safe Mode, you can search for and remove HHEO Ransomware Virus files. It is very hard to identify the files and registry keys that belong to the ransomware, and malware creators tend to rename and change them repeatedly. Therefore the easiest way to uninstall this type of computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically. After restoring the system, we recommend scanning it with antivirus or anti-malware software. In most cases there will be no malware remnants, but it never hurts to double-check. In addition, we highly recommend reading the ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Decrypt HHEO files
Fix and open large HHEO files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the first 150 KB of each file, so that the virus manages to affect every file on the system quickly. In some cases the malicious program may skip some files entirely. For that reason, we recommend testing this method on several large (>1 GB) files first.
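Before attempting to repair a large file, it helps to confirm that only its first 150 KB was actually touched. The following is an added example, not code from the original article or from any decryption tool: it compares the Shannon entropy of the first 150 KB with a slice read after that boundary, and builds a constructed sample file (random "encrypted" head, repetitive plaintext tail) to run against. The entropy thresholds are assumptions and the heuristic only works for uncompressed content; for video, archives or other already-compressed formats the tail is high-entropy anyway, so compare against a known-good copy or check format markers instead.

```python
import math
import os
import tempfile

# STOP/DJVU reportedly encrypts only the first 150 KB of each file (per the text)
ENCRYPTED_PREFIX = 150 * 1024

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random/encrypted data approaches 8.0, plain text is far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def partial_encryption_report(path, sample=64 * 1024):
    """Compare the entropy of the first 150 KB with a slice taken right after it."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(min(ENCRYPTED_PREFIX, size))
        f.seek(ENCRYPTED_PREFIX)
        tail = f.read(sample)  # empty if the file is smaller than 150 KB
    head_e = shannon_entropy(head)
    tail_e = shannon_entropy(tail) if tail else None
    return {
        "size": size,
        "head_entropy": round(head_e, 2),
        "tail_entropy": None if tail_e is None else round(tail_e, 2),
        # Assumed thresholds: encrypted head looks random, untouched tail does not
        "tail_intact": tail_e is not None and head_e > 7.5 and tail_e < 6.0,
    }

def make_sample_file():
    """Constructed test input: 150 KB of random bytes followed by ~700 KB of text."""
    fd, path = tempfile.mkstemp(suffix=".hheo")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(ENCRYPTED_PREFIX))
        f.write(b"plain text row of a large document\n" * 20000)
    return path

if __name__ == "__main__":
    print(partial_encryption_report(make_sample_file()))
```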
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. HHEO Ransomware Virus is considered a new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF and ZNSM (find the full list here). This means full data decryption is now possible only if your files were encrypted with an offline key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by the security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions about whether he can recover files encrypted with an online key: it is not possible. To test the tool and see whether it can decrypt HHEO files, follow the tutorial given below.
Meanings of decryptor’s messages
The HHEO decryption tool might display several different messages after a failed attempt to restore your files. You might receive one of the following:

- "Error: Unable to decrypt file with ID: [example ID]". This message typically means that there is no corresponding decryption key in the decryptor's database.
- "No key for New Variant online ID: [example ID] Notice: this ID appears to be an online ID, decryption is impossible". This message informs you that your files were encrypted with an online key, meaning no one else has the same encryption/decryption key pair; data recovery without paying the criminals is therefore impossible.
- "Result: No key for new variant offline ID: [example ID] This ID appears to be an offline ID. Decryption may be possible in the future." If you are informed that an offline key was used but the files could not be restored, it means that the offline decryption key is not available yet.

Receiving the last message is extremely good news, because it may be possible to restore your HHEO extension files in the future. It can take a few months until the decryption key is found and uploaded to the decryptor. We recommend following updates regarding decryptable DJVU versions here, and we strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of HHEO Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
- In the United States, go to the On Guard Online website.
- In Australia, go to the SCAMwatch website.
- In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
- In Ireland, go to the An Garda Síochána website.
- In New Zealand, go to the Consumer Affairs Scams website.
- In the United Kingdom, go to the Action Fraud website.
- In Canada, go to the Canadian Anti-Fraud Centre.
- In India, go to the Indian National Cybercrime Reporting Portal.
- In France, go to the Agence nationale de la sécurité des systèmes d'information.
If you can't find an authority corresponding to your location in this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority's website. We also recommend staying away from third-party crime reporting services, which are often paid; it costs nothing to report Internet crime to the official authorities. Another option is to contact your country's or region's federal police or communications authority.