What kind of malware is Hhuy?
After a review, it has been established that Hhuy is ransomware belonging to the Djvu family. The purpose of Hhuy is to encrypt files. Also, Hhuy renames files by appending the ".hhuy" extension and creates a ransom note ("_readme.txt"). Since Hhuy is part of the Djvu family, it may be distributed with RedLine, Vidar, or other information stealer.
An example of how Hhuy renames files: it changes "1.jpg" to "1.jpg.hhuy", "2.png" to "2.png.hhuy", and so forth. This ransomware has been discovered during examination of malware samples submitted to VirusTotal website.
Hhuy ransom note overview
The ransom notification communicates to the victim that their files, encompassing images and documents, have been encrypted. The attackers propose purchasing a decryption tool and a key to recover the files. They extend an offer to decrypt one file at no cost as long as it does not contain important data.
The ransom amount is $980, but contacting the cybercriminals within 72 hours entitles the victim to a 50% discount, bringing the total to $490. The message emphasizes that data recovery is unattainable without payment and supplies the email addresses support@freshmail.top and datarestorehelpyou@airmail.cc for communication.
More about ransomware
Typically, those affected by ransomware attacks are compelled to pay cybercriminals for data decryption unless they have a backup or can find a third-party decryption tool. Paying a ransom is discouraged as cybercriminals do not always provide decryption tools.
Moreover, it is essential to remove ransomware from infected computers to prevent further damage. While active, ransomware has the potential to encrypt additional files and spread throughout a local network, impacting other computers.
Ransomware in general
Ransomware is harmful software designed to block access to files by encrypting them. The goal is to force individuals or organizations to pay a ransom to get their data back. In order to protect against this, it is recommended to regularly back up data on remote servers or offline devices. This helps reduce the impact and avoids the need to give in to ransom demands if an attack occurs.
Examples of different ransomware variants are DoctorHelp, Elpy, and Intel.
How did ransomware infect my computer?
Typically, Djvu ransomware is distributed using pages hosting pirated software, cracking tools, key generators, emails containing malicious attachments or links, and deceptive websites offering to download videos from YouTube. Cybercriminals succeed when users download and execute ransomware on their computers.
Also, threat actors distribute ransomware via Trojans, software vulnerabilities, P2P networks, drive-by downloads, malicious advertisements, and similar channels. Cybercriminals use various files, including executables (.exe), JavaScript files (.js), document files (.doc, .docx, .pdf), archive files (.zip, .rar), and executable files (.exe), to distribute malware.
How to protect yourself from ransomware infections?
Keep antivirus and anti-malware software and other programs and the operating system up to date, conduct regular system scans and exercise caution when opening attachments or clicking links, especially in unsolicited emails. Download files only from trusted sources, use official websites or app stores for software downloads and be wary of unexpected pop-ups or ads.
Do not download pirated software or agree to receive notifications from dubious websites. If your computer is already infected with Hhuy, we recommend running a scan with a powerful Anti-Malware tool to automatically remove .Hhuy Ransomware.
Hhuy's text file ("_readme.txt"):
There are currently two versions of Djvu ransomware infections: old and new. The old versions were designed to encrypt data by using a hard-coded "offline key" whenever the infected machine had no internet connection or the server was timing out/not responding.
Therefore, some victims were able to decrypt data using a tool developed by cyber security researcher, Michael Gillespie, however, since the encryption mechanism has been slightly changed (hence the new version, released in August, 2019), the decrypter no longer works and it is not supported anymore.
If your data has been encrypted by an older version, you might be able to restore it with the another tool developed by Emsisoft and Michael Gillespie. It supports a total of 148 Djvu's variants and you can find more information, as well as download link and decryption instructions in Emsisoft's official page.
Additionally, Emsisoft is now providing a service that allows to decrypt data (again, only if it was encrypted by Djvu variants released before August, 2019) for those victims who have a pair of the same file before and after the encryption. All victims have to do is upload a pair of original and encrypted file to Emsisoft's Djvu decryption page and download the aforementioned decryption tool (the download link will be provided after uploading files).
Note that the file processing may take some time so be patient. It is also worth mentioning that the system must have an Internet connection during the entire decryption process, otherwise it will fail.
