What Does HugeMe Ransomware Do
The HugeMe ransomware is a new strain of the EDA2 open-source family of malware. The virus follows the typical behaviour patterns associated with similar threats.
The goal of this ransomware is to encrypt target user data and then extort the computer user to pay a ransomware fee to restore their data. In many cases after payment the virus is not removed entirely and the danger continues to persist. This is why users should be extremely cautious and use a quality anti-spyware solution to remove existing threats.
Manual removal is also an option with some of the simpler threats which do not posses any advanced features. The virus assigns the .encrypted extension to every affected file.
After the encryption process is complete several ransomware notes are created on the victim system – DECRYPT.TXT, DECRYPT_ReadMe.TXT.ReadMe and DECRYPT_ReadMe1.TXT.ReadMe. They contain the ransomware message which reads the following:
All your files encrypted with strong encryption.
To unlock your files you must pay 1 bitcoin to address :
Search google for how to buy and send bitcoin.
After you send the bitcoin email to :
use all email to communicate with the information of username and pcname and the time you send bitcoins.
When we will confirme the transaction you will receive decryption key and decryption program.
You have 5 days to make transaction after that your decryption key will be deleted. And your files gone forever.
The following file type extensions are affected by the virus:
.1cd, .3d, .3d4, .3df8, .3fr, .3g2, .3gp, .3gp2, .3mm, .7z, .aac, .abk, .abw, .ac3, .accdb, .ace, .act, .ade,
.adi, .adpb, .adr, .adt, .til, .aim, .aip, .ais, .amf, .amr, .amu, .amx, .amxx, .ans, .ap, .ape, .api, .arc, .ari, .arj, .aro, .arr, .ARW,
.asa, .asc, .ascx, .ase, .asf, .ashx, .asmx, .asp, .asr, .avi, .avs, .bak, .bay, .bck, .bdp, .bdr, .bib, .bic, .big, .bik, .bkf, .blp, .bmc,
.bmf, .bml, .bmp, .boc, .bp2, .bp3, .bpl, .bsp, .cag, .cam, .cap, .car, .cbr, .cbz, .cc, .ccd, .cch, .cd, .cdr, .himlen, .cfg, .cgf, .chk, .clr,
.cms, .cod, .col, .cp, .cpp, .CR2, .crd, .crt, .CRW, .cs, .csi, .cso, .ctt, .cty, .cwf, .dal, .dap, .dbb, .dbf, .dbx, .dcp, .DCR, .dcu, .ddc,
.ddcx, .dem, .den, .dev, .dex, .dic, .dif, .dii, .dir, .disk, .divx, .diz, .djvu, .dmg, .DNG, .dob, .doc, .docm, .docx, .dot, .dotm, .dotx,
.dox, .dpk, .dpl, .dpr, .dsk, .dsp, .dvd, .dvi, .dvx, .dwg, .dxe, .dxf, .DXG, .elf, .eps, .eql, .ejendom, .err, .euc, .evo, .ex, .exif, .f90,
.faq, .fcd, .fdr, .fds, .ff, .fla, .flp, .flv, .for, .fpp, .gam, .gif, .grf, .gthr, .gz, .gzig, .h3m, .h4r, .htm, .html, .idx, .img, .indd, .ink,
.ipa, .isu, .isz, .itdb, .itl, .iwd, .jar, .jav, .java, .jc, .jfif, .jgz, .jif, .jiff, .jpc, .jpeg, .jpf, .jpg, .jpw, .js, .KDC, .kmz, .kwd, .lbi,
.lcd, .lcf, .ldb, .lgp, .log, .lp2, .ltm, .ltr, .lvl, .mag, .man, .map, .max, .mbox, .mbx, .mcd, .md3, .CIS, .MDF, .mdl, .mdn, .mds, .MEF, .mic,
.mip, .mlx, .mod, .moz, .mp3, .mp4,.mpeg, .mpg, .MRW, .msg, .msp, .mxp, .nav, .ncd, .nds, .skib, .nfo, .now, .nrg, .nri, .NRW, .spec, .Episode, .odf,
.odi, .ODM, .Svar, .ODS, .ODT, .oft, .oga, .ogg, .opf, .orf, .owl, .oxt, .p12, .p7b, .p7c, .pab, .pak, .pbf, .pbp, .pbs, .pcv, .PDD, .pdf, .PEF,
.PEM, .pfx, .php, .pkb, .pkh, .pl, .plc, .pli, .pm, .png, .pot, .potm, .potx, .ppd, .ppf, .pps, .ppsm, .ppsx, .ppt, .PPTM, .PPTX, .prc, .prt,
.psa, .PSD, .pst, .PTX, .puz, .pwf, .pwi, .pxp, .qbb, .qdf, .qel, .qif, .qpx, .qtq, .qtr, .R3D, .ra, .raf, .rar, .rå, .res, .rev, .rgn,
.rng, .rrt, .rsrc, .rsw, .rte, .rtf, .rts, .rtx, .rum, .run, .rv, .RW2, .RWL, .sad, .saf, .sav, .scm, .scn, .scx, .sdb, .sdc, .sdn, .sds,
.sdt, .sen, .sfs, .sfx, .sh, .shar, .shr, .shw, .slt, .snp, .so, .spr, .sql, .sqx, .SR2, .SRF, .srt, .SRW, .ssa, .std, .stt, .stx, .sud,
.svi, .svr, .swd, .swf, .tar, .tax2013, .tax2014, .tbz2, .tch, .tcx, .text, .tg, .thmx, .tif, .tlz, .tpu, .tpx, .trp, .tu, .tur, .txd,
.txf, .txt, .uax, .udf, .umx, .unr, .unx, .uop, .upoi, .url, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .val, .vc, .vcd, .vdo,
.ver, .vhd, .vmf, .vmt, .vsi,.vtf, .w3g, .w3x, .wad, .war, .wav, .wave, .waw, .WB2, .wbk, .wdgt, .wks, .wm, .wma, .wmd, .wmdb, .wmmp,
.wmv, .wmx, .wow, .WPD, .wpk, .wpl, .WPS, .wsh, .wtd, .wtf, .wvx, .x3f, .xl, .xla, .xlam, .xlc, .XLK, .xll, .xlm, .xlr, .xls, .xlsb,
.xlsm, .XLSX, .xltx, .xlv, .xlwx, .xpi, .xpt, .xvid, .xwd, .yab, .yps, .z02, .z04, .zap, .zip, .zipx, .zoo
The HugeMe Ransomware is known to delete the Shadow Volume Copies available on the infected computer. This means that data recovery without the use of specialized data recovery software is impossible.
The fact that the virus is based on open-source code means that future improvements can be made easily even by more inexperienced hackers.
How Does HugeMe Ransomware Infect
The HugeMe Ransomware is distributed using the widely used virus distribution strategies. One of the popular options is linking the virus payload in spam email messages. They often use social engineering tricks and pose as coming frm legitimate institutions such as government agencies or financial institutions. In other cases the files can be attached to the documents or carried through infected documents. Malicious macro are one of the popular options that hackers use in the last few months.
Dangerous redirects such as browser hijackers and hacked ad engines and sites can also lead to infections. Another option is the use of infected software installers which bundle the virus along with the installed application. They are found found on iliegal download sites or BitTorrent trackers.
Remove HugeMe Ransomware
For the removal of this ransomware virus, recommendations are to use the instructions we have provided below. For fastest and most efficient removal however, you may want to download and scan your computer with an advanced anti-malware program. It will make sure to protect you in the future as well.
Booting in Safe Mode
1) Hold Windows Key and R
2) A run Window will appear, in it type “msconfig” and hit Enter
3) After the Window appears go to the Boot tab and select Safe Boot
Cut out HugeMe in Task Manager
1) Press CTRL+ESC+SHIFT at the same time.
2) Locate the “Processes” fane.
3) Locate the malicious process of HugeMe, and end it’s task by right-clicking on it and clicking on “End Process”
Eliminate HugeMe‘s Malicious Registries
For most Windows variants:
1) Hold Windows Button and R.
2) In the “Run” box type “Regedit” and hit “Enter”.
3) Hold CTRL+F keys and type HugeMe or the file name of the malicious executable of the virus which is usually located in %AppData%, %Temp%, %Local%, %Roaming% or %SystemDrive%.
4) After having located malicious registry objects, some of which are usually in the Run and RunOnce subkeys delete them ermanently and restart your computer. Here is how to find and delete keys for different versions.
For Windows 7: Open the Start Menu and in the search type and type regedit –> Open it. –> Hold CTRL + F buttons –> Type HugeMe Virus in the search field.
Win 8/10 users: Start Button –> Choose Run –> type regedit –> Hit Enter -> Press CTRL + F buttons. Type HugeMe in the search field.
Automatic Removal of HugeMe
Recover files encrypted by the HugeMe Ransomware.
Method 1: Using Shadow Explorer. In case you have enabled File history on your Windows Machine one thing you can do is to use Shadow Explorer to get your files back. Unfortunately some ransomware viruses may delete those shadow volume copies with an administrative command to prevent you from doing just that.
Method 2: If you try to decrypt your files using third-party decryption tools. There are many antivirus providers who have decrypted multiple ransomware viruses the last couple of years and posted decryptors for them. Chances are if your ransomware virus uses the same encryption code used by a decryptable virus, you may get the files back. Dog, this is also not a guarantee, so you might want to try this method with copies of the original encrypted files, because if a third-party program tampers with their encrypted structure, they may be damaged permanently. Here are the vendors to look for:
Method 3: Using Data Recovery tools. This method is suggested by multiple experts in the field. It can be used to scan your hard drive’s sectors and hence scramble the encrypted files anew as if they were deleted. Most ransomware viruses usually delete a file and create an encrypted copy to prevent such programs for restoring the files, but not all are this sophisticated. So you may have a chance of restoring some of your files with this method. Here are several data recovery programs which you can try and restore at least some of your files: