Malware researchers have spotted a virus named Hakuna Matata that uses the RSA-2048 and AES-256 ciphers to encrypt files and appends its .HakunaMatata file extension to them. This ransomware threat imitates the Disney animation Timon and Pumbaa, but bear in mind that it is anything but an animation. The malware aims to extort a serious amount of Bitcoin from its victims, leaving a “Recovers files yako.html” file that displays the ransom note on the user’s screen. If you have been infected by the .HakunaMatata file virus, read the following article for removal instructions.
How Does the .HakunaMatata Files Virus Work?
This ransomware infection is of the file-encryption kind. This means that once it has infected a machine, Hakuna Matata encodes your files on sight, so that they can no longer be opened or used.
The virus does this by first modifying the Windows Registry. This can happen in several different ways. One of them is to modify .dll files located in %WINDIR% that are related to the operation of the Windows Registry Editor. This may result in registry values being added so that the malicious executables run on Windows startup.
When the virus encrypts files, it looks for commonly used types of data, such as videos, MS Office files, Adobe Reader .PDF files, pictures, music and other frequently used data.
After this has been done, the virus appends the .HakunaMatata file extension to the encrypted files and changes their icon. The encrypted files look like the following example:
After this, Hakuna Matata ransomware makes its presence known to the user by adding the “Recovers files yako.html” ransom note for the victim to see. The note asks the victim to contact the cyber-criminals via the BitMessage service, giving the following Bitmessage ID:
Users are left to wonder what has happened and what they can do about it. They are usually asked to pay the sum of 0.5 BTC. After encryption, Hakuna Matata may also execute the “vssadmin delete shadows /all /quiet” command.
Hakuna Matata Virus – How Did I Get Infected
The virus may be delivered via multiple methods, the primary one being spam e-mails.
Most spam messages that carry the .HakunaMatata file virus, either as a malicious attachment or a virus, tend to appear as if they were legitimate mails. This means that they imitate various legitimate vendors, such as PayPal, FedEx and other companies.
Removing .HakunaMatata Ransomware and Getting Back the Files
To remove this ransomware virus, follow the removal instructions below. For maximum effect, experts in the cyber-security field often recommend tools they have designed themselves, such as anti-malware software that removes all the objects modified by the .HakunaMatata virus and also protects the computer in the future. If you want to restore .HakunaMatata files after removing the malware, we advise trying some of the suggestions below. They may not get all your files back, but will most likely restore some of them.
Booting in Safe Mode
1) Hold the Windows key and press R.
2) A Run window will appear; type “msconfig” in it and hit Enter.
3) When the window appears, go to the Boot tab and select Safe Boot.
Cut out HakunaMatata in Task Manager
1) Press CTRL+ESC+SHIFT at the same time.
2) Locate the “Processes” tab.
3) Locate the malicious process of HakunaMatata and end its task by right-clicking on it and clicking on “End Process”.
Eliminate HakunaMatata’s Malicious Registries
For most Windows variants:
1) Hold the Windows button and press R.
2) In the “Run” box type “Regedit” and hit “Enter”.
3) Hold CTRL+F keys and type HakunaMatata or the file name of the malicious executable of the virus which is usually located in %AppData%, %Temp%, %Local%, %Roaming% or %SystemDrive%.
4) After having located the malicious registry objects, some of which are usually in the Run and RunOnce subkeys, delete them permanently and restart your computer. Here is how to find and delete keys for different versions.
For Windows 7: Open the Start Menu and type regedit in the search field -> Open it -> Hold the CTRL + F buttons -> Type HakunaMatata Virus in the search field.
Win 8/10 users: Start Button -> Choose Run -> Type regedit -> Hit Enter -> Press the CTRL + F buttons -> Type HakunaMatata in the search field.
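The registry search described above can also be done as a read-only audit from PowerShell. The script below is an added example, not part of the original article: it lists values in the Run and RunOnce subkeys whose name or command mentions HakunaMatata or whose command launches from a user-writable folder. The key list and the use of %APPDATA%, %LOCALAPPDATA% and %TEMP% as suspect locations are assumptions based on the folders named in step 3.

```powershell
# Added example: read-only audit of autorun values. It deletes nothing.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed suspect locations: user-writable folders of the kind the article names.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') } |
    Select-Object -Unique

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent on this system
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $raw      = [string]$item.GetValue($name)
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        $reasons  = @()

        if ($name -match 'HakunaMatata' -or $expanded -match 'HakunaMatata') {
            $reasons += 'mentions HakunaMatata'
        }
        foreach ($root in $suspectRoots) {
            # Case-insensitive substring test; avoids wildcard characters in paths.
            if ($expanded.IndexOf("$root\", [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $reasons += "launches from $root"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Key     = $key
                Value   = $name
                Command = $expanded
                Why     = $reasons -join '; '
            }
        }
    }
}

if ($findings) { $findings | Format-List }
else { 'No Run/RunOnce values matched the checks.' }
```

Legitimate software also starts from these folders, so each flagged value needs to be reviewed before it is deleted in regedit.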
Automatic Removal of HakunaMatata
Recover files encrypted by the HakunaMatata Ransomware.
Method 1: Using Shadow Explorer. If you have enabled File History on your Windows machine, one thing you can do is use Shadow Explorer to get your files back. Unfortunately, some ransomware viruses may delete those shadow volume copies with an administrative command to prevent you from doing just that.
Method 2: Try to decrypt your files using third-party decryption tools. Many antivirus providers have decrypted multiple ransomware viruses in the last couple of years and posted decryptors for them. If your ransomware virus uses the same encryption code as a decryptable virus, you may get the files back. However, this is not a guarantee either, so you might want to try this method with copies of the original encrypted files, because if a third-party program tampers with their encrypted structure, they may be damaged permanently. Here are the vendors to look for:
Method 3: Using data recovery tools. This method is suggested by multiple experts in the field. It can be used to scan your hard drive’s sectors and hence scramble the encrypted files anew as if they were deleted. Most ransomware viruses delete a file and create an encrypted copy to prevent such programs from restoring the files, but not all are this sophisticated. So you may have a chance of restoring some of your files with this method. Here are several data recovery programs which you can try in order to restore at least some of your files:
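Before trying Shadow Explorer it helps to know whether any shadow copies survived and whether they predate the encryption. The following read-only PowerShell script is an added example, not part of the original article: it inventories .HakunaMatata files and “Recovers files yako.html” notes, then lists the remaining shadow copies. The scan root defaulting to the user profile is an assumption, and the shadow copy query needs an elevated prompt.

```powershell
# Added example: read-only triage. Nothing is modified or deleted.
param([string]$Root = $env:USERPROFILE)   # assumed scan root; pass another path if needed

# Files carrying the ransomware's extension, plus its ransom notes.
$affected = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.HakunaMatata' -or $_.Name -eq 'Recovers files yako.html' }

if (-not $affected) {
    "No .HakunaMatata files or ransom notes found under $Root"
    return
}

# The earliest write time among affected files approximates when encryption began.
$firstHit = ($affected | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
'{0} affected files; earliest timestamp {1:yyyy-MM-dd HH:mm:ss}' -f @($affected).Count, $firstHit

# Most affected folders, to scope what needs restoring.
$affected | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -Property Count, Name -First 10 | Format-Table -AutoSize

# Surviving shadow copies; an empty result is expected if they were deleted.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) {
    'No shadow copies found (deleted, never enabled, or prompt not elevated).'
}
else {
    $shadows | Sort-Object InstallDate |
        Select-Object ID, VolumeName, InstallDate,
            @{ Name = 'PredatesEncryption'; Expression = { $_.InstallDate -lt $firstHit } } |
        Format-Table -AutoSize
}
```

Only shadow copies marked as predating the encryption can contain unencrypted versions of the files.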