What is MoWare H.F.D ransomware? And how does it work?
MoWare H.F.D ransomware is a new file-encrypting virus that is created through the HiddenTear open source platform. HiddenTear was released in 2015 and has already spawned a huge number of ransomware and one of them is the MoWare H.F.D ransomware. Your computer, once infected with this ransomware, will be scanned for different 666 file types. After it finds its targeted files, it then appends its file extension which is H_F_locked to the files’ original extensions. It uses RSA 4096 encryption algorithm to encrypt your files and uses a strong key to lock your files.
According to our researchers, the MoWare H.F.D ransomware will try to distort data by using XOR cipher during the encryption process. Once it completes encrypting your files, the ransomware opens a new window containing the ransom note which has the following message:
“INFORMATION SECURITY
Your Personal Files has been Encrypted and Locked
Your documents, photos, databases and other important files have been encrypted with strongest encryption and locked with unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
Caution: Removing of MoWare H.F.D will not restore access ti your encrypted files.
Frequently Asked Questions
What happened to my files ? understanding the issue
How can i get my files back ? the only way to restore your files
What should i do next ? Buy decryption key
Now you have the last chance to decrypt your files.
1. Buy Bitcoin (https://blockchain.info)
2. Send amount of 0.02 BTC to address: 15nbyuacLHfm3FrC5hz1nigNVqEbDwRUJq
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at [email protected]”
As you can see, the crooks behind the MoWare H.F.D ransomware will tell you that removing the infection won’t help in restoring your files and that if you want to access your data, you have to pay 0.02 Bitcoins within the span of 4 days and if you fail to give the demanded ransom, the amount will increase up to 0.05 Bitcoins, which is half the original amount. And even if this ransomware provided you complete steps and details on how to pay the ransom, you should not, in any way ever give these crooks what they want for it will only encourage them to continue creating this kind of nasty infection and besides paying the ransom won’t guarantee that you’ll get your files back. Don’t worry just yet. This article will provide you a way to recover your files together with the MoWare H.F.D ransomware removal instructions.
How is MoWare H.F.D ransomware distributed?
This ransomware is distributed through spam emails. The attackers created an email server dedicated to spread spam emails disguising as legitimate invoices, receipts, etc. to trick users into opening them and download the attached which is MoWare H.F.D.exe. These kinds of spam emails do not contain much text and will point you directly to the infected attachment.
Follow the removal instructions below to eliminate MoWare H.F.D ransomware:
Step 1: Enable the disabled Windows features.
- Press Win + R keys to launch Run.
- Type in gpedit.msc in the box and press Enter to open Group Policy.
- Under Group Policy, navigate to:
User Configuration\Administrative Templates\System
- After that, open Prevent access to the command prompt.
- Select Disable to enable cmd
- Click the OK button
- After that, go to:
Configuration\Administrative Templates\System
- Double click on the Prevent Access to registry editing tools.
- Choose Disabled and click OK.
- Navigate to :
User Configuration\Administrative Templates\System>Ctrl+Alt+Del Options
- Double click on Remove Task Manager.
- And then set its value to Disabled.
Step 2: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for the any suspicious processes that can be related to the MoWare H.F.D ransomware.
Right-click on the processes, then click Open File Location and scan them using a powerful and trusted antivirus like SpyRemover Pro. After opening their folders, end their processes and delete their folders. If the virus scanner fails to detect something that you know is suspicious, don’t hesitate to delete it.
Step 3: Open Control Panel by pressing Start key + R to launch Run and type appwiz.cpl in the search box and click OK.
Find MoWare H.F.D ransomware or any suspicious program and then Uninstall.
Step 4: Open the File Explorer by pressing the Windows key + E.
Step 5: Go to the directories listed below and delete anything suspicious in it.
-
%AppData%\MoWare_H\MoWare H.F.D\1.0.0.0\
-
%USERPROFILE%\Downloads
-
%USERPROFILE%\Desktop
-
%TEMP%
Step 6: Look for MoWare H.F.D.exe or any malicious executable file that could be related to MoWare H.F.D ransomware
Step 7: Right-click on it and click Delete.
The next step below is not recommended for you if you don’t know how to navigate the Registry Editor. Making registry changes can highly impact your computer. So it is highly advised to use PC Cleaner Pro instead to get rid of the entries that MoWare H.F.D ransomware created. So if you are not familiar with the Windows Registry skip to Step 12 onwards.
However, if you are well-versed in making registry adjustments, then you can proceed to step 8.
Step 8: Open the Registry Editor, to do so, tap Win + R and type in regedit and then press enter.
Step 9: Navigate to the path below:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Step 10: Delete the any suspicious registry value.
Step 11: Close the Registry Editor.
Step 12: Empty the Recycle Bin.
Step 13: TRY to decrypt your encrypted files using the Windows Previous Versions feature.
Keep in mind that decrypting your encrypted files using Windows’ Previous Versions feature will only be effective IF MoWare H.F.D ransomware hasn’t deleted their shadow copies. But still, this is one of the safest and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
Follow the continued advanced steps below to ensure the removal of the Wannacry 3.0 ransomware:
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
-
Turn on your computer. If it’s already on, you have to reboot it.
-
After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
-
To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit Enter.
-
Windows will now load the Safe Mode with Networking.
-
If done correctly, the Windows Run Box will show up.
-
Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
-
A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.
-
Click OK to launch SpyRemover Pro.
-
Run SpyRemover Pro and perform a full system scan.
-
Register SpyRemover Pro to protect your computer from future threats.