Ehiz ransomware (virus) - Bonus: Decryption Steps

Ehiz virus Removal Guide

What is Ehiz ransomware?

Ehiz ransomware – a hazardous virus that prevents victims from accessing their files until a ransom is paid

Ehiz ransomwareThe threat is controlling users by scaring them into paying.

Ehiz ransomware is actively spreading on the internet, and as soon as it infects a computer, it immediately locks all non-system files. That's done so the threat actors behind it could demand a ransom. If it's paid, the cybercriminals will supposedly send the necessary software to decrypt the files.

If your computer is infected with this ransomware, you can identify it by the .ehiz extension that's appended to all original filenames. Although the infection is developed to encrypt only personal files (documents, archives, databases, audio/video, etc.), it does extensive damage to system data as well.

The main goal of a ransomware attack is to extort Bitcoins from victims. The asking price for the Ehiz ransomware decryption tool sold by the assailants depends on the victim's quickness. It's stated in the _readme.txt ransom note that if victims contact the criminals via provided emails (, within 72 hours of the attack, a 50% discount will be applied to the sum.

That would lower the amount from $980 to $490. However, we highly advise against reaching out to the assailants, or needless to say, paying the ransom. There might be other methods to regain your precious files, and this article will cover all those possibilities.

We're also going to explain the spreading techniques, functionality peculiarities, and of course, provide the removal options for the article's culprit, which belongs to the infamous Djvu ransomware family. Viruses from this lineage have been roaming around since 2018, and since we've been researching them from the get-go, we sure know a thing or two.

Ehiz virusThe virus aims to get money by locking files.

If you'd ask us “how Ehiz ransomware got on my computer?”, the answer would be most likely through a software (game, application, etc.) crack that you've downloaded from a file-sharing platform. Although other means of infection are possible, this one is the most probable.

The most important thing when your computer gets infected with ransomware is not to panic. The deed is done. Now all that matters is how you respond to this mishap. It's easy for us to say that you should remove Ehiz virus from your device when it's not our data that's been encrypted.

But since we're doing this for a long time, we still highly recommend withholding from the urge to end this nightmare by succumbing to the assailants' demands. They could use that money to infect more computers of random innocent people like you, so the responsible thing would be to eliminate it. Below you'll find a brief summary of the threat and comprehensive instructions for its removal and possible file recovery options.

name Ehiz virus
Type Ransomware, file-locking parasite, cryptovirus
Family Djvu/STOP
Infection symptoms All personal files are renamed, and you cannot open any of them; ransom note appears on the desktop and in random folders
appended file extension .ehiz
Ransom note _readme.txt
Distribution This family of malware tends to spread around using game cracks, pirated software, and other files distributed via torrent sites and malicious pages. Ransomware creators can deliver the payload of this virus via email attachments
File recovery You might be able to recover encrypted files with the Emsisoft decryption tool or other software. All possible techniques are explained below
Elimination Removal should be done with trustworthy anti-malware software that will ensure that the cryptovirus infection won't renew
System health check This type of infection causes havoc on system files and settings, resulting in various abnormal system behavior. Resolve all system-related irregularities by running a scan with the FortectIntego PC diagnostics tool

When the ransomware infects the machine and locks those commonly used files, the system can get slower during encryption. Other than that, there are no particular symptoms of the threat. Users might not notice the infection because the Djvu ransomware family that the Ehiz virus belongs to tends to show Windows Update and other process messages to mask the computer's slowness.

Users get scared when the ransom message is delivered, so many questions get asked by victims. One of the more common – does paying help to decrypt files? The short answer to that is no. It is very rare for criminals to send reliable decryption tools after the payment is received. In most cases, threat actors leave the system encoded and disappear without giving any solution for the victim.

After the ransomware infection, what you can do instead of paying the demanded ransom depends on the severity of the infection. We have a few pointers before you move on to termination and file recovery:

  • Distribution of such malicious files and holding property for ransom is a criminal act, so you can report the encryption to law enforcement.
  • Avoiding contact with criminals is advised because it is rarely possible to get your files decrypted by them.
  • Removing infection is important, but that is not the same as unlocking those files.
  • Malware elimination can be done using proper AV tools that can detect the infection.
  • Decryption tools get developed over time, but not all victims might get help from those since threat actors often change their tactics.
  • Djvu family relies on offline IDs vs Online IDs system, so some of the people can rely on existing decryption tools, but others need additional solutions.

Ransom note messageRansomware is focusing on money demands directly displayed as text files.

Recovery and removal instruction for Ehiz virus

As we've mentioned before, the worst that could've happened already happened. We're very glad that you chose us to guide you through this journey. Below you'll find four steps. Please don't skip any of them so that the removal is done correctly, and the ransomware won't have any chances of renewal on your infected device, and afterward, you could enjoy it anew. The message in _readme.txt might seem convincing, but criminals should never be trusted and ransom paying is not the solution.

Step 1.

If you discover Ehiz file virus attack taking place, disconnect your internet cable and disable WiFi immediately. Also, disconnect any media connected to your device, such as USB drives, NAS (Network Attached Storage), and similar. When the ransomware is done with its bidding, a ransom note will appear on the desktop and in random folders.

Then, if you didn't keep backups, you have to copy all (or essential) encrypted data into an offline storage device (SSD, USB, etc.). The locked data doesn't hold any malicious code, so it's safe to keep it, meaning it won't encrypt any other data saved on your choice of storage device. Only then proceed to the further step.

Step 2.

Download Malwarebytes or SpyHunter 5Combo Cleaner. Either of these reputable anti-malware tools is essential to remove Ehiz virus successfully. When you install the AV engine, update its virus signatures. Then perform a full system scan. A proper tool will identify,[1] locate, and delete the infection with all additional modules or any other malware.

Sometimes, ransomware can edit system files and settings, preventing you from accessing security-related websites and launching security software. If that's the case, you'll have to perform this step in Safe Mode with Networking. For your convenience, instructions on how to accomplish that are posted at the bottom of the article.

Ehiz virus detectionThe virus can be indicated as dangerous or malicious by AV tools, so you need such an app to remove it.

The need for a reliable anti-malware tool is once more reiterated in the VirusTotal report[2] which clearly shows that 55 out of 70 AV engines have identified Ehiz file virus and prevented it from infecting the computer. Here are some of its detection names:

  • Win32:RansomX-gen [Ransom]
  • A Variant Of Win32/Kryptik.HLAP
  • Trojan.MalPack.GS
  • Trojan:Win32/Azorult.RT!MTB
  • ML.Attribute.HighConfidence

It would be great if everyone understood the dangers of ransomware attacks. The best way to defend against them is to make a habit of updating your anti-malware software and scanning your computer with it at least twice a week.

Step 3.

All Djvu family ransomware causes havoc on your computer's system files and settings to prolong its unwelcomed stay. Ehiz ransomware edits the Registry, modifies the host file, deletes Shadow Volume Copies,[3] and so on. We've briefly mentioned the outcome of that in the previous step.

Thus when the removal is completed, you have to repair everything that the infection has done. To fix everything manually, you have to have extensive IT knowledge. If you don't consider yourself a professional when it comes to computers, IT professionals[4] highly advise downloading the patented FortectIntego PC repair tool.

It will ensure that the Registry keys and values are in order and take care of other elements on your device, preventing it from crashing, freezing, exhibiting any other abnormal behavior, most importantly, Ehiz virus renewal. To make things easier, here are detailed instruction on how to accomplish this step:

  • Download the application by clicking on its name above
  • Click on the ReimageRepair.exe that appears on your browser
    Reimage download
  • If User Account Control (UAC) shows up, select Yes
  • Press Install
    Reimage installation
  • The analysis of your machine will begin immediately after the program is successfully installedReimage scan
  • The results will be listed in the Summary
  • You can now click on each of the issues and fix them one by one
  • If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.Reimage results

By employing FortectIntego, you would not have to worry about future computer issues, as most of them could be fixed automatically. Most importantly, you could avoid the time-consuming and irritating process of Windows reinstallation in case things go very wrong.

Step 4.

Only after you've completed each and every of the last three steps can you proceed to data recovery. If you had backups of all your data, you could safely retrieve them. As we've mentioned before, Ehiz file virus belongs to the Djvu ransomware family. Since it's one of the most perversive malware strains circulating the internet, there are companies helping victims to recover files for free.

One of those companies is Emsisoft. It offers free decryption software that might help recover data encrypted by ransomware from the lineage mentioned above. Although, there's no guarantee that it will work because the article's culprit is a brand new variant. Either way, stay hopeful and try it:

  • Download the app from the official Emsisoft website.Ehiz ransomware
  • After pressing the Download button, a small pop-up at the bottom, titled decrypt_STOPDjvu.exe, should appear – click it.
    Ehiz ransomware
  • If User Account Control (UAC) message pops up, click Yes.
  • Agree to License Terms by pressing Yes.
    Ehiz ransomware
  • After Disclaimer appears, press OK.
  • The tool should automatically identify the affected folders, although you can also do it by pressing Add folder at the bottom.
    Ehiz ransomware
  • Press Decrypt.
    Ehiz ransomware

There are three possible outcomes:

  1. Decrypted!” is shown under files that have been successfully unlocked and can be used again.
  2. Error: Unable to decrypt file with ID:” means that the keys for Ehiz ransomware have not yet been retrieved, so you should try later.
  3. This ID appears to be an online ID, decryption is impossible” – this tool won't help you decrypt your locked data.

If the Emsisoft decryptor doesn't work and your files are stilled locked up, that doesn't mean that you can't recover Ehiz files. There might be other ways to do that, and we've included them at the bottom of the article. Please try them out, as succumbing to the assailants' demands is the worst option that you could take.

Criminals could use that money to expand their empire of dirt. The ransom money would finance the development of more sophisticated computer threats and means to distribute them. Please do the responsible thing and don't forward any money to your assailants.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Ehiz virus. Follow these steps

Isolate the infected computer

Some ransomware strains aim to infect not only one computer but hijack the entire network. As soon as one of the machines is infected, malware can spread via network and encrypt files everywhere else, including Network Attached Storage (NAS) devices. If your computer is connected to a network, it is important to isolate it to prevent re-infection after ransomware removal is complete.

The easiest way to disconnect a PC from everything is simply to plug out the ethernet cable. However, in the corporate environment, this might be extremely difficult to do (also would take a long time). The method below will disconnect from all the networks, including local and the internet, isolating each of the machines involved.

  • Type in Control Panel in Windows search and press Enter
  • Go to Network and Internet Network and internet
  • Click Network and Sharing Center Network and internet 2
  • On the left, pick Change adapter settings Network and internet 3
  • Right-click on your connection (for example, Ethernet), and select Disable Network and internet 4
  • Confirm with Yes.

If you are using some type of cloud storage you are connected to, you should disconnect from it immediately. It is also advisable to disconnect all the external devices, such as USB flash sticks, external HDDs, etc. Once the malware elimination process is finished, you can connect your computers to the network and internet, as explained above, but by pressing Enable instead.

Restore Windows "hosts" file to its original state

Some ransomware might modify Windows hosts file in order to prevent users from accessing certain websites online. For example, Djvu ransomware variants add dozens of entries containing URLs of security-related websites, such as Each of the entries means that users will not be able to access the listed web addresses and will receive an error instead.

Here's an example of “hosts” file entries that were injected by ransomware:

Hosts file

In order to restore your ability to access all websites without restrictions, you should either delete the file (Windows will automatically recreate it) or remove all the malware-created entries. If you have never touched the “hosts” file before, you should simply delete it by marking it and pressing Shift + Del on your keyboard. For that, navigate to the following location:


Delete Windows "hosts" file

Restore files using data recovery software

Since many users do not prepare proper data backups prior to being attacked by ransomware, they might often lose access to their files permanently. Paying criminals is also very risky, as they might not fulfill the promises and never send back the required decryption tool.

While this might sound terrible, not all is lost – data recovery software might be able to help you in some situations (it highly depends on the encryption algorithm used, whether ransomware managed to complete the programmed tasks, etc.). Since there are thousands of different ransomware strains, it is immediately impossible to tell whether third-party software will work for you.

Therefore, we suggest trying regardless of which ransomware attacked your computer. Before you begin, several pointers are important while dealing with this situation:

  • Since the encrypted data on your computer might permanently be damaged by security or data recovery software, you should first make backups of it – use a USB flash drive or another storage.
  • Only attempt to recover your files using this method after you perform a scan with anti-malware software.

Install data recovery software

  1. Download Data Recovery Pro.
  2. Double-click the installer to launch it.
    Launch installer
  3. Follow on-screen instructions to install the software. Install program
  4. As soon as you press Finish, you can use the app.
  5. Select Everything or pick individual folders where you want the files to be recovered from. Select what to recover
  6. Press Next.
  7. At the bottom, enable Deep scan and pick which Disks you want to be scanned. Select Deep scan
  8. Press Scan and wait till it is complete. Scan
  9. You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
  10. Press Recover to retrieve your files. Recover files

Create data backups to avoid file loss in the future

One of the many countermeasures for home users against ransomware is data backups. Even if your Windows get corrupted, you can reinstall everything from scratch and retrieve files from backups with minimal losses overall. Most importantly, you would not have to pay cybercriminals and risk your money as well.

Therefore, if you have already dealt with a ransomware attack, we strongly advise you to prepare backups for future use. There are two options available to you:

  • Backup on a physical external drive, such as a USB flash drive or external HDD.
  • Use cloud storage services.

The first method is not that convenient, however, as backups need to constantly be updated manually – although it is very reliable. Therefore, we highly advise choosing cloud storage instead – it is easy to set up and efficient to sustain. The problem with it is that storage space is limited unless you want to pay for the subscription.

Using Microsoft OneDrive

OneDrive is a built-in tool that comes with every modern Windows version. By default, you get 5 GB of storage that you can use for free. You can increase that storage space, but for a price. Here's how to setup backups for OneDrive:

  1. Click on the OneDrive icon within your system tray.
  2. Select Help & Settings > Settings.
    Go to OneDrive settings
  3. If you don't see your email under the Account tab, you should click Add an account and proceed with the on-screen instructions to set yourself up.
    Add OneDrive account
  4. Once done, move to the Backup tab and click Manage backup.
    Manage backup
  5. Select Desktop, Documents, and Pictures, or a combination of whichever folders you want to backup.
  6. Press Start backup.
    Pick which folders to sync

After this, all the files that are imported into the above-mentioned folders will be automatically backed for you. If you want to add other folders or files, you have to do that manually. For that, open File Explorer by pressing Win + E on your keyboard, and then click on the OneDrive icon. You should drag and drop folders you want to backup (or you can use Copy/Paste as well).

Using Google Drive

Google Drive is another great solution for free backups. The good news is that you get as much as 15GB for free by choosing this storage. There are also paid versions available, with significantly more storage to choose from.

You can access Google Drive via the web browser or use a desktop app you can download on the official website. If you want your files to be synced automatically, you will have to download the app, however.

  1. Download the Google Drive app installer and click on it.
    Install Google Drive app
  2. Wait a few seconds for it to be installed. Complete installation
  3. Now click the arrow within your system tray – you should see Google Drive icon there, click it once.
    Google Drive Sign in
  4. Click Get Started. Backup and sync
  5. Enter all the required information – your email/phone, and password. Enter email/phone
  6. Now pick what you want to sync and backup. You can click on Choose Folder to add additional folders to the list.
  7. Once done, pick Next. Choose what to sync
  8. Now you can select to sync items to be visible on your computer.
  9. Finally, press Start and wait till the sync is complete. Your files are now being backed up.

Manual removal using Safe Mode

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Ehiz and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions