Mhkwl ransomware (virus) - Recovery Instructions Included
Mhkwl virus Removal Guide
What is Mhkwl ransomware?
Mhkwl ransomware uses randomized strings for file encryption
Mhkwl ransomware is a malicious program designed for money extortion
Ransomware is a type of malicious software that has been gaining popularity among cybercriminals for many years now. Its main goal is to lock all personal files on the infected Windows system and network and then demand a ransom for their retrieval. Mhkwl ransomware belongs to this category of malware and started targeting mainly businesses and regular computer users in late October 2021.
While it is not yet known how the malware is propagated (phishing emails or vulnerabilities[1] in locally installed software are the likely vectors), the damage this infection can do is immense. Once on the machine, the malware changes various system settings, drops additional malicious files, and spreads the infection across the network if the affected machine is connected to one.
The main purpose of the Mhkwl virus is to lock pictures, documents, databases, and other important files on the infected system. This is done with secure encryption algorithms such as AES or RSA, so recovering the key by brute force is infeasible even with the most powerful computers. At this point, users notice that none of the files can be opened: they lose their original icons and are appended with a .[random string].mhkwl extension.
After data locking, the malware also delivers a ransom note etrU_HOW_TO_DECRYPT.txt, which claims that the only method to recover files is by paying a ransom. It is yet unknown how much the attackers ask for, but usually, payments are performed using Bitcoin cryptocurrency. For contact purposes, hackers ask victims to download the TOR browser and enter an Onion web address. Additionally, actors claim they would leak sensitive company information to the public if the demands are not fulfilled.
Name | Mhkwl ransomware
---|---
Type | Ransomware, data locking virus
File extension | .[random string].mhkwl
Ransom note | etrU_HOW_TO_DECRYPT.txt
Contact | hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion
File Recovery | If no backups are available, recovering data is almost impossible. Nonetheless, we suggest you try the alternative methods that could help in some cases; we list them below
Malware removal | Perform a full system scan with powerful security software, such as SpyHunter 5 or Combo Cleaner
System fix | Malware can seriously tamper with Windows systems, causing errors, crashes, lag, and other stability issues after it is terminated. To remediate the OS and avoid reinstalling it, we recommend scanning it with the FortectIntego repair tool
The ransom note
Most malware thrives on being invisible to the user: cybercriminals make sure the malicious program runs in the background without showing any windows and employ techniques that hide it from security solutions. Ransomware, on the other hand, tries to be stealthy only until it fulfills its goal of locking the data. Soon after that, a ransom note is delivered in a way that ensures victims see exactly what has happened and what they are expected to do next.
There are all types of ransom notes used by cybercriminals, although by far the most popular one is a simple text file such as etrU_HOW_TO_DECRYPT.txt. In this case, victims receive the following information after reading it:
Your network has been breached and all data were encrypted.
Personal data, financial reports and important documents are ready to disclose.
To decrypt all the data and to prevent exfiltrated files to be disclosed at
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
you will need to purchase our decryption software.
Please contact our sales department at:
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Login:
Password:
To get an access to .onion websites download and install Tor Browser at:
https://www.torproject.org/ (Tor Browser is not related to us)
Follow the guidelines below to avoid losing your data:
– Do not modify, rename or delete *.key.mhkwl files. Your data will be undecryptable.
– Do not modify or rename encrypted files. You will lose them.
– Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything.
– Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.
– Do not reject to purchase. Exfiltrated files will be publicly disclosed.
There are several tactics that ransomware authors use to retrieve Bitcoin payments from users or companies. In this case, the attackers try to claim that none of the usual entities that should be relied on after a cyberattack are worth the time as they “don't care about you.” According to this message, cybercriminals are the ones that should be trusted, which is not true at all.
Malware authors deliver a ransom note so that victims have means to contact them and proceed with the payment for the file decryptor
If anything, they are the least trustworthy people on the planet – there are plenty of examples where ransomware authors never sent the required decryption key after the payment and sometimes even published confidential information as well.
Therefore, you should not trust the criminals and instead take care of Mhkwl ransomware removal and alternative data restoration methods, which you can find below.
Steps to take after being infected
A ransomware infection is one of the worst experiences for home users and corporations alike. Nobody expects it to strike when it does, and it soon becomes clear that the damage can be immense. Many regular computer users also hold misconceptions about ransomware and are not quite sure how it works. We therefore provide a comprehensive guide to what to do in case of a ransomware attack.
Step 1. Disconnect all affected machines from the network
Disconnecting the affected machine from the network is a mandatory step: it stops the attackers from communicating with it and stops the malware from reaching other hosts. If you are a home user, simply unplug the ethernet cable or switch off the WiFi via the taskbar. In corporate environments, you can disconnect each networked device as follows:
- Type in Control Panel in Windows search and press Enter
- Go to Network and Internet
- Click Network and Sharing Center
- On the left, pick Change adapter settings
- Right-click on your connection (for example, Ethernet), and select Disable
- Confirm with Yes.
Step 2. Remove the Mhkwl virus
Once the machine is no longer connected to the network, you should take care of malware removal. While some ransomware self-destructs after performing file encryption, it is still mandatory to use security software, as the ransomware might leave behind additional malicious modules, have been delivered together with other malware, or continue encrypting data for as long as it is active on the machine.
The best way to keep the malware from running during the scan is to boot into Safe Mode and perform the scan from there.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on the Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find the Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Click Restart.
- Press 5 or click 5) Enable Safe Mode with Networking.
After reaching Safe Mode, launch SpyHunter 5, Combo Cleaner, Malwarebytes, or another antivirus, update it with the latest definitions, and perform a full system scan to remove the malware and all its components from the system.
Note: removing malware from the system will not restore your files. You need to recover them via backups or by using alternative methods we describe in the next section.
Step 3. Attempt file recovery
Paying cybercriminals for a decryption tool is by far the worst solution, as it might result in financial losses. There are plenty of instances where crooks failed to deliver a working decryptor after receiving money, so one can never be sure. Besides, paying them only encourages them to create more dangerous malware and spread it to other users or companies – it only proves to them that the illegal money business actually works.
If you have backups, you should skip these steps and proceed with the following paragraphs. If you don't have any backups, you should make a copy of all the encrypted files before you proceed, as they might get corrupted in the process.
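Copying the encrypted files aside before any recovery attempt is the one step in this section that is easy to get wrong by hand, because a stray rename or an in-place edit destroys the only material a future decryptor could work on. The script below is an added example written for this guide, not the page's own code: it copies every *.mhkwl file (including the *.key.mhkwl files the ransom note says not to touch) into a separate directory, keeps the relative path and timestamps, and writes a SHA-256 manifest so you can later prove the preserved copies are unchanged. Originals are only read. The sample tree and the "tamper" step are constructed for demonstration.

```python
"""Preserve encrypted files before any recovery attempt.

Added example for this guide, not code from the page. Every file ending in
.mhkwl is copied to a separate directory with its relative path intact, and
a SHA-256 manifest is written so the copies can be verified afterwards.
Originals are never renamed or modified. Sample data is constructed.
"""
import hashlib
import os
import shutil
import tempfile

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_of(path):
    """Hash a file in chunks so large encrypted files are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_encrypted(src_root, dest_root, suffix=".mhkwl"):
    """Copy every file ending in `suffix` from src_root into dest_root,
    keeping relative paths and timestamps. Returns {relative_path: sha256}."""
    os.makedirs(dest_root, exist_ok=True)
    manifest = {}
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            if not name.endswith(suffix):
                continue  # ransom notes and untouched files are not copied
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dest_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 preserves modification times
            manifest[rel] = sha256_of(src)
    with open(os.path.join(dest_root, MANIFEST_NAME), "w") as fh:
        for rel, digest in sorted(manifest.items()):
            fh.write(f"{digest}  {rel}\n")
    return manifest


def verify_copies(dest_root):
    """Re-hash every file in the manifest; return the paths that no longer
    match (an empty list means the preserved set is intact)."""
    mismatched = []
    with open(os.path.join(dest_root, MANIFEST_NAME)) as fh:
        for line in fh:
            digest, rel = line.rstrip("\n").split("  ", 1)
            if sha256_of(os.path.join(dest_root, rel)) != digest:
                mismatched.append(rel)
    return mismatched


def build_sample_tree():
    """Constructed sample: a small share after encryption."""
    root = tempfile.mkdtemp(prefix="mhkwl_src_")
    sample = {
        "Documents/report.docx.aB3xZ.mhkwl": b"\x8f\x1c constructed ciphertext",
        "Documents/etrU_HOW_TO_DECRYPT.txt": b"constructed ransom note",
        "Pictures/holiday.jpg.7Ttw.mhkwl": b"\x00\xff constructed ciphertext",
        "Pictures/readme.txt": b"not encrypted",
        "aB3xZ.key.mhkwl": b"constructed key blob",
    }
    for rel, data in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def run_demo():
    """Preserve the sample tree, verify it, then damage one copy to show the
    manifest catching it. Returns (manifest, mismatches_before, mismatches_after)."""
    src = build_sample_tree()
    dest = tempfile.mkdtemp(prefix="mhkwl_preserved_")
    manifest = preserve_encrypted(src, dest)
    before = verify_copies(dest)
    tampered = next(rel for rel in manifest if rel.endswith("holiday.jpg.7Ttw.mhkwl"))
    with open(os.path.join(dest, tampered), "ab") as fh:
        fh.write(b"x")  # constructed: simulates a recovery tool altering the copy
    after = verify_copies(dest)
    return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = run_demo()
    print(f"preserved {len(manifest)} files; mismatches before: {before}, after: {after}")
```

Keep the preserved directory on a separate, offline volume and run verify_copies against it before and after each recovery attempt; the originals stay exactly as the malware left them, which is what a later decryptor will need.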
Install data recovery software
- Download Data Recovery Pro.
- Double-click the installer to launch it.
- Follow on-screen instructions to install the software.
- As soon as you press Finish, you can use the app.
- Select Everything or pick individual folders where you want the files to be recovered from.
- Press Next.
- At the bottom, enable Deep scan and pick which Disks you want to be scanned.
- Press Scan and wait till it is complete.
- You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
- Press Recover to retrieve your files.
Try to find a decryptor
Security researchers regularly work on decryption tools for major ransomware strains. In some cases, flaws in the encryption process are found, or the criminals' servers are seized by law enforcement agencies and the keys recovered. You can look for decryptors on the following pages, but keep in mind that it may take a long time before a working one appears, if one appears at all.
- No More Ransom Project
- Free Ransomware Decryptors by Kaspersky
- Free Ransomware Decryption Tools from Emsisoft
- Avast decryptors
Step 4. Repair damaged system files
Ransomware usually targets files that are important for personal use, such as documents or pictures. However, during the process of infection, the malware also performs a great number of changes to the operating system, some of which can damage system files.
This can later cause Windows to fail loading programs, show errors, crashes, BSODs, and other issues. Unfortunately, security software is not capable of remediating these issues, as its main job is to remove all the malicious files and stop malware from operating and causing even more damage.
In order to address these problems, we strongly recommend using software designed for that purpose. The other option is to reinstall the system altogether, which could take a lot of time and cause loss of valuable settings configurations or applications. Instead, follow these steps:
- Download FortectIntego
- Click on the ReimageRepair.exe
- If User Account Control (UAC) shows up, select Yes
- Press Install and wait till the program finishes the installation process
- The analysis of your machine will begin immediately
- Once complete, check the results – they will be listed in the Summary
- You can now click on each of the issues and fix them manually
- If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.
Step 5. Report to authorities
Since Mhkwl ransomware mainly targets businesses and corporations, it is important you report the incident to the authorities as soon as possible. Additionally, the US authorities are pushing for a law that would make ransom payment reports to authorities a mandatory process, so keep that in mind.[2]
It goes without saying that reports make it easier for governmental agencies such as the FBI to catch the culprits and shut down their operations for good. Likewise, the information can be used by security experts to analyze the attack and figure out the countermeasures, as well as free decryption tools. Here are a few links you could use:
- USA – Internet Crime Complaint Center IC3
- United Kingdom – ActionFraud
- Canada – Canadian Anti-Fraud Centre
- Australia – ScamWatch
- New Zealand – ConsumerProtection
- Germany – Polizei
- France – Ministère de l'Intérieur
While many corporations have working backups, they sometimes might be breached and affected as well, so it is important to make sure that adequate procedures are undertaken in order to prevent such a course of events. If you are a regular computer user, you should refer to the instructions below that would help you create backups of your files on remote cloud servers for better protection against ransomware in the future.
Getting rid of Mhkwl virus. Follow these steps
Create data backups to avoid file loss in the future
One of the most effective countermeasures against ransomware for home users is data backups. Even if your Windows installation gets corrupted, you can reinstall everything from scratch and retrieve your files from backups with minimal losses overall. Most importantly, you would not have to pay cybercriminals and risk your money.
Therefore, if you have already dealt with a ransomware attack, we strongly advise you to prepare backups for future use. There are two options available to you:
- Backup on a physical external drive, such as a USB flash drive or external HDD.
- Use cloud storage services.
The first method is very reliable but not that convenient, as the backups need to be updated manually and the drive should stay disconnected when not in use so that ransomware cannot reach it. We therefore advise choosing cloud storage as well: it is easy to set up and easy to maintain. Its drawback is that free storage space is limited unless you pay for a subscription.
Using Microsoft OneDrive
OneDrive is a built-in tool that comes with every modern Windows version. By default, you get 5 GB of storage for free; you can increase that storage space for a price. Here's how to set up OneDrive backups:
- Click on the OneDrive icon within your system tray.
- Select Help & Settings > Settings.
- If you don't see your email under the Account tab, you should click Add an account and proceed with the on-screen instructions to set yourself up.
- Once done, move to the Backup tab and click Manage backup.
- Select Desktop, Documents, and Pictures, or a combination of whichever folders you want to backup.
- Press Start backup.
After this, all files placed into the above-mentioned folders will be backed up automatically. If you want to add other folders or files, you have to do that manually: open File Explorer by pressing Win + E, click the OneDrive entry, and drag and drop (or copy and paste) the folders you want to back up.
Using Google Drive
Google Drive is another great solution for free backups. The good news is that you get as much as 15GB for free by choosing this storage. There are also paid versions available, with significantly more storage to choose from.
You can access Google Drive via the web browser or use a desktop app you can download on the official website. If you want your files to be synced automatically, you will have to download the app, however.
- Download the Google Drive app installer and click on it.
- Wait a few seconds for it to be installed.
- Now click the arrow within your system tray – you should see Google Drive icon there, click it once.
- Click Get Started.
- Enter all the required information – your email/phone, and password.
- Now pick what you want to sync and backup. You can click on Choose Folder to add additional folders to the list.
- Once done, pick Next.
- Now you can select to sync items to be visible on your computer.
- Finally, press Start and wait till the sync is complete. Your files are now being backed up.
Finally, you should always think about protection against crypto-ransomware. To protect your computer from Mhkwl and other ransomware, use reputable anti-malware software such as FortectIntego, SpyHunter 5, Combo Cleaner, or Malwarebytes.
How to prevent from getting ransomware
Choose a proper web browser and improve your safety with a VPN tool
Online tracking has gained momentum in recent years, and people are increasingly interested in how to protect their privacy online. One basic way to add a layer of security is to choose a private and secure web browser. Although no browser can grant full privacy protection and security, some are much better at sandboxing, HTTPS upgrading, active content blocking, tracker blocking, phishing protection, and similar privacy-oriented features. If you want stronger protection against tracking, we suggest using a VPN such as Private Internet Access: it encrypts all the traffic that enters and leaves your computer, which hides it from observers on the local network and from your ISP.
Lost your files? Use data recovery software
While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.
To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.
- [1] Thomas Holt. What Are Software Vulnerabilities, and Why Are There So Many of Them? Scientific American.
- [2] Carly Page. A new US bill would force companies to disclose ransomware payments. TechCrunch.