Mhkwl ransomware (virus) - Recovery Instructions Included

Mhkwl virus Removal Guide

What is Mhkwl ransomware?

Mhkwl ransomware uses randomized strings for file encryption

Mhkwl ransomwareMhkwl ransomware is a malicious program designed for money extortion

Ransomware is a type of malicious software that has been gaining popularity among cybercriminals for many years now. Its main goal is to lock all personal files on the infected Windows system and network and then demand a ransom for their retrieval. Mhkwl ransomware belongs to this category of malware and started targeting mainly businesses and regular computer users in late October 2021.

While it is yet not known how malware is propagated (although it is likely to be phishing emails or software vulnerabilities[1] within the locally used software), the damage that could be done by this infection is immense. Once on the machine, malware changes various system settings, imports malicious files and spreads the infection via the network if the affected machine is connected to one.

The main purpose of the Mhkwl virus is to lock pictures, documents, databases, pictures, and other important files on the infected system. This is process is conducted with the help of secure encryption algorithms such as AES or RSA, making key deciphering impossible with even the most powerful computers. At this time, users would notice that none of the files can be opened – they lose their original icons and are also appended with a .[random string].mhkwl extension.

After data locking, the malware also delivers a ransom note etrU_HOW_TO_DECRYPT.txt, which claims that the only method to recover files is by paying a ransom. It is yet unknown how much the attackers ask for, but usually, payments are performed using Bitcoin cryptocurrency. For contact purposes, hackers ask victims to download the TOR browser and enter an Onion web address. Additionally, actors claim they would leak sensitive company information to the public if the demands are not fulfilled.

Name Mhkwl ransomware
Type Ransomware, data locking virus
File extension [random string].mhkwl
Ransom note etrU_HOW_TO_DECRYPT.txt
Contact hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion
File Recovery If no backups are available, recovering data is almost impossible. Nonetheless, we suggest you try the alternative methods that could help you in some cases – we list them below
Malware removal Perform a full system scan with powerful security software, such as SpyHunter 5Combo Cleaner
System fix Malware can seriously tamper with Windows systems, causing errors, crashes, lag, and other stability issues after it is terminated. To remediate the OS and avoid its reinstallation, we recommend scanning it with the ReimageIntego repair tool

The ransom note

While a lot of malware thrives on being invisible to users operating the computer, cybercriminals make sure that the malicious program runs in the background without showing and windows and even employ techniques that would obfuscate the virus from security solutions. Ransomware, on the other hand, tries to be stealthy only until it fulfills its goal – data locking. Soon after that, a ransom note is delivered in a way that would ensure victims see what is precisely going on and what to do next.

There are all types of ransom notes used by cybercriminals, although by far the most popular one is a simple text file such as etrU_HOW_TO_DECRYPT.txt. In this case, victims receive the following information after reading it:

Your network has been breached and all data were encrypted.
Personal data, financial reports and important documents are ready to disclose.

To decrypt all the data and to prevent exfiltrated files to be disclosed at
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
you will need to purchase our decryption software.

Please contact our sales department at:
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Login:
Password:

To get an access to .onion websites download and install Tor Browser at:
https://www.torproject.org/ (Tor Browser is not related to us)

Follow the guidelines below to avoid losing your data:

– Do not modify, rename or delete *.key.mhkwl files. Your data will be
undecryptable.
– Do not modify or rename encrypted files. You will lose them.
– Do not report to the Police, FBI, etc. They don\'t care about your business.
They simply won\'t allow you to pay. As a result you will lose everything.
– Do not hire a recovery company. They can\'t decrypt without the key.
They also don\'t care about your business. They believe that they are
good negotiators, but it is not. They usually fail. So speak for yourself.
– Do not reject to purchase. Exfiltrated files will be publicly disclosed.

There are several tactics that ransomware authors use to retrieve Bitcoin payments from users or companies. In this case, the attackers try to claim that none of the usual entities that should be relied on after a cyberattack are worth the time as they “don't care about you.” According to this message, cybercriminals are the ones that should be trusted, which is not true at all.

Mhkwl ransomwareMalware authors deliver a ransom note so that victims have means to contact them and proceed with the payment for the file decryptor

If anything, they are the least trustworthy people on the planet – there are plenty of examples where ransomware authors never sent the required decryption key after the payment and sometimes even published confidential information as well.

Therefore, you should not trust the criminals and instead take care of Mhkwl ransomware removal and alternative data restoration methods, which you can find below.

Steps to take after being infected

Ransomware infection is the of the worst experiences for computer users as well as corporations. Nobody expects it to strike when it does, although it soon becomes clear that damage could be immense. Many regular computer users also have a lot of misconceptions about ransomware and are not quite sure how it all works. Thus, we provide a comprehensive guide that shows you what to do in case of a ransomware attack.

Step 1. Disconnect all affected machines from the network

Disconnecting the affected machine from the internet is a mandatory step that ensures that the attackers can no longer communicate with it. If you are a home user, you can simply plug out the ethernet cable or switch off the WiFi via the taskbar. In the corporate environments, you can disconnect all the networked devices as follows:

  • Type in Control Panel in Windows search and press Enter
  • Go to Network and Internet
  • Click Network and Sharing Center
  • On the left, pick Change adapter settingsNetwork and internet 3
  • Right-click on your connection (for example, Ethernet), and select DisableNetwork and internet 4
  • Confirm with Yes.

Step 2. Remove the Mhkwl virus

Once the machine is no longer connected to the internet, you should take care of the malware removal process. While some ransomware self-destructs after performing file encryption, it is still mandatory to use security software when dealing with it, as it might leave several malicious modules, be spread with other malware, or continue encrypting data while it is active on the machine.

The best way to bypass malware functions is by accessing Safe Mode and performing the scan from there.

Windows 7 / Vista / XP

  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.Windows XP/7

Windows 10 / Windows 8

  1. Right-click on the Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find the Advanced Startup section.
  5. Click Restart now.Recovery
  6. Select Troubleshoot.Choose an option
  7. Go to Advanced options.Advanced options
  8. Select Startup Settings.Startup settings
  9. Click Restart.
  10. Press 5 or click 5) Enable Safe Mode with Networking.Press F5 to enable Safe Mode with Networking

After reaching Safe Mode, launch SpyHunter 5Combo Cleaner, Malwarebytes, or another antivirus, update it with the latest definitions, and perform a full system scan to remove malware and all its components from the system.

Note: removing malware from the system will not restore your files. You need to recover them via backups or by using alternative methods we describe in the next section.

Step 3. Attempt file recovery

Paying cybercriminals for a decryption tool is by far the worst solution, as it might result in financial losses. There are plenty of instances where crooks failed to deliver a working decryptor after receiving money, so one can never be sure. Besides, paying them only encourages them to create more dangerous malware and spread it to other users or companies – it only proves to them that the illegal money business actually works.

If you have backups, you should skip these steps and proceed with the following paragraphs. If you don't have any backups, you should make a copy of all the encrypted files before you proceed, as they might get corrupted in the process.

Install data recovery software

  1. Download Data Recovery Pro.
  2. Double-click the installer to launch it.
    Mhkwl ransomware
  3. Follow on-screen instructions to install the software.Install program
  4. As soon as you press Finish, you can use the app.
  5. Select Everything or pick individual folders where you want the files to be recovered from.
  6. Press Next.
  7. At the bottom, enable Deep scan and pick which Disks you want to be scanned.Select Deep scan
  8. Press Scan and wait till it is complete.
  9. You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
  10. Press Recover to retrieve your files.Recover files

Try to find a decryptor

Security experts are known to work on decryption tools for major ransomware strains. In some cases, flaws within the encryption process can be found or criminals' servers seized by the lay authority agencies. In any case, you could look for decryptors on the following pages, although keep in mind it might take a while until there's a working one made.

Step 4. Repair damaged system files

Ransomware usually targets files that are important for personal use, such as documents or pictures. However, during the process of infection, the malware also performs a great number of changes to the operating system, some of which can damage system files.

This can later cause Windows to fail loading programs, show errors, crashes, BSODs, and other issues. Unfortunately, security software is not capable of remediating these issues, as its main job is to remove all the malicious files and stop malware from operating and causing even more damage.

In order to address these problems, we strongly recommend using software designed for that purpose. The other option is to reinstall the system altogether, which could take a lot of time and cause loss of valuable settings configurations or applications. Instead, follow these steps:

  • Download ReimageIntego
  • Click on the ReimageRepair.exe
    Reimage download
  • If User Account Control (UAC) shows up, select Yes
  • Press Install and wait till the program finishes the installation processReimage installation
  • The analysis of your machine will begin immediatelyReimage scan
  • Once complete, check the results – they will be listed in the Summary
  • You can now click on each of the issues and fix them manually
  • If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.Reimage results

Step 5. Report to authorities

Since Mhkwl ransomware mainly targets businesses and corporations, it is important you report the incident to the authorities as soon as possible. Additionally, the US authorities are pushing for a law that would make ransom payment reports to authorities a mandatory process, so keep that in mind.[2]

It goes without saying that reports make it easier for governmental agencies such as the FBI to catch the culprits and shut down their operations for good. Likewise, the information can be used by security experts to analyze the attack and figure out the countermeasures, as well as free decryption tools. Here are a few links you could use:

Internet Crime Complaint Center IC3

While many corporations have working backups, they sometimes might be breached and affected as well, so it is important to make sure that adequate procedures are undertaken in order to prevent such a course of events. If you are a regular computer user, you should refer to the instructions below that would help you create backups of your files on remote cloud servers for better protection against ransomware in the future.

Offer
do it now!
Download
Reimage Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Mhkwl virus. Follow these steps

Create data backups to avoid file loss in the future

One of the many countermeasures for home users against ransomware is data backups. Even if your Windows get corrupted, you can reinstall everything from scratch and retrieve files from backups with minimal losses overall. Most importantly, you would not have to pay cybercriminals and risk your money as well.

Therefore, if you have already dealt with a ransomware attack, we strongly advise you to prepare backups for future use. There are two options available to you:

  • Backup on a physical external drive, such as a USB flash drive or external HDD.
  • Use cloud storage services.

The first method is not that convenient, however, as backups need to constantly be updated manually – although it is very reliable. Therefore, we highly advise choosing cloud storage instead – it is easy to set up and efficient to sustain. The problem with it is that storage space is limited unless you want to pay for the subscription.

Using Microsoft OneDrive

OneDrive is a built-in tool that comes with every modern Windows version. By default, you get 5 GB of storage that you can use for free. You can increase that storage space, but for a price. Here's how to setup backups for OneDrive:

  1. Click on the OneDrive icon within your system tray.
  2. Select Help & Settings > Settings.
    Go to OneDrive settings
  3. If you don't see your email under the Account tab, you should click Add an account and proceed with the on-screen instructions to set yourself up.
    Add OneDrive account
  4. Once done, move to the Backup tab and click Manage backup.
    Manage backup
  5. Select Desktop, Documents, and Pictures, or a combination of whichever folders you want to backup.
  6. Press Start backup.
    Pick which folders to sync

After this, all the files that are imported into the above-mentioned folders will be automatically backed for you. If you want to add other folders or files, you have to do that manually. For that, open File Explorer by pressing Win + E on your keyboard, and then click on the OneDrive icon. You should drag and drop folders you want to backup (or you can use Copy/Paste as well).

Using Google Drive

Google Drive is another great solution for free backups. The good news is that you get as much as 15GB for free by choosing this storage. There are also paid versions available, with significantly more storage to choose from.

You can access Google Drive via the web browser or use a desktop app you can download on the official website. If you want your files to be synced automatically, you will have to download the app, however.

  1. Download the Google Drive app installer and click on it.
    Install Google Drive app
  2. Wait a few seconds for it to be installed. Complete installation
  3. Now click the arrow within your system tray – you should see Google Drive icon there, click it once.
    Google Drive Sign in
  4. Click Get Started. Backup and sync
  5. Enter all the required information – your email/phone, and password. Enter email/phone
  6. Now pick what you want to sync and backup. You can click on Choose Folder to add additional folders to the list.
  7. Once done, pick Next. Choose what to sync
  8. Now you can select to sync items to be visible on your computer.
  9. Finally, press Start and wait till the sync is complete. Your files are now being backed up.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Mhkwl and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.

 

Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions

References