Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Sep 2017

How to remove MoWare H.F.D ransomware virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Gabriel E. Hall · Passionate web researcher

MoWare developers continue working on new versions

Ransom note by MoWare H.F.D ransomware virus

MoWare H.F.D virus functions as a file-encrypting virus which is generated on the basis of HiddenTear open source ransomware project. In the ransom file, perpetrators alert users that the malware employs RSA-4096 encryption algorithm and locks files with a cryptographically strong key; the researcher has shown that it tries to distort data by using XOR cipher[1] and appending .H_F_D_locked file extension. While the overall activity of the threat remains quite low, once in a while, new samples emerge in the cyber space. 

Following data encryption, it opens a program window that includes ransom note. Cyber criminals emphasize that MoWare removal does not help to restore encrypted files. According to crooks, in order to get back access to the data, victims need to pay 0.02 Bitcoins within 4 days time to acquire the decryption key. 

When the timer, provided in the ransom note, turns to zero and cyber criminals will not receive a payment, the size of the ransom increase to 0.05 Bitcoins. Despite the fact cyber criminals provided detailed information about data encryption and recovery, you should not analyze it and follow the instructions. It seems that malware is not developed properly and it may not encrypt your files.

Thus, all you have to do is to remove MoWare H.F.D with FortectIntego or MalwarebytesMalwarebytes and protect your device from other cyber threats. If ransomware managed to lock your files, at the end of the article, you could find an explanation how to recover them without paying the ransom.

The peculiarities of the virus

On the affected device MoWare H.F.D is supposed to scan the system and target documents, pictures, databases and other files. Once it's done, ransomware delivers a ransom note where criminals explain encryption procedure and try to convince victims that the only way to restore files is to pay the ransom. As we already mentioned, the size of the ransom consists of 2 Bitcoins, and after 4 days it doubles.

Thus, victims are asked to hurry up and make a transaction in time. Once the payment is made, users have to send an email to heyklog@pronmail.com with their Bitcoin transaction ID and computer identifier that is given in the ransom note. The authors of MoWare H.F.D promise to answer and provide a unique decryption key. However, they may not keep the pledge. Paying the ransom may lead to data loss. Thus, you should leave your credit card in the wallet and do not buy any Bitcoins.

MoWare H.F.D ransom note also has a link saying “Click here to restore and recovery your files.” It opens a new window that provides the list of directories and encrypted files. However, the analysis of the virus shown, that files might still be accessible. Thus, before thinking about data recovery solution or rushing to pay the ransom (not recommended), you should make sure whether malware caused you real damage or not. 

Bear in mind that the most important task after ransomware attack is its elimination because this cyber infection makes the system vulnerable and accessible to other malware. Thus, do not hesitate and get rid of MoWare H.F.D ransomware virus as soon as possible.

The image of MoWare H.F.D ransomware virus

Other versions 

While the malware keeps active on the cyber space, new versions appear. A couple of months ago, what seemed to be a new version of the threat, CryptoGod. However, further investigation revealed that the threat is the wrongdoings of another cyber criminal. What is more, it appends a different file extension – .payforunlock unlike the original malware which added .H_F_D_locked. The name of the threat also refers to the Indonesian metal band. 

Speaking of the original threat, it was recently spotted again. The malware functions under MoWare H.F.D.exe file. Luckily, you can interrupt its further activity via the Task Manager.  However, it does not cease it from functioning completely.  Make a rush to eliminate the threat with a security tool. After that, you can look up several data decryption options. This malware is seen to target users globally. You might also notice it on the Chinese[2] cyber space.

Update September 20th, 2017. IT expert Lawrence Abrams spotted the new version called Blackhat ransomware. It appends the same .H_F_D_locked extension. The extension also sticks to using XOR cipher. 

The very source code of the malware does not seem much improved either. Its alternative trojan names: Gen:Heur.Ransom.HiddenTears.1Trojan.Ransom.BlackHat, and Trojan.MSIL.Agent.adhfu, illustrates such statement. The malware functions via blackbat.exe, though it may target a system in an alternative file. The virus also follows the manner of typical ransomware and demands money within specified amount of ransomware. 

In exchange to Blackhat Decrypter, victims should pay $200 in bitcoins. In case they face technical difficulties, the felons provide blackhatdarkmatrix@gmail.com. There is no information whether anyone has paid the ransom and retrieved the data.

Developers stick to the same transmission methods

One of the most popular methods to spread ransomware is malicious spam emails. Thus, there’s no surprise that MoWare might also arrive on the system with the help of obfuscated email attachment. Such letter might look like sent from a governmental institution, bank or well-known retailer.

Thus, you can be easily tricked into opening the attached Word or PDF document. If you click on infected document, a malicious MoWare H.F.D.exe file will be dropped and executed on the system. Once it’s done, ransomware starts its cyber attack.

However, it may also enter the system when users click on a malware-laden ad or download bogus software or its update. Thus, it’s crucial to be careful and always double-check the information before clicking on unknown content and downloading files or programs.[3]

Eliminate MoWare crypto-malware

MoWare H.F.D removal has to be completed using reputable malware removal program, such as FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. File-encrypting viruses are complicated cyber infections that have to be terminated from the device properly. Trying to locate and delete malicious files from the PC may lead to the system damage.

Thus, you should not risk and remove MoWare H.F.D automatically. Before installing your preferred security tool, you may need to reboot the device to the Safe Mode with Networking. It helps to disable the virus and eliminate it without any problems.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.