Ransomware in generalĪs a rule, ransomware encrypts files, appends its extension to filenames, and creates a ransom note. For this reason, it should be removed from infected computers as soon as possible. For example, it can encrypt new files and infect computers connected to a local network. While active, ransomware can cause more damage. Unfortunately, files cannot be recovered without tools purchased from cybercriminals unless victims have data backup or a third-party decryption tool is available online.
Thus, it is strongly recommended not to pay a ransom. Ransomware victims often do not receive a decryption tool even after paying for it. The attackers will decrypt that file for free (it cannot contain valuable information). It provides two email addresses: and Also, the ransom note mentions that victims can send one encrypted file before purchasing decryption tools. Decryption tools can be purchased for $980 or $490, depending on whether victims will contact the attackers within or after 72 hours. It states that victims must purchase decryption software and a unique key to restore access to files. The ransom note is created to provide payment and contact information. Screenshot of files encrypted by Hhwq ransomware:
It also drops the " _readme.txt" file (a ransom note). hhwq" extension to filenames (for example, it renames " 1.jpg" to " 1.jpg.hhwq", " 2.png" to " 2.png.hhwq", and so forth). Our malware researchers discovered it during an analysis of samples submitted to the VirusTotal page. Hhwq is ransomware belonging to the Djvu family.