Cyber Security Center

Hhmgzyl ransomware removal


Hhmgzyl ransomware is file-encrypting malware from the Snatch ransomware family. It encrypts files, adds the .hhmgzyl file extension to them, and drops the HOW TO RESTORE YOUR FILES.TXT ransom note.

 

Hhmgzyl ransomware noteHhmgzyl ransomware is a dangerous piece of malware that will encrypt all important files as soon as it is initiated on a computer. Like most malware, it targets files like documents, photos, videos, etc. Encrypted files will have the .hhmgzyl file extension added to them, and the ransomware will drop a ransom note that demands victims contact the cyber crooks behind this ransomware via email. If victims were to contact them, they would be told that they need to pay a ransom to get a decryptor for encrypted files.

But engaging with ransomware operators and paying the ransom is very risky. Because these are cyber criminals victims are dealing with, there is no way of knowing whether a decryptor would be sent or if it would work. These crooks can easily take the money without sending a decryptor.

Unfortunately, the only free way users can recover files is backup. If users have backed up files prior to their computers becoming infected, they can start file recovery once they remove Hhmgzyl ransomware. If the malware still remains when backup is accessed, the files in backup could become encrypted as well.

Ransomware distribution methods

In many cases, users end up with ransomware on their computers because they have bad habits, which include opening spam email attachments, downloading torrents and software cracks, clicking on ads when on dangerous sites, not installing updates, etc.

Torrent sites and forums offering software cracks are often full of malware because they are not regulated properly. Malware distributors can easily upload all kinds of malware and disguise it as a popular movie, game, episode of TV series, etc. It’s no secret that it’s very easy to download malware via torrents, and it’s one of the reasons why users are discouraged from using them. Forums offering software cracks are the same.

Clicking on ads while on high-risk websites can be quite dangerous because those ads are not safe. High-risk sites usually include those hosting pornography and pirated content. Browsing those websites without adblocker and anti-virus software is not recommended.

But perhaps the most common way users pick up malware is by opening spam email attachments. Users’ email addresses are purchased from hacker forums, where they ended up on after a data breach. A spam email campaign is launched using those email addresses, and it distributes the malware. But fortunately, users can easily differentiate between legitimate and spam emails as long as they are attentive. First of all, spam emails will often be sent from nonsense email addresses, while senders will claim to be from known companies/organizations. If there is any text in the email, it will have loads of spelling and grammar mistakes. Some emails may be more sophisticated than others, which is why it’s so important to always scan unsolicited email attachments with anti-virus software or VirusTotal before opening them.

What does Hhmgzyl ransomware do?

As soon as the malware is initiated, it will start encrypting files. All photos, videos, documents, etc., will be encrypted and have .hhmgzyl file extension attached to them. For example, image.jpg would become image.jpg.hhmgzyl. Users will be unable to open these files, unless they first decrypt them using a special decryption tool. The cyber criminals behind this ransomware will try to sell the decryption tool to victims. This is explained in the HOW TO RESTORE YOUR FILES.TXT ransom note. The ransom note asks that victims contact the cyber criminals behind this ransomware via email to retrnyourfiles23@cock.li and retrnyoufiles@tutanota.com. The note also says that victims can recover three files for free.

Here is the full Hhmgzyl ransom note:

Hello! All your files are encrypted and only we can decrypt them.

Contact us:

retrnyourfiles23@cock.li or retrnyoufiles@tutanota.com

Write us if you want to return your files – we can do it very quickly!

The header of letter must contain extension of encrypted files.
We always reply within 24 hours. If not – check spam folder, resend your letter or try send letter from another email service (like protonmail.com or cock.li).

Attention!
Do not rename or edit encrypted files: you may have permanent data loss.

To prove that we can recover your files, we am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups).

HURRY UP!
If you do not email us in the next 48 hours then your data may be lost permanently.

The ransom sum is not mentioned in the ransom note but ransomware targeting individual users usually requests between $100 and $1000. Whatever the sum may be, there is a high chance that cyber criminals behind this ransomware would not send a decryptor once the payment has been made. There really is nothing stopping the operators of this malware from simply taking the money and providing nothing in return. This has happened many times in the past, and will likely happen many times in the future.

If users do not have backup, there unfortunately aren’t many options left. It is possible that malware researchers will release a free decryptor in the future but currently, one is not available. It is very important that users are careful about where they download decryptors from. Otherwise, they could end up downloading malware. NoMoreRansom and Emsisoft are good sources for decryptors. Victims can also upload the ransom note onto IDRansomware to get more information on the ransomware itself and potential decryptors. It should also be mentioned that some companies/people offer to decrypt files, and users should be very skeptical of this as there currently is no way of decrypting files without paying the ransom.

Currently, the only way to recover files is from backup. Ransomware is one of the reasons why regularly backing up important files is so crucial. If users do have backup, all they need to do is get rid of the ransomware before accessing backup.

How to delete Hhmgzyl ransomware

Users should not attempt to remove Hhmgzyl ransomware manually because it is a complex infection and unless users know exactly what they’re doing, they could end up doing more damage. Instead, users should use anti-malware software. Unfortunately, removing the malware does not mean files would be decrypted. Victims need a decryptor specifically for this ransomware to do that.

Once Hhmgzyl ransomware removal is complete, users can start file recovery via backup.

Hhmgzyl ransomware is detected as:

  • Win64:Trojan-gen by Avast/AVG
  • A Variant Of Win64/Filecoder.BL by ESET
  • HEUR:Trojan-Ransom.Win32.Gen.vho by Kaspersky
  • Ransom.Snatch by Malwarebytes
  • Ransom.Win64.KRYGO.SMTH by TrendMicro
  • Ransom:Win64/Snatch.A!MTB by Microsoft