A new ransomware variant has been discovered by experienced security professionals. It appends the .hofos file extension to encrypted files. This ransomware targets computers running Microsoft Windows and arrives through spam emails, other malware, or manual installation of the ransomware. Here’s everything you need to know about this ransomware, how to remove .Hofos ransomware and how to restore (decrypt) encrypted photos, documents and music for free.
The .Hofos ransomware is malicious software developed to encrypt the photos, documents and music found on an infected PC using a strong encryption method, appending the .hofos extension to all encrypted documents, photos and music. It can encrypt almost all types of files, including the following:
.tax, .xyp, .xlsm, .xlsx, .css, .big, .pkpass, .rofl, .wsh, .blob, .wps, .sb, .wpw, .slm, .p12, .mddata, .dcr, .z3d, .orf, .fos, .asset, .d3dbsp, .wav, .wpe, .erf, .dazip, .sum, .bkf, .indd, .epk, .x3d, .xwp, .bik, .wpg, .wpb, .bay, .mef, .svg, .pem, .ibank, .lbf, .wma, .psd, .x, .arch00, .wbmp, .ptx, .3fr, .icxs, .m3u, .wotreplay, .accdb, .flv, .gho, .kdc, .zip, .1, .pdf, .wmo, .re4, .bc7, .map, .2bp, .odt, .ybk, .wp7, .zip, .mpqge, .zdb, .x3f, .odm, .hplg, .rgss3a, .cr2, .wdp, .xls, .pptx, .sid, .odc, .xld, .qdf, .zdc, .iwd, .raf, .dng, .odp, .z, .xls, .bc6, .vdf, .xlsx, .hkx, .pef, .xx, .zif, .das, .ods, .7z, .menu, .wpd, .ntl, .doc, .y, .wbc, .wpa, .jpe, .r3d, .jpg, .docx, .cdr, .crt, .webp, .itm, .yml, .mlx, .litemod, .der, .wbk, .xlgc, .txt, .xf, .crw, .cer, .pak, .wdb, .bar, .xdb, .xpm, .p7c, .xxx, .iwi, .syncdb, .xll, .itdb, .vpp_pc, .wsd, .pptm, .wp5, .kdb, .rb, .raw, .dbf, .sie, .vtf, .wmd, .wmf, .wma, .csv, .odb, .xmmap, .mdb, .xlsb, .zi, .wcf, .wmv, .xy3, .dwg, .dxg, .qic, .pdd, .webdoc, .wp, .srw, .rw2, .fpk, .sql, .1st, .wpt, .itl, .rim, .arw, .bkp, .w3x, .hvpl, .wsc, .wp6, .m2, .xbplate, .snx, .mdf, .wire, .ztmp, .rar, .mp4, .tor, .wn, .wot, .gdb, .xlk, .mrwref, .xyw, .bsa, .avi, .cfr, .hkdb, .yal, .ai, .wb2, .desc, .zw, .t13, .pst, .vfs0, .mov, .wri, .sidn, .kf, .lvl, .sr2, .lrf, .psk, .dmp, .mdbackup, .png, .docm, .ysp, .layout, .sav, .m4a, .xml, .sis, .ppt, .upk, .xlsm, .wpd, .t12, .forge, .wbz, .dba, .xbdoc, .3dm, .wbd, .xdl, .js, .p7b, .sidd, .vcf, .wpl, .xmind, .wbm, .py, .srf, .ltx, .0, .3ds, .zabw, .esm, .jpeg, .rtf, .wps, .ncf, .xar, .wm, .fsh, .eps, .mcmeta, .apk, .wgz, .db0, wallet, .wmv, .ff, .vpk, .wp4, .pfx, .cas, .nrw, .ws
When encrypting a file, it adds the .hofos extension to the encrypted file's name to mark the file as encrypted. For example, a file called sample.doc would be encrypted and renamed to sample.doc.hofos.
When the encryption process is done, the malware leaves a ransom note called ‘_readme.txt’ with instructions on how to purchase a private key to decrypt all files. You can see one of the variants of the ransom message below:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-WNIGhROCrH Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
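The two indicators described above (the appended .hofos extension and the _readme.txt note) are enough to measure how far the encryption reached before any cleanup or recovery starts. The following read-only inventory script is an added example, not part of the original guide; the function names and the sample folder layout are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".hofos"   # extension this page says is appended
RANSOM_NOTE = "_readme.txt"   # ransom note name given on this page


def inventory(root):
    """Read-only walk of root; nothing is modified or deleted."""
    encrypted, notes, unrecovered, by_type = [], [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}  # Windows names are case-insensitive
        for name in files:
            lower, path = name.lower(), Path(dirpath) / name
            if lower == RANSOM_NOTE:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX) and lower != ENCRYPTED_SUFFIX:
                original = name[: -len(ENCRYPTED_SUFFIX)]  # sample.doc.hofos -> sample.doc
                encrypted.append(path)
                by_type[Path(original).suffix.lower() or "(none)"] += 1
                # No plaintext file of the original name beside it: still to recover.
                if original.lower() not in present:
                    unrecovered.append(path)
    return {"encrypted": encrypted, "notes": notes,
            "by_type": by_type, "unrecovered": unrecovered}


def build_sample_tree(base):
    """Constructed sample: empty placeholder files, not real ransomware output."""
    layout = {
        "Docs": ["sample.doc.hofos", "notes.txt", "_readme.txt"],
        "Pics": ["a.jpg.hofos", "a.jpg", "b.JPG.HOFOS", "_readme.txt"],
    }
    for folder, names in layout.items():
        (Path(base) / folder).mkdir(parents=True)
        for name in names:
            (Path(base) / folder / name).touch()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = inventory(build_sample_tree(tmp))
        print("encrypted files:", len(report["encrypted"]))
        print("ransom notes:   ", len(report["notes"]))
        print("by original type:", dict(report["by_type"]))
        for p in sorted(report["unrecovered"]):
            print("still to recover:", p)
```

Run `inventory()` against a user profile or data drive before cleanup, and again after restoring files, to see which encrypted files still have no recovered original next to them.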
Threat Summary
Name | .Hofos ransomware |
Type | Ransomware, Filecoder, Crypto virus, File locker |
Contact Email | vengisto@firemail.cc, gorentos@bitmessage.ch |
Ransom note | _readme.txt |
Symptoms | |
Removal | To remove .Hofos ransomware use the removal guide |
Decryption | To decrypt .Hofos ransomware use the steps |
In the guidance below, I have outlined a few methods that you can use to remove the .Hofos ransomware virus from your computer and restore (decrypt) .hofos files using free tools.
Quick links
- How to remove .Hofos ransomware
- How to decrypt .hofos files
- Use STOPDecrypter to decrypt .hofos files
- How to restore .hofos files
- How to protect your system from .Hofos ransomware?
- To sum up
How to remove .Hofos ransomware
There are not many good free antimalware programs with a high detection ratio. The effectiveness of malware removal utilities depends on various factors, mostly on how often their virus/malware signature databases are updated in order to detect modern worms, trojans, ransomware and other malicious software. We recommend running several applications, not just one. The programs listed below will help you remove all components of the .Hofos ransomware from your disk and Windows registry.
Remove .Hofos ransomware with Zemana Anti-malware
Zemana Anti-malware is highly recommended because it can detect security threats such as .Hofos ransomware, adware and other malicious software which most ‘classic’ antivirus apps fail to pick up on. Moreover, if you have any .Hofos ransomware removal problems which cannot be fixed by this utility automatically, Zemana Anti-malware provides 24X7 online assistance from its highly experienced support staff.
Now you can install and use Zemana to remove .Hofos ransomware virus from your web-browser by following the steps below:
Please go to the link below to download Zemana Free setup file named Zemana.AntiMalware.Setup on your computer. Save it on your Desktop.
Run the installer after it has been downloaded successfully and then follow the prompts to install this utility on your computer.
During install you can change certain settings, but we suggest you don’t make any changes to default settings.
When installation is complete, this malicious software removal tool will automatically launch and update itself. You will see its main window as shown in the following example.
Now click the “Scan” button. Zemana Anti-Malware will scan the whole computer for the .Hofos ransomware and other security threats. While Zemana Anti-Malware is scanning, you can see how many objects it has identified as being malicious software.
After the check is finished, Zemana will produce a list of undesired programs and adware. When you are ready, press the “Next” button.
Zemana Anti-Malware (ZAM) will remove the .Hofos ransomware virus and other security threats. When it has finished, you may be prompted to reboot your computer for the change to take effect.
Remove Hofos ransomware virus with MalwareBytes Free
Manual Hofos ransomware virus removal requires some computer skills. Some files and registry entries created by the ransomware virus may not be fully removed. We suggest that you run MalwareBytes Anti-Malware (MBAM) to fully free your personal computer of ransomware. Moreover, this free program will help you remove malware, trojans, adware and worms that your computer may also be infected with.
Click the link below to download the latest version of MalwareBytes for Windows. Save it directly to your Microsoft Windows Desktop.
When the download is done, run it and follow the prompts. Once installed, MalwareBytes Anti-Malware will try to update itself; when this procedure is complete, click the “Scan Now” button. MalwareBytes Anti-Malware will begin scanning the whole PC system for the Hofos ransomware and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your personal computer and the speed of your computer. When a threat is found, the count of security threats will change accordingly. To delete all threats, simply click the “Quarantine Selected” button.
MalwareBytes is a free program that you can use to delete all detected folders, files, services, registry entries and so on. To learn more about this malware removal utility, we recommend that you read and follow the steps or the video guide below.
Delete .Hofos ransomware virus with KVRT
KVRT is a free removal utility that can be downloaded and used to delete ransomware, adware, malware, trojans, worms and other threats from your PC system. You can run this tool to search for threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) on your machine from the link below.
Once the download is finished, double-click the Kaspersky virus removal tool icon. Once the initialization process is finished, you will see the Kaspersky virus removal tool screen as displayed in the figure below.
Click Change Parameters and set a check mark next to all your drives. Click OK to close the Parameters window. Next, press the Start scan button. Kaspersky virus removal tool will begin scanning the whole system for .Hofos ransomware and other malicious software. Depending on your system, the scan can take anywhere from a few minutes to close to an hour. When a threat is detected, the count of security threats will change accordingly.
After the check is complete, KVRT will produce a list of undesired programs and adware as displayed below.
Next, you need to click on Continue to start a cleaning procedure.
How to decrypt .hofos files
The .Hofos ransomware virus offers to make a payment in Bitcoins to get a key to decrypt files.
Never pay the ransom! You might feel that you have no other choice but to pay up and decrypt .hofos documents, photos and music quickly. There is no guarantee that the authors of .Hofos ransomware will live up to their word and give back your personal files.
With some variants of Hofos ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .hofos files
Michael Gillespie released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos). STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.hofos).
Please check the Twitter post for more info.
How to restore .hofos files
In some cases, you can recover files encrypted by .Hofos ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted personal files.
Run ShadowExplorer to restore .hofos files
In some cases, you have a chance to restore your personal files which were encrypted by the .Hofos ransomware. This is possible with a tool called ShadowExplorer. It is a free program designed to obtain ‘shadow copies’ of files.
Download ShadowExplorer by clicking on the following link.
After downloading is finished, extract the saved file to a directory on your computer. This will create the necessary files as shown on the image below.
Start the ShadowExplorerPortable program. Now select the date (2) that you want to restore from and the drive (1) you want to recover files (folders) from as shown in the following example.
In the right panel, navigate to the file (folder) you wish to recover. Right-click the file or folder and click the Export button as shown in the following example.
Finally, specify a folder (your Desktop) in which to save the shadow copy of the encrypted file and click the ‘OK’ button.
Recover .hofos files with PhotoRec
Before a file is encrypted, the .Hofos ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file recovery apps such as PhotoRec.
Download PhotoRec by clicking on the link below.
After the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown in the following example.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll open a screen as on the image below.
Select a drive to recover like below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as shown below.
Click the File Formats button and choose the file types to recover. You can enable or disable the restore of certain file types. When this is finished, press the OK button.
Next, press the Browse button to select where restored files should be written, then click Search.
The count of restored files is updated in real time. All recovered photos, documents and music are written to the folder that you chose in the previous step. You can access the files even if the restore process is not finished.
When the recovery is complete, click the Quit button. Next, open the directory where the recovered files are stored. You will see contents as displayed in the following example.
All restored documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, you can sort your restored files by extension and/or date/time.
How to protect your system from .Hofos ransomware?
Most antivirus apps already have built-in protection against ransomware. Therefore, if your computer does not have an antivirus application, make sure you install one. As extra protection, run HitmanPro.Alert.
Run HitmanPro.Alert to protect your PC system from .Hofos ransomware
All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows OS from MS Windows XP to Windows 10.
Installing the HitmanPro.Alert is simple. First you’ll need to download HitmanPro.Alert by clicking on the link below.
After downloading is finished, open the file location. You will see an icon like below.
Double-click the HitmanPro Alert desktop icon. After the utility is launched, you will be shown a window where you can choose a level of protection, as shown on the screen below.
Now click the Install button to activate the protection.
To sum up
Now your personal computer should be clean of the .Hofos ransomware. Uninstall MalwareBytes Anti-Malware (MBAM) and KVRT. We suggest that you keep Zemana (to periodically scan your machine for new malware). Make sure that you have all the Critical Updates recommended for Windows OS. Without regular updates you WILL NOT be protected when new ransomware, harmful applications and adware are released.
If you are still having problems while trying to remove .Hofos ransomware virus from your PC, then ask for help here.