Secuestro de datos

Virus VEHU (.archivo vehu) Secuestro de datos

¿Qué tipo de malware es Vehu??

Vehu is a ransomware variant from the Djvu family that we discovered during an analysis of samples submitted to VirusTotal. Ransomware is a type of malware that encrypts files and demands payment for their decryption. In addition to encrypting files, Vehu appends its extension (“.vehu”) to filenames and provides a ransom note (“_README.txt“).

An example of how files encrypted by Vehu are renamed: “1.jpgis changed to1.jpg.vehu“, “2.png” a “2.png.vehu“, and so on. Since Vehu is part of the Djvu family, it may be distributed alongside information stealers like Vidar and RedLine.

Screenshot of files encrypted by Vehu ransomware:

PC infectada: Archivos VEHU

PC infectada: Archivos VEHU

Vehu ransom note overview

Vehu’s ransom note informs victims that their files are encrypted and that the only way to recover them is to purchase a decryption tool and a unique key. It also says that the attackers offer to decrypt one file (not containing valuable information) for free. The note provides two contact emails: support@freshingmail.top and datarestorehelpyou@airmail.cc.

It provides the price of decryption $999 and says it can be reduced to $499 if victims contact threat actors within 72 horas. Lastly, it ensures victims that data cannot be restored without payment.

Ransom Note: _readme.txt

Ransom Note: _readme.txt

NombreVehu Virus
Familia 1STOP/Djvu Ransomware
Extension.vehu
Ransomware note_readme.txt
RansomFrom $499 a $999 (in Bitcoins)
Contactsupport@freshingmail.top, datarestorehelpyou@airmail.cc
Symptoms
  • Encrypts most of your files (photos, videos, documents) and adds a particular “.vehuextension;
  • Deletes Volume Shadow copies to make attempts to restore data impossible for the victim;
  • Adds a list of domains to the HOSTS file to block access to certain security-related sites;
  • Installs a password-stealing Trojan on the system, like Vidar Stealer or RedLine Stealer;
  • Manages to install a SmokeLoader backdoor;
RecoveryStart recovery with a comprehensive antivirus scan. Although not all files may be recoverable, our guide outlines several potential methods to regain access to encrypted files.

Djvu ransomware initiates its activities by utilizing multi-stage shellcodes, leading to file encryption. Además, the malware integrates loops to extend its execution duration, making it harder for security systems to identify the malware.

Also, Djvu ransomware employs dynamic API resolution to access vital tools covertly. Later, it utilizes process hollowing, creating a replica of itself masked as another process to conceal its true intent.

How Vehu ransomware infect my PC?

Cybercriminals distribute ransomware in various ways. Djvu ransomware is commonly delivered via pirated software (or cracking tools and key generators) and shady pages posing as platforms for downloading videos from YouTube. Emails containing malicious attachments and links are also used as malware distribution channels.

Además, computer infections can occur through software vulnerabilities, malicious advertisements, compromised websites, drive-by downloads, compromised USB drives, P2P networks, unofficial pages, and similar channels. Overall, most cybercriminals aim to lure users into performing actions resulting in computer infections.

How To Remove?

Remove Vehu Virus with Gridinsoft Anti-Malware

También hemos estado utilizando este software en nuestros sistemas desde entonces., y siempre ha tenido éxito en la detección de virus.. It has blocked the most common Ransomware as mostrado en nuestras pruebas con el software, and we assure you that it can remove Vehu Virus as well as other malware hiding on your computer.

Antimalware Gridinsoft - Pantalla principal

Para utilizar Gridinsoft para eliminar amenazas maliciosas, sigue los pasos a continuación:

1. Comience descargando Gridinsoft Anti-Malware, accesible a través del botón azul a continuación o directamente desde el sitio web oficial gridinsoft.com.

2.Una vez que el archivo de instalación de Gridinsoft (setup-gridinsoft-fix.exe) se descarga, ejecutarlo haciendo clic en el archivo. Follow the installation setup wizard's instructions diligently.

Asistente de configuración de Gridinsoft

3. Acceder al "Pestaña Escanear" on the application's start screen and launch a comprehensive "Análisis completo" para examinar toda su computadora. Este escaneo inclusivo abarca la memoria., elementos de inicio, el registro, servicios, conductores, y todos los archivos, asegurando que detecta malware oculto en todas las ubicaciones posibles.

Scan for Vehu Virus Ransomware

Ser paciente, as the scan duration depends on the number of files and your computer's hardware capabilities. Utilice este tiempo para relajarse o atender otras tareas..

4. Al finalizar, Anti-Malware presentará un informe detallado que contiene todos los elementos maliciosos y amenazas detectados en su PC.

The Vehu Virus was Found

5. Seleccione todos los elementos identificados del informe y haga clic con confianza en el "Limpio ahora" botón. Esta acción eliminará de forma segura los archivos maliciosos de su computadora., transfiriéndolos a la zona de cuarentena segura del programa antimalware para evitar futuras acciones dañinas.

The Vehu Virus has been removed

6. Si se le solicita, reinicie su computadora para finalizar el procedimiento de escaneo completo del sistema. Este paso es crucial para garantizar la eliminación completa de cualquier amenaza restante.. Después del reinicio, Gridinsoft Anti-Malware se abrirá y mostrará un mensaje confirmando la finalización del escaneo.

Recuerde Gridinsoft ofrece una prueba gratuita de 6 días. Esto significa que puede aprovechar el período de prueba sin costo alguno para experimentar todos los beneficios del software y prevenir futuras infecciones de malware en su sistema.. Embrace this opportunity to fortify your computer's security without any financial commitment.

Video Guide

How To Decrypt .vehu Files?

First, try deleting the “.vehuextension from a few big files and then opening them. This malware struggles with the encryption of large files. The virus either failed to lock the file upon access or encountered a bug and omitted to add the file marker. If your files exceed 2GB in size, the latter scenario is more probable.

Criminals released the newest extensions around the end of August 2019 after making several changes.

The changes by the criminals rendered STOPDecrypter unsupported, leading to its replacement with the Emsisoft Decryptor for STOP Djvu Ransomware developed by Emsisoft.

  1. Download and Run the Decryption Tool: Download decryption tool. Ensure you run the decryption utility as an administrator and agree to the license terms that appear by clicking the” botón. Upon accepting the license terms.
  2. Select Folders for Decryption: The decryptor, by default, automatically selects directories on connected and network drives for decryption. Use theAddbutton to select additional locations. Depending on the malware family, decryptors offer various options, which you can toggle on or off in the Options tab. Abajo, you will find a detailed list of the currently active options.
  3. Initiate Decryption by Clicking on theDecryptButton. After adding all desired locations to the list, click theDecryptbutton to start the decryption process. The decryptor will inform you upon completing the decryption process. If needed for documentation, you can save the report by clicking theSave log” botón. It’s also possible to copy the report to your clipboard for pasting into emails or messages.

How to Restore .vehu Files?

In some cases, ransomware fails to encrypt your files

The Vehu ransomware encryption process involves encrypting each file byte-by-byte, creating a duplicate, and then deleting (not overwriting) the original file. This deletion means the physical disk no longer lists the file in its system, although the original file remains on the drive. The sector that held the file might still contain it, but since the system does not list it, new data can overwrite it. Sin embargo, special software can recover your files.

Solution 1Solution 2
This virus managed to bypass two antivirus programs and two malware fighters and infect my PC.

Realizing it was an online algorithm, I knew recovering my encrypted files was impossible. My backup drive, connected during the infection, seemed infected as well. Every folder on my backup drive appeared encrypted. Despite this, I managed to recover nearly 80% of my 2TB storage.

Examining the folders, I found ransom notes in each. Opening some revealed that only files not in subfolders were encrypted. Delving into subfolders in other folders, I discovered unencrypted files. Unlike my C and D drives where every folder, including subfolders, was encrypted, my backup drive’s subfolders saved 80% of my data.

I consider finding this loophole on my backup drive fortunate. Además, I recovered another 10% of my data from a hard drive on a different PC. Thus, my advice for using a backup drive is to create subfolders. It was partly luck, but also misfortune that the virus struck during file transfers from my backup.

I hope this experience can assist others in similar predicaments.

Jamie Newland
Here are some tips for Vehu file recovery and repair (applicable to all STOP/DJVU variants):

  • Check deeper nested folders since some Stop/Djvu variants fail to encrypt them, leaving them unencrypted.
  • Since this ransomware saves encrypted data to a new file and deletes the original, there’s a chance to recover parts of the deleted file using file recovery software. Although restoring the folder structure is unlikely, a tool like PhotoRec might work well.
  • The ransomware partially encrypts files (about the first 150 KB), making it possible to recover the non-encrypted portion depending on the file size and type.
  • Joep
    Brendan Smith
    Brendan Smith
    Experto en seguridad informática
    Try to use the GridinSoft Anti-Malware
    Do not forget to share your experience in solving the problem. Please leave a comment here! This can help other victims to understand they are not alone. And together we will find ways to deal with this issue.
    Antimalware
    Prueba de 6 días de Gridinsoft Anti-Malware disponible.
    CLUF | política de privacidad | 10% Cupón de descuento

    Recover Vehu Files with PhotoRec

    PhotoRec, designed for file recovery from damaged disks or accidental deletion, now supports restoring 400 file types, making it useful after a Vehu attack.

    First, download PhotoRec. It’s free, but the developer offers no guarantee for file restoration. PhotoRec comes packaged with TestDisk, another tool from the same developer, under the TestDisk name. Sin embargo, PhotoRec is included within the archive.

    To start PhotoRec, open the qphotorec_win.exe file. No installation is necessary as the program contains all required files, allowing it to run from a USB drive.

    1. My files are encrypted by ransomware, what should I do now?

    Sobre el Autor

    Brendan Smith

    I'm Brendan Smith, un periodista apasionado, investigador, y desarrollador de contenidos web. Con un gran interés en la tecnología informática y la seguridad., Me especializo en ofrecer contenido de alta calidad que eduque y capacite a los lectores para navegar en el panorama digital..

    Enfocados en tecnología informática y seguridad., Estoy comprometido a compartir mis conocimientos y perspectivas para ayudar a personas y organizaciones a protegerse en la era digital.. Mi experiencia en principios de ciberseguridad, privacidad de datos, y las mejores prácticas me permiten brindar sugerencias y consejos prácticos que los lectores pueden implementar para mejorar su seguridad en línea..

    Deja un comentario