Vehu는 어떤 악성코드인가??
Vehu is a ransomware variant from the Djvu family that we discovered during an analysis of samples submitted to VirusTotal. Ransomware is a type of malware that encrypts files and demands payment for their decryption. In addition to encrypting files, Vehu appends its extension (“.vehu”) to filenames and provides a ransom note (“_README.txt“).
An example of how files encrypted by Vehu are renamed: “1.jpg” is changed to “1.jpg.vehu“, “2.png” to “2.png.vehu“, and so on. Since Vehu is part of the Djvu family, it may be distributed alongside information stealers like Vidar and RedLine.
Screenshot of files encrypted by Vehu ransomware:
감염된 PC: VEHU 파일
Vehu ransom note overview
Vehu’s ransom note informs victims that their files are encrypted and that the only way to recover them is to purchase a decryption tool and a unique key. It also says that the attackers offer to decrypt one file (not containing valuable information) for free. The note provides two contact emails: support@freshingmail.top and datarestorehelpyou@airmail.cc.
It provides the price of decryption $999 and says it can be reduced to $499 if victims contact threat actors within 72 시간. Lastly, it ensures victims that data cannot be restored without payment.
Ransom Note: _readme.txt
| 이름 | Vehu Virus |
| Family 1 | STOP/Djvu Ransomware |
| Extension | .vehu |
| Ransomware note | _readme.txt |
| Ransom | From $499 to $999 (in Bitcoins) |
| Contact | support@freshingmail.top, datarestorehelpyou@airmail.cc |
| Symptoms |
|
| Recovery | Start recovery with a comprehensive antivirus scan. Although not all files may be recoverable, our guide outlines several potential methods to regain access to encrypted files. |
Djvu ransomware initiates its activities by utilizing multi-stage shellcodes, leading to file encryption. 또한, the malware integrates loops to extend its execution duration, making it harder for security systems to identify the malware.
Also, Djvu ransomware employs dynamic API resolution to access vital tools covertly. Later, it utilizes process hollowing, creating a replica of itself masked as another process to conceal its true intent.
How Vehu ransomware infect my PC?
Cybercriminals distribute ransomware in various ways. Djvu ransomware is commonly delivered via pirated software (or cracking tools and key generators) and shady pages posing as platforms for downloading videos from YouTube. Emails containing malicious attachments and links are also used as malware distribution channels.
또한, computer infections can occur through software vulnerabilities, malicious advertisements, compromised websites, drive-by downloads, compromised USB drives, P2P networks, unofficial pages, and similar channels. Overall, most cybercriminals aim to lure users into performing actions resulting in computer infections.
How To Remove?
Remove Vehu Virus with Gridinsoft Anti-Malware
우리는 또한이 소프트웨어 에서이 소프트웨어를 우리 시스템에서 사용하고 있습니다., 그리고 그것은 항상 바이러스를 감지하는 데 성공했습니다. It has blocked the most common Ransomware as 우리의 테스트에서 보여 주었다 소프트웨어와 함께, and we assure you that it can remove Vehu Virus as well as other malware hiding on your computer.
악의적 인 위협을 제거하기 위해 Gridinsoft를 사용합니다, 아래 단계를 따르십시오:
1. Gridinsoft anti-malware를 다운로드하여 시작하십시오, 아래 또는 공식 웹 사이트에서 직접 파란색 버튼을 통해 액세스 할 수 있습니다. gridinsoft.com.
2.GridInsoft 설정 파일이되면 (Setup-gridinsoft-fix.exe) 다운로드됩니다, 파일을 클릭하여 실행하십시오. Follow the installation setup wizard's instructions diligently.
3. 액세스 "스캔 탭" on the application's start screen and launch a comprehensive "전체 스캔" 전체 컴퓨터를 검사합니다. 이 포괄적 인 스캔은 메모리를 포함합니다, 스타트 업 항목, 레지스트리, 서비스, 드라이버, 그리고 모든 파일, 가능한 모든 위치에 숨겨진 맬웨어를 감지하는지 확인.
인내하십시오, as the scan duration depends on the number of files and your computer's hardware capabilities. 이 시간을 사용하여 휴식을 취하거나 다른 작업에 참석하십시오..
4. 완료되면, 방지 방지는 PC에 감지 된 모든 악성 품목 및 위협이 포함 된 자세한 보고서를 제시합니다..
5. 보고서에서 식별 된 모든 항목을 선택하고 자신있게 "지금 청소" 단추. 이 작업은 컴퓨터에서 악의적 인 파일을 안전하게 제거합니다., 더 이상의 유해한 행동을 방지하기 위해 말장 방지 프로그램의 안전한 검역 구역으로 전송.
6. 프롬프트가있는 경우, 전체 시스템 스캔 절차를 마무리하려면 컴퓨터를 다시 시작하십시오.. 이 단계는 남은 위협을 철저히 제거하는 데 중요합니다.. 재시작 후, Gridinsoft anti-malware가 열리고 메시지를 표시합니다. 스캔 완료.
Gridinsoft는 6 일 무료 평가판을 제공합니다. 즉, 소프트웨어의 모든 이점을 경험하고 시스템의 향후 악성 코드 감염을 예방하기 위해 무료로 시험 기간을 이용할 수 있습니다.. Embrace this opportunity to fortify your computer's security without any financial commitment.
Video Guide
How To Decrypt .vehu Files?
First, try deleting the “.vehu” extension from a few big files and then opening them. This malware struggles with the encryption of large files. The virus either failed to lock the file upon access or encountered a bug and omitted to add the file marker. If your files exceed 2GB in size, the latter scenario is more probable.
Criminals released the newest extensions around the end of August 2019 after making several changes.
The changes by the criminals rendered STOPDecrypter unsupported, leading to its replacement with the Emsisoft Decryptor for STOP Djvu Ransomware developed by Emsisoft.
- Download and Run the Decryption Tool: Download decryption tool. Ensure you run the decryption utility as an administrator and agree to the license terms that appear by clicking the “Yes” 단추. Upon accepting the license terms.
- Select Folders for Decryption: The decryptor, by default, automatically selects directories on connected and network drives for decryption. Use the “Add” button to select additional locations. Depending on the malware family, decryptors offer various options, which you can toggle on or off in the Options tab. Below, you will find a detailed list of the currently active options.
- Initiate Decryption by Clicking on the “Decrypt” Button. After adding all desired locations to the list, click the “Decrypt” button to start the decryption process. The decryptor will inform you upon completing the decryption process. If needed for documentation, you can save the report by clicking the “Save log” 단추. It’s also possible to copy the report to your clipboard for pasting into emails or messages.
How to Restore .vehu Files?
In some cases, ransomware fails to encrypt your files…
The Vehu ransomware encryption process involves encrypting each file byte-by-byte, creating a duplicate, and then deleting (not overwriting) the original file. This deletion means the physical disk no longer lists the file in its system, although the original file remains on the drive. The sector that held the file might still contain it, but since the system does not list it, new data can overwrite it. However, special software can recover your files.
Realizing it was an online algorithm, I knew recovering my encrypted files was impossible. My backup drive, connected during the infection, seemed infected as well. Every folder on my backup drive appeared encrypted. Despite this, I managed to recover nearly 80% of my 2TB storage.
Examining the folders, I found ransom notes in each. Opening some revealed that only files not in subfolders were encrypted. Delving into subfolders in other folders, I discovered unencrypted files. Unlike my C and D drives where every folder, including subfolders, was encrypted, my backup drive’s subfolders saved 80% of my data.
I consider finding this loophole on my backup drive fortunate. 또한, I recovered another 10% of my data from a hard drive on a different PC. Thus, my advice for using a backup drive is to create subfolders. It was partly luck, but also misfortune that the virus struck during file transfers from my backup.
I hope this experience can assist others in similar predicaments.
Jamie Newland
Recover Vehu Files with PhotoRec
PhotoRec, designed for file recovery from damaged disks or accidental deletion, now supports restoring 400 file types, making it useful after a Vehu attack.
First, download PhotoRec. It’s free, but the developer offers no guarantee for file restoration. PhotoRec comes packaged with TestDisk, another tool from the same developer, under the TestDisk name. However, PhotoRec is included within the archive.
To start PhotoRec, open the “qphotorec_win.exe” file. No installation is necessary as the program contains all required files, allowing it to run from a USB drive.
의견을 남겨주세요