*Bhui is a variant of Stop/DJVU. Source of claim SH can remove it.
Bhui
Bhui is a file-locking virus of the Ransomware type and its job is to force users to carry out a ransom payment. Bhui seals the files of its victims through the application of advanced encryption and won’t release the data until the payment is made.
A new Ransomware-based infection has been on the loose and our “How to remove” team has come up with a removal guide that focuses on it. The name of the new threat is Bhui and, as per the information available, it operates as a cryptovirus that secretly encrypts the files stored on the infected computer by placing a complex code on them. The infection then generates a ransom-demanding notification on the victim’s screen, asking for the payment of a ransom in exchange for a decryption key.
If you are reading this article because Bhui has taken hostage of your files and you don’t know what to do or you are seeking a way to avoid the ransom payment and remove the Ransomware, you’ve come to the right place. Below, you will find instructions on that, as well as a trusted Bhui removal tool and some free file-recovery suggestions, which don’t involve paying a ransom to anyone. Before you move on to them, however, it is important to gain a good understanding of the situation you are in, and of the possible alternative solutions.
The Bhui virus
The Bhui virus is the latest malware threat of the Ransomware category and its advanced encryption can make all files on your computer totally inaccessible. Even if removed, the Bhui virus will still continue to keep your data inaccessible because the encryption would still be there.
The first thing you should definitely do is check for safe copies of the files that have gotten locked stored on external devices or on clouds – if you find any you could copy them back on your machine once you clean it from the malware. In the dreaded case of not having backup copies, the chances of recovering the locked, sadly, data decrease significantly since the key to revert the encryption will be necessary and that key is kept by the hackers.
In some versions of Ransomware (less-advanced ones), the encryption key could come in the malware code itself so the affected files could be recovered with some ease. However, this is not the case with Bhui, Ahui or Ahgr Still, there are initiatives where different security companies and government agencies work together to come up with specialized tools that can help decipher the code of some Ransomware infections. Here, on “How to remove” guide, for instance, we have a frequently-updated list of free decryptor tools that you can check out. The guide we have here also contains some steps that may help you extract some files from the system wherever possible. Keep in mind though, that the attack of Bhui may have a very individual effect on each and every machine and, therefore, the effectiveness of the steps may vary.
The .Bhui file decryption
The .Bhui file decryption is the reversal of the encryption process that is keeping your files unavailable. The .Bhui file decryption is usually only achievable if the correct decryption key is applied to the locked-up files.
Of course, there is always the possibility to make the payment of the ransom to the attackers. However, this is not an advisable course of action because nobody guarantees that once the payment is made, the decryption key will be sent to the victim. There is a significant chance of losing both the data and the money. Therefore, we encourage our readers to focus on cleaning their computers from malware first and then exploring some alternative file-recovery solutions.
It is also very important to understand the importance of a good Ransomware protection plan which involves regular backups (and checking that they are being done correctly and can be used without problems) among other measures. Also, a reliable system-protection tool may help against some Ransomware cryptoviruses as well as against many other threats from the Internet so it is always a good thing to have such software in your computer.
SUMMARY:
*Bhui is a variant of Stop/DJVU. Source of claim SH can remove it.
Remove Bhui Ransomware
Before you begin, it is advisable that you save this page by clicking on the bookmark button that can be found in the URL bar of your browser. This will allow you to quickly access it and complete all the steps without losing the instructions.
We also recommend that you continue with the remaining Bhui removal steps on this page after restarting your computer in Safe Mode.
WARNING! READ CAREFULLY BEFORE PROCEEDING!
*Bhui is a variant of Stop/DJVU. Source of claim SH can remove it.
Ransomware threats like Bhui typically run their malicious processes in the background of a computer’s system without showing visible symptoms. This allows them to remain unnoticed and cause significant harm. That’s why, when dealing with this type of malware, one of the most difficult jobs is being able to discover and terminate any potentially hazardous processes associated with the ransomware that are already running on your computer. In order to accomplish this, you must carefully follow the following steps.
Open the Windows Task Manager by pressing the CTRL+SHIFT+ESC keys together, and then select the Processes Tab from the top-level tabs. If you see any processes that take a substantial amount of resources, have an unusual name, or otherwise appear suspicious, make a note of them and right-click on each of them to open the quick menu. Then click on “Open File Location” to see the files associated with that process.
Next, check the process’s files for possibly hazardous code by running them via the free online virus scanner provided below:
If any of the files that you scan turn out to be harmful, then the process that is associated with them should be terminated as soon as possible, and the files themselves should be deleted from your computer.
Do the same for each process that contains potentially dangerous files until the system has been completely cleaned of all malicious processes.
If the ransomware has added potentially dangerous startup items to the system, these items must be disabled as well, in the same way as the Bhui-related processes in Task Manager have been stopped.
To do so, start by typing msconfig in the Windows search bar and then selecting System Configuration from the list of search results. Then, check out the entries under the Startup tab and look for something unusual:
It is recommended that you investigate any startup item that has an “Unknown” Manufacturer or a random name, and uncheck its checkmark if you find sufficient evidence that it is related with the ransomware. Also, look for any other startup items on your computer that you are unable to identify with the programs that you regularly start on your computer. Only startup items linked with programs that you trust or that are tied to your system should be allowed to continue to run on your system.
*Bhui is a variant of Stop/DJVU. Source of claim SH can remove it.
Searching the system’s registry is essential in order to detect whether or not the ransomware has added any dangerous entries in there. To do so, type Regedit in the Windows search field and hit Enter to launch the Registry Editor. Next, you can press the CTRL and F keys simultaneously on your computer and carefully type the name of the ransomware into the Find box to search for the threat more quickly. After that, click on Find Next and if there are any results, carefully eliminate the entries that include the name of the ransomware.
Attention! Avoid removing anything from your registry that you aren’t certain you want to get rid of because any wrong deletions may cause more harm than good to your system. If you want to avoid causing inadvertent harm, please use professional removal solutions to thoroughly eliminate Bhui and other ransomware-related files from your registry.
After that, manually scan each of the locations listed below for suspicious files and folders that belong to Bhui or appear to be related with the threat, and delete anything that is dangerous. You may use the Windows Search bar to copy/paste the following locations one at a time and click Enter to open them:
- %AppData%
- %LocalAppData%
- %ProgramData%
- %WinDir%
- %Temp%
Everything that appears to be a threat should be removed from these locations as quickly as possible. If you want to get rid of any temporary files that may have been saved on your system, select and delete everything in the Temp folder from your computer.
Following that, you should check your computer’s Hosts file for any modifications that may have been imposed without your awareness. If you find any, please leave us a comment below, and we will do our best to reply to you shortly.
To begin, press the Windows and R keys together to open the Run box, where you can copy/paste the following command, and press the Enter key to execute it:
notepad %windir%/system32/Drivers/etc/hosts
Please let us know if the Hosts file has been modified to include certain suspicious-looking IP addresses under the Localhost section, as seen in the following image:
If everything looks fine to you, just close the file without making any changes.
How to Decrypt Bhui files
To effectively decode the encrypted data, you may need to use a different approach, depending on the ransomware version that has infected your machine. In order to determine which Ransomware version you are dealing with, you must look at the file extensions that the virus has added to the files that have been encrypted.
New Djvu Ransomware
The most recent variant of the Djvu Ransomware family to infect computers is called STOP Djvu Ransomware. This new threat makes it easy for the victims to recognize when they have been infected with it, since it attaches the .Bhui file extension, which is automatically added to the files encrypted by the malware At this time, only files that have been encrypted using an offline key are being decryptable, and if you click on the following link, you will be able to access a decryption tool that may be of use to you:
https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
Decryption
The decryption application may be launched by downloading the file from the URL above on the computer, selecting “Run as Administrator”, and then pressing the Yes button. Before proceeding, please read the license agreement, as well as the brief instructions that appear on the screen.
Selecting Decrypt from inside the program will begin the process of decrypting the data that has been encrypted. Please bear in mind that data encrypted using unknown offline keys or online encryption may not be decrypted by this tool. If you have any questions or concerns, please share them with us in the comments below, and we will do our best to assist you.
Important! Please be sure that any ransomware-related files and potentially dangerous registry entries have been removed from your infected computer before attempting to decrypt any data that may have been saved on it in the first place. A free online virus scanner and anti-virus software, such as those accessible on our page, will assist you in getting rid of Bhui and other dangerous pieces of malware that are spreading throughout the internet.
Leave a Comment