*7-day Free Trial w/Credit card, no charge upfront or if you cancel up to 2 days before expiration; Subscription price varies per region w/ auto renewal unless you timely cancel; notification before you are billed; 30-day money-back guarantee; Read full terms and more information about free remover.


GREEDYFATHER is a malicious representative of the Ransomware family that can encrypt your data and keep it hostage for ransom. After restricting access to the target data, GREEDYFATHER threatens you by displaying a message with ransom requests.You will typically find out that you have been infected with GREEDYFATHER after you try to open some of your files and they return an error message. Or you may get notified about the infection before having the chance to open some of the encrypted files by simply being greeted with a ransom message on your screen. In that message, you will typically be given some payment instructions, a deadline and a promise from the hackers that once you pay, they will send you a decryption key.

The GREEDYFATHER ransomware virus text file
The GREEDYFATHER virus ransomware ransom note

In this post, we have come up with some information about the way GREEDYFATHER, Hhaz or Hhuy operates and some methods that you can use to potentially remove the infection. You will find all the concrete steps for the removal of this ransomware and the subsequent file recovery in the manual guide below; but it is a good idea to keep in mind that, in some cases, it may not be possible to fully recover from the Ransomware’s attack. Still, it is worth giving a try.


The GREEDYFATHER virus is a harmful piece of software that operates like ransomware. The GREEDYFATHER virus aims to secretly check your computer for specific file types, encrypt them and then make you pay for reversing the applied encryption.Getting yourself infected with GREEDYFATHER is not that hard. All you have to do is to carelessly click on unexpected e-mails or attachments, land on a malicious ad, or get rerouted to a website that has been compromised. Sometimes a Trojan horse can also deliver the ransomware in the system by exploiting an existing system vulnerability through which it can sneak it in. Downloading videos, movies, cracked programs and torrents is also among the most common ways to land Ransomware in your system, so try to stick to reputed web locations and install software only from known developers.

The GREEDYFATHER file encryption

The GREEDYFATHER file encryption is a method through which a group of cyber criminals has found a way to restrict access to user files. The GREEDYFATHER file encryption is used to encode certain digital information so that a ransom can be demanded for its liberation. Many web users frequently ask our “How to remove” team what they should do if their computer has been attacked by ransomware. Sadly, this question doesn’t have a correct answer. You’re going to have to choose between some very limited options one of which is to pay the required ransom. The second one is to try to remove the virus and recover from its attack on your own. Unfortunately, whether you choose to pay the ransom or not, your files will be at great risk because nothing can guarantee that your encrypted files will be successfully decrypted or that the virus will be safely removed from your device. Yet, we believe that you have to exhaust all of your options if you don’t want to support hackers and one of these options is our removal guide. Another option is to use the help of a good anti-Ransomware tool such as the one on this page.

Eventually, once you manage to remove GREEDYFATHER, check for any backup copies of your data and learn to create external backups of the information that you don’t want to lose in the future.


Danger LevelHigh (Ransomware is by far the worst threat you can encounter)
SymptomsVery few and unnoticeable ones before the ransom notification comes up.
Distribution MethodFrom fake ads and fake system requests to spam emails and contagious web pages.
Detection Tool

Remove GREEDYFATHER Ransomware


Some of the steps will likely require you to exit the page. Bookmark it for later reference.

Reboot in Safe Mode (use this guide if you don’t know how to do it).



Press CTRL + SHIFT + ESC at the same time and go to the Processes Tab. Try to determine which processes are dangerous. 


Right click on each of them and select Open File Location. Then scan the files with our free online virus scanner:

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    After you open their folder, end the processes that are infected, then delete their folders. 

    Note: If you are sure something is part of the infection – delete it, even if the scanner doesn’t flag it. No anti-virus program can detect all infections.


    Hold the Start Key and R –  copy + paste the following and click OK:

    notepad %windir%/system32/Drivers/etc/hosts

    A new file will open. If you are hacked, there will be a bunch of other IPs connected to you at the bottom. Look at the image below:

    hosts_opt (1)

    If there are suspicious IPs below “Localhost” – write to us in the comments.

    Type msconfig in the search field and hit enter. A window will pop-up:


    Go in Startup —> Uncheck entries that have “Unknown” as Manufacturer.

    • Please note that ransomware may even include a fake Manufacturer name to its process. Make sure you check out every process here is legitimate.

    Type Regedit in the windows search field and press EnterOnce inside, press CTRL and F together and type the virus’s Name. 

    Search for the ransomware in your registries and delete the entries. Be extremely careful –  you can damage your system if you delete entries not related to the ransomware.

    Type each of the following in the Windows Search Field:

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    Delete everything in Temp. The rest just check out for anything recently added. Remember to leave us a comment if you run into any trouble!


    How to Decrypt GREEDYFATHER files

    We have a comprehensive (and daily updated) guide on how to decrypt your files. Check it out here.

    If the guide doesn’t help, download the anti-virus program we recommended or try our free online virus scanner. Also, you can always ask us in the comments for help!


    About the author


    Lidia Howler

    Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

    Leave a Comment

    We are here to help! Use SpyHunter to remove malware in under 15 minutes.

    Not Your OS? Download for Windows® and Mac®.

    * See Free Trial offer details and alternative Free offer here.

    ** SpyHunter Pro receives additional removal definitions and manual fixes through its HelpDesk in cases where they are needed.

    Spyware Helpdesk 1