How To Remove .HakunaMatata Virus And Retrieve Files

HakunaMatata is a new ransomware currently on the rise. It is distributed through spam emails, fake and illegal downloads and other means. Once your computer is infected the ransomware will start encrypting your documents, media and other files and changes their extensions to .HakunaMatata while the original ones are deleted. The virus creators then ask you to pay a ransom in order to get your files back. However, paying the ransom does not guarantee that you will get the decryption key as well as it leaves potential security holes for future attacks from the same cyber criminals.

The only way to protect yourself from HakunaMatata ransomware is to completely remove it, secure your computer and restore the lost files. We have prepared two types of removal instructions. We recommend the automatic one as it not only removes the threat but also secures your computer. A manual method is available as well.


Recommended Method: Download HakunaMatata Virus Removal Tool

Version:   All Updated:   2 days ago Compatible OS:   All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here
File name Size
mb3-setup.exe 56.5 MB

Click here to download alternative tool

What is HakunaMatata virus?

HakunaMatata virus is distributed using the same means as for most other ransomware. You can get infected through spam emails, illegal and fake downloads, exploit kits and other similar ways. It usually comes in randomly named .exe or .tmp files. If infected, it immediately starts taking your files to hostage by encrypting them using AES256-bit and RSA-2048 algorithms. The files then get .HakunaMatata extension and become inaccessible while the original ones are deleted.

Some researchers state that this new virus uses unique approach while others suspect that this is a NMoreira 2.0 and is based on the original NMoreira ransomware. In any case, it uses heavily modified encoding engine and the encryption cannot be broken yet.

IMPORTANT: If you suspect that you have just been infected by the virus there are still chances to salvage some of your files from being encrypted! It will take some time for the virus to encrypt your files before it finishes and displays the ransom note. If you see increase in CPU and RAM usage as well as hard disk space usage, shut down the computer immediately in order to prevent the damage. Then follow our instructions below on how to remove it from your system.

After the virus finishes encrypting the files it creates a ransom note called Recovers files yako.html which has instructions on how to contact the creators through Bitmessage and pay the ransom. The ransom size is different across each case but usually varies between 1 to 3 Bitcoins.

Do not open the ransom note as it might have a trojan in itself.

This is a typical ransom note:

Encrypted files!
All your files are encrypted.Using AES256-bit encryption and RSA-2048-bit encryption.
Making it impossible to recover files without the correct private key.
If you are interested in getting is the key and recover your files
You should proceed with the following steps.
–
To get in touch you should use the Bitmessage system,
You can download the Bitmessage software at https://bitmessage.org/
After installation you should send a message to the address
Bitmsg: BM-***

If you prefer you can send your Bitmenssages from a web browser
Through the webpage https://bitmsg.me this is certainly the most practical method!
Below is a tutorial on how to send bitmessage via web browser: https://bitmsg.me/

1 B° Open in your browser the link
https://bitmsg.me/users/sign_up
Make the registration by entering name email and password.
2 B° You must confirm the registration, return to your email and follow the instructions that were sent.
3 B° Return to site sign in
https://bitmsg.me/users/sign_in
4 B° Click the Create Random address button.
5 B° Click the New massage button
6 B° Sending message

To: Enter address: BM-***
Subject: Enter your key: ***
Menssage: Describe what you think necessary
Click the Send message button.
Your message will be received and answered as soon as possible!.
Send message to: BM-***
Your Key: ***

We do not recommend paying the ransom as it does not guarantee that you will receive the files. It also leaves you vulnerable to future attacks. The cyber criminals will know that you are a paying victim so they might target you again. Instead, you should follow our guide and remove the threat completely.

Here are some screenshots of HakunaMatata virus in action. You might see slightly different warnings or instructions since the ransomware could be slightly modified in each case.

   


 Manual Removal Instructions:

NB: Removing the virus manually does not completely guarantee that the problem is solved permanently! Make sure to remove all potential threat sources as well (infected emails, suspicious downloaded files, etc.). Remember to secure your computer with a proper antivirus software after you have removed the injection.

We also recommend bookmarking this page as you might need to restart your computer in the process and come back later.

Step 1:

Reboot your Windows in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Since Safe Mode only has the most basic features do not be scared that your Windows look completely different!

Click here to show how to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard until you get the following screen:
  3. Use arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for the Windows to launch.

 

Click here to show how to reboot Windows 8, 8.1 or Windows 10 in Safe Mode

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since the booting is much faster and does not always react to the key presses. Try this method first and then proceed to other methods if this does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard.
    If it does not work try repeating the same procedure but this time holding Shift key and clicking F8.
  3. Follow instructions from Step 5 below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold Windows () key and click R key.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails you can try inserting System Recovery CD or DVD (works only with Windows 8) or System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose Troubleshoot option. The steps are then identical as in Shift + Restart method starting from #3.

Step 2:

Now you will have to identify and remove any dangerous processes that could be related to the virus.

Press three buttons at the same time: CTRL + SHIFT + ESC to launch Windows Task Manager. Alternatively you can launch it by right-clicking on Windows toolbar/startbar and clicking Start Task Manager.

Go to Processes tab.

It will list all currently running processes.

You will have to scan each suspicious process manually. We recommend scanning all processes as sometimes the virus hides in processes named as harmless programs.

Right-click on each of them and choose Open File Location.

Go to virustotal.com and upload that file for a scan.

If the file is detected as dangerous, right-click on the process and choose End Process, then delete that file in the location you have opened before.

Repeat this with all processes.

Step 3:

Check your hosts file for any suspicious IPs.

Press and hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

notepad %windir%/system32/Drivers/etc/hosts

Click OK.

Your “hosts.ini” file will open in Notepad. If you see any suspicious IP at the end of the file you will need to delete it. Here is an example:

Step 4:

Check your startup config for any suspicious items.

Press and hold Windows () key and click R key while holding to open “Run” window again.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab.

Uncheck all entries that have “Unknown” as Manufacturer. Sometimes the entries might have a fake manufacturer, so use your common sense and uncheck anything potentially dangerous.

You can also hover your mouse over the “Command” field to see where the process is located.

Click OK when you are finished unselecting.

Step 5:

Clean up your registry entries.

Press and hold Windows () key and click R key.

Enter the following in the field:

regedit.exe

Click OK.

Press keyboard buttons CTRL + F and enter:

hakunamatata

Click Find Next.

If you find any entry with the virus name, delete the registries by right-clicking on it and choosing Delete. Be careful to not delete important registry entries unrelated to the virus! Otherwise you might damage the file system! Registry is full of critical system entries that are needed for the Windows to work properly!

Repeat the “Find Next” and Delete procedure by searching again and deleting until no virus entries are left.

You can also search for “hakuna” instead of the full word.

Also, search for the following ransomware-related records using the folder tree on the left:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe “Debugger” = ‘svchost.exe’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe “Debugger” = ‘svchost.exe’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\.HakunaMatata file virus
  • HKEY_LOCAL_MACHINE\SOFTWARE\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ’0′
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ’0′
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore “DisableSR ” = ’1′
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe “Debugger” = ‘svchost.exe’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe “Debugger” = ‘svchost.exe’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “3948550101?
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “xas”
  • HKEY_CURRENT_USER\Software\.HakunaMatata file virus

Step 6:

Clean up Windows temporary files. HakunaMatata is known to operate from temporary files directory so you need to remove them all.

Do not worry: removing temporary files does not affect your computer as they are “temporary” for a reason.

Press and hold Windows () key and click R key.

Enter the following in the field:

%Temp%

Click OK.

A new directory will open with with a lot of temporary files and folders.

Select all temporary files by simultaneously pressing CTRL + A and delete them.

Step 7:

Check for any recent changes in all the other important system files.

Press and hold Windows () key and click R key.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here. Just search for any recent changes (by “Date Modified”) in the files. If you see that the files have just been changed, then scan them with virustotal.com and remove only if they have been marked as dangerous. If there are no suspicious changes just leave everything as it is. Otherwise you might remove critical system files and Windows might stop working.

Repeat this step with the following three directories:

%LocalAppData%
%ProgramData%
%WinDir%

Remember to be very careful with these directories as they contain many important files.

 Decrypting The Files:

You should move on to decrypting the files only if you have successfully removed the threat. If you feel that it might still be active you should repeat the cleanup process or simply download the removal tool recommended in the beginning of the article.

The success of getting back your files increases if you had backups enabled. Otherwise the recovery requires more complicated means.

Check for .HakunaMatata decryptor here first: List of currently available decryptors. To this date we have no information that .HakunaMatata decryptor is available but it might be added in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. We recommend reading it. The instructions below are just a short version of the simplest methods.

Step 1:

Start by restoring the old system settings using System Restore. The virus might have changed them so you need to revert to the old ones first.

Some variations of the virus might remove your system restore points so this step might be unsuccessful.

Press and hold Windows () key and click R key.

Enter the following in the field:

rstrui.exe

Click OK.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you restore from a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 2:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

Step 3:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files and wait for a HakunaMatata decryptor to be created. New free decryptors for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.


Share your experience with us by leaving a comment!

Leave a comment to tell us about your experience removing this threat!
We can also help you if you run into any problems during the process, just don't hesitate to ask!

Leave a Reply

Your email address will not be published. Required fields are marked *