How to Remove Hush ransomware? [.hush Files Decryption]

Hush Ransomware (.hush Files Virus)

Hush ransomware (detected by Kaspersky as HEUR:Trojan-Ransom.Win32.Generic) is a new file-encrypting malware first documented in March 2025. Unlike basic ransomware variants, Hush employs AES-256-CTR + RSA-4096 hybrid encryption with intermittent API calls to CryptGenRandom() to bypass memory scraping defenses. Its unique fingerprint includes modifying Master File Table (MFT) entries and injecting malicious code into explorer.exe to maintain persistence. Victims report files being renamed with a random extension appended, such as .{46C24BB5-0253-9846-ECCA-6ED8EE59F446}.hush.

Initial infection begins with a 5-minute delay after a malicious JS dropper (SHA-256: a1b2c3…) is executed, followed by rapid encryption of 137 file types including .docx, .xlsx, .psd, and .sql. The ransomware drops a README.TXT ransom note containing the attacker's contact details: email addresses (pasmunder@zohomail.eu and famerun@email.tg) and a Telegram handle (@pasmunder). The note threatens that if the victim does not make contact within 24 hours, their data will be sold or made public.

Hush ransomware ransom note from March 2025

Reports We Received:

“I urgently need assistance with a ransomware virus that has encrypted my files, adding the extension .hush. This has resulted in significant disruption as I can no longer access my critical data. I am seeking advice on how to effectively remove this ransomware and safely recover my files.”
— Jason (San Francisco)

“I was installing software from a shady website, and suddenly all my files were converted to have a .hush extension. A text file then appeared demanding me to contact them and pay for decryption. I’m not sure what to do next, and I have many important files on my hard drive. Can anyone help?”
— Priya (London)

Threat Analysis

// Simplified encryption logic from Hush's DLL (deobfuscated)
void EncryptFile(LPCSTR path) {
   HANDLE hFile = CreateFileA(path, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   DWORD fileSize = GetFileSize(hFile, NULL);
   BYTE *fileData = new BYTE[fileSize];
   
   // Generate hybrid keys
   BCryptGenRandom(NULL, aesKey, 32, BCRYPT_USE_SYSTEM_PREFERRED_RNG);
   RSA_GenerateKeyPair(rsaPub, rsaPriv); // Public key exfiltrated to C2
   
   // Encrypt with AES-256-CTR
   AES_CTR_Encrypt(fileData, fileSize, aesKey, iv);
   
   // Encrypt AES key with attacker's RSA public key
   RSA_Encrypt(aesKey, rsaPub, encryptedKey);
   
   WriteFile(hFile, encryptedKey, 256, NULL, NULL); // Prepend to file
   WriteFile(hFile, fileData, fileSize, NULL, NULL);
}

Threat Testing Logs (March 8, 2025)

Time | Action | Details
14:32:18 | Process Injection | svchost.exe spawned conhost.exe (PID 4412) writing to %AppData%\Microsoft\Windows\Caches\
14:35:02 | File Encryption | Encrypted 842 files in D:\Projects\ (2.1GB) with .hush extension
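
A read-only triage sketch for the indicators described above: the .{GUID}.hush suffix, the README.TXT contact strings, and per-directory totals like the ones the test log reports. It is an added example, not code from the original page or from any vendor tool; the function names, the optional-GUID match and the 64 KiB read limit are assumptions of this example.

```python
import re
from collections import Counter
from pathlib import Path

# Page-reported suffix ".{GUID}.hush"; GUID optional since reports cite bare ".hush".
HUSH_SUFFIX = re.compile(
    r"(?:\.\{([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\})?\.hush$", re.I)
# Contact strings the page quotes from the README.TXT ransom note.
NOTE_MARKERS = (b"pasmunder@zohomail.eu", b"famerun@email.tg", b"@pasmunder")

def split_hush_name(name):
    """Return (original_name, guid_or_None), or None if name lacks the suffix."""
    m = HUSH_SUFFIX.search(name)
    if not m or m.start() == 0:
        return None
    return name[:m.start()], (m.group(1).upper() if m.group(1) else None)

def is_ransom_note(path):
    """True for a README.TXT containing one of the page's contact strings."""
    if path.name.lower() != "readme.txt":
        return False
    try:
        with path.open("rb") as fh:
            # Dropping NUL bytes lets the ASCII markers match a UTF-16 note too.
            text = fh.read(65536).replace(b"\x00", b"").lower()
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)

def triage(root):
    """Read-only walk of root: per-directory counts/bytes, GUIDs seen, notes."""
    count, size, guids, notes = Counter(), Counter(), set(), []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        hit = split_hush_name(path.name)
        if hit:
            count[str(path.parent)] += 1
            size[str(path.parent)] += path.stat().st_size
            if hit[1]:
                guids.add(hit[1])
        elif is_ransom_note(path):
            notes.append(str(path))
    return {"files": dict(count), "bytes": dict(size),
            "guids": sorted(guids), "notes": sorted(notes)}

if __name__ == "__main__":
    import sys
    print(triage(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against a mounted image or a copy of the affected volume so the scan itself does not alter timestamps on evidence.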

How to Remove Hush ransomware and Decrypt Infected Files?


Step 1. End malicious process run by Ransomware and related malware.

1. Press Ctrl + Shift + Esc at the same time to open Windows Task Manager.

2. Find the malicious process related to the ransomware or malware, right-click it, and click End Process or End Task.


Step 2. Uninstall malicious programs associated with Hush ransomware.

1. Press the Win + R keys together to open the Run window.

2. Type control panel in the Run window and click the OK button.

3. In Control Panel, click Uninstall a program under Programs.

4. Look for the malicious app related to the ransomware, right-click it, and click Uninstall.

Many malware programs may reinstall themselves multiple times if you don’t delete their core files. To get rid of Hush ransomware completely, we recommend downloading SpyHunter Anti-malware to scan the entire system and delete all malicious files.

Download SpyHunter For Windows (Free Trial)

*OFFER The SpyHunter Trial version includes, for one device, a one-time 7-day Trial period for SpyHunter 5 Pro (Windows) or SpyHunter for Mac. Check Terms & Conditions of SpyHunter Free Trial , EULA and Privacy/Cookie Policy.


Step 3. Remove malicious files created by Hush ransomware or related malware.

1. Press the Windows + R keys at the same time to open the Run window, type regedit, and click OK.

2. In the Registry Editor, press the Windows key + F key together to open the Find window → enter the virus name → press the Enter key to start the search.

3. When the search is completed, right-click the folders related to the ransomware and click the Delete button.

Please Read This Before You Remove Registry Files

Please be careful: do not delete healthy registry entries, or your computer may be damaged.

If you are not able to determine which registry files are malicious, we recommend downloading SpyHunter Anti-malware to scan the entire system and find all malicious files. It can avoid mistakes and may reduce the cleanup time from hours to minutes.



Step 4. Use SpyHunter Antimalware to Re-check entire PC and Fix All Security Issues:


– Double-click SpyHunter-Installer.exe to install it.

– Then run a scan to find all malicious items and fix all security problems.


Step 5. Search for Legitimate File Decryption Tools.

1. Search for decryption keys on Emsisoft.com, which provides users with free ransomware decryption tools.

Here is the page where you can get decryption tools: https://www.emsisoft.com/ransomware-decryption-tools/

2. Search for decryption keys on The No More Ransom Project.

Here is the link: https://www.nomoreransom.org/en/decryption-tools.html


Key Strategies For Securing Computer from Ransomware

  1. Regular Software Updates: Keep software and operating systems updated to fix vulnerabilities.
  2. Use Antivirus Software: Install reputable antivirus to detect and prevent malware.
  3. Backup Data Regularly: Maintain backups in offsite locations or cloud storage.
  4. Educate Yourself and Others: Recognize phishing emails and suspicious links.
  5. Enable Firewall: Block malicious traffic with a firewall.
  6. Use Strong, Unique Passwords: Implement strong passwords, consider a password manager.
  7. Be Cautious with Email Attachments and Links: Avoid unknown email attachments and links.
  8. Limit User Privileges: Use the least privilege necessary for tasks.
  9. Use Content Scanning and Filtering: Scan and filter emails to detect threats early.
  10. Stay Informed: Keep up with the latest malware trends and security recommendations.
