HakunaMatata Ransom Note

HakunaMatata is a ransomware spreading via email spam. It starts encrypting user files as soon as it is launched on the computer. It comes from the Nmoreia ransomware and can be called Nmoreira 2.0.

Once the files are encrypted using AES-256 and RSA-2048 algorithms the original files are deleted while the encrypted ones start bearing a ".HakunaMatata" extension (hence the name).

It is known to delete the shadow copies in order to make file recovery harder. It uses the following commands upon launch:

cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet vssadmin.exe 

Delete Shadows /All /Quiet

HakunaMatata does not ask for a specific amount of money. Instead, it provides a BitMessage link which is used to contact the malware creators.

Files associated with this ransomware:

  • Recovers files yako.html
  • <random>.exe
  • <random>.tmp
  • crypter_191_.exe
  • net1.exe
  • wevtutil.exe


Community content is available under CC-BY-SA unless otherwise noted.