Severity scale:  

Remove HDDCryptor ransomware / virus (Improved Guide) - updated Dec 2016

removal by Olivia Morelli - - | Type: Ransomware

HDDCryptor infection: what are risks?

HDDCryptor virus is ransomware-type virus which grounds its data encryption capacities on Master Boot Record (MBR) [1] alterations. These changes enable the parasite to block its victims from booting their computers properly and accessing any documents or programs stored on it. This way, the virus creators ensure that HDDCryptor removal is particularly complex, and the regular computer users are left with no other option but to pay the virus creators for the ability to have a functioning device once again. This is the main working principle of the majority of ransomware infections [2]. Sadly, this principle brings the criminals success more often than it should. Frightened victims are ready to pay the money without evaluating other potential options of the data retrieval. We also urge you not to rush with the money transfer and decide whether it is really worth paying after reading this article. If you have already decided on the virus removal, we recommend taking all the security measures possible. First of all, do not try eliminating the virus yourself and use the professional and legitimate software for this purpose. Reimage Reimage Cleaner Intego is one of the options.

An image of HDDCryptor virus

As we have already mentioned, HDDCryptor ransomware differs from the majority of ransomware infections because it involves alteration of the MBR. Nevertheless, it is not a completely novel practice among the virus creators. In fact, a few of the famous ransomware, such as Satana, Petya or Mischa are known for messing with these settings, too. An aspect on which HDDCryptor really differs from the rest of its kind is the integration of the open source tools [3] in the process of system scanning and data encryption. For instance, the virus uses a tool called Network Password Recovery to scan the system for the network-shared folder credentials and employs DiskCryptor to encrypt the files located on the computer’s hard drives and the data possibly obtained after using the tool discussed previously. Adding to the file encryption, smooth booting of the computer also gets interrupted. So, instead of loading your regular start screen properly, the boot stops and displays a black screen featuring a ransom note. In this note, the criminals provide an email address which the victims have to address in order to receive further data recovery instructions. At the moment of writing, the ransom reaches 1 Bitcoin (around 610 USD) and has to be paid straight into the criminal’s Bitcoin wallet. That’s how the crooks protect their identities and weasel their way out of this criminal offense unpunished. Do not lift their spirits and motivation even more by sending these hackers your money and better hurry to remove HDDCryptor from your PC as soon as possible.

Questions about HDDCryptor ransomware virus

From the very beginning, HDDCryptor was a threat to individual computer users, but now it is becoming a serious problem to larger organizations as well. In particular, this virus has been spotted in one of the Canadian universities [4], asking 39 Bitcoin for the regained access to all campus computers, while individual devices could be decrypted for 2 Bitcoin. Early on after discovering about the infection Carleton University representatives started tweeting about “network issues” and warning the students against using the university’s internal network. The IT department had to shut down the service completely before the issue is resolved. More detailed information about this incident is yet to be disclosed, so follow us to learn about first.

What are your options for data protection against ransomware?

Since viruses nowadays do not have much difficulty invading computers, aggravation of this task has become more important than ever before. Nevertheless, even the most professional and sophisticated antivirus utilities cannot be fully trusted as ransomware like HDDCryptor are often good at bypassing the defense. Frankly, any crack in your computer’s security can result in data loss. Thus, the people who have some important data on their devices should also consider data backup [5] option. It is a much more guaranteed technique of data protection as it involves storing the documents on external drives, disconnected from the network. Consequently, such data becomes inaccessible to the ransomware which works via the network. Please note that external storage drives are NOT resistant to the ransomware infections, so, in the case of the HDDCryptor, this infection has to be removed from the computer completely, before you try restoring files from these devices.

Remove HDDCryptor 

If you are already thinking about the HDDCryptor removal, you should do a quick checkup of your gear. Make sure a reputable antivirus software is installed on the infected device and check it for the newest updates. Keep in mind that such utility should be obtained legally and have a full system scan function available. When everything’s set up, you can proceed with the virus elimination. Please be aware that HDDCryptor virus may struggle on its way out and prepare yourself for such a challenge. Please have the virus decontamination instructions at hand, in case your antivirus utility is blocked from running. You will find these instructions below next to the additional data recovery guide. If you still can’t remove HDDCryptor, do not hesitate to contact our experts via the Ask Us panel.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove HDDCryptor virus, follow these steps:

Remove HDDCryptor using Safe Mode with Networking

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove HDDCryptor

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete HDDCryptor removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove HDDCryptor using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of HDDCryptor. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that HDDCryptor removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove HDDCryptor from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by HDDCryptor, you can use several methods to restore them:

Data Recovery Pro method

If you want to have quick data recovery results, you can try out specialized software like Data Recovery Pro. This software automatically scans the computer and tries to recover a variety of data types, so this solution is especially useful for the users who have less proficient computer skills. Below are the steps you will need to complete to recover your data using Data Recovery Pro.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by HDDCryptor ransomware;
  • Restore them.

Windows Previous Versions feature method

First of all, we should note that the System Restore function is necessary for the Windows Previous Versions to work properly. If it has been enabled before the HDDCryptor virus attack, follow the steps provided below. If not — you can proceed to other methods of data recovery.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer method

ShadowExplorer method is a commonly used technique used for recovering data after ransomware infiltration. Nevertheless, it is not always successful because some ransomware delete the Volume Shadow Copies needed for the ShadowExplorer to recover your data. If HDDCryptor was not programmed to delete them, follow the steps below to recover your data:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from HDDCryptor and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions