HDDCryptor ransomware / virus (Improved Guide) - updated Dec 2016
HDDCryptor virus Removal Guide
What is HDDCryptor ransomware virus?
HDDCryptor infection: what are risks?
HDDCryptor virus is ransomware-type virus which grounds its data encryption capacities on Master Boot Record (MBR) [1] alterations. These changes enable the parasite to block its victims from booting their computers properly and accessing any documents or programs stored on it. This way, the virus creators ensure that HDDCryptor removal is particularly complex, and the regular computer users are left with no other option but to pay the virus creators for the ability to have a functioning device once again. This is the main working principle of the majority of ransomware infections [2]. Sadly, this principle brings the criminals success more often than it should. Frightened victims are ready to pay the money without evaluating other potential options of the data retrieval. We also urge you not to rush with the money transfer and decide whether it is really worth paying after reading this article. If you have already decided on the virus removal, we recommend taking all the security measures possible. First of all, do not try eliminating the virus yourself and use the professional and legitimate software for this purpose. FortectIntego is one of the options.
As we have already mentioned, HDDCryptor ransomware differs from the majority of ransomware infections because it involves alteration of the MBR. Nevertheless, it is not a completely novel practice among the virus creators. In fact, a few of the famous ransomware, such as Satana, Petya or Mischa are known for messing with these settings, too. An aspect on which HDDCryptor really differs from the rest of its kind is the integration of the open source tools [3] in the process of system scanning and data encryption. For instance, the virus uses a tool called Network Password Recovery to scan the system for the network-shared folder credentials and employs DiskCryptor to encrypt the files located on the computer’s hard drives and the data possibly obtained after using the tool discussed previously. Adding to the file encryption, smooth booting of the computer also gets interrupted. So, instead of loading your regular start screen properly, the boot stops and displays a black screen featuring a ransom note. In this note, the criminals provide an email address which the victims have to address in order to receive further data recovery instructions. At the moment of writing, the ransom reaches 1 Bitcoin (around 610 USD) and has to be paid straight into the criminal’s Bitcoin wallet. That’s how the crooks protect their identities and weasel their way out of this criminal offense unpunished. Do not lift their spirits and motivation even more by sending these hackers your money and better hurry to remove HDDCryptor from your PC as soon as possible.
From the very beginning, HDDCryptor was a threat to individual computer users, but now it is becoming a serious problem to larger organizations as well. In particular, this virus has been spotted in one of the Canadian universities [4], asking 39 Bitcoin for the regained access to all campus computers, while individual devices could be decrypted for 2 Bitcoin. Early on after discovering about the infection Carleton University representatives started tweeting about “network issues” and warning the students against using the university’s internal network. The IT department had to shut down the service completely before the issue is resolved. More detailed information about this incident is yet to be disclosed, so follow us to learn about first.
What are your options for data protection against ransomware?
Since viruses nowadays do not have much difficulty invading computers, aggravation of this task has become more important than ever before. Nevertheless, even the most professional and sophisticated antivirus utilities cannot be fully trusted as ransomware like HDDCryptor are often good at bypassing the defense. Frankly, any crack in your computer’s security can result in data loss. Thus, the people who have some important data on their devices should also consider data backup [5] option. It is a much more guaranteed technique of data protection as it involves storing the documents on external drives, disconnected from the network. Consequently, such data becomes inaccessible to the ransomware which works via the network. Please note that external storage drives are NOT resistant to the ransomware infections, so, in the case of the HDDCryptor, this infection has to be removed from the computer completely, before you try restoring files from these devices.
Remove HDDCryptor
If you are already thinking about the HDDCryptor removal, you should do a quick checkup of your gear. Make sure a reputable antivirus software is installed on the infected device and check it for the newest updates. Keep in mind that such utility should be obtained legally and have a full system scan function available. When everything’s set up, you can proceed with the virus elimination. Please be aware that HDDCryptor virus may struggle on its way out and prepare yourself for such a challenge. Please have the virus decontamination instructions at hand, in case your antivirus utility is blocked from running. You will find these instructions below next to the additional data recovery guide. If you still can’t remove HDDCryptor, do not hesitate to contact our experts via the Ask Us panel.
Getting rid of HDDCryptor virus. Follow these steps
Manual removal using Safe Mode
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove HDDCryptor using System Restore
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of HDDCryptor. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove HDDCryptor from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by HDDCryptor, you can use several methods to restore them:
Data Recovery Pro method
If you want to have quick data recovery results, you can try out specialized software like Data Recovery Pro. This software automatically scans the computer and tries to recover a variety of data types, so this solution is especially useful for the users who have less proficient computer skills. Below are the steps you will need to complete to recover your data using Data Recovery Pro.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by HDDCryptor ransomware;
- Restore them.
Windows Previous Versions feature method
First of all, we should note that the System Restore function is necessary for the Windows Previous Versions to work properly. If it has been enabled before the HDDCryptor virus attack, follow the steps provided below. If not — you can proceed to other methods of data recovery.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer method
ShadowExplorer method is a commonly used technique used for recovering data after ransomware infiltration. Nevertheless, it is not always successful because some ransomware delete the Volume Shadow Copies needed for the ShadowExplorer to recover your data. If HDDCryptor was not programmed to delete them, follow the steps below to recover your data:
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from HDDCryptor and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Choose a proper web browser and improve your safety with a VPN tool
Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.
Lost your files? Use data recovery software
While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.
To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.
- ^ Master Boot Record (MBR). Whatis from TechTarget.
- ^ Ransomware. Trend Micro blog.
- ^ Open-Source Tools. Techopedia: tech terms explained.
- ^ Matthew Braga. Carleton University computers infected with ransomware. CBC news. Technology and Science.
- ^ Lucia Danes. Preventing Locky virus: 5 tips for taking control. 2-spyware.com latest virus news.