HKCrypt ransomware (Removal Instructions) - Bonus: Decryption Steps

HKCrypt virus Removal Guide

What is HKCrypt ransomware?

HKCrypt ransomware is a now decryptable crypto-locker that demands 0.5 BTC after file encryption

HKCrypt ransomwareHKCrypt ransomware is a file locking virus that can be decrypted

HKCrypt ransomware is file locking malware that was first spotted back in September 2017, although it is still an active virus. Malware targets a variety of files after its entrance via spam emails, unprotected RDP, infected installers, fake updates, or other methods. It uses the RC4 encryption[1] algorithm to modify data and then appends .hacked extension (for this reason, the threat has also been called Hacked ransomware). The virus creates its own process and shows a fake Windows update window during the encryption process. In addition to file ciphering, HKCrypt ransomware also swaps the original desktop wallpaper to hacked.jpg and drops a ransom note that comes in four languages: English (@readme_English.txt or How_to_decrypt_files.txt), Italian (@Leggimi_decrypt_Italian.txt), and Spanish (@Readme_Spanish.txt). In the note, the attackers explain what happened to their data and that they need to transfer 0.5 BTC in order to retrieve a decryptor. Fortunately, thanks to Emsisoft security experts, HKCrypt ransomware is now decryptable.

Name HKCrypt ransomware
Also known as Hacked ransomware
Type Crypto virus
Cipher RC4
File extension .hacked
Ransom note @readme_English.txt, How_to_decrypt_files.txt, @Leggimi_decrypt_Italian.txt, @Readme_Spanish.txt
Related files hacked.jpg, Hacked.exe
Contact email payment.hkdecrypt@mail.ru
Ransom size 0.5 BTC
Bitcoin wallet 131mixvnmnijg1lDP3ZrTTakx3qJLpb675o
Decryptable? Yes. Download the decryptor from Emsisoft
Termination Use FortectIntego or other security application that can recognize[2] the threat

HKCrypt virus can infect machines using variety of methods, including:

  • Spam email attachments or hyperlinks;
  • Unprotected Remote Desktop Protocol connections;[3]
  • Fake updates;
  • Repacked/pirated software or its cracks;
  • Exploit kits, etc.

Once inside, HKCrypt ransomware runs a process (cmd.exe/C schtasks.exe/Create/sc minute/mo10/tn Microsoftfix/TR [malware_path]) that spawns a fake Windows Update window to mislead users and perform the encryption operation without interruptions. It also creates a new service Microsoftfix.

After that HKCrypt virus targets a variety of extensions, including .xlc, .mp3, .rar, .jpeg, .doc, .cpp, .xlsx, and many others, and then appends .hacked file extension, which prevents victims from opening any of them. After that, it will spawn a pop-up window and drop ransom notes in various languages on the desktop. The ransom note states the following:

All of your files were protected by a strong encryption with RSA4096

What happened to my files ?
Decrypting of your files is only possible with the help of private key and decryp

How can i get my files back ?
the only way to restore your files So, there are two ways you can choose
1- wait for a miracle and get your price doubled
2- or restore your data easy way if you have really valuable data
you better not waste your time, because there is no other way to get your files, except make
a payment

What should i do next ? Buy decryption key
1. Buy Bitcoin (https://blockchain.info)
2. Send amount of 0.5 BTC to address: 131mixVnmnijg1DPJZrTTakX3qJLpb675o
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at
payment.hkdecryp@protonmail.com
5. Write subject of your mail with : HACKED
6. Write content of your mail with : – Restore my files Bitcoin payment : (YOUR BITCOIN
TRANSACTION ID)

As we already mentioned, there is no need to pay cybercriminals as the decryptor is now released. But first, you have to focus on HKCrypt ransomware removal. You can accomplish that by using security software that can recognize the threat – we recommend using FortectIntego which is based on Avira scan engine.

HKCrypt ransomware virusHKCrypt is a ransomware-type virus that uses RC4 cipher to lock up data and then demands 0.5 BTC for file decryptor

Once you remove HKCrypt ransomware from the device, you should either connect your backup and copy the files over, use the official decryptor or take advantage of third-party software. Because the decryption tool is available, the additional recovery programs might not be required, but in a case, the tool does not work, we provide with a detailed guide how to use alternative recovery software below.

Be aware of tricks that hackers use to propagate ransomware

Attackers behind ransomware-type viruses are sophisticated people, so they come up with multiple different distribution methods to spread malware. One of the most common ways is to insert the malicious payload into spam email attachments or hyperlinks. Phishing emails are nothing new and are still just effective as it was a decade ago.

While email providers have built-in scanners that flag the suspicious emails, some of them might still slip through into your Inbox. Therefore, always watch for phishing signs, such as grammar or spelling mistakes, deceptive “From” address, body text that urges you to open the attachment or clicking on a link or facing some sort of consequences, etc. If you aren't sure, you should scan links or attachments with tools like Virus Total.

Other ways to protect yourself from ransomware:

  • Install reputable security software with real-time scanning feature;
  • Use firewall;
  • Backup your files regularly;
  • Patch your operating system and installed software as soon as updates are available;
  • Do not trust fake Flash Player updates that pop-up on random sites;
  • Use ad-blocker;
  • Use strong passwords for all your accounts using a passwords manager and two-factor authentication.

Terminate HKCrypt ransomware infection and then proceed with file recovery

As we already mentioned, you need to remove HKCrypt ransomware before you can attempt to recover your data. To do that, you should employ reputable security software, such as FortectIntego, although other tools might do the job as well. In case the virus is tampering with your security software, you should take advantage of Safe Mode with Networking. We explain how to enter it below.

Once you are finished with HKCrypt ransomware removal, you can then download the decryptor created by security researchers from Emsisoft. Nevertheless, in some rare cases, it might not work for your files. In such a case, make use of your recovery instructions below – we provide the list of solutions together with download links.

Offer
do it now!
Download
Fortect Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of HKCrypt virus. Follow these steps

Manual removal using Safe Mode

To remove HKCrypt virus without disruptions, enter Safe Mode with Networking:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove HKCrypt using System Restore

System Restore is another method that can be used to terminate the ransomware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of HKCrypt. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that HKCrypt removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove HKCrypt from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by HKCrypt, you can use several methods to restore them:

Data Recovery Pro is a powerful tool that might help you

Do not pay the hackers if your files are locked with .hacked, as the official tool is now released. Also, you can make use of our alternative solutions that we provide below.

While Data Recovery Pro is not initially created to help ransomware victims, it might be a great use sometimes.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by HKCrypt ransomware;
  • Restore them.

Take advantage of Windows Previous Versions Feature

This method can only be activated if you had System Restore function enabled before the attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Under certain circumstances, ShadowExplorer might recover all your data

In case Hacked ransomware failed to delete Shadow Volume Copies, ShadowExplorer is the best tool to use for file recovery.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Make use of Emsisoft decryptor

Emsisoft security experts recently released an official decryptor that can be downloaded from here.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from HKCrypt and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions

References