Severity scale: 67/100

Remove HKCrypt ransomware (Removal Instructions) - Bonus: Decryption Steps

Removal by Gabriel E. Hall | Type: Ransomware

HKCrypt ransomware is a now decryptable crypto-locker that demands 0.5 BTC after file encryption

HKCrypt ransomware is a file locking virus that can be decrypted

HKCrypt ransomware is file-locking malware that was first spotted in September 2017 and is still active. After getting in via spam emails, unprotected RDP, infected installers, fake updates, or other methods, it targets a wide variety of files. It uses the RC4 encryption[1] algorithm to modify data and then appends the .hacked extension (for this reason, the threat has also been called Hacked ransomware). The virus creates its own process and shows a fake Windows Update window while encryption is in progress. In addition to encrypting files, HKCrypt ransomware swaps the original desktop wallpaper for hacked.jpg and drops a ransom note that comes in four languages: English (@readme_English.txt or How_to_decrypt_files.txt), Italian (@Leggimi_decrypt_Italian.txt), and Spanish (@Readme_Spanish.txt). In the note, the attackers explain what happened to the victims' data and demand a transfer of 0.5 BTC in exchange for a decryptor. Fortunately, thanks to Emsisoft security experts, HKCrypt ransomware is now decryptable.

Name: HKCrypt ransomware
Also known as: Hacked ransomware
Type: Crypto virus
Cipher: RC4
File extension: .hacked
Ransom note: @readme_English.txt, How_to_decrypt_files.txt, @Leggimi_decrypt_Italian.txt, @Readme_Spanish.txt
Related files: hacked.jpg, Hacked.exe
Contact email: payment.hkdecrypt@mail.ru
Ransom size: 0.5 BTC
Bitcoin wallet: 131mixvnmnijg1lDP3ZrTTakx3qJLpb675o
Decryptable? Yes. Download the decryptor from Emsisoft
Termination: Use Reimage Cleaner or another security application that can recognize[2] the threat

HKCrypt virus can infect machines using a variety of methods, including:

  • Spam email attachments or hyperlinks;
  • Unprotected Remote Desktop Protocol connections;[3]
  • Fake updates;
  • Repacked/pirated software or its cracks;
  • Exploit kits, etc.

Once inside, HKCrypt ransomware runs a process (cmd.exe /C schtasks.exe /Create /sc minute /mo 10 /tn Microsoftfix /TR [malware_path]) that spawns a fake Windows Update window to mislead users and perform the encryption operation without interruptions. It also creates a new service named Microsoftfix.

After that, HKCrypt virus targets a variety of file types, including .xlc, .mp3, .rar, .jpeg, .doc, .cpp, .xlsx, and many others, and appends the .hacked extension to each file, which prevents victims from opening any of them. It then spawns a pop-up window and drops ransom notes in various languages on the desktop. The ransom note states the following:

All of your files were protected by a strong encryption with RSA4096

What happened to my files ?
Decrypting of your files is only possible with the help of private key and decryp

How can i get my files back ? 
the only way to restore your files So, there are two ways you can choose
1- wait for a miracle and get your price doubled
2- or restore your data easy way if you have really valuable data
you better not waste your time, because there is no other way to get your files, except make 
a payment

What should i do next ? Buy decryption key
1. Buy Bitcoin (https://blockchain.info)
2. Send amount of  0.5 BTC to address: 131mixVnmnijg1DPJZrTTakX3qJLpb675o
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at 
payment.hkdecryp@protonmail.com
5. Write subject of your mail with :  HACKED
6. Write content of your mail with : – Restore my files Bitcoin payment : (YOUR BITCOIN 
TRANSACTION ID)

As we already mentioned, there is no need to pay cybercriminals, as the decryptor has now been released. But first, you have to focus on HKCrypt ransomware removal. You can accomplish that by using security software that can recognize the threat – we recommend using Reimage Cleaner, which is based on the Avira scan engine.
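The indicators described above can be turned into a triage check. This is an added example, not part of the original guide or any vendor tool: it parses process-creation command lines for the Microsoftfix task and classifies file paths against the extension and note names listed on this page. The function names, sample command lines and the path used for [malware_path] are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators as listed on this page.
TASK_NAME = "microsoftfix"
ENCRYPTED_EXT = ".hacked"
RANSOM_NOTES = {"@readme_english.txt", "how_to_decrypt_files.txt",
                "@leggimi_decrypt_italian.txt", "@readme_spanish.txt"}
RELATED_FILES = {"hacked.jpg", "hacked.exe"}

# "/switch [value]"; a value is a quoted string or a token not starting with "/".
SWITCH = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')

def parse_schtasks_create(cmdline):
    """Return {switch: value} for a 'schtasks /Create' command line, else None."""
    start = cmdline.lower().find("schtasks")
    if start < 0:
        return None
    opts = {m.group(1).lower(): (m.group(2) or "").strip('"')
            for m in SWITCH.finditer(cmdline[start:])}
    return opts if "create" in opts else None

def match_hkcrypt_task(cmdline):
    """Return None, or the schedule check and task action for a Microsoftfix task."""
    opts = parse_schtasks_create(cmdline)
    if opts is None or opts.get("tn", "").lower() != TASK_NAME:
        return None
    every_10 = opts.get("sc", "").lower() == "minute" and opts.get("mo") == "10"
    return {"schedule_matches": every_10, "action": opts.get("tr", "")}

def classify_file(path):
    """Map a Windows path to the indicator class it matches, or None."""
    name = PureWindowsPath(path).name.lower()
    if name in RANSOM_NOTES:
        return "ransom_note"
    if name in RELATED_FILES:
        return "related_file"
    return "encrypted_file" if name.endswith(ENCRYPTED_EXT) else None

# Constructed sample command lines (not captured from a real host).
SAMPLE_CMDLINES = [
    r'cmd.exe /C schtasks.exe /Create /SC MINUTE /MO 10 /TN Microsoftfix /TR "C:\Users\Public\Hacked.exe"',
    r'schtasks /Create /SC DAILY /TN BackupJob /TR C:\Tools\backup.cmd',
    r'schtasks /Query /TN Microsoftfix',
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(match_hkcrypt_task(cmd))
```

The "action" value in a match is the path the task launches, which is the file to quarantine before deleting the task.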

HKCrypt is a ransomware-type virus that uses the RC4 cipher to lock up data and then demands 0.5 BTC for a file decryptor

Once you remove HKCrypt ransomware from the device, you should either connect your backup and copy the files over, use the official decryptor, or take advantage of third-party software. Because the decryption tool is available, additional recovery programs might not be required, but in case the tool does not work, we provide a detailed guide on how to use alternative recovery software below.

Be aware of tricks that hackers use to propagate ransomware

Attackers behind ransomware-type viruses are sophisticated people, so they come up with multiple different distribution methods to spread malware. One of the most common ways is to insert the malicious payload into spam email attachments or hyperlinks. Phishing emails are nothing new and are still just as effective as they were a decade ago.

While email providers have built-in scanners that flag suspicious emails, some of them might still slip through into your Inbox. Therefore, always watch for phishing signs, such as grammar or spelling mistakes, a deceptive “From” address, body text that urges you to open the attachment or click on a link or else face some sort of consequences, etc. If you aren't sure, you should scan links or attachments with tools like Virus Total.

Other ways to protect yourself from ransomware:

  • Install reputable security software with a real-time scanning feature;
  • Use a firewall;
  • Back up your files regularly;
  • Patch your operating system and installed software as soon as updates are available;
  • Do not trust fake Flash Player updates that pop up on random sites;
  • Use an ad-blocker;
  • Use strong passwords for all your accounts, with a password manager and two-factor authentication.

Terminate HKCrypt ransomware infection and then proceed with file recovery

As we already mentioned, you need to remove HKCrypt ransomware before you can attempt to recover your data. To do that, you should employ reputable security software, such as Reimage Cleaner, although other tools might do the job as well. In case the virus is tampering with your security software, you should take advantage of Safe Mode with Networking. We explain how to enter it below.

Once you are finished with HKCrypt ransomware removal, you can then download the decryptor created by security researchers from Emsisoft. Nevertheless, in some rare cases, it might not work for your files. In such a case, make use of our recovery instructions below – we provide the list of solutions together with download links.


To remove HKCrypt virus, follow these steps:

Remove HKCrypt using Safe Mode with Networking

To remove HKCrypt virus without disruptions, enter Safe Mode with Networking:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove HKCrypt

    Log in to your infected account and start the browser. Download Reimage Cleaner or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete HKCrypt removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove HKCrypt using System Restore

System Restore is another method that can be used to terminate the ransomware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of HKCrypt. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download Reimage Cleaner, scan your computer with it, and make sure that HKCrypt removal was performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove HKCrypt from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by HKCrypt, you can use several methods to restore them:

Data Recovery Pro is a powerful tool that might help you

Do not pay the hackers if your files are locked with .hacked, as the official tool is now released. Also, you can make use of our alternative solutions that we provide below.

While Data Recovery Pro was not initially created to help ransomware victims, it might be of great use sometimes.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by HKCrypt ransomware;
  • Restore them.

Take advantage of Windows Previous Versions Feature

This method can only be used if you had the System Restore function enabled before the attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to the “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Under certain circumstances, ShadowExplorer might recover all your data

In case Hacked ransomware failed to delete Shadow Volume Copies, ShadowExplorer is the best tool to use for file recovery.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Make use of Emsisoft decryptor

Emsisoft security experts recently released an official decryptor that can be downloaded from here.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from HKCrypt and other ransomware, use a reputable anti-spyware program, such as Reimage Cleaner, SpyHunter 5, Combo Cleaner or Malwarebytes.
