HKCrypt ransomware is a now decryptable crypto-locker that demands 0.5 BTC after file encryption

HKCrypt ransomware is file locking malware that was first spotted back in September 2017, although it is still an active virus. Malware targets a variety of files after its entrance via spam emails, unprotected RDP, infected installers, fake updates, or other methods. It uses the RC4 encryption[1] algorithm to modify data and then appends .hacked extension (for this reason, the threat has also been called Hacked ransomware). The virus creates its own process and shows a fake Windows update window during the encryption process. In addition to file ciphering, HKCrypt ransomware also swaps the original desktop wallpaper to hacked.jpg and drops a ransom note that comes in four languages: English (@readme_English.txt or How_to_decrypt_files.txt), Italian (@Leggimi_decrypt_Italian.txt), and Spanish (@Readme_Spanish.txt). In the note, the attackers explain what happened to their data and that they need to transfer 0.5 BTC in order to retrieve a decryptor. Fortunately, thanks to Emsisoft security experts, HKCrypt ransomware is now decryptable.
| Name | HKCrypt ransomware |
| Also known as | Hacked ransomware |
| Type | Crypto virus |
| Cipher | RC4 |
| File extension | .hacked |
| Ransom note | @readme_English.txt, How_to_decrypt_files.txt, @Leggimi_decrypt_Italian.txt, @Readme_Spanish.txt |
| Related files | hacked.jpg, Hacked.exe |
| Contact email | payment.hkdecrypt@mail.ru |
| Ransom size | 0.5 BTC |
| Bitcoin wallet | 131mixvnmnijg1lDP3ZrTTakx3qJLpb675o |
| Decryptable? | Yes. Download the decryptor from Emsisoft |
| Termination | Use FortectIntego or other security application that can recognize[2] the threat |
HKCrypt virus can infect machines using variety of methods, including:
- Spam email attachments or hyperlinks;
- Unprotected Remote Desktop Protocol connections;[3]
- Fake updates;
- Repacked/pirated software or its cracks;
- Exploit kits, etc.
Once inside, HKCrypt ransomware runs a process (cmd.exe/C schtasks.exe/Create/sc minute/mo10/tn Microsoftfix/TR [malware_path]) that spawns a fake Windows Update window to mislead users and perform the encryption operation without interruptions. It also creates a new service Microsoftfix.
After that HKCrypt virus targets a variety of extensions, including .xlc, .mp3, .rar, .jpeg, .doc, .cpp, .xlsx, and many others, and then appends .hacked file extension, which prevents victims from opening any of them. After that, it will spawn a pop-up window and drop ransom notes in various languages on the desktop. The ransom note states the following:
All of your files were protected by a strong encryption with RSA4096
What happened to my files ?
Decrypting of your files is only possible with the help of private key and decrypHow can i get my files back ?
the only way to restore your files So, there are two ways you can choose
1- wait for a miracle and get your price doubled
2- or restore your data easy way if you have really valuable data
you better not waste your time, because there is no other way to get your files, except make
a paymentWhat should i do next ? Buy decryption key
1. Buy Bitcoin (https://blockchain.info)
2. Send amount of 0.5 BTC to address: 131mixVnmnijg1DPJZrTTakX3qJLpb675o
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at
payment.hkdecryp@protonmail.com
5. Write subject of your mail with : HACKED
6. Write content of your mail with : – Restore my files Bitcoin payment : (YOUR BITCOIN
TRANSACTION ID)
As we already mentioned, there is no need to pay cybercriminals as the decryptor is now released. But first, you have to focus on HKCrypt ransomware removal. You can accomplish that by using security software that can recognize the threat – we recommend using FortectIntego which is based on Avira scan engine.

Once you remove HKCrypt ransomware from the device, you should either connect your backup and copy the files over, use the official decryptor or take advantage of third-party software. Because the decryption tool is available, the additional recovery programs might not be required, but in a case, the tool does not work, we provide with a detailed guide how to use alternative recovery software below.
Be aware of tricks that hackers use to propagate ransomware
Attackers behind ransomware-type viruses are sophisticated people, so they come up with multiple different distribution methods to spread malware. One of the most common ways is to insert the malicious payload into spam email attachments or hyperlinks. Phishing emails are nothing new and are still just effective as it was a decade ago.
While email providers have built-in scanners that flag the suspicious emails, some of them might still slip through into your Inbox. Therefore, always watch for phishing signs, such as grammar or spelling mistakes, deceptive “From” address, body text that urges you to open the attachment or clicking on a link or facing some sort of consequences, etc. If you aren't sure, you should scan links or attachments with tools like Virus Total.
Other ways to protect yourself from ransomware:
- Install reputable security software with real-time scanning feature;
- Use firewall;
- Backup your files regularly;
- Patch your operating system and installed software as soon as updates are available;
- Do not trust fake Flash Player updates that pop-up on random sites;
- Use ad-blocker;
- Use strong passwords for all your accounts using a passwords manager and two-factor authentication.
Terminate HKCrypt ransomware infection and then proceed with file recovery
As we already mentioned, you need to remove HKCrypt ransomware before you can attempt to recover your data. To do that, you should employ reputable security software, such as FortectIntego, although other tools might do the job as well. In case the virus is tampering with your security software, you should take advantage of Safe Mode with Networking. We explain how to enter it below.
Once you are finished with HKCrypt ransomware removal, you can then download the decryptor created by security researchers from Emsisoft. Nevertheless, in some rare cases, it might not work for your files. In such a case, make use of your recovery instructions below – we provide the list of solutions together with download links.
Was this guide helpful?
Be the first to comment