HKCrypt ransomware (Removal Instructions) - Bonus: Decryption Steps
HKCrypt virus Removal Guide
What is HKCrypt ransomware?
HKCrypt ransomware is a now decryptable crypto-locker that demands 0.5 BTC after file encryption
HKCrypt ransomware is file-locking malware that was first spotted back in September 2017, although it is still an active virus. The malware targets a variety of files after it gains entry via spam emails, unprotected RDP, infected installers, fake updates, or other methods. It uses the RC4 encryption algorithm to modify data and then appends the .hacked extension (for this reason, the threat has also been called Hacked ransomware). The virus creates its own process and shows a fake Windows update window during the encryption process. In addition to file ciphering, HKCrypt ransomware also swaps the original desktop wallpaper to hacked.jpg and drops a ransom note that comes in four languages: English (@readme_English.txt or How_to_decrypt_files.txt), Italian (@Leggimi_decrypt_Italian.txt), and Spanish (@Readme_Spanish.txt). In the note, the attackers explain to victims what happened to their data and that they need to transfer 0.5 BTC in order to retrieve a decryptor. Fortunately, thanks to Emsisoft security experts, HKCrypt ransomware is now decryptable.
|Also known as|Hacked ransomware|
|Ransom note|@readme_English.txt, How_to_decrypt_files.txt, @Leggimi_decrypt_Italian.txt, @Readme_Spanish.txt|
|Related files|hacked.jpg, Hacked.exe|
|Ransom size|0.5 BTC|
|Decryptable?|Yes. Download the decryptor from Emsisoft|
|Termination|Use Restoro, Intego or another security application that can recognize the threat|
HKCrypt virus can infect machines using a variety of methods, including:
- Spam email attachments or hyperlinks;
- Unprotected Remote Desktop Protocol connections;
- Fake updates;
- Repacked/pirated software or its cracks;
- Exploit kits, etc.
Once inside, HKCrypt ransomware runs a process (cmd.exe /C schtasks.exe /Create /sc minute /mo 10 /tn Microsoftfix /TR [malware_path]) that spawns a fake Windows Update window to mislead users and perform the encryption operation without interruptions. The schtasks command registers a scheduled task named Microsoftfix that launches the malware every 10 minutes. It also creates a new service Microsoftfix.
After that, HKCrypt virus targets a variety of extensions, including .xlc, .mp3, .rar, .jpeg, .doc, .cpp, .xlsx, and many others, and then appends the .hacked file extension, which prevents victims from opening any of them. It then spawns a pop-up window and drops ransom notes in various languages on the desktop. The ransom note states the following:
All of your files were protected by a strong encryption with RSA4096
What happened to my files ?
Decrypting of your files is only possible with the help of private key and decryp
How can i get my files back ?
the only way to restore your files So, there are two ways you can choose
1- wait for a miracle and get your price doubled
2- or restore your data easy way if you have really valuable data
you better not waste your time, because there is no other way to get your files, except make
What should i do next ? Buy decryption key
1. Buy Bitcoin (https://blockchain.info)
2. Send amount of 0.5 BTC to address: 131mixVnmnijg1DPJZrTTakX3qJLpb675o
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at
5. Write subject of your mail with : HACKED
6. Write content of your mail with : – Restore my files Bitcoin payment : (YOUR BITCOIN
As we already mentioned, there is no need to pay cybercriminals as the decryptor is now released. But first, you have to focus on HKCrypt ransomware removal. You can accomplish that by using security software that can recognize the threat – we recommend using Restoro or Intego, which is based on the Avira scan engine.
Once you remove HKCrypt ransomware from the device, you should either connect your backup and copy the files over, use the official decryptor, or take advantage of third-party software. Because the decryption tool is available, additional recovery programs might not be required, but in case the tool does not work, we provide a detailed guide on how to use alternative recovery software below.
Be aware of tricks that hackers use to propagate ransomware
Attackers behind ransomware-type viruses are sophisticated people, so they come up with multiple different distribution methods to spread malware. One of the most common ways is to insert the malicious payload into spam email attachments or hyperlinks. Phishing emails are nothing new and are still just as effective as they were a decade ago.
While email providers have built-in scanners that flag suspicious emails, some of them might still slip through into your Inbox. Therefore, always watch for phishing signs, such as grammar or spelling mistakes, a deceptive “From” address, body text that urges you to open an attachment or click on a link or else face some sort of consequences, etc. If you aren't sure, you should scan links or attachments with tools like VirusTotal.
Other ways to protect yourself from ransomware:
- Install reputable security software with a real-time scanning feature;
- Use a firewall;
- Back up your files regularly;
- Patch your operating system and installed software as soon as updates are available;
- Do not trust fake Flash Player updates that pop up on random sites;
- Use an ad-blocker;
- Use strong passwords for all your accounts, together with a password manager and two-factor authentication.
Terminate HKCrypt ransomware infection and then proceed with file recovery
As we already mentioned, you need to remove HKCrypt ransomware before you can attempt to recover your data. To do that, you should employ reputable security software, such as Restoro or Intego, although other tools might do the job as well. In case the virus is tampering with your security software, you should take advantage of Safe Mode with Networking. We explain how to enter it below.
Once you are finished with HKCrypt ransomware removal, you can then download the decryptor created by security researchers from Emsisoft. Nevertheless, in some rare cases, it might not work for your files. In such a case, make use of the recovery instructions below – we provide the list of solutions together with download links.
Getting rid of HKCrypt virus. Follow these steps
Manual removal using Safe Mode
To remove HKCrypt virus without disruptions, enter Safe Mode with Networking:
The manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal is best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on the Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find the Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to the Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to the Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
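The Startup tab checked in Step 3 does not list scheduled tasks, so the Microsoftfix task that the schtasks command creates has to be checked separately. The PowerShell script below is an added example, not part of the original guide or of any vendor tool; it looks for that task and for the file names listed on this page, and the $Root default is an assumption.

```powershell
# Added example: triage for the HKCrypt indicators named in this guide.
# Run from an elevated prompt. $Root is an assumed default; point it at the drive to check.
param([string]$Root = "$env:SystemDrive\Users")

# Indicator names taken from this page.
$TaskName  = 'Microsoftfix'
$NoteNames = '@readme_English.txt', 'How_to_decrypt_files.txt',
             '@Leggimi_decrypt_Italian.txt', '@Readme_Spanish.txt'
$DropNames = 'hacked.jpg', 'Hacked.exe'

# 1. Persistence: the scheduled task registered by the schtasks command.
#    schtasks.exe is queried directly so the check also works on Windows 7.
#    The field names matched below are the English ones; the output is localized.
$taskInfo = & schtasks.exe /Query /TN $TaskName /V /FO LIST 2>$null
if ($LASTEXITCODE -eq 0) {
    Write-Warning "Scheduled task '$TaskName' is present:"
    $taskInfo | Select-String 'Task To Run|Next Run Time|Run As User'
    # Record the 'Task To Run' path (the malware binary), then remove the task:
    #   schtasks.exe /Delete /TN Microsoftfix /F
} else {
    Write-Output "Scheduled task '$TaskName' not found."
}

# 2. The guide also mentions a service with the same name.
$svc = Get-Service -Name $TaskName -ErrorAction SilentlyContinue
if ($svc) { Write-Warning "Service '$TaskName' exists (status: $($svc.Status))." }

# 3. Files: ransom notes, dropped files and encrypted data (.hacked).
$files = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
         Where-Object { -not $_.PSIsContainer }
$notes     = @($files | Where-Object { $NoteNames -contains $_.Name })
$dropped   = @($files | Where-Object { $DropNames -contains $_.Name })
$encrypted = @($files | Where-Object { $_.Extension -eq '.hacked' })

Write-Output ("{0} ransom notes, {1} dropped files, {2} .hacked files under {3}" -f
    $notes.Count, $dropped.Count, $encrypted.Count, $Root)
($notes + $dropped) | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# Folders with the most encrypted files show how far encryption got.
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 4. Recovery option: list shadow copies that survived (needs elevation).
& vssadmin.exe list shadows
```

If the task is present, note the path shown under "Task To Run" before deleting it, since that is where the malware binary sits.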
Remove HKCrypt using System Restore
System Restore is another method that can be used to terminate the ransomware:
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point that is prior to the infiltration of HKCrypt. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove HKCrypt from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by HKCrypt, you can use several methods to restore them:
Data Recovery Pro is a powerful tool that might help you
Do not pay the hackers if your files are locked with .hacked, as the official tool is now released. Also, you can make use of our alternative solutions that we provide below.
While Data Recovery Pro was not initially created to help ransomware victims, it might sometimes be of great use.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by HKCrypt ransomware;
- Restore them.
Take advantage of Windows Previous Versions Feature
This method can only be used if you had the System Restore function enabled before the attack.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of the available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
Under certain circumstances, ShadowExplorer might recover all your data
In case Hacked ransomware failed to delete Shadow Volume Copies, ShadowExplorer is the best tool to use for file recovery.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow the Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Make use of Emsisoft decryptor
Emsisoft security experts recently released an official decryptor that can be downloaded from here.
Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from HKCrypt and other ransomware, use a reputable anti-spyware, such as Restoro, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.
How to prevent getting ransomware
Back up files for later use, in case of a malware attack
Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.
When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.