
HydraCrypt Ransomware

Posted: February 4, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 35
First Seen: February 4, 2016
Last Seen: March 13, 2021
OS(es) Affected: Windows


The HydraCrypt Ransomware is a Trojan that encrypts the files on your PC and then sells a decryption solution. Its delivery strategies focus on using compromised Websites and browser exploits to install itself automatically, leaving victims unaware of the security breach until the Trojan takes their files hostage. A combination of robust backups, heavy browser security, and active anti-malware programs should be able to block any permanent damage from the HydraCrypt Ransomware's payload and remove the HydraCrypt Ransomware from infected PCs, when appropriate.

When Your Browser Says 'Hail Hydra... Ransomware'

The HydraCrypt Ransomware is a new threat in the ongoing EITest campaign, a threat-delivering strategy that embeds Flash loaders for the Angler Exploit Kit (or EK) on hacked Websites. Thousands of Websites are unwilling assistants in this campaign, and detection is complicated by the fact that the redirects monitor their Web traffic and trigger only once per victim. PC users with sufficiently insecure Web browsers who visit a compromised site, such as the HarbourFront Centre NPO's homepage, are forced through a drive-by download of the HydraCrypt Ransomware with no visible symptoms.

The HydraCrypt Ransomware is a typical file encryptor: it scans for non-OS files, such as documents or images, and submits them to an encryption routine. Post-encryption, the files are unreadable and can be identified by the HydraCrypt Ransomware's file name changes: an extra extension referencing the threat's name and a unique ID number. As is almost always true for file-encrypting threats, victims might be tempted to try deleting the new extensions to restore their files, but malware experts found the new names fundamentally irrelevant to the underlying encryption; renaming the files does not decrypt them.
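The point that the appended extension is cosmetic can be checked during triage rather than taken on faith. The script below is an added example written for this article, not code from the original page or from any vendor tool: it strips a ransomware-style suffix from a file name, then checks whether the content still begins with the magic bytes its original extension implies and how close its byte entropy is to 8 bits per byte. The suffix format (".hydracrypt_id<digits>") and the sample files are constructed assumptions for illustration; the actual HydraCrypt suffix is not reproduced here.

```python
import math
import os
import re
from collections import Counter

# Constructed suffix pattern: the threat name plus a victim ID appended after the
# original extension, e.g. "report.pdf.hydracrypt_id12345". Hypothetical format;
# substitute the exact suffix observed in an incident.
APPENDED_EXT = re.compile(r"\.hydracrypt_id\d+$", re.IGNORECASE)

# Leading magic bytes of a few common document and image formats.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",  # OOXML documents are zip containers
}

ENTROPY_THRESHOLD = 7.0  # bits per byte; plain documents and images rarely reach this


def original_name(name):
    """Strip the appended ransomware suffix; return None if the file is not flagged."""
    return APPENDED_EXT.sub("", name) if APPENDED_EXT.search(name) else None


def shannon_entropy(data):
    """Entropy in bits per byte; output of a sound cipher sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(name, data):
    """True/False if the content starts with the magic bytes implied by the
    extension of `name`; None when that extension is not in MAGIC."""
    sig = MAGIC.get(os.path.splitext(name)[1].lower())
    return None if sig is None else data.startswith(sig)


def triage_bytes(name, data):
    """Decide whether renaming alone could recover a file, from its name and content."""
    orig = original_name(name)
    entropy = shannon_entropy(data)
    if orig is None:
        header_ok = header_matches(name, data)
        verdict = "intact" if header_ok else "unrecognised"
    else:
        header_ok = header_matches(orig, data)
        if header_ok is False or entropy >= ENTROPY_THRESHOLD:
            verdict = "encrypted: dropping the suffix will not restore it"
        else:
            verdict = "suffix present but content looks intact"
    return {"name": name, "original_name": orig, "header_ok": header_ok,
            "entropy": round(entropy, 2), "verdict": verdict}


def triage_directory(root):
    """Walk a directory tree and triage every regular file (reads the first 4 KiB)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            with open(os.path.join(dirpath, fname), "rb") as fh:
                results.append(triage_bytes(fname, fh.read(4096)))
    return results


if __name__ == "__main__":
    # Constructed samples: an intact JPEG-like file, and a file carrying the suffix
    # whose content is random bytes standing in for ciphertext.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 2000,
        "photo.jpg.hydracrypt_id12345": os.urandom(4096),
    }
    for n, d in samples.items():
        print(triage_bytes(n, d))
```

Run `triage_directory()` against a copy of the affected tree, never the originals: a file whose stripped name implies a JPEG but whose bytes neither start with the JPEG header nor drop below the entropy threshold is encrypted regardless of what it is called, which is exactly why a rename cannot recover it.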

The HydraCrypt Ransomware uses both image files and text documents for its ransom notes, which request cash payments, along with the transfer of the ID number, before its admin will supposedly provide a decryption service. Somewhat whimsically, the HydraCrypt Ransomware's note design shows some overlap between threat authors and comic book fans by including direct references to Marvel's 'Hydra' organization of Nazi super-villains.

Lopping Off the Heads of a Data Encryptor

Aesthetics aside, the HydraCrypt Ransomware has shown most of the expected characteristics and limitations of other file encryptors. By keeping copies of your files in safe locations, such as removable devices or Web servers, you can preserve all data without needing to overcome the HydraCrypt Ransomware's encryption routine. Means of keeping your browser safe from exploit kits include updating all software (which reduces the availability of vulnerabilities), blocking scripted content (a linchpin in many Web attacks), and using anti-malware tools that can detect and block sites loading harmful content.

Malware experts also emphasize that domains responsible for installing the HydraCrypt Ransomware are not necessarily intentionally threatening, and often are merely the subject of lax Web security standards or misfortune. Web admins should be notified whenever appropriate, and be made aware that the attack scripts may respond differently to repeat traffic from the same IP addresses.
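For a Web admin checking whether a site has been drafted into a campaign like EITest, the two facts above matter together: the injected content is a Flash loader pointing off-site, and the redirect may only fire on the first visit from a given address. The scanner below is an added example written for this article, not code from the original page or from any named organisation: it parses saved HTML, reports `<object>`, `<embed>` and `<param name="movie">` references to `.swf` content on hosts outside an allow-list, and compares two snapshots so that a finding present on the first fetch but gone on the repeat stands out. The allow-listed hosts and both HTML snapshots are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: origins this site is known to serve Flash content from.
TRUSTED_HOSTS = {"www.example-npo.org", "cdn.example-npo.org"}


class FlashLoaderScanner(HTMLParser):
    """Collects Flash (.swf) references whose host is not on the allow-list."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = trusted_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names
        urls = []
        if tag in ("embed", "object"):
            urls += [a[k] for k in ("src", "data") if a.get(k)]
        elif tag == "param" and (a.get("name") or "").lower() == "movie" and a.get("value"):
            urls.append(a["value"])
        for url in urls:
            self._check(tag, url)

    def _check(self, tag, url):
        path = url.lower().split("?", 1)[0]
        host = urlparse(url).hostname or ""  # "" means a relative, same-origin URL
        # Same-origin .swf files are left to a review of the site's own content;
        # an off-site loader on an unknown host is what the campaign plants.
        if path.endswith(".swf") and host and host not in self.trusted:
            self.findings.append({"tag": tag, "url": url, "host": host})


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of off-site Flash references found in one HTML snapshot."""
    scanner = FlashLoaderScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def compare_snapshots(first_html, second_html, trusted_hosts=TRUSTED_HOSTS):
    """Split findings into those seen only on the first fetch and those seen on both.
    A first-only loader is consistent with a redirect that fires once per visitor."""
    first = {f["url"] for f in scan_html(first_html, trusted_hosts)}
    second = {f["url"] for f in scan_html(second_html, trusted_hosts)}
    return {"first_only": sorted(first - second), "both": sorted(first & second)}


# Constructed snapshots: the first fetch carries a hidden 1x1 loader from an
# unrelated host, the repeat fetch from the same address does not.
FIRST_VISIT = """<html><body><p>Welcome</p>
<object data="http://cdn.example-npo.org/player.swf"></object>
<div style="visibility:hidden"><embed src="http://injected.example.net/x/loader.swf"
 width="1" height="1"></embed></div>
</body></html>"""

REPEAT_VISIT = """<html><body><p>Welcome</p>
<object data="http://cdn.example-npo.org/player.swf"></object>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(FIRST_VISIT))
    print(compare_snapshots(FIRST_VISIT, REPEAT_VISIT))
```

Because the injected redirect keys on visitor traffic, a single fetch from the admin's own workstation may show a clean page; capturing snapshots from more than one network location and feeding them to `compare_snapshots()` is the practical way to confirm or rule out the injection.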

Finally, deleting the HydraCrypt Ransomware should be undertaken with all of the care you would give to uninstalling any high-level threat capable of exerting significant control over an infected computer. Use standard security procedures that can disable the HydraCrypt Ransomware, and then let your anti-malware products use automated means of removing all threats.

Unfortunately, there is no public decryptor available for the HydraCrypt Ransomware, which means that for incautious PC users, this software 'super-villain' could leave a lingering mark on their hard drives.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: HydraCrypt.exe
Size: 167.93 KB (167936 bytes)
MD5: 08b304d01220f9de63244b4666621bba
Detection count: 9
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\Desktop\Malware\HydraCrypt\HydraCrypt.exe
Group: Malware file
Last Updated: November 16, 2021

File name: file.exe
Size: 155.64 KB (155648 bytes)
MD5: 7469c1ee0827a289fa775f4a5656e5f9
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 7, 2020

File name: file.exe
Size: 167.93 KB (167936 bytes)
MD5: 5f2d13576e4906501c91b8bf400e0890
Detection count: 1
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: February 4, 2016
