HydraCrypt Ransomware
Posted: February 4, 2016
Threat Level: | 10/10 |
---|---|
Infected PCs: | 35 |
First Seen: | February 4, 2016 |
Last Seen: | March 13, 2021 |
OS(es) Affected: | Windows |
The HydraCrypt Ransomware is a Trojan that encrypts the files on your PC and then sells a decryption solution. Its delivery strategies focus on using compromised Websites and browser exploits to install itself automatically, leaving victims unaware of the security breach until the Trojan takes their files hostage. A combination of robust backups, heavy browser security, and active anti-malware programs should be able to block any permanent damage from the HydraCrypt Ransomware's payload and, when appropriate, remove the HydraCrypt Ransomware from infected PCs.
When Your Browser Says 'Hail Hydra... Ransomware'
The HydraCrypt Ransomware is a new threat in the ongoing EITest campaign, a threat-delivering strategy that embeds Flash loaders for the Angler Exploit Kit (or EK) on hacked Websites. Thousands of Websites are unwilling assistants in this campaign, and detection is complicated by the fact that the redirects monitor Web traffic and trigger only once per victim. PC users with sufficiently insecure Web browsers who visit a compromised site, such as the homepage of the HarbourFront Centre NPO, are forced through a drive-by-download of the HydraCrypt Ransomware with no visible symptoms.
The HydraCrypt Ransomware is a typical file encryptor: it scans for non-OS files, such as documents or images, and submits them to an encryption routine. Post-encryption, the files are unreadable and can be identified by the HydraCrypt Ransomware's file name changes: an extra extension referencing the threat's name and a unique ID number. As is almost always true for file-encrypting threats, victims might be tempted to delete the new extensions to restore their files, but malware experts found the new names fundamentally irrelevant to the underlying encryption process.
The HydraCrypt Ransomware uses both image files and text documents for its ransom notes, which request cash payments, along with transfer of the ID number, before its admin will supposedly provide a decryption service. Somewhat whimsically, the HydraCrypt Ransomware's note design shows some overlap between threat authors and comic book fans by including direct references to Marvel's 'Hydra' organization of Nazi super-villains.
Lopping Off the Heads of a Data Encryptor
Aesthetics aside, the HydraCrypt Ransomware has shown most of the expected characteristics and limitations of other file encryptors. By keeping your files in safe locations, such as removable devices or Web servers, you can preserve all data without needing to overcome the HydraCrypt Ransomware's encryption routine. Means of keeping your browser safe from exploit kits include updating all software (which reduces the availability of vulnerabilities), blocking scripted content (a lynchpin in many Web attacks), and using anti-malware tools that can detect and block sites loading harmful content.
Malware experts also emphasize that domains responsible for installing the HydraCrypt Ransomware are not necessarily intentionally threatening, and often are merely the subject of lax Web security standards or misfortune. Web admins should be notified whenever appropriate, and be made aware that the attack scripts may respond differently to repeat traffic from the same IP addresses.
Finally, deleting the HydraCrypt Ransomware should be undertaken with all of the care you would give to uninstalling any high-level threat capable of exerting significant control over an infected computer. Use standard security procedures that can disable the HydraCrypt Ransomware, and then let your anti-malware products use automated means of removing all threats.
Unfortunately, there is no public decryptor available for the HydraCrypt Ransomware, which means that for incautious PC users, this software 'super-villain' could leave a lingering mark on their hard drives.
Technical Details
File System Modifications
The following files were created in the system:
C:\Users\<username>\Desktop\Malware\HydraCrypt\HydraCrypt.exe
File name: HydraCrypt.exe
Size: 167.93 KB (167936 bytes)
MD5: 08b304d01220f9de63244b4666621bba
Detection count: 9
File type: Executable File
Mime Type: unknown/exe
Path: C:\Users\<username>\Desktop\Malware\HydraCrypt\HydraCrypt.exe
Group: Malware file
Last Updated: November 16, 2021
file.exe
File name: file.exe
Size: 155.64 KB (155648 bytes)
MD5: 7469c1ee0827a289fa775f4a5656e5f9
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 7, 2020
file.exe
File name: file.exe
Size: 167.93 KB (167936 bytes)
MD5: 5f2d13576e4906501c91b8bf400e0890
Detection count: 1
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: February 4, 2016
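The MD5 values and byte sizes listed above can be checked against a directory tree during triage. The following sweep is an added example, not part of the original page or of any vendor tool; the function names `md5_of` and `sweep` are this example's own, and a match identifies only these exact three samples, not repacked variants.

```python
import hashlib
import os
import sys

# MD5 -> size in bytes, copied from the file list in "Technical Details" above.
IOCS = {
    "08b304d01220f9de63244b4666621bba": 167936,
    "7469c1ee0827a289fa775f4a5656e5f9": 155648,
    "5f2d13576e4906501c91b8bf400e0890": 167936,
}


def md5_of(path, chunk=1 << 16):
    """Hash a file in fixed-size chunks so large files are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, iocs=IOCS):
    """Walk root and return (matches, unreadable).

    Size is a cheap pre-filter: only files whose length equals one of the
    listed sizes are hashed. Unreadable paths are reported, not ignored,
    because a locked or permission-denied file is a coverage gap.
    """
    sizes = set(iocs.values())
    matches, unreadable = [], []
    walker = os.walk(root, onerror=lambda err: unreadable.append(err.filename))
    for dirpath, _dirs, files in walker:
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) not in sizes:
                    continue
                digest = md5_of(path)
            except OSError:
                unreadable.append(path)
                continue
            if digest in iocs:
                matches.append((path, digest))
    return matches, unreadable


if __name__ == "__main__":
    hits, skipped = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, digest in hits:
        print(f"MATCH {digest} {path}")
    print(f"{len(hits)} match(es), {len(skipped)} unreadable path(s)")
    sys.exit(1 if hits else 0)
```

Run it against a mounted image or a copy of the user profile rather than the live system where possible, and treat any unreadable paths as locations still to be checked.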