[HydraCrypt ransomware]
[Virus/Malware Activity Report: HydraCrypt Ransomware]
An intrusion believed to involve HydraCrypt ransomware has occurred,
so we describe the situation and issue the following warning.
HydraCrypt ransomware
The ransomware is called HydraCrypt and appears to rename all files to the following form: <existing name.existing extension.hydracrypt_ID_private key>.
How it works
File version
[Figure 1 File version]
[Figure 2 File properties]
Behavioral process
Stop VSS service
The ransomware stops the Windows Volume Shadow Copy Service (VSS) so that files cannot be restored later.
[Figure 3 Stop VSS service]
Check and delete shadow copies
After encryption, the ransomware deletes the shadow copies with a CMD command to make the files difficult to recover.
[Figure 4 Check and delete shadow copies]
Infection results
An information file named README_DECRYPT_HYDRA_ID_private key.txt is created on the desktop, and when encryption is performed, files are renamed to <existing name.existing extension.hydracrypt_ID_private key>.
[Figure 5 Infection result 1]
[Figure 6 Infection result 2]
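The indicators described above (the stopped VSS service, the shadow copy check and deletion, the renamed files and the README note) can be looked for with a short triage script. This is an added example, not part of the original report or of White Defender; the ID character set, the command-line forms matched (the report's screenshots do not survive in the text) and all sample paths and commands are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Name patterns from the report; the ID character set is an assumption.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.hydracrypt_ID_(?P<id>[0-9A-Za-z]+)$", re.I)
NOTE_RE = re.compile(r"^README_DECRYPT_HYDRA_ID_(?P<id>[0-9A-Za-z]+)\.txt$", re.I)
# Assumed common command forms for the behaviours the report names (not from the sample).
COMMAND_RULES = [
    ("stop_vss", re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+vss\b", re.I)),
    ("list_shadows", re.compile(r"\bvssadmin(\.exe)?\s+list\s+shadows\b", re.I)),
    ("delete_shadows", re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
]

def triage_files(paths):
    """Group renamed files and ransom notes by the ID embedded in their names."""
    by_id = defaultdict(lambda: {"encrypted": [], "notes": []})
    for path in paths:
        name = re.split(r"[\\/]", path)[-1]  # last component, Windows or POSIX
        note, enc = NOTE_RE.match(name), ENCRYPTED_RE.match(name)
        if note:
            by_id[note.group("id")]["notes"].append(path)
        elif enc:  # keep the pre-encryption name for restore planning
            by_id[enc.group("id")]["encrypted"].append((path, enc.group("orig")))
    return dict(by_id)

def triage_commands(command_lines):
    """Return (rule, command line) for each process command line that matches a rule."""
    hits = []
    for cmd in command_lines:
        hits += [(name, cmd) for name, rx in COMMAND_RULES if rx.search(cmd)]
    return hits

# Constructed sample data, not taken from a real host.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.hydracrypt_ID_1a2b3c4d",
    r"C:\Users\alice\Pictures\photo.jpg.hydracrypt_ID_1a2b3c4d",
    r"C:\Users\alice\Desktop\README_DECRYPT_HYDRA_ID_1a2b3c4d.txt",
    r"C:\Users\alice\Documents\notes.txt",
]
SAMPLE_COMMANDS = [
    "cmd.exe /c net stop vss",
    "vssadmin.exe List Shadows",
    "vssadmin.exe Delete Shadows /All /Quiet",
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    print(triage_files(SAMPLE_PATHS))
    print(triage_commands(SAMPLE_COMMANDS))
```

Feed `triage_files` a recursive file listing and `triage_commands` the command lines from process-creation logs; a shadow copy rule hit followed by files grouped under one ID matches the sequence the report describes.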
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block takes effect.
[Figure 7 Block message]
[Figure 8 Block message]
[Figure 9 Block message]