HydraCrypt and UmbreCrypt are the two new Ransomware variants from the CrypBoss Ransomware family. Once successful in breaching your PC security, HydraCrypt and UmbreCrypt can lock your computer and deny access to your own files. The files infected would have unknown extensions and you will see a pop up demanding payment for decrypting your files. But there is some good news! Recently released Emsisoft Decrypter is offering a solution – in case you have been infected with HydraCrypt and UmbreCrypt ransomware infections.
Emsisoft Decrypter has its roots from Fabian Wosar research while he was analyzing CrypBoss Ransomware whose source code was leaked on pastebin last year. Being able to find a flaw in the source code, Fabian released a decrypter for CrypBoss last year. Although HydraCrypt and UmbreCrypt has different encryption scheme, the original research gave birth to Decrypter for HydraCrypt and UmbreCrypt Ransomware as well.
HydraCrypt and UmbreCrypt Ransomware
Both HydraCrypt and UmbreCrypt, work on the same functionality that involves encrypting files based upon their file extension using a strong asymmetric encryption methodology. Both ransomware programs install third party attacking software on the infected machine, deleting the shadow copy of the files and in the process making it impossible to restore them.
The only notable difference between the two ransomware is the way they show up the threat to the victim.
- If your PC is infected with Hydracrypt Ransomware, you are likely to get a pop up giving you a warning of 72 hours to pay the ransom.
- UmbreCrypt follows almost a similar script as Hydracrypt asking the victim to process to send an email to one of two addresses -“UmbreCrypt @engineer.com” and “UmbreCrypt @consultant.com”. In case of Hydracrypt, the victim had to contact Xhelper@dr.com or email@example.com.
Once the email is sent, someone from UmbreCrypt team responds with the ransom amount. As shown above, attackers have even provided the email format, warning victims against sending any emails with threats or rudeness.
Read: How to prevent Ransomware.
Recovering files with Emsisoft Decrypter
Emsisoft Decrypter is a freeware that can recover encrypted files. To start with the decryption process, the application first has to determine the correct decryption key for the system. Here is a short step by step process describing the same:
Step 1: Locate any encrypted file on your system, where you have the original unencrypted version of the file as well. If you can’t find such pair of files, look for an encrypted PNG file and get any random PNG image from the internet.
Step 2: Select both the files, and drag and drop them onto the decrypter executable. Ensure that both files are dragged and dropped at the same time.
Step 3: The Emsisoft decrypter then tries to determine the encryption key for your system based on the two files that were provided. This process can be rather time consuming and depending on your CPU and system can take up to several days.
Step 4: Once the decryption key is determined, you will get a pop up message.
Step 5: Just click OK, and the Emsisoft decrypter will start the process. Ensure that you drag and drop the correct files else you may get an error message. If you did, you may have either been targeted by a completely different malware family or by a new variant that this decrypter doesn’t support yet. All folders you add to the folder list will be decrypted recursively, which means files located in the sub-folders of the selected folder will be decrypted as well.
It is suggested to try the Decryter on a limited number of files and see the effect before going for the bulk of files. Also, victims should note that Emsisoft decrypter has a defect wherein the final 15 bytes of each encrypted file are damaged irretrievably. Some of these files can be repaired easily by just opening and saving the files. For other file formats there may be dedicated repair and recovery tools available.
Decrypter users are advised to ensure that the hard disk has enough space before decryption is started. The reason being, that since the decrypter is not sure if the result of the decryption would be ideal, it doesn’t delete the encrypted files and thus occupies additional space on the disk with recovered files.
Click here to download Emsisoft Decrypter for HydraCrypt and UmbreCrypt Ransomware.