
HDDCryptor Ransomware Infection And Decryption Services

December 1, 2016

HDDCryptor ransomware is malicious software that targets Windows operating systems. When HDDCryptor infects a computer, the ransomware encrypts all of the computer’s files so that they are unreadable. The malware leaves a note that instructs the victim to pay a ransom to restore their files.

If HDDCryptor has infected your computer, you should turn it off, disconnect all media from it, and call 1-800-237-4200. Our security specialists will start creating a plan to restore your files as soon as you call. Because retrieving backup copies can be time-sensitive, the sooner you call, the better the chance that we can recover your files.

What is HDDCryptor Ransomware (And How Does It Work)?

HDDCryptor is a type of crypto-ransomware. When attackers find a way to install the malware on a victim’s computer, HDDCryptor encrypts the files on that computer and any network drives.

Encryption is a useful tool when used legitimately. It ensures that the information in a file remains accessible only to those with the decryption code. However, when crypto-ransomware encrypts files, the attackers withhold the decryption key until victims pay a ransom.

Paying the ransom should be a last resort for several reasons. First, paying the assailants encourages and enables more attacks. Second, the payment process can take days for the attackers to verify, which means that the decryption code will be held for at least that long.

Even if the attackers attempt to send you the decryption code, there is an inherent possibility that there will be technical difficulties and your files will remain inaccessible. For these reasons, we recommend that users attempt to find backup copies of encrypted files and ignore the ransom note.

Notable Features of HDDCryptor Ransomware Include:

  • The ransom note demands $700 (as of writing) paid with bitcoin, a hard-to-trace cryptocurrency.
  • The ransomware targets files on network shares, which makes it particularly crippling to businesses.
  • HDDCryptor uses the open source software DiskCryptor to encrypt files.
  • The ransomware is also sometimes referred to by the name “Mamba”.

Attackers using HDDCryptor attacked San Francisco’s Municipal Transportation Agency on Black Friday of 2016. The attackers reportedly demanded $73,000 to restore the agency’s data. The SFMTA has not said whether it paid the ransom. However, the successful attack on a major government organization shows that HDDCryptor is a real threat to both businesses and individuals that may have less robust virus protections.

How Does HDDCryptor Ransomware Infect My System?

HDDCryptor infects a computer when the user clicks on a malvertisement, or malicious advertisement. Malvertisements are the preferred way for criminals to attack computers. Criminals can place legitimate advertisements on a website until the site trusts them. Then the attackers place a malicious ad that is capable of hijacking a computer when someone clicks on it.

Because most ransomware like HDDCryptor relies on the victim clicking on malicious links, computer users can avoid it. Never clicking on popup ads or unknown links in emails, even from known contacts, is a good rule of thumb for avoiding these types of malware.

Can I Disable or Remove HDDCryptor Ransomware Encryption?

Preventing its installation is the best defense against ransomware. However, if HDDCryptor has already installed itself on your computer, recovering backup copies is preferable to attempting to decrypt the files.

If HDDCryptor has infected your computer, time is of the essence. Quickly consulting professionals gives you the best chance at recovering your files. Our malware experts can determine if you have backup copies of encrypted files and decide the best way to recover them.

Call 1-800-237-4200 to begin restoring your unreadable files. Our malware experts will analyze your situation and start planning how to recover your information.