Emsisoft Decrypter for HydraCrypt and UmbreCrypt Ransomware

Discussion in 'Emsisoft' started by Av Gurus, Feb 15, 2016.

  1. Av Gurus

    Av Gurus Level 28
    Trusted AV Tester

    Sep 22, 2014
    Testing security programs
    Windows 10
    Fabian Wosar of Emisoft has done it again with his release of a decrypter for the HydraCrypt andUmbreCrypt ransomware infections. Both of these infections are part of the CrypBoss Ransomware family, whose source code was leaked on pastebin last year. When analyzing this source code, Fabian had found a flaw that allowed him to release a decrypter last year for this family of infections. Though HydraCrypt and UmbreCrypt have since modified the encryption scheme, Fabian was still able to utilize the original flaw to crack these variants as well.

    Decrypting UmbreCrypt and HydraCrypt
    If you are infected with this malware, simply download decrypt_hydracrypt.exe from the following link and save it on your desktop:


    In order to find your decryption key, you need to drag an encrypted file and unencrypted version of the same file onto the decrypt_hydracrypt.exe icon at the same time. So you would select both the encrypted and unencrypted version of a file and drag them both onto the executable. If you do not have an an original version of one of your encrypted files, in our tests you can use a encrypted PNG file and any other unencrypted PNG file that you get off of the Internet and drag them together onto the decrypt_hydracrypt.exe icon. Once you determine the key used to encrypt one of your files, you can then use that key to decrypt ALL other files on your computer.

    To show what I mean about dragging both files at the same time, see the example below. To create the key, I created a folder that contains an encrypted PNG file, a totally different valid PNG file, and the decrypt_hydracrypt.exe program. I then dragged both the regular PNG file and the encrypted one onto the executable at the same time.

    How to drag the files onto the Decrypter

    When the program starts, you will be presented with a UAC prompt as shown below. Please click on Yes button to proceed.

    UAC Prompt
    When a key was able to be brute forced, it will display it an a new window like the one below. Please write down this key in the event you need it again in the future.

    Decryption Key Found

    To start decrypting your files with this key, please click on the OK button. You will then be presented with a license agreement that you must click on Yes to continue. You will now see the main DecryptInfinite screen that displays all the encrypted files that were listed in the Registry.

    Look through the list of encrypted files and if it appears that they are all there, then click on the Decrypt button. If there are files missing, you can click on the Add Folder button to add other folders that contain encrypted files. Once you have added all the folders you wish to decrypt, click on the Decrypt button to begin the decryption process. Once you click Decrypt, DecryptInfinite will decrypt all the encrypted files and display the decryption status in a results screen like the one below.

    Decryption Results
    All of your files should now be decrypted.

    For those who wish to know more technical information about this ransomware, you can read our analysis of UmbreCrypt here. If you need help getting this decrypter to work, please ask in our UmbreCrypt Ransomware Support Topic.

    SOURCE: Emsisoft Releases a Decrypter for HydraCrypt and UmbreCrypt Ransomware
  2. Tornado

    Tornado New Member

    Nov 22, 2015
    OokamiCreed, bob974, maximus and 6 others like this.
  3. LabZero

    LabZero Guest

    Yes, as someone said, this is a game of chess!
    mehdi.n, OokamiCreed, Moose and 8 others like this.
  4. Umbra

    Umbra From Emsisoft

    May 16, 2011
    Community manager
    Vietnam & France
    Windows 10
    damn they found out about my cryptor :p
    mehdi.n, Moose, bob974 and 10 others like this.
  5. kev216

    kev216 Level 18
    Content Creator Trusted

    Aug 6, 2014
    Windows 10
    They guys at Emsisoft did it again :)
    mehdi.n, OokamiCreed, Moose and 5 others like this.
  6. Rishi

    Rishi Level 19

    Dec 3, 2015
    Windows 10
    Don't forget to disinfect/save data and clean install after salvaging the important files!
    frogboy, mehdi.n, OokamiCreed and 5 others like this.
  7. Der.Reisende

    Der.Reisende Level 32
    Trusted AV Tester

    Dec 27, 2014
    Tax Officer
    Windows 10
    Yeah, was thinking about that joke when I first read the heading :D
    Ok, back to topic: Nice work EmsiSoft :) That Fabian Wosar is really a boss :)
    mehdi.n, OokamiCreed, Moose and 3 others like this.
  8. upnorth

    upnorth Level 11

    Jul 27, 2015
    This thread should be Sticky!
    mehdi.n, Der.Reisende and Rishi like this.
Similar Threads Forum Date
Update Emsisoft Decrypter Tools 02/26/2017 Emsisoft Feb 27, 2017
Emsisoft Website Hit by DDoS Attack as Company Releases Ransomware Decrypter News Archive Jan 30, 2017
Emsisoft Decrypter Tools Emsisoft Apr 24, 2016