HildaCrypt Ransomware - How to remove

Hilda (HildaCrypt, HILDA!) is another virus that locks personal files and hopes that you pay to get them unlocked. This behavior is criminal and in no way are you obliged to pay them. The ones who do are people desperate to get their files back: their photos, projects, months or even years of work that a single file-locker like Hilda can completely ruin.

How Hilda infects computers

HildaCrypt ransomware is caught by most professional antivirus programs now, but it wasn’t a few days ago when it was just discovered — this shows how important it is to allow your security software to update as often as it wants. But even when it’s detected, Hilda could find a way around that, especially if your computer doesn’t have real-time protection.

Since this virus is new, there is almost no information on how Hilda is distributed. It’s probably a few of the usual ways that ransomware spreads:

  • Malicious email spam with the infected files sent as attachments.
  • Infected installers downloaded from shady websites.
  • Fake warnings about needed updates and similar, like this “Update your Flash Player…” pop-up.
  • Bad ads that download malware by exploiting known security holes in outdated software, as was done by Matrix, Seon, Eris, and other file lockers.
  • Installed by connecting through RDP or other remote access software.

There are so many ways that ransomware spreads that anyone could become a victim, no matter how careful they are. But it is still worth being careful and teaching those around you to be careful. If you know how Hilda infected you, you might want to report it (like on id-ransomware.malwarehunterteam.com) and tell others about it.

The harm of HildaCrypt ransomware is severe and this virus should be removed as quickly as it’s discovered:

Symptoms of HildaCrypt ransomware

  • Files don’t open.
  • Files are renamed with the .hilda! suffix.
  • The file “read_it.txt” is left in multiple folders.

Principle of the attack

  1. HildaCrypt infects the computer.
  2. Files are encrypted with a secret password.
  3. Money is demanded in exchange for the password.

How to remove HildaCrypt

  • Use anti-malware tools (Spyhunter) to automatically remove malicious programs.
  • Restore the files.

How to fix the files

  • Restore from backups.
  • Use System Restore.
  • Use data recovery.

 

What is Hilda ransomware

The virus attaches the “.Hilda!” extension to the name of each file, but its effect goes a lot deeper. Even if you change the name of the file back, the file still won’t open.

In theory, there is a way to fix those files — but the criminals want some money in exchange. For that, they create a ransom note called “read_it.txt” and place it in various folders on your computer. The files contain this text:

—+ HILDACRYPT v1.0 +—

All the files on this computer have been encrypted with a RSA-4096 + AES-256 cryptographic combination. These algorithms are used by the NSA and other top tier organisations.

Backups were encrypted, and shadow copies were removed. So F8 or any other methods may damage encrypted data and make it unrecoverable.

We exclusively have decryption software for your situation.
More than a year ago, world experts have recognized the impossibility of decrypting by any means without the original decryptor.
NO decryption software is available to the public.
Antivirus companies, researchers, IT specialists, and no one else can help you recover your data.

DO NOT RESET OR SHUTDOWN – file may be damaged.
DO NOT DELETE readme files.txt
DO NOT REMOVE OR RENAME the encrypted files.
This may lead to the impossibility of your files being recovered.

To confirm our honest intentions, send us 2 different files and you well get them decrypted. They must not contain any sensitive information and must not be archived.

To get info (decrypt your files) contact us at:
[email protected]
or
[email protected]

You well receive a BTC address for payment in the reply letter.

HILDACRYPT

No loli is safe 🙂 — hxxps://www.youtube.com/watch?v=XCojP2Ubuto

HildaCrypt, ransom note

This note has a lot of text that’s meant to intimidate the victim.

For example, they claim that attempting to recover the data using System Restore and similar methods might damage the corrupted files, which could discourage people from looking for ways to recover their data. It’s true that editing the corrupted files might make them undecryptable, but you can simply copy those files and save them on a backup.

The Hilda extortionists then dramatically claim that it’s impossible to break the encryption — this actually isn’t known. A small number of new ransomware infections receive researcher attention and have decrypters developed and released. Of course, if Hilda did implement encryption properly, it won’t be broken.

The claim of these criminals that the encryption is in some way special is wrong. In fact, you can encrypt your own files with a password if you want to hide their content from someone else without hiding the file itself. Encryption is used all the time to keep online banking and personal messages private.

Then the criminals insist that you don’t reset or shut down your computer, which is something that a lot of tech support scams and other completely fake security warnings say in order to stop the victim from researching the problem. Usually, shutting down the computer wouldn’t do any harm. The virus can’t do any harm when the computer is off.

Finally, Hilda’s creators ask for Bitcoin. While cryptocurrency is not inherently unsafe, criminals use it a lot because of the freedom and anonymity that it offers. Whether they will actually send you the fix for the files after they receive their money isn’t certain — there is no mechanism in Bitcoin that would force them to return the money if they failed to deliver.

How to remove Hilda

It’s necessary to remove the virus before using the computer normally again. You can use Spyhunter or another reputable antivirus tool. There could be some difficulty getting rid of Hilda but if you kill the interfering processes or use Safe mode, you should be able to take care of the situation. In the worst case, you might need to connect the infected drive to another computer as removable media and scan it from there.

The files that Hilda encrypted are not dangerous and don’t need to be deleted when removing the virus. If you hope for a decryption solution, keep an eye on nomoreransom.org (that’s where various free and universal decrypters that security researchers release are announced) and store the encrypted files somewhere safe. You can also delete them if you want.
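The advice above to copy the encrypted files and store them somewhere safe can be scripted. This is an added example, not part of the original article or of any vendor tool: it finds files with the “.hilda!” suffix and “read_it.txt” notes named on this page, copies the encrypted files to a backup folder without touching the originals, and verifies each copy by SHA-256. The function names `preserve_encrypted` and `sha256_of` are hypothetical.

```python
import hashlib
import shutil
import sys
from pathlib import Path

ENCRYPTED_SUFFIX = ".hilda!"   # suffix from the page; matched case-insensitively
RANSOM_NOTE = "read_it.txt"    # ransom note file name from the page


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_encrypted(root: Path, backup: Path) -> dict:
    """Copy encrypted files under root into backup and list ransom notes.
    Originals are only read, never renamed or modified."""
    root, backup = root.resolve(), backup.resolve()
    manifest = {"copied": [], "notes": [], "failed": []}
    for path in sorted(root.rglob("*")):
        # Skip the backup folder itself if it lives inside the scanned tree.
        if backup in path.parents or not path.is_file():
            continue
        rel = path.relative_to(root)
        name = path.name.lower()
        if name == RANSOM_NOTE:
            manifest["notes"].append(str(rel))
        elif name.endswith(ENCRYPTED_SUFFIX):
            target = backup / rel
            try:
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(path, target)  # copy2 keeps timestamps
                source_hash = sha256_of(path)
                if sha256_of(target) != source_hash:
                    raise OSError("copy does not match original")
                manifest["copied"].append((str(rel), source_hash))
            except OSError as error:
                manifest["failed"].append((str(rel), str(error)))
    return manifest


if __name__ == "__main__":
    print(preserve_encrypted(Path(sys.argv[1]), Path(sys.argv[2])))
```

Run it with the folder to scan and a backup folder on a separate drive as the two arguments; anything listed under "failed" was not copied and should be checked by hand.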

Edit: Emsisoft released a decrypter after the developers of the ransomware published the keys. After removing the ransomware, use the decrypter to recover your files.

Automatic Malware removal tools

Download Spyhunter for Malware detection
(Win)

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. Limited trial available.

Download Combo Cleaner for Malware detection
(Mac)

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. Limited trial available.


How to recover HildaCrypt Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Hilda! Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.
 

Step 2. Complete removal of HildaCrypt Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Hilda! Ransomware.

Step 3. Restore HildaCrypt Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Hilda! Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover HildaCrypt Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive to it as a slave drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.