HollyCrypt Virus - How To Remove?

Type: Ransomware
Other names: HollyCrypt ransomware

Every once in a while, ransomware viruses are created not only for encryption, profit and other awful stuff, but also to entertain their creators. There is a comical aspect to the variant called HollyCrypt. In the ransom note, this crypto-ransomware demands bitcoins or vodka, whichever the infected victim feels is more appropriate. In fact, both of these options are ridiculous and should not even be considered. You do not wish to provide the fuel for further entertainment. The crafted ransom letter should not even be called a letter: it is more of a note that your mom would leave on the fridge. The laconic instructions do not go into great detail about encryption or decryption. Everything is promised to be explained after contacting the email address left in the note: hollyman137@gmail.com. The creators won’t be restrained or shy and will inform victims about the amount of bitcoins or the number of vodka bottles that are necessary for decryption. However, even if some elements of this infection are funny, the main purpose of ransomware viruses remains. Security researchers believe that this ransomware virus will delete Shadow Volume Copies, which sometimes help victims restore older versions of their files.

About HollyCrypt virus

The features of HollyCrypt virus are not going to sound fresh to someone who was unlucky enough to encounter and become familiar with a ransomware infection before. Since attempts are being made to raise ransomware awareness, you might have read an article about these infections. Sadly, there is usually nothing novel or exciting to report about these lowlife viruses. They take advantage of the same overused strategy and experiment with other elements to spice it up a bit. For instance, HollyCrypt virus is definitely not a highly unique variant of ransomware. It has a couple of peculiarities like the humorous ransom note, but other aspects seem to have been done in an ordinary manner. It slips into users’ computers, invades their settings and encrypts files. Of course, these objectives are divided into smaller goals.


HollyCrypt virus, a dirty ransomware variant, will modify users’ Windows Registry keys and run a scanning process to find data for encryption. The number of targeted extensions is impressive, and HollyCrypt virus will probably choose from a big pile of them. Once the files are sorted out and the casualties are selected, the encryption process begins. The ransomware will mark the data it touched with its hand of death: the .Hollycrypt extension.

How is HollyCrypt Distributed?

HollyCrypt virus will exploit the already known methods for distribution. This means that it will attempt to design email letters that address extremely pressing matters. Once users receive letters that describe important topics, they will feel rushed to find out more. If such topical letters end up in your inbox, check the source. Even if the crooks put effort into generating messages that provoke a reaction, they won’t be able to copy the official email address of a specific company/person. Very frequently, infectious email letters give themselves away by being sent from ridiculous addresses. Another aspect that should create immediate suspicion is that such messages contain attachments (these files are the payloads of ransomware viruses).

How to Decrypt Files Encrypted by HollyCrypt virus?

The puzzle of HollyCrypt virus has not been solved yet. We are sure that security researchers are using their powers to create a reliable tool for decryption. Until then, you should not contact the hackers. This will lead to an unnecessary conversation with crooks that won’t end up with positive results. The specific ransom amount has not been announced, but it is presumably similar to the demands of other such viruses. Users are often concerned: is there a way to be completely ransomware-free? You can be immune to these threats by storing your files in backup storage or keeping copies in other secure places (like USB flash drives). The removal of HollyCrypt virus should be done with appropriate tools. For example, Reimage, Spyhunter or Hitman can automatically eliminate it.

How to recover HollyCrypt virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before HollyCrypt ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of HollyCrypt virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage, and remove all malicious files related to HollyCrypt ransomware. You can check other tools here.

Step 3. Restore HollyCrypt virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually HollyCrypt ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
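
Restore points and shadow copies are both picked by date, so it helps to know when the first file was marked and which folders were hit. The script below is an added example, not part of the original guide; it only reads file names and timestamps, and it assumes that the .Hollycrypt marker is appended to the original file name and that a file's last write time reflects when it was encrypted.

```python
import os
import sys
from collections import Counter
from datetime import datetime

MARKER = ".hollycrypt"  # extension the guide says is added to encrypted files


def inventory(root):
    """Return (earliest_mtime, files_per_folder, original_extensions)."""
    earliest = None
    folders, exts = Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if not name.lower().endswith(MARKER):
                continue
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # file locked or removed while scanning
            # Assumption: the last write time is when the file was encrypted.
            if earliest is None or mtime < earliest:
                earliest = mtime
            folders[dirpath] += 1
            # Assumption: the marker is appended after the original name.
            original = name[: -len(MARKER)]
            exts[os.path.splitext(original)[1].lower() or "(none)"] += 1
    return earliest, folders, exts


def report(root, top=10):
    """Build a text summary to use when choosing a snapshot date."""
    earliest, folders, exts = inventory(root)
    if earliest is None:
        return f"No {MARKER} files found under {root}"
    when = datetime.fromtimestamp(earliest).strftime("%Y-%m-%d %H:%M")
    lines = [
        f"Marked files: {sum(folders.values())}",
        f"Earliest marked file written: {when}",
        "Choose a restore point or previous version older than that time.",
        "Most affected folders:",
    ]
    lines += [f"  {count:6d}  {folder}" for folder, count in folders.most_common(top)]
    lines.append("Original file types: " + ", ".join(
        f"{ext} x{count}" for ext, count in exts.most_common(top)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")))
```

Run it with the folder to scan as the only argument; without one it scans the current user's home directory.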

Step 4. Use Data Recovery programs to recover HollyCrypt virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial)
  • Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.


About the author

 - Main Editor

I started 2-viruses.com in 2007 after wanting to be more or less independent from a single security program maker. Since then, we have kept working on this site to make the internet a better and safer place to use.

November 9, 2016 06:31, January 2, 2017 07:27
