Hollycrypt is the name for yet another ransomware cryptovirus that is based on HiddenTear. Each encrypted file will have the extension .Hollycrypt appended to it. It uses the AES encryption algorithm and wants Bitcoins or Vodka as payment. To see how to remove the ransomware and how you can try to restore your files, read the article to the end.
|Short Description||The ransomware will encrypt your files and then display a ransom note with instructions for payment.|
|Symptoms||All encrypted files will get the extension .Hollycrypt appended to them.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by Hollycrypt |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Hollycrypt.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Hollycrypt Virus – Distribution
The Hollycrypt ransomware could enter your personal computer in a couple of ways. The payload file could be spread via spam emails. The spam emails usually have an attached file and are written in a way to make you feel that they are urgent including the file they contain. If you open the attachment, it will release the malicious script from the file and infect your PC.
Hollycrypt ransomware could infect your computer device by using other methods. The malware creators might be distributing their payload file via social media and file-sharing platforms. Do not open files from suspicious emails, links or an unknown source. Before opening, you should always scan the files with a security tool and check its size and signatures. You should read the ransomware prevention tips from the topic in the forum.
Hollycrypt Virus – More About It
The Hollycrypt is a cryptovirus that was found in the wild by the malware researcher Michael Gillespie. The ransomware is based on the popular HiddenTear / Eda2 open-source project.
Your files get encrypted and will all have the extension .Hollycrypt being appended to every one of them after the encryption process is finished. The instructions with demands for payment are written in a file put on your system, inside folders with encrypted files.
When the Hollycrypt ransomware executes its payload, it can create entries in the Windows Registry. That can make the ransomware more resilient, and it could put it in different locations on your computer machine. Also, the registry entries might make the cryptovirus launch automatically with each boot of the Windows operating system.
You can view a screenshot of the file containing the ransom message right here:
The ransom note is located inside a file called Read_this_shit.txt. It reads the following:
Your Files has been encrypted with Hollycrypt
Send me some bitcoins or Vodka, Then I will email with an antidote
(>,<), Email: [email protected]
You are asked to pay in Bitcoins or Vodka. The email [email protected] is used as a contact with the crooks. The amount in Bitcoins varies from 0.5 to 1.5 Bitcoins – the same goes for the Vodka. You should NOT think of paying anything as you will only end up supporting criminals. No one can guarantee that by paying, you will recover your files to what they were before the encryption. Also, the cybercriminals will probably use the money for creating new ransomware (or buy tons of Vodka).
The Hollycrypt ransomware will encrypt files and append the .Hollycrypt extension to all of them. Currently, a list with file extensions which the ransomware searches to encrypt is not available. The majority of files should be pictures and documents.
The Hollycrypt virus is quite likely to delete the Shadow Volume Copies from the Windows operating system by using the following command:
→vssadmin.exe delete shadows /all /Quiet
Continue reading to see what kind of ways you can try to restore some of your files.