Published on February 04, 2016

Hydracrypt Ransomware Analysis

On the 2nd of January the Joe Security research team uncovered a new threat dubbed HydraCrypt ransomware. We gave it a quick test run to understand whether our customers are already protected from the threat, and what damage this new ransomware can cause to infected systems. From what we have seen so far this ransomware appears to be less sophisticated than Cryptolocker, CTB-Locker or Cryptowall, but it’s certainly not less dangerous.

Antivirus Detection

Currently HydraCrypt ransomware is still undetected by every major Antivirus except QiHoo-360.

HydraCrypt Ransomware Detection Rate on VirusTotal

So pay attention to spam emails if you’re running traditional security software.

Hydracrypt Ransomware Behaviour

HydraCrypt ransomware doesn’t appear to use any kind of UAC bypass or privilege escalation; indeed, a UAC prompt appears soon after running the application.

HydraCrypt icon for our sample

As soon as the encryption process starts, HydraCrypt phones home and retrieves the ransomware image that will be shown later on. This is possibly a way for the authors to check on the infections and to update the email address shown when needed.

HydraCrypt Ransomware Calling Home

We’ve only identified one domain called during our tests that is:

The image's last modification date indicates that this ransomware has been active since at least the 28th of January 2016. While the call home takes place, the encryption process begins. The amount of resources encrypted is vast: it includes basically every extension, with the exclusion of system files like .exe, .dll and .sys. Even the recycle bin content and system backups are encrypted:

HydraCrypt Ransomware Encryption process and behavioural tree

After the encryption process is completed, the usual ransom screen appears with instructions on how to decrypt the data.

HydraCrypt Ransomware Screen

The decryption process requires an external application, an approach similar to other ransomware like Chimera, only this time you’ll have to manually contact the authors. Failure to do so will cost you your data, and apparently the authors are also threatening to sell your documents on the “Dark Markets”. At this point HydraCrypt calls home again, communicating the ID of the current infection to the server.

HydraCrypt Ransomware Encryption Done

What’s interesting, other than the fact that the malware appears to be written in MFC, is that a big section of it is clearly obfuscated with what appears to be something similar to MoVfuscator.

HydraCrypt Ransomware Obfuscation

About 49% of the whole code is in fact just MOVs. We have not yet attempted any deobfuscation on that part of the code.
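A MOV share like the one quoted above can be measured during triage. The following is an added example, not part of the original analysis or of ReaQta's tooling: it parses a listing in `objdump -d -M intel` layout, computes the overall MOV share and locates regions where nearly every instruction is a MOV. The sample listing, the window size and the threshold are constructed assumptions.

```python
import re

PREFIXES = {"rep", "repz", "repnz", "lock"}   # printed before the real mnemonic
ADDR = re.compile(r"\s*([0-9a-f]+):")

def parse_listing(text):
    """Return [(address, mnemonic)] from objdump-style lines; other lines are skipped."""
    insns = []
    for line in text.splitlines():
        fields = line.split("\t")
        m = ADDR.fullmatch(fields[0])
        if len(fields) < 3 or not m:
            continue  # section headers, labels, byte-only continuation lines
        words = [w for w in fields[2].split() if w not in PREFIXES]
        if words:
            insns.append((int(m.group(1), 16), words[0].lower()))
    return insns

def mov_ratio(insns):
    """Share of instructions whose mnemonic is exactly `mov` (Intel syntax)."""
    return sum(m == "mov" for _, m in insns) / len(insns) if insns else 0.0

def dense_regions(insns, window=8, threshold=0.9):
    """Merge sliding windows with MOV share >= threshold into (start, end) ranges."""
    regions = []
    for i in range(len(insns) - window + 1):
        chunk = insns[i:i + window]
        if mov_ratio(chunk) < threshold:
            continue
        start, end = chunk[0][0], chunk[-1][0]
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)   # overlaps previous hit: extend it
        else:
            regions.append((start, end))
    return regions

# Constructed listing (not from the HydraCrypt sample): ordinary code, then a MOV-only
# run. The byte column ("90") is a placeholder; only address and mnemonic are used.
NORMAL = ["push ebp", "mov ebp,esp", "sub esp,0x10", "call 0x401200",
          "test eax,eax", "je 0x401040"]
MOVS = ["mov eax,DWORD PTR [esi]", "mov edx,DWORD PTR [eax*4+0x404000]",
        "mov DWORD PTR [edi],edx", "mov ecx,DWORD PTR [edx]"] * 3
TAIL = ["add esp,0x10", "pop ebp", "ret"]
SAMPLE = "\n".join(f"  {0x401000 + i:x}:\t90\t{t}"
                   for i, t in enumerate(NORMAL + MOVS + TAIL))

if __name__ == "__main__":
    insns = parse_listing(SAMPLE)
    print(f"{len(insns)} instructions, MOV share {mov_ratio(insns):.0%}")
    for start, end in dense_regions(insns):
        print(f"MOV-dense region: {start:#x}-{end:#x}")
```

A high overall share only suggests MOV-only obfuscation; the per-region view shows where in the binary the ordinary compiler output ends and the obfuscated section begins.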


All of our customers using ReaQta-core are already protected and no updates are required: the A.I. engines correctly detect and block the infection attempt. Additionally, any data policy already in place will provide further protection against this or any other ransomware family.

HydraCrypt Ransomware Detection
