HelloXD ransomware got improved encryption • The Register

Windows and Linux systems are attacked by new HelloXD ransomware variants that include stronger encryption, improved obfuscation, and an additional payload that allows threat groups to modify compromised systems, exfiltrate files, and execute commands.

The new features make the ransomware, first detected in November 2021, and the developer behind it even more dangerous, according to researchers from Palo Alto Networks’ Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its early stages, but the group is working hard to track down the perpetrator.

“Although the ransomware feature is not new, during our research, following the lines, we discovered that the ransomware is most likely developed by a malicious actor named x4k,” the researchers wrote in a blog post.

“This threat actor is well known on various hacking forums and appears to be of Russian origin. Unit 42 was able to uncover additional x4k activity related to malicious infrastructure and additional malware in addition to the initial ransomware sample, dating back to 2020.”

The analysts wrote that the malware author or authors are “now expanding into the ransomware industry to capitalize on some of the gains made by other ransomware groups.”

This comes as both ransom demands and ransoms paid are increasing: a 144% year-over-year increase in the ransom demanded in 2021, to around $2.2 million, while the average ransom paid jumped 78% between 2020 and 2021, to $541,010, according to Unit 42’s latest annual ransomware report. The incidence of stolen data being made public has increased by 85% year-over-year, according to the report.

The ransomware family is based on the Babuk (or Babyk) source code that was leaked on a Russian-language forum in September 2021. The group runs double extortion campaigns, exfiltrating company data before encrypting it. Rather than threatening to post the files on a public leak site if the ransom is not paid, the attackers instead ask victims to negotiate via a Tox chat service.

However, in newer variants, the ransomware note is also tied to an onion domain for email. That said, the researchers wrote that as of now, the onion site is down, which could mean it’s currently under construction.

“The ransomware creates an ID for the victim which must be sent to the threat actor to help identify the victim and provide a decryptor,” they wrote. “The ransom note also instructs victims to download Tox and provides a Tox chat ID to reach the threat actor. Tox is a peer-to-peer instant messaging protocol that offers end-to-end encryption.”

Other ransomware groups, including those using LockBit 2.0, also use Tox Chat to communicate, they noted.

A key change in the latest version of HelloXD is the encryption algorithm. The Unit 42 researchers wrote that they had seen two publicly available versions of HelloXD, indicating that the code is still under development. The first version uses Curve25519-Donna and a modified HC-128 algorithm to encrypt file data, and of the two versions it departs least from the original Babuk code.

In the most recent version – dubbed by Unit 42 as HelloXD version 2 – they changed the encryption algorithm, swapping the modified HC-128 with the high-speed Rabbit symmetric cipher, also with Curve25519-Donna. Also, the developer changed the filemarker from a consistent string to random bytes.
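The filemarker change described above matters for defenders: a constant marker can be matched with a simple signature, whereas random bytes cannot, so a scanner has to fall back on a generic property of the encrypted content such as its entropy. The following added example (not code from The Register, Unit 42, or the HelloXD author) illustrates both checks. The marker value is a placeholder, since the article does not give the real one, and the 7.5 bits-per-byte threshold is an assumed heuristic; the random sample data is constructed here for the demonstration.

```python
import math
import os
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, Tuple

# Hypothetical placeholder: version 1 is reported to append a consistent
# marker string, but the article does not disclose its value.
KNOWN_MARKER = b"PLACEHOLDER_FILEMARKER"

# Assumed heuristic threshold. Stream-cipher output approaches 8.0 bits per
# byte; ordinary documents and source code sit well below this.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


@dataclass
class Verdict:
    marker_hit: bool   # True when the known trailing marker was found
    entropy: float     # entropy of the leading bytes, marker excluded

    @property
    def suspicious(self) -> bool:
        # Either signal is enough: the marker catches the version-1 style,
        # the entropy check still fires when the marker has been randomised.
        return self.marker_hit or self.entropy >= ENTROPY_THRESHOLD


def inspect_bytes(data: bytes, marker: bytes = KNOWN_MARKER, sample: int = 4096) -> Verdict:
    """Check for a known trailing marker and measure entropy of the first `sample` bytes."""
    marker_hit = bool(marker) and data.endswith(marker)
    body = data[:-len(marker)] if marker_hit else data
    return Verdict(marker_hit=marker_hit, entropy=shannon_entropy(body[:sample]))


def inspect_file(path: str, marker: bytes = KNOWN_MARKER) -> Verdict:
    """Inspect a single file on disk."""
    with open(path, "rb") as fh:
        return inspect_bytes(fh.read(), marker)


def scan_directory(root: str, marker: bytes = KNOWN_MARKER) -> Iterator[Tuple[str, Verdict]]:
    """Yield (path, verdict) for every suspicious regular file under `root`."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                verdict = inspect_file(path, marker)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
            if verdict.suspicious:
                yield path, verdict


# Constructed sample inputs (not real artefacts):
PLAINTEXT_SAMPLE = b"Quarterly report: revenue up, costs flat. " * 100
V1_STYLE_SAMPLE = secrets.token_bytes(4096) + KNOWN_MARKER          # constant marker
V2_STYLE_SAMPLE = secrets.token_bytes(4096) + secrets.token_bytes(16)  # random marker


if __name__ == "__main__":
    for label, blob in (("plaintext", PLAINTEXT_SAMPLE),
                        ("v1-style", V1_STYLE_SAMPLE),
                        ("v2-style", V2_STYLE_SAMPLE)):
        v = inspect_bytes(blob)
        print(f"{label:10s} marker={v.marker_hit} entropy={v.entropy:.3f} suspicious={v.suspicious}")
```

The entropy check is deliberately a coarse triage signal: compressed archives and media files also score high, so in practice a hit should be combined with other context (recent modification time, a ransom note in the same directory, an unexpected extension) before raising an alert.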

“Both versions were compiled with the same compiler (assumed to be GCC 3.x and higher based on changed export names), resulting in very similar exports not only between ransomware variants, but also other malware to which we have linked the potential perpetrator,” the researchers wrote.

The biggest change between the two versions was the introduction of the additional payload in version 2, which is an open-source MicroBackdoor variant encrypted with the WinCrypt API. The malware allows an attacker to browse the compromised file system, upload and download files, and perform remote code execution (RCE). The malware can also remove itself from the system. The fact that the backdoor comes bundled with the ransomware is also unusual.

“As the threat actor would normally have a foothold in the network before the ransomware was deployed, this raises the question of why this backdoor is part of the ransomware execution,” they wrote. “One possibility is that it is being used to monitor ransomware systems for Blue Team and Incident Response (IR) activity, although even then it is unusual to see offensive tools dropped at this stage of infection.”

The researchers were able to use a hard-coded IP address that served as command and control (C2) to speed up their hunt for the likely bad actor behind HelloXD. Through the IP address, they were able to find an email address that they linked to other domains, and continued to follow breadcrumbs through other malicious IP addresses, VirusTotal graphs, and additional infrastructure and malware hosted on other domains, many of which used the name x4k.

The path followed various graphs to a GitHub account, Russian-language hacking forums, other sites referencing x4k, and other aliases – such as uKn0wn – seen in the HelloXD examples. This was followed by the discovery of other GitHub accounts, another alias (Ivan Topor) and a YouTube account with another alias (Vanya Topor) linked to videos in which the miscreant showed how he performed particular actions.

“The videos found gave us insight into x4k operations before moving specifically to ransomware activity,” the researchers wrote. “We learned how this threat actor leverages Cobalt Strike for their operations, including how to set up beacons as well as how to send files to compromised systems. In one of the videos, we actually observed the threat actor from the threat perform a DNS leak test on their Android Phone.”

The bad actor also often hinted at a “ghost” theme, similar to what researchers have seen in some earlier HelloXD ransomware examples. Most videos and written content are in Russian. Given this and some mistakes he made, Unit 42 was convinced that x4k was from Russia. ®
