June 15, 2022 at 2:14 PM
The ransomware operators have released a new version featuring improved encryption.
Security researchers report a surge in Hello XD ransomware activity. The ransomware was first observed in November 2021. Hello XD is built from stolen Babuk ransomware source code and has been used in several double-extortion attacks, in which the attackers stole corporate data before encrypting it on the victim's systems.
The malware's behaviour is straightforward: it encrypts files and appends .hello to the file name, so sample.jpg becomes sample.jpg.hello and 1.png becomes 1.png.hello. It also drops a ransom note in a text file named Hello.txt. The ransomware can spread to other computers on the local network and will also encrypt files created on an infected device after the initial attack.
According to a new report from Division 42 of Palo Alto Networks, the developers have produced a new variant that includes both changes to the encryption routine and a custom packer intended to evade detection.
When Hello XD starts, it first attempts to disable shadow copies so that the system cannot easily be restored. It then encrypts files and appends the .hello extension to the files it produces. Alongside the ransomware payload, the Hello XD operators deploy a backdoor called MicroBackdoor, which is used to collect information about the infected system, delete files, execute commands remotely, and cover their tracks.
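The behaviour described above (shadow copies disabled, files renamed with a .hello suffix, a Hello.txt ransom note dropped) gives a defender three host-level indicators to correlate. The script below is an added example, not code from the article or from Palo Alto Networks: it parses constructed endpoint events in an assumed key=value log format, tags each event with the indicator it matches, and raises a per-host verdict only when the indicators occur together. The shadow-copy command patterns and the rename threshold are assumptions made for the example; the article itself does not name the mechanism.

```python
import re
from collections import defaultdict

# Indicators taken from the article: encrypted files get a ".hello" suffix
# and a ransom note named "Hello.txt" is dropped.
RANSOM_EXT = ".hello"
RANSOM_NOTE = "hello.txt"
# The article only says Hello XD "tries to disable shadow copies"; the
# command patterns below are the commonly used ones and are an assumption.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# Assumed threshold: how many .hello renames on one host before we treat it
# as mass encryption rather than a single oddly named file.
RENAME_THRESHOLD = 3

# Assumed log format: space-separated key=value pairs, values optionally quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample telemetry (not real logs). WS01 shows the full chain,
# WS02 a single rename, WS03 a benign process mentioning Hello.txt.
SAMPLE_EVENTS = [
    'ts=2022-06-15T14:01:02Z host=WS01 type=process cmd="vssadmin.exe delete shadows /all /quiet"',
    "ts=2022-06-15T14:01:05Z host=WS01 type=file action=rename src=C:\\Users\\a\\Pictures\\sample.jpg dst=C:\\Users\\a\\Pictures\\sample.jpg.hello",
    "ts=2022-06-15T14:01:05Z host=WS01 type=file action=rename src=C:\\Users\\a\\Pictures\\1.png dst=C:\\Users\\a\\Pictures\\1.png.hello",
    "ts=2022-06-15T14:01:06Z host=WS01 type=file action=rename src=C:\\Users\\a\\Documents\\q.docx dst=C:\\Users\\a\\Documents\\q.docx.hello",
    "ts=2022-06-15T14:01:07Z host=WS01 type=file action=create dst=C:\\Users\\a\\Pictures\\Hello.txt",
    "ts=2022-06-15T14:02:00Z host=WS02 type=file action=rename src=C:\\tmp\\notes.txt dst=C:\\tmp\\notes.txt.hello",
    'ts=2022-06-15T14:02:30Z host=WS03 type=process cmd="notepad.exe C:\\Users\\b\\Hello.txt"',
]


def parse_event(line):
    """Parse one key=value event line into a dict (assumed log format)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def has_ransom_extension(path):
    """True if the path carries the .hello suffix the article describes."""
    return path.lower().endswith(RANSOM_EXT)


def is_ransom_note(path):
    """True if the file name (last path component) is the Hello.txt note."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower() == RANSOM_NOTE


def classify(event):
    """Return the indicator tags that apply to one parsed event."""
    tags = []
    if event.get("type") == "file":
        dst = event.get("dst") or event.get("path", "")
        if event.get("action") == "rename" and has_ransom_extension(dst):
            tags.append("hello_ext_rename")
        if event.get("action") == "create" and is_ransom_note(dst):
            tags.append("ransom_note")
    elif event.get("type") == "process":
        cmd = event.get("cmd", "")
        if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
            tags.append("shadow_copy_delete")
    return tags


def triage(lines):
    """Aggregate indicators per host and decide which hosts look like victims."""
    per_host = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_event(line)
        counts = per_host[ev.get("host", "unknown")]  # register host even with no hits
        for tag in classify(ev):
            counts[tag] += 1
    verdicts = {}
    for host, counts in per_host.items():
        reasons = []
        if counts["shadow_copy_delete"]:
            reasons.append("shadow copies deleted")
        if counts["hello_ext_rename"] >= RENAME_THRESHOLD:
            reasons.append(f"{counts['hello_ext_rename']} files renamed to {RANSOM_EXT}")
        if counts["ransom_note"]:
            reasons.append("Hello.txt ransom note dropped")
        # Correlate: mass renames plus a note, or shadow-copy deletion followed
        # by any rename. A lone renamed file is not enough on its own.
        suspicious = (counts["hello_ext_rename"] >= RENAME_THRESHOLD and counts["ransom_note"]) or (
            counts["shadow_copy_delete"] and counts["hello_ext_rename"]
        )
        verdicts[host] = {"suspicious": bool(suspicious), "reasons": reasons, "counts": dict(counts)}
    return verdicts


if __name__ == "__main__":
    for host, v in triage(SAMPLE_EVENTS).items():
        print(host, "SUSPICIOUS" if v["suspicious"] else "clean", "; ".join(v["reasons"]))
```

Running it flags WS01 (all three indicators) and leaves WS02 and WS03 alone; in practice the threshold and the time window over which events are grouped would be tuned to the environment, and the .hello rename count is the cheapest early signal to alert on.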
The MicroBackdoor executable is concealed using the WinCrypt API and embedded in the ransomware payload.
Hello XD is a dangerous ransomware family still in the early stages of development and spreading slowly in the wild. Division 42 of Palo Alto Networks was able to link it to the Russian-speaking threat actor X4KME. Given the attackers' skills, Hello XD could become an extremely serious threat, so analysts will continue to monitor its development closely.