Elaine Jean Tech 06.13.2022 02:Jun AM EDT

Hello XD Ransomware Increases Activity, Has a New Encryptor That will Help Avoid Detection

As recently detected, Hello XD ransomware activities have been increasing in numbers lately.

Security researchers note a noticeable upsurge in the ransomware known as Hello XD's activities. The malware's operators are now launching an improved sample that features greater encryption.

This particular ransomware was discovered for the first time in November 2021. It was based on the stolen source code of Babuk and participated in a limited number of double-extortion assaults. During these attacks, the threat actors acquired corporate data before encrypting devices.

Hello XD Ransomware

As reported by PCrisk, the files are rendered inaccessible by Hello XD, which encrypts them and appends .hello to the end of their file names. For instance, sample.jpg becomes sample.jpg.hello, and 1.png becomes 1.png.hello. Additionally, Hello XDD will generate a text file with the name Hello.txt that will contain a ransom note.

In an event where users are being exploited by this Hello XD ransomware, if victims have a data backup or access to a free or third-party decryption tool, they may be able to recover files encrypted by the ransomware without having to purchase tools from the hackers who created the ransomware.

It is strongly advised that users should not pay cybercriminals in ransomware exploitation since there is no guarantee that they will be able to deliver a decryption tool.

It is possible for ransomware to infect computers that are part of a local network and/or encrypt newly created files on the device that has been attacked. Because of these factors, removing ransomware as quickly as possible is something that comes highly recommended.

According to a new report published by Palo Alto Networks Unit 42, the creator of the malicious software has developed a new encryptor that incorporates both changes to the encryption method as well as bespoke packing in order to escape detection.

How They Work Now

The authors of the malware have included a link to an onion site in the ransom letter in the most recent version. However, Unit 42 reports that the site is offline, and it is assumed that the site might be under construction.

According to BleepingComputer, when Hello XD is run, it first tries to turn off shadow copies in order to hinder easy system recovery. After that, it encrypts files and adds the.hello extension to the file names it creates.

In addition to the ransomware payload, Hello XD operators were utilizing an open-source backdoor called MicroBackdoor in order to explore the infected system, remove files, carry out commands, and delete traces.

This MicroBackdoor executable is hidden from view by encrypting it with the WinCrypt API and embedding it into the ransomware payload. As a result, it gets downloaded onto the target system as soon as the system is compromised.

Hello XD is a dangerous early-stage ransomware project that is currently being deployed in the field at this time. Even while its infection volumes aren't large as of yet, its active and targeted development provides the framework for a more harmful status in the future.

Unit 42 was able to trace its roots back to a Russian-speaking threat actor who used the alias X4KME and provided online lessons on how to deploy Cobalt Strike Beacons and malicious infrastructure.

In general, the particular threat actor appears competent enough and in a position to advance Hello XD, which is why analysts need to actively monitor its progression.