The HelloXD ransomware family surfaced in November 2021 with double-extortion tactics. However, the group is unusual in that it does not run a leak site; instead, it negotiates with the victim via onion-based messengers and Tox chats. HelloXD is now deploying a new sample that comes with improved encryption.

Diving into details

Palo Alto Networks' Unit 42 spotted similarities between HelloXD’s code and the leaked Babuk source code.
  • The latest HelloXD samples deploy an open-source backdoor, named MicroBackdoor, which enables the operator to browse the file system, download or upload files, delete traces, and execute commands.
  • The backdoor is encrypted via the WinCrypt API and embedded within the payload, which implies that it is dropped on the system immediately upon infection.
  • The custom packer features a double obfuscation layer. The crypter is derived from a modified UPX.
  • The most distinctive change in the second version of the ransomware is the switch in encryption algorithms from a modified HC-128 with Curve25519-Donna to Rabbit Cipher with Curve25519-Donna.
  • Furthermore, the file marker in this version was changed from coherent strings to random bytes, which the researchers describe as resulting in stronger cryptography.

Why this matters

Although it is still in development, HelloXD is a dangerous early-stage ransomware. Its infection volumes are modest, but its attacks are targeted, signalling the dangerous status it may achieve in the near future. The threat actor responsible for the malware, X4KME, appears to be technically capable, having previously uploaded tutorials on deploying Cobalt Strike and other tools. Moreover, the inclusion of MicroBackdoor indicates that the threat actor can monitor the progress of an intrusion and maintain a foothold in the infected systems.

Some latest ransomware threats

  • The Cuba ransomware resurfaced with a new encryptor and a custom downloader.
  • The DeadBolt ransomware group has resorted to multi-tiered extortion, in which it demands a ransom from both the vendor and the victims.
  • YourCyanide, a new CMD-based ransomware, integrates Pastebin, Discord, and Microsoft documents as part of its payload download mechanism.

The bottom line

Ransomware threats are expanding and evolving, and the end is nowhere in sight. HelloXD might become a far bigger threat to organizations than it is now. Therefore, it is time to tighten your defenses and implement additional security measures to stay safe.
Cyware Publisher