HelloXD ransomware bulked up with better encryption, nastier payload

Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

"While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

"This threat actor is well known on various hacking forums, and seems to be of Russian origin. Unit 42 was able to uncover additional x4k activity being linked to malicious infrastructure, and additional malware besides the initial ransomware sample, going back to 2020."

The analysts wrote that the malware author, or authors, are "now expanding into the ransomware business to capitalize on some of the gains other ransomware groups are making."

This comes as that both the ransom demands and the ransoms paid are increasing – a 144 percent year-to-year increase in demanded ransom in 2021, reaching about $2.2 million, while the average ransom paid jumped 78 percent between 2020 and 2021, to $541,010 – according to Unit 42's latest annual ransomware report. The incidence of stolen data being released publicly climbed 85 percent year-over-year, the report found.

The ransomware family is based on the Babuk (or Babyk) source code that was leaked on a Russian-language forum in September 2021. The group runs double extortion campaigns, exfiltrating the corporate data before encrypting it. Rather than threatening to release the files on a public leak site if the ransom isn't paid, the attackers instead directs victims to negotiate via the aTox chat service.

However, in the newer variants, the ransomware note also links to an onion domain for messaging. That said, the researchers wrote that as of now, the onion site is down, which could mean that it's currently under construction.

"The ransomware creates an ID for the victim which has to be sent to the threat actor to make it possible to identify the victim and provide a decryptor," they wrote. "The ransom note also instructs victims to download Tox and provides a Tox Chat ID to reach the threat actor. Tox is a peer-to-peer instant messaging protocol that offers end-to-end encryption."

Other ransomware groups, including those using LockBit 2.0, also use Tox Chat to communicate, they noted.

A key change to the latest version of Hello XD is the change in encryption algorithm. Unit 42 researchers wrote that they have seen two publicly available versions of HelloXD, an indication that the code is still under development. The first version uses Curve25519-Donna and a modified HC-128 algorithm to encrypt data in the files and is the least modified of the two versions from the original Babuk code.

In the most recent version – dubbed by Unit 42 as HelloXD version 2 – they changed the encryption algorithm, exchanging the modified HC-128 with the high-speed Rabbit symmetric cipher, also along with Curve25519-Donna. In addition, the developer changed the file marker, from a coherent string to random bytes.

"Both versions have been compiled with the same compiler (believed to be GCC 3.x and above based on the mangling of export names), resulting in very similar exports between not only the ransomware variants, but also other malware that we have linked to the potential author," the researchers wrote.

• What keeps Mandiant Intelligence EVP Sandra Joyce up at night? The coming storm
• Emotet malware gang re-emerges with Chrome-based credit card heistware
• Costa Rican government held up by ransomware … again
• Healthcare organizations face rising ransomware attacks – and are paying up

The most significant change between the two version was the introduction of the additional payload within version 2 that is a variant of the open-source MicroBackdoor and is encrypted with the WinCrypt API. The malware enables an attack to browse through the compromised file system, upload and download files and remote code execution (RCE). The malware also can remove itself from the system. The fact that the backdoor is delivered with the ransomware also is unusual.

"As the threat actor would normally have a foothold into the network prior to ransomware deployment, it raises the question of why this backdoor is part of the ransomware execution," they wrote. "One possibility is that it is used to monitor ransomed systems for blue team and incident response (IR) activity, though even in that case it is unusual to see offensive tools dropped at this point in the infection."

The researchers were able to see a hardcoded IP address that was used as the command-and-control (C2) to accelerate their hunt for the probable bad actor behind HelloXD. Through the IP address, they were able to see an email address that they linked to other domains and continued to follow the breadcrumbs through other malicious IPs, VirusTotal graphs and additional infrastructure and malware hosted on other domains, many of which used the x4k name.

The path followed through various graphs to a GitHub account, Russian-language hacking forums, other sites that referred to x4k and other aliases – such as uKn0wn – seen in the HelloXD samples. That was followed by the discovery of other GitHub accounts, another alias (Ivan Topor) and a YouTube account with another alias (Vanya Topor) that linked to videos in which the miscreant showed how he performed particular actions.

"The videos found gave us insight into x4k operations before moving into ransomware activity specifically," the researchers wrote. "We learned how this threat actor leverages Cobalt Strike for his operations, including how to set up Beacons as well as how to send files to compromised systems. In one of the videos, we actually observed the threat actor performing a DNS leak test on his Android phone."

The bad actor also often alluded to a "ghost" theme, similar to what the researchers saw in some earlier HelloXD ransomware samples. Most of the videos and written content are in Russian. Given that and some mistakes that he made convinced Unit 42 that the x4k is from Russia. ®