HelloXD Ransomware

HelloXD Ransomware

Introduction: HelloXD ransomware made its debut in late 2021, deriving its functionality from the leaked source code of Babuk. Functionally similar to its predecessor, HelloXD is openly sold and advertised in Russian marketplaces. Campaigns involving HelloXD have been observed in conjunction with MicroBackdoor, an open-source backdoor/C2 tool.

Targets: HelloXD ransomware predominantly targets organizations in critical sectors, including healthcare, education, financial services, and government.

Propagation: HelloXD is deployed through various means, employing Cobalt Strike or a similar framework and email phishing as primary methods of distribution.

Technical Details:

  • Contact and Communication: Upon infection, victims are directed to contact the attacker(s) via Tox Chat for further instructions.
  • Anti-Recovery Measures: HelloXD attempts to hinder recovery efforts by deleting Volume Shadow Copies (VSS) on the infected system.
  • Backdoor Tool: MicroBackdoor, an open-source backdoor, is associated with HelloXD campaigns, providing attackers with RAT (Remote Access Trojan)-like capabilities.
  • Packer Usage: HelloXD payloads use customized packers, including modified versions of UPX and a bespoke packer, to evade detection.
  • Encryption Algorithm: The encryption method in HelloXD has undergone several adjustments by the author. Contemporary versions utilize the Rabbit cipher.

Detection Strategies: EDR is effective in identifying and preventing malicious activities related to HelloXD ransomware. For those without this platform, a multi-layered approach is recommended:

  1. Security Tools:
    • Employ anti-malware software or security tools capable of detecting and blocking known ransomware variants using signatures, heuristics, or machine learning algorithms.
  2. Network Traffic Monitoring:
    • Regularly monitor network traffic to identify indicators of compromise, such as unusual patterns or communication with known command-and-control servers.
  3. Security Audits:
    • Conduct periodic security audits and assessments to identify vulnerabilities in the network and ensure that all security controls are effective.
  4. Education & Training:
    • Educate and train employees on cybersecurity best practices, emphasizing the identification and reporting of suspicious emails and other threats.
  5. Backup & Recovery Planning:
    • Implement a robust backup and recovery plan to restore data in case of an attack.

Mitigation Measures: For EDR customers, the EDR can return systems to their original state using either the Repair or Rollback feature. For those without EDR , the following steps can help mitigate the risk of HelloXD ransomware attacks:

  1. Employee Education:
    • Train employees on ransomware risks, phishing email identification, and the avoidance of malicious attachments.
  2. Strong Passwords:
    • Implement strong, unique passwords for user accounts, regularly updating and rotating them.
  3. Multi-Factor Authentication (MFA):
    • Enable MFA for user accounts to add an extra layer of security.
  4. System Updates and Patching:
    • Regularly update and patch systems to fix vulnerabilities and prevent exploitation.
  5. Backup and Disaster Recovery (BDR):
    • Establish regular BDR processes, testing backups stored offsite for quick recovery.

A comprehensive approach, incorporating preventive measures, employee education, and recovery strategies, is essential for effectively mitigating the risk of HelloXD ransomware attacks.

Cyber Threat Overview: Hive Ransomware

Introduction: Hive ransomware, emerging in June 2021, is characterized by its aggressive and rapid Ransomware-as-a-Service (RaaS) campaigns. Practicing double extortion, Hive demands payment for a decryptor and the non-release of stolen data. Known for targeting healthcare and education organizations, Hive operations were disrupted by the United States Department of Justice in January 2023, only to reemerge as ‘Hunters International’ in October 2023.

Targets: Hive ransomware casts a wide net, targeting diverse industries, including healthcare, finance, retail, energy, and manufacturing.

Propagation: Hive ransomware is deployed through various methods, including Cobalt Strike or similar frameworks, email phishing, and exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services. The actors behind Hive demonstrate proficiency in advanced Multi-Factor Authentication (MFA) bypasses and exploit vulnerabilities such as CVE-2020-12812 (FortiOS) and CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523 (Microsoft Exchange).

Technical Details:

  • Initial Access: Hive actors gain access through various means, exploiting single-factor logins via RDP, VPNs, and other network connection protocols. MFA bypass and exploitation of CVE-2020-12812 for FortiOS servers are also common.
  • Pre-Deployment Preparation: Custom pre-deployment PowerShell and BAT scripts prepare the environment. Tools like ADFind, SharpView, and BloodHound are employed for Active Directory enumeration, while password spraying is done with SharpHashSpray and SharpDomainSpray.
  • Cobalt Strike Usage: Hive operators employ Cobalt Strike, with various identified loaders, for reconnaissance and lateral movement within the victim’s network.
  • Encryption Process: Hive executes a rapid and noisy full drive encryption, removing Volume Shadow Copies to inhibit system recovery. The Rabbit cipher is used in contemporary versions.
  • TOR-Based Payment Portal: Victims are directed to a TOR-based payment and support portal for ransom payment.

Detection Strategies: EDR is effective in identifying and preventing malicious activities related to Hive Ransomware. For those without this platform, a multi-layered approach is recommended:

  1. Security Tools:
    • Utilize anti-malware software or security tools capable of detecting and blocking known ransomware variants.
  2. Network Traffic Monitoring:
    • Regularly monitor network traffic to identify indicators of compromise, such as unusual patterns or communication with known command-and-control servers.
  3. Security Audits:
    • Conduct periodic security audits and assessments to identify vulnerabilities in the network and ensure that all security controls are effective.
  4. Education & Training:
    • Educate and train employees on cybersecurity best practices, emphasizing the identification and reporting of suspicious emails and other threats.
  5. Backup & Recovery Planning:
    • Implement a robust backup and recovery plan to restore data in case of an attack.

Mitigation Measures: For EDR customers, the EDR can return systems to their original state using either the Repair or Rollback feature. For those without EDR , the following steps can help mitigate the risk of Hive ransomware attacks:

  1. Employee Education:
    • Train employees on ransomware risks, phishing email identification, and the avoidance of malicious attachments.
  2. Strong Passwords:
    • Implement strong, unique passwords for user accounts, regularly updating and rotating them.
  3. Multi-Factor Authentication (MFA):
    • Enable MFA for user accounts to add an extra layer of security.
  4. System Updates and Patching:
    • Regularly update and patch systems to fix vulnerabilities and prevent exploitation.
  5. Backup and Disaster Recovery (BDR):
    • Establish regular BDR processes, testing backups stored offsite for quick recovery.

A comprehensive and proactive security approach is crucial for effectively mitigating the risk of Hive ransomware attacks.

Back

Copyright © 2024 RASOC all rights reserved