It has been reported by cybersecurity researchers that there has been an increase in the activity of the Hello XD ransomware. Its operators are now deploying an upgraded sample featuring stronger encryption.
This family of ransomware is based on the leaked source code of Babuk and engaged in a small number of double-extortion attacks where threat actors stole corporate data before encrypting devices. The threat was first observed in November 2021.
The malware’s author has created a new encryptor that features custom packing for encryption algorithm changes and detection avoidance, according to a report by Palo Alto Network Unit 42.
These new features mark a significant departure from Babuk code. It suggests that the author’s intentions are to develop a new ransomware strain specifically made for increased attacks.
The Hello XD ransomware operation is currently instructing victims to enter negotiations directly through a TOX chat service, instead of using a Tor payment site to extort victims as often used.
The latest version has seen the malware operators add an onion site link on the dropped ransomware note. Unit 42 says the site is offline, so perhaps under construction.
Hello XD attempts to disable shadow copies to prevent easy system recovery and then encrypts files, adding the .hello extensions to file names.
Unit 42 observed that, besides the ransomware payload, Hello XD operators are now using an open-source backdoor named MicroBackdoor to navigate the compromised system, execute commands, wipe traces, and exfiltrate files.
The MicroBackdoor executable is embedded within the ransomware payload and encrypted using WinCrypt API. It is dropped to the system immediately upon being infected.
The custom packer features two layers of obfuscation. It’s deployed in the ransomware payload’s second version.
The author has derived the crypter by modifying an open-source packer, UPX.
The embedded blobs decryption involves using a custom algorithm containing conventional instructions like XLAT.
In this version, the encryption algorithm is switched from modified HC-128 and Curve25519-Donna to Rabbit Cipher and Curve25519-Donna.
The file marker in the updated version was changed to random bytes from a coherent string, thus making the cryptographic result more powerful.
Unit 42 has traced Hello XD’s origins to a Russian-speaking threat actor using the name X4KME. They uploaded tutorials on deploying Cobalt Strike Beacons and malicious infrastructure online.
The hacker has also posted on various forums.
The threat is being watched closely.