Analysts uncover new features established for the Hello XD ransomware

June 14, 2022

A surge in the malicious activities of the Hello XD ransomware was recently identified, with new ransomware samples deployed to execute stronger encryption on the compromised networks.

Experts explained that the ransomware variant has stemmed from the leaked source code of the Babuk ransomware. Based on its first observed activities last November, Hello XD had executed a few double-extortion attacks to steal data from the victims before encrypting their devices.

The latest reports revealed that the Hello XD operators have developed a new ransomware encryptor feature, including custom packing to bypass detection and some updates in its encryption algorithm.

The upgrade shows how far the ransomware has departed from the Babuk source code it was derived from, and underlines its operators' plans to develop new capabilities for Hello XD's future attacks.

Currently, the ransomware's operators direct victims to a Tox chat service, where the ransom demand is negotiated. The newest version also includes an onion site link in the dropped ransom notes; however, the site is still under development and is currently inaccessible.

During execution, Hello XD attempts to delete the operating system's shadow copies so that users cannot recover the system from them. The ransomware then begins encrypting files, appending a [.]hello extension to every file name it processes.
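The two behaviours just described, shadow-copy deletion followed by mass renaming to the .hello extension, are also what a defender can alert on. The following is an added example, not code from the article or from any vendor: it runs a simple detector over constructed endpoint log lines (the log format, process ids and file paths are made up for the example; the shadow-copy command patterns are the standard ones a defender would watch).

```python
import re
from collections import defaultdict

# Commonly logged shadow-copy removal commands (assumption: the patterns a
# defender watches, not taken from the article).
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
# Constructed log formats: "PROC pid=<n> cmd=<command line>" and
# "RENAME pid=<n> <old path> -> <new path>".
PROC_RE = re.compile(r"PROC pid=(\d+) cmd=(.*)$")
RENAME_RE = re.compile(r"RENAME pid=(\d+) (.+) -> (\S+)$")
RANSOM_EXT = ".hello"  # extension the article reports Hello XD appending

def analyze(lines, rename_threshold=3):
    """Return {pid: [reasons]} for processes showing Hello XD-like behaviour."""
    alerts = defaultdict(list)
    rename_counts = defaultdict(int)
    for line in lines:
        m = PROC_RE.match(line)
        if m and SHADOW_DELETE.search(m.group(2)):
            alerts[int(m.group(1))].append("shadow copy deletion: " + m.group(2))
            continue
        m = RENAME_RE.match(line)
        if m and m.group(3).lower().endswith(RANSOM_EXT):
            pid = int(m.group(1))
            rename_counts[pid] += 1
            # Alert once, when a single process crosses the rename threshold.
            if rename_counts[pid] == rename_threshold:
                alerts[pid].append(f"{rename_threshold}+ files renamed to {RANSOM_EXT}")
    return dict(alerts)

# Constructed sample log (not real telemetry): pid 4120 behaves like the
# ransomware, pid 2210 is benign noise including an unrelated rename.
SAMPLE_LOG = [
    "PROC pid=4120 cmd=vssadmin.exe delete shadows /all /quiet",
    "PROC pid=2210 cmd=notepad.exe C:\\notes.txt",
    "RENAME pid=4120 C:\\Users\\a\\report.docx -> C:\\Users\\a\\report.docx.hello",
    "RENAME pid=4120 C:\\Users\\a\\budget.xlsx -> C:\\Users\\a\\budget.xlsx.hello",
    "RENAME pid=2210 C:\\notes.txt -> C:\\notes.bak",
    "RENAME pid=4120 C:\\Users\\a\\photo.jpg -> C:\\Users\\a\\photo.jpg.hello",
]

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_LOG).items():
        print(pid, reasons)
```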

Security analysts also observed the ransomware's operators now using MicroBackdoor, an open-source backdoor that lets an attacker navigate the compromised system, run commands, steal files and cover their tracks. The MicroBackdoor tool is dropped on the compromised machine immediately upon initial infection.

Furthermore, the Hello XD custom packer, built by modifying the widely abused open-source packer UPX, now carries two additional obfuscation layers. The operators also use a custom algorithm to decrypt the embedded blobs, one that contains unusual instructions such as XLAT. In contrast, the API calls made by the packer are not obfuscated at all, which analysts find intriguing.

Despite being in its early stages, many cybersecurity experts consider Hello XD dangerous: its rise in activity could drive up infection volumes, especially now that it is an actively developed ransomware strain.
