HelloXD Ransomware

HelloXD Ransomware Description

The HelloXD Ransomware is a potent malware threat, with cybercriminals using it in attacks against both Windows and Linux systems. The malware first caught the attention of cybersecurity researchers back in November 2021 and, since then, it has been continuously evolving. Some of the more significant changes made by the threat's authors were detailed in a report by Palo Alto Network's Unit 42.

According to the researchers, HelloXD is based on the leaked source code of another ransomware threat named Babuk/Babyk. Initial samples used a combination of Curve25519-Donna and a modified HC-128 as part of its encryption process. However, later versions exchanged HC-128 for the faster Rabbit symmetric cipher. HelloXD generates a specific ID for each infected system that victims are supposed to send to the attackers to receive the correct decryption keys.

Of course, the operators of the threat are only willing to provide assistance to their victims after being paid a hefty ransom. In fact, to ensure that their demands will be met, the hackers run a double-extortion scheme. In practice, this means that the data of the breached devices is exfiltrated to a remote server before the encryption routine is engaged. Unlike other cybercriminal organizations, the operators of the HelloXD Ransomware do not maintain a dedicated leak site. Instead, they instruct the impacted organizations to establish communication via Tox Chat, a peer-to-peer chat client. The hackers could be moving away from this behavior - some of the more recent ransom notes dropped by HelloXD contain a link to an as-of-yet inactive website hosted on the Onion network.

One of the more peculiar discoveries made by the Unit 42 researchers is that one HelloXD sample dropped a backdoor threat on the infected device. The backdoor is a modified version of an open-source tool called MicroBackdoor that has been encrypted with the WinCrypt API. The additional malware allows the threat actors to manipulate the file system on the breached machine, upload chosen files, deliver additional files or payloads, and run remote code execution (RCE). The backdoor malware also can be instructed to remove itself from the victim's device.