“You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (firstname.lastname@example.org) YOURID: 123152”. This message is all that remains for the victims of this new ransomware. To get the decryption key, the victim has to contact the attackers through the e-mail address given in the note, quote the ID, and pay 1 BTC per infected host. Without the key, the system does not even boot.
While most ransomware we’ve seen only target specific file types or folders stored on local drives, removable media and network shares, we were able to uncover a ransomware family that does not discriminate: HDDCryptor. Detected as Ransom_HDDCRYPTOR.A, HDDCryptor not only targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), but also locks the drive. Such a damaging routine makes this particular ransomware a very serious and credible threat not only to home users but also to enterprises.
It reaches computers after users download files from malicious websites. The crooks either drop the malicious binary on the computer directly or deliver it through an intermediary payload that is downloaded at a later stage.
This initial binary is named with a random three-digit number, in the form 123.exe. When executed, it drops the following files into a folder in the computer’s system root:
dccon.exe (used to encrypt the disk drive)
log_file.txt (log of the malware’s activities)
Mount.exe (scans mapped drives and encrypts files stored on them)
netpass.exe (used to scan for previously accessed network folders)
netuse.txt (used to store information about mapped network drives)
netpass.txt (used to store user passwords)
To gain boot persistence, HDDCryptor creates a new user called “mythbusters” with the password “123456,” and also adds a new service called “DefragmentService” that runs at every boot. This service calls the ransomware’s original binary (the three-digit exe file). The infection process continues with dccon.exe and Mount.exe. Both of these files use DiskCryptor to encrypt the user’s files: dccon.exe encrypts files on the user’s hard drive, while Mount.exe encrypts files on all mapped network drives, including ones that are currently disconnected but still physically reachable.
After the encryption ends, the ransomware rewrites the MBRs of all hard drive partitions with a custom boot loader. It then reboots the user’s computer without any user interaction and shows the message quoted at the top of this post.
HDDCryptor uses disk and network file-level encryption via DiskCryptor, an open source disk encryption software that supports AES, Twofish and Serpent encryption algorithms, including their combinations, in XTS mode. It also uses DiskCryptor to overwrite the Master Boot Record (MBR) and adds a modified bootloader to display its ransom note, instead of the machine’s normal log-in screen.
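The dropped files, the “mythbusters” account and the “DefragmentService” service described above are all host-level indicators a defender can check for before the reboot and MBR overwrite make the machine unbootable. The following script is an added example, not code from the original post or from any vendor: it runs an offline triage over a constructed host snapshot (the HostSnapshot structure, the sample hosts and the scoring thresholds are assumptions for illustration; a real collector would fill the snapshot from the host’s local account list, service table and system-root directory listing).

```python
"""Offline triage for the HDDCryptor host indicators named in the write-up."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators taken from the write-up: files dropped into the system root,
# the persistence account and the service that relaunches the dropper.
DROPPED_FILES = {"dccon.exe", "log_file.txt", "mount.exe",
                 "netpass.exe", "netuse.txt", "netpass.txt"}
PERSISTENCE_USER = "mythbusters"
PERSISTENCE_SERVICE = "defragmentservice"
# The service's binary is the initial dropper, named with three digits (e.g. 123.exe).
THREE_DIGIT_EXE = re.compile(r"^\d{3}\.exe$", re.IGNORECASE)


@dataclass
class HostSnapshot:
    """Facts a collector would gather from one host (structure is an assumption)."""
    local_users: List[str]
    services: Dict[str, str]       # service name -> path of its binary
    system_root_files: List[str]   # file names found directly under the system root


@dataclass
class Finding:
    category: str
    detail: str
    weight: int


def _basename(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(snap: HostSnapshot) -> List[Finding]:
    """Return every HDDCryptor indicator present in the snapshot."""
    findings: List[Finding] = []

    for user in snap.local_users:
        if user.lower() == PERSISTENCE_USER:
            findings.append(Finding("account", f"local user '{user}' exists", 3))

    for name, image in snap.services.items():
        if name.lower() == PERSISTENCE_SERVICE:
            findings.append(Finding("service", f"service '{name}' runs {image}", 3))
        elif THREE_DIGIT_EXE.match(_basename(image)):
            # A service launching a bare three-digit .exe is suspicious on its own,
            # but weaker evidence than the named service.
            findings.append(Finding("service", f"service '{name}' runs {image}", 1))

    present = sorted(f for f in snap.system_root_files if f.lower() in DROPPED_FILES)
    if present:
        # Weight grows with how much of the dropped tool set is on disk.
        findings.append(Finding("files", "dropped files: " + ", ".join(present), len(present)))
    return findings


def risk_score(findings: List[Finding]) -> int:
    return sum(f.weight for f in findings)


def verdict(snap: HostSnapshot) -> str:
    """Map the score to an analyst-facing verdict (thresholds are an assumption)."""
    score = risk_score(triage(snap))
    if score >= 6:
        return "likely HDDCryptor infection: isolate host and preserve a disk image"
    if score > 0:
        return "suspicious: review findings"
    return "no HDDCryptor indicators"


# Constructed sample snapshots for demonstration; these are not real hosts.
CLEAN_HOST = HostSnapshot(
    local_users=["Administrator", "alice"],
    services={"Spooler": r"C:\Windows\System32\spoolsv.exe"},
    system_root_files=["bootmgr", "pagefile.sys"],
)
INFECTED_HOST = HostSnapshot(
    local_users=["Administrator", "alice", "mythbusters"],
    services={"Spooler": r"C:\Windows\System32\spoolsv.exe",
              "DefragmentService": r"C:\Users\alice\Downloads\123.exe"},
    system_root_files=["bootmgr", "dccon.exe", "log_file.txt", "Mount.exe",
                       "netpass.exe", "netuse.txt", "netpass.txt"],
)

if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, "->", verdict(host))
        for finding in triage(host):
            print("   ", finding.category, finding.detail)
```

Matching is case-insensitive because Windows file and service names are, and the three-digit-binary check is weighted low on its own so that a single odd service name does not page an analyst; the combination of the account, the service and the dropped tool set is what pushes a host over the threshold.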
With so much ransomware evolving every day, I cannot emphasize enough the importance of taking data backups. Take them on external drives, on the same hard disk, on Google Drive or any other remote location; do whatever you can to be able to recover your data in such situations. Max Total Security for Windows PCs provides a very efficient data backup feature.