The WildFire Locker ransomware has rebranded itself using the apropos name of Hades Locker. In late August, WildFire Locker disappeared after the organizations behind NoMoreRansom.org were able to seize control of the ransomware’s Command & Control servers. This allowed NoMoreRansom to gain access to many of the decryption keys for the ransomware’s victims. Unfortunately, the ransomware developers were not apprehended and it now appears they have been biding their time before releasing a new ransomware.
It is not currently unknown how Hades Locker is being distributed, but once executed it will connect to http://ip-api.com/xml to retrieve the IP address of the victim and their geographic location. It will then send a unique victimID, called hwid, a tracking ID, which is currently set to 0002, the computer name, the user name, the country, and the IP address of the victim to one of the configured Command & Control servers. The command and control server will then reply with a password to use to encrypt the files using AES encryption.
During this process, Hades Locker will store in the Registry the hwid and a Status entry that will either be set to 0 or 1 depending on whether the encryption process has been finished. The registry key this information is written to is:
Hades Locker will now begin to encrypt all of the files on mapped drives that match certain file extensions. When encrypting the files it will use AES encryption and append an extension made up of the string “.~HL” plus the first 5 letters of the encryption password. For example, test.jpg could be encrypted as test.jpg.~HLH6215.
While performing encryption, it will skip any files whose path contain the following strings:
program files (x86)
system volume information
To prevent victims from recovering their files from the Shadow Volume Copies, it will delete them using the following command:
WMIC.exe shadowcopy delete /nointeractive
Finally, in each folder that a file is encrypted it will also create three ransom notes named README_RECOVER_FILES_[victim_id].html, README_RECOVER_FILES_[victim_id].png, and README_RECOVER_FILES_[victim_id].txt.
When a victim connects to the payment site they will be shown a general information page that describes how much they need to pay, what bitcoin address a payment should be sent to, and information on how to get bitcoins. On this payment site the developers refer to themselves as a company called Hades Enterprises.
Files associated with Hades Locker:
Registry Entries associated with Hades Locker:
Network Communication associated with Hades Locker:
Our recommendation, like always, maintian a good back up copy of all of your files, use a good Security program like Max Total Security provides data back up along with the detection of this Malware files.