Hello XD ransomware new tactics: drops the backdoor while encrypting

Researchers reveal new tactics of the Hello XD ransomware on Windows and Linux systems

Hello XD ransomware moving forward: researchers need to monitor the development of the ransomware closely due to its recent upgrades and threat actions.

Cybersecurity researchers report that the Hello XD ransomware activities have increased recently. The operators are now deploying the updated threat version with a stronger encryption algorithm.[1] The infection also now spreads a backdoor to facilitate persistent remote access to infected hosts.[2]

Ransomware threats commonly do not run active leak sites. Threat developers prefer to pressure victims directly and negotiate the payment via the Tox chat platform, as Hello XD ransomware does, or to rely on email, the Tor browser, or Telegram. This is how cryptocurrency extortion-based threats communicate with victims while trying to get money from them.

This particular strain, Hello XD, has been known since November 2021, when the threat family was first found affecting machines.[3] The family was based on the leaked source code of the Babuk ransomware and was used for double-extortion attacks: the infection stole corporate data before encrypting the data on the machine. The departure from the initial Babuk code shows that the threat actors wanted to develop and release a ransomware strain with particular features and capabilities for their attacks.

New ransomware with unique capabilities

Hello XD ransomware extorts victims, but instead of using a Tor payment site, the threat instructs victims to enter negotiations directly via the TOX chat service. The latest versions of the ransomware also add an onion site link to the ransom note. However, reports[4] state that the site is offline; the operators might still be developing the page or preparing for other attack campaigns.

Hello XD tries to disable shadow copies before encrypting files and marking them with the .hello extension. This method helps to ensure persistence and makes file recovery more difficult. Unit 42 also reported that the operators use an open-source backdoor named MicroBackdoor for navigating the system. It can also exfiltrate files, run commands, and wipe traces of the infection.
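As an added detection example (not part of this article or of the Unit 42 report it cites), the following Python scans process-creation and file-rename records for the two behaviours described above: shadow-copy deletion followed by a burst of renames to the .hello extension, and then correlates the two by the process involved. The command-line patterns are assumptions about commonly used shadow-copy deletion commands, not commands this article attributes to Hello XD; the Sysmon-style key=value log format, the `x.exe` process name and all sample values are constructed for the example.

```python
import re

# Constructed sample process-creation events (Sysmon-style key=value lines).
# Illustrative only; not logs from the Hello XD report.
SAMPLE_LOGS = [
    r'Time=1654852442 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet" ParentImage=C:\Users\bob\x.exe',
    r'Time=1654852443 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\Users\bob\x.exe',
    r'Time=1654852510 Image=C:\Windows\System32\notepad.exe CommandLine="notepad report.txt" ParentImage=C:\Windows\explorer.exe',
    r'Time=1654852800 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows" ParentImage=C:\Windows\System32\cmd.exe',
]

# Constructed sample file-rename events: (unix_time, renaming process, new path).
SAMPLE_RENAMES = [
    (1654852450 + i, r"C:\Users\bob\x.exe", rf"C:\Users\bob\Documents\file{i}.docx.hello")
    for i in range(6)
] + [
    (1654852500, r"C:\Windows\explorer.exe", r"C:\Users\bob\notes.hello"),   # single rename, benign
    (1654852460, r"C:\Users\bob\x.exe", r"C:\Users\bob\AppData\Local\Temp\work.tmp"),
]

# Assumed generic shadow-copy deletion indicators (common ransomware tradecraft,
# not commands the article attributes to Hello XD specifically).
SHADOW_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*(?:\.delete\(\)|remove-wmiobject)", re.I),
    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
]


def parse_line(line):
    """Parse key=value pairs; values may be double-quoted to contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def find_shadow_copy_deletion(lines):
    """Return parsed events whose command line matches a shadow-copy deletion pattern."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if any(p.search(ev.get("CommandLine", "")) for p in SHADOW_PATTERNS):
            hits.append(ev)
    return hits


def find_extension_burst(renames, ext=".hello", threshold=5, window_seconds=60):
    """Map process -> max number of renames to `ext` it performed inside any window."""
    by_proc = {}
    for ts, proc, new_path in renames:
        if new_path.lower().endswith(ext):
            by_proc.setdefault(proc, []).append(ts)
    flagged = {}
    for proc, times in by_proc.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[proc] = best
    return flagged


def correlate(logs, renames, **kw):
    """Processes that both spawned a shadow-copy deletion and produced a rename burst."""
    deleters = {ev.get("ParentImage", "").lower() for ev in find_shadow_copy_deletion(logs)}
    bursts = {proc.lower() for proc in find_extension_burst(renames, **kw)}
    return sorted(deleters & bursts)


if __name__ == "__main__":
    for ev in find_shadow_copy_deletion(SAMPLE_LOGS):
        print("shadow-copy deletion:", ev["ParentImage"], "->", ev["CommandLine"])
    print("rename bursts:", find_extension_burst(SAMPLE_RENAMES))
    print("correlated:", correlate(SAMPLE_LOGS, SAMPLE_RENAMES))
```

The benign `vssadmin list shadows` and the single user rename to .hello are deliberately left unflagged; the correlation step is what separates the ransomware-like sequence from either indicator occurring on its own.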

The backdoor executable is encoded using the WinCrypt API and embedded within the ransomware payload, which means it is planted on the machine as soon as the device is infected. The main purpose of the backdoor deployment is believed to be monitoring the infection process and the progress of activities.[5]

Additional findings and links to Russian hackers

Unit 42 also links HelloXD to a Russian developer with online aliases including x4k, L4ckyhuy and unKn0wn. The research team states that the ransomware is used alongside further malicious operations such as proof-of-concept exploits and custom Linux malware distributions. These findings were made by piecing together the digital trail of this alleged Russian malware developer.

Researchers also state that this actor has done little to hide these malicious activities, so it might still operate in the same manner:

x4k has a very solid online presence, which has enabled us to uncover much of his activity in these last two years

The same actor has posted tutorials on deploying Cobalt Strike Beacons and malicious infrastructure online. The same hacker has also posted on dark web forums offering PoC exploits, crypter services, custom Kali Linux distributions, malware hosting, and other virus-spreading services.

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
