Hello XD ransomware, while encrypting files, now installs a backdoor on targeted Linux and Windows systems
HelloXD is a ransomware strain that targets Windows and Linux computers, and the infections also include the installation of a backdoor to allow permanent remote access to compromised hosts.
“Unlike other ransomware families, this ransomware family does not have an active leak site; instead, it prefers to direct the impacted victim to negotiations through Tox chat and onion-based messenger instances,” Palo Alto Networks Unit 42 security researchers Daniel Bunce and Doel Santos wrote in a new report.
The family, which was first discovered in November 30, 2021, and was based on Babuk’s leaked source code, used in a small number of double-extortion assaults in which threat actors acquired corporate information before encrypting devices (published on a Russian-language cybercrime forum in September 2021).
MicroBackdoor, the malware in question, is an open-source command-and-control (C2) communication implant, according to its developer Dmytro Oleksiuk, who describes it as a “fairly minimalistic item with all of the essential functionality in less than 5,000 lines of code.”
Hello XD ransom notes (source: Unit 42)
In March 2022, the Belarusian threat actor called Ghostwriter (aka UNC1151) used multiple forms of the implant in its cyber operations against Ukrainian governmental agencies.
The features of MicroBackdoor allow an attacker to explore the file system, upload and download files, run commands, and remove evidence of its existence from compromised PCs. The backdoor is said to be deployed to “track the ransomware’s development.”
By putting the pieces together of the actor’s digital trail, Unit 42 said it was able to link the likely Russian developer behind HelloXD — who goes by the online aliases x4k, L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme — to more malicious activities like selling proof-of-concept (PoC) exploits and custom Kali Linux distributions.
“x4k has a very strong online presence,” the researchers wrote, “which has allowed us to expose much of his behaviour over the previous two years.” “This threat actor has done nothing to mask its destructive actions and is likely to keep doing so.”
Between 2019 and 2021, the average duration of an enterprise ransomware assault — that is, the period between initial access and ransomware distribution — decreased by 94.34 percent, from nearly two months to only 3.85 days, according to a new report by IBM X-Force.
The central role played by initial access brokers (IABs) in gaining access to victim networks and then trying to sell the access to associates, who then abuse the foothold to deploy ransomware payloads, has been attributed to the increased speed and efficiency trends in the ransomware-as-a-service (RaaS) ecosystem.
In a report highlighting the close working relationships between IABs and ransomware crews, Intel 471 stated, “Purchasing access may significantly reduce the amount of time it takes ransomware operators to conduct an attack by enabling reconnaissance of systems and the identification of key data earlier and with greater ease.”
“Also, when contacts build, ransomware gangs may pick a victim they want to attack, and the access trader may be able to give them with access if it becomes available.”
Preventing your organization against ransomware attacks;
- Make a thorough backup of your data – You should back up your company’s data on a regular basis. If something goes wrong, you should be able to quickly and easily restore a recent backup. If your company is ever attacked, however, the repercussions will be significantly less severe.
- Keep software up to date – Ransomware attackers can occasionally obtain access to software by exploiting weaknesses. Adopt a patch management strategy and ensure that everyone on your team is up to date at all times.
- Improve threat detection – Most ransomware attacks can be found and resolved before it’s too late. To maximize your chances of being protected, install an autonomous threat detection system.
- Multi-factor authentication should be utilized – multi-factor authentication requires users to authenticate their identities in a variety of ways before being permitted access to a system. If a criminal acquires a password from an employee, the attacker will be unable to gain easy access to the systems.
- Employ the principle of least privilege: Employees should never have more data access than they require. Segmenting the firm and restricting access can act as a quarantine, limiting access vectors and decreasing the impact of a potential assault.
- Examine and track email and file activity – When using phishing techniques, cybercriminals typically use emails as their primary mode of communication. Scans and monitor emails on a regular basis, and consider adopting an automated email security solution to keep potentially harmful communications from reaching users. Think about scanning and tracking the file activity as well.
- Increase employee training – The bulk of ransomware attacks are the consequence of irresponsible or negligent employee behavior. On their own initiative, someone may give out their password or download unwelcomed material.
- Don’t pay the ransom – If your organization has been hit by ransomware, don’t pay the ransom. Getting out of this terrible situation as soon as feasible may seem desirable. Even yet, there’s no certainty that the assailant will follow through on his threats.
- Anti-ransomware software be utilized – To achieve its purpose, ransomware must engage in atypical behaviors such as opening and encrypting large numbers of files. To fight against ransomware that “slips through the cracks,” a specialized security solution is necessary.