A new piece of ransomware, named HDDCryptor (also known as Mamba), has been spotted that not only targets specific file types and folders but also locks the entire hard drive by overwriting its MBR (Master Boot Record), preventing the machine from booting after the files have been encrypted. Malware with such capabilities is a threat to both individual users and enterprises.
According to one of the Bleeping Computer forum topics where users report their infections, HDDCryptor has been around since January this year.
The HDDCryptor wave was first detected by Renato Marinho, a security researcher at Morphus Labs. He explained that his company was asked to investigate a case in which the ransomware had hit a large multinational, infecting its headquarters in the US, Brazil, and India.
Analyses by both Morphus Labs and Trend Micro show that the ransomware arrives either as an executable downloaded from malicious sites or as a file dropped by other malware. Those files may carry HDDCryptor directly or contain an intermediary malware that delivers it at a later stage.
The ransomware installs itself by dropping several components, both legitimate and malicious, into the system's root folder.
First, the ransomware looks for network drives on the local network and then uses a free tool, called Network Password Recovery, to search for and dump credentials for network-shared folders, past or present. To encrypt the user's files on the hard drive, HDDCryptor uses disk- and network-level encryption via another open source tool, DiskCryptor. This disk encryption software supports the AES, Twofish and Serpent encryption algorithms, including their combinations, in XTS mode. DiskCryptor is also used to connect to network drives and encrypt their data, and to overwrite the MBR with a modified bootloader that displays the ransom note instead of the machine's normal log-in screen.
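As an added defensive example (not code from the original article or from any of the tools it names), the following Python script parses a 512-byte MBR sector and compares its bootstrap code and partition table against a trusted baseline, the kind of integrity check that would flag the bootloader overwrite described above. The sample MBR bytes are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446           # bootstrap code area that precedes the partition table
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into a bootstrap-code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[BOOTSTRAP_LEN + 16 * i: BOOTSTRAP_LEN + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(current: bytes, baseline: dict) -> list:
    """Return findings when the current MBR deviates from a trusted baseline."""
    now = parse_mbr(current)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if now["bootstrap_sha256"] != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code changed (possible replaced bootloader)")
    if now["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def _sample_mbr(code: bytes) -> bytes:
    """Constructed MBR: given bootstrap bytes, one bootable NTFS (0x07) partition."""
    boot = code.ljust(BOOTSTRAP_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot + entry + b"\x00" * 48 + BOOT_SIGNATURE


CLEAN_MBR = _sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")          # constructed "known good"
TAMPERED_MBR = _sample_mbr(b"\xeb\x3c\x90" + b"CONSTRUCTED LOADER")  # constructed change

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)   # record this at a known-good point in time
    print(check_mbr(CLEAN_MBR, baseline))      # []
    print(check_mbr(TAMPERED_MBR, baseline))   # bootstrap code changed
```

On a live system the baseline would be taken from the first 512 bytes of the boot disk at a known-good time and re-checked on a schedule or at boot.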
In the ransom note, victims are asked to get in touch with HDDCryptor's creator via email so they can receive the Bitcoin address to which they are supposed to pay the ransom. For now, the crooks are asking 1 Bitcoin ($610) for recovering the victims' files.
One of the Bitcoin addresses, found in a couple of emails, shows that the ransomware is clearly working: at least four people have decided to pay. However, if the crooks are using more than one Bitcoin address, there is a high chance that far more than four victims have already paid.
Knowing how dangerous HDDCryptor can be, especially for businesses, all users are strongly advised to take preventive measures in time, such as a strengthened backup policy. A proactive, multilayered approach to security covering the gateway, endpoints, networks, and servers is also a must.