WildFire ransomware has come back to life and rebranded itself as Hades Locker.
WildFire Locker disappeared in August, right after the organizations behind NoMoreRansom.org took control of its Command & Control servers. When this happened, NoMoreRansom was able to obtain many of the decryption keys for the ransomware's victims. The problem, however, was that the creators of WildFire were never apprehended, and it turns out they have simply been biding their time before releasing a new ransomware.
Hades Locker was discovered yesterday by researcher Michael Gillespie when a victim uploaded a copy of its ransom note to ID Ransomware. After analyzing a new sample discovered by Matthew Mesa of Proofpoint, it was concluded that Hades Locker is the new version of the WildFire Locker ransomware.
Currently, the main problem with Hades Locker is that the encryption used by this ransomware is secure, so there is no way to decrypt a victim's files for free.
It is still unknown how Hades Locker is being distributed, but when executed it connects to http://ip-api.com/xml to retrieve the victim's IP address and geographic location. It then sends a unique victim ID called hwid, a tracking ID (currently set to 0002), the computer name, the user name, the country, and the victim's IP address to one of the configured Command & Control servers. The Command & Control server replies with a password that is used to encrypt the files with AES encryption.
During this process, Hades Locker stores the hwid in the Registry along with a Status entry that is set to either 0 or 1, depending on whether the encryption process has finished. The registry key this information is written to is:
HKCU\Software\Wow6232Node
Hades Locker will then encrypt all files on mapped drives that match certain file extensions. When encrypting a file it uses AES encryption and appends an extension made up of the string ".~HL" plus the first 5 characters of the encryption password. For instance, test.jpg could be encrypted as test.jpg.~HLH6215.
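The behaviour described above (the ip-api.com lookup, the hwid/Status registry markers, and the ".~HL" naming) can be turned into simple host-telemetry checks. This is an added detection example, not code from the original article or from the malware; the "key=value|..." telemetry line format is hypothetical, the sample events are constructed, and the assumption that the 5-character password prefix is alphanumeric is mine.

```python
import re
from typing import List, Optional

# Encrypted name pattern from the article: original name + ".~HL" + first 5
# characters of the AES password (e.g. test.jpg.~HLH6215). Alphanumeric is an assumption.
HL_SUFFIX = re.compile(r"^(?P<orig>.+)\.~HL(?P<pw>[0-9A-Za-z]{5})$")

# Registry key the article reports the hwid/Status entries are written to.
HL_REG_KEY = r"HKCU\Software\Wow6232Node"
HL_REG_VALUES = {"hwid", "Status"}
# Geolocation lookup host contacted on execution, before encryption starts.
HL_GEO_HOST = "ip-api.com"


def parse_hades_name(name: str) -> Optional[dict]:
    """Return {'original', 'pw_prefix'} if the file name looks Hades-encrypted, else None."""
    m = HL_SUFFIX.match(name)
    if not m:
        return None
    return {"original": m.group("orig"), "pw_prefix": m.group("pw")}


def scan_events(lines: List[str]) -> List[str]:
    """Flag telemetry lines (hypothetical 'key=value|key=value' format) that match
    the registry, network and file-naming behaviour described in the article."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)
        etype = fields.get("type")
        if etype == "registry":
            target = fields.get("target", "")
            key, _, value = target.rpartition("\\")
            if key.lower() == HL_REG_KEY.lower() and value in HL_REG_VALUES:
                hits.append(f"registry write {target} (Hades Locker hwid/Status marker)")
        elif etype == "network":
            if fields.get("host", "").lower() == HL_GEO_HOST:
                hits.append(f"outbound lookup to {HL_GEO_HOST} (pre-encryption geolocation)")
        elif etype == "file":
            parsed = parse_hades_name(fields.get("path", "").rsplit("\\", 1)[-1])
            if parsed:
                hits.append(f"encrypted file {fields['path']} (password prefix {parsed['pw_prefix']})")
    return hits


# Constructed sample telemetry (not real logs), in the hypothetical format above.
SAMPLE_EVENTS = [
    r"type=network|host=ip-api.com|path=/xml",
    r"type=registry|target=HKCU\Software\Wow6232Node\hwid",
    r"type=registry|target=HKCU\Software\Wow6232Node\Status",
    r"type=file|path=C:\Users\alice\Pictures\test.jpg.~HLH6215",
    r"type=file|path=C:\Users\alice\Documents\notes.txt",
]
```

Running `scan_events(SAMPLE_EVENTS)` flags the network lookup, both registry writes and the renamed picture, while the untouched notes.txt produces no hit.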
The Hades Locker payment website can be accessed via two C2 servers located on the clearnet Internet or by connecting directly to the TOR onion address. To connect directly to the onion site, victims would need to install a special program named TOR. By providing two Internet sites that act as gateways to the TOR site, the developers make it easier for victims to reach their payment instructions.
Once connected to the payment website, victims are shown a general information page describing how much they need to pay, the bitcoin address the payment should be sent to, and how to obtain bitcoins. On this payment site the developers refer to themselves as a company called Hades Enterprises.