The DXXD ransomware piece has found a new way to show its ransom note to the victims, using the Windows Legal Notice screen to display it even before they log on their PCs. The criminal crew behind DXXD are the first to take advantage of the Windows Legal Notice screen, but researchers are guessing than once the idea is out others will adopt it as well.
The Windows Legal Notice screen is an intermediary screen, which appears before the Windows has started, and it is used to show the users various legal notices and other messages.
This strategy is very efficient because the screen gets the victims` attention while in other cases they are able to dismiss the notice just by pressing the “OK” button.
When the users log on their computers after they have seen the ransom screen, they will find that some of their files have been encrypted by the DXXD ransomware, which first appeared on the malware stage at the end of last month.
This particular threat is easily noticeable not only because of the Legal Notice message, which appears because the ransomware has added two registry keys to the infected PC, but also because it appends the “dxxd” extension at the end of encrypted files. For example, a file, which was named “photo.png” before the encryption, after being locked, its name will be “photo.pgndxxd”.
The current version of the DXXD ransomware is its second one, as the security researcher, Michael Gillespie, was able to create a free decryptor for the first one at the beginning of October. However, the DXXD author managed to fix the flaw which the decryptor was based on and created version2. Moreover, to make fun of Gillespie for defeating his tool, the crooks created an account on the Bleeping Computer forums. He even got support from another malware developer – the person behind the Apocalypse ransomware, who joined to taunt the researcher as well.
The DXXS creator also made an attempt to fool the researchers claiming he infects computers using a zero-day RCE exploit, which affects all Windows versions released between 1995 and 2016. This is highly unlikely, and a zero-day like this would be valued at millions of dollars, and most likely used for something more heinous than just installing shoddy ransomware.
At this point, a decryptor for the second DXXD version is not available, as the experts have not had the chance to examine its source code yet. However, they are hopeful they will be able to crack this version as well, so victims of DXXD v2 are advised not to pay the ransom.
