McAfee Labs recently came across the new ransomware variant HydraCrypt. Like some previous ransomware variants, HydraCrypt is distributed using the Angler exploit kit. HydraCrypt encrypts a victim’s files and appends the filenames with the extension “hydracrypt_ID_<8 random characters>.”
The malware also drops one plain-text file on the victim’s machine and opens a red window displaying the ransom screen with instructions on how to pay the ransom to decrypt the files. It also threatens to sell documents and files on the dark markes if the victim fails to take the required action within 72 hours. The ransomware screen:
Let’s dig deeper into the code inside the binary to understand more about it.
This variant of HydrCcrypt is compiled with MFC. Upon execution, the malware drops and executes its copy under the folder ChromeSettings2364 in the %AppData% directory with a random name and deletes itself. It decrypts two binaries in memory: One of them is UPX packed and the other is an MFC-compiled executable.
Upon analyzing the UPX-packed binary, the malware creates a randomly named mutex to ensure that only one copy of it is running. The snippet below illustrates:
The malware then gathers information about the victim’s machine—computer name, information about locale, etc.—as shown:
The ransomware encrypts this information with RC4 code:
The malware then tries to connect to the remote server d.googlex.me on Port 30 to send the encrypted data and report the infection. The following snippet shows this:
HydraCrypt can also download additional files from the remote server.
The MFC-compiled binary, upon execution, creates a randomly named mutex, as shown below:
The malware examines running processes on infected systems via the CreateToolhelp32Snapshot method, to check whether it is running on a virtual machine. In the following snapshot we can see the ransomware targeting code by looking for API calls such as Createtoolhelp32snapshot (taking snapshots of the specified processes, as well as the heaps, modules, and threads used by these processes), Process32First, and Process32next to find the target process.
HydraCrypt drops a copy of itself under the folder ChromeSettings2364 in the %AppData% directory with a random name:
As with old ransomware variants, HydraCrypt removes the volume shadow copies from the target’s system, thereby preventing the user from restoring the encrypted files. (Shadow copy is a Windows feature that helps users make backup copies—snapshots—of computer files or volumes.) To delete the shadow volume copies, HydraCrypt uses the command “vssadmin.exe Delete Shadows /All.” This ransomware uses vssadmin to delete all the shadow volume copies on the computer.
HydraCrypt tries to encrypt files with the following extensions:
Finally, it creates the file README_DECRYPT_HYDRA_ID_XXXXXXXX in the %Desktop% directory and displays it on the victim’s screen:
McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect this variant of ransomware as Ransom-Hydracrypt with DAT Versions 8074 and later.