HydraCrypt Variant of Ransomware Distributed by Angler Exploit Kit


McAfee Labs recently came across the new ransomware variant HydraCrypt. Like some previous ransomware variants, HydraCrypt is distributed using the Angler exploit kit. HydraCrypt encrypts a victim’s files and appends the extension “hydracrypt_ID_<8 random characters>” to each filename.

The malware also drops one plain-text file on the victim’s machine and opens a red window displaying the ransom screen with instructions on how to pay the ransom to decrypt the files. It also threatens to sell the victim’s documents and files on dark markets if the victim fails to take the required action within 72 hours. The ransomware screen:

[Figure 1]

Let’s dig deeper into the code inside the binary to understand more about it.

This variant of HydraCrypt is compiled with MFC. Upon execution, the malware drops a copy of itself with a random name under the folder ChromeSettings2364 in the %AppData% directory, executes that copy, and deletes the original. It decrypts two binaries in memory: one of them is UPX packed and the other is an MFC-compiled executable.

[Figure 2]

Analysis of the UPX-packed binary shows that it creates a randomly named mutex to ensure that only one copy of it is running. The snippet below illustrates this:

[Figure 3]

The malware then gathers information about the victim’s machine—computer name, information about locale, etc.—as shown:

[Figure 4]

[Figure 5]

The ransomware encrypts this information with RC4:

[Figure 6]
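Because RC4 is a symmetric stream cipher, the same key that the sample uses to protect its beacon also decrypts it; once an analyst pulls the key out of the binary, a captured beacon body can be turned back into the plaintext host profile. The following Python is an added illustration and is not code from the post or from the malware: it implements RC4 (KSA plus PRGA) and round-trips a constructed host-profile string. The key, the profile format and the field names are assumptions, not values recovered from HydraCrypt.

```python
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """RC4 key-scheduling algorithm (KSA) followed by the PRGA; yields keystream bytes."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):  # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:  # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Constructed stand-in for the host profile the sample gathers; not a real beacon.
HOST_INFO = b"computer=WS-ALICE;locale=en-US;user=alice"

# Placeholder: the real key would be recovered from the sample and is not in the post.
PLACEHOLDER_KEY = b"<key-recovered-from-sample>"


def decrypt_beacon(key: bytes, blob: bytes) -> str:
    """Recover the plaintext profile from a captured beacon body, given the key."""
    return rc4_crypt(key, blob).decode("utf-8", errors="replace")


if __name__ == "__main__":
    blob = rc4_crypt(PLACEHOLDER_KEY, HOST_INFO)
    print("ciphertext:", blob.hex())
    print("recovered :", decrypt_beacon(PLACEHOLDER_KEY, blob))
```

The standard RC4 test vectors (key "Key" with plaintext "Plaintext", key "Wiki" with plaintext "pedia") are a quick way to confirm an implementation before trusting it against a real capture.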

The malware then tries to connect to the remote server d.googlex.me on port 30 to send the encrypted data and report the infection. The following snippet shows this:

[Figure 7]

[Figure 8]

HydraCrypt can also download additional files from the remote server.

[Figure 9]

The MFC-compiled binary, upon execution, creates a randomly named mutex, as shown below:

[Figure 10]

The malware examines the running processes on the infected system via CreateToolhelp32Snapshot to check whether it is running on a virtual machine. In the following snapshot we can see the process-enumeration code, which calls CreateToolhelp32Snapshot (taking a snapshot of the specified processes, as well as the heaps, modules, and threads used by those processes), Process32First, and Process32Next to find the target process.

[Figure 11]

HydraCrypt drops a copy of itself under the folder ChromeSettings2364 in the %AppData% directory with a random name:

[Figure 12]

As with older ransomware variants, HydraCrypt removes the volume shadow copies from the target’s system, thereby preventing the user from restoring the encrypted files. (Shadow copy is a Windows feature that helps users make backup copies—snapshots—of computer files or volumes.) To delete them, HydraCrypt runs the command “vssadmin.exe Delete Shadows /All,” which removes every shadow copy on the computer.

[Figure 13]

[Figure 14]

HydraCrypt tries to encrypt files with the following extensions:

[Figure 15]

Finally, it creates the file README_DECRYPT_HYDRA_ID_XXXXXXXX in the %Desktop% directory and displays it on the victim’s screen:

  • README_DECRYPT_HYDRA_ID_XXXXXXXX
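The indicators described in this post (the “hydracrypt_ID_” extension, the ChromeSettings2364 drop folder under %AppData%, the vssadmin shadow-copy deletion, the beacon to d.googlex.me on port 30 and the README_DECRYPT_HYDRA_ID_ note) can be turned into simple endpoint detections. The Python below is an added example, not code from the post or from McAfee: it runs a handful of rules over constructed endpoint events (process, file and network records, assumed to have the field names shown) and returns the matches. The sample events, the event schema and the assumption that %AppData% resolves to AppData\Roaming are constructed for the demonstration.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Indicators taken from the analysis above.
ENCRYPTED_EXT = re.compile(r"\.hydracrypt_ID_[A-Za-z0-9]{8}$")           # 8 random characters
RANSOM_NOTE = re.compile(r"(^|\\)README_DECRYPT_HYDRA_ID_[A-Za-z0-9]+$")
DROP_DIR = re.compile(r"\\AppData\\Roaming\\ChromeSettings2364\\", re.IGNORECASE)  # assumes %AppData% = AppData\Roaming
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
C2_HOST, C2_PORT = "d.googlex.me", 30


def classify(event: dict) -> Optional[str]:
    """Return the name of the first rule the event matches, or None."""
    kind = event.get("type")
    if kind == "process" and SHADOW_DELETE.search(event.get("cmdline", "")):
        return "shadow_copy_deletion"
    if kind == "file":
        path = event.get("path", "")
        if ENCRYPTED_EXT.search(path):
            return "hydracrypt_encrypted_file"
        if RANSOM_NOTE.search(path):
            return "hydracrypt_ransom_note"
        if DROP_DIR.search(path):
            return "hydracrypt_drop_folder"
    if kind == "network":
        if event.get("dest_host", "").lower() == C2_HOST and event.get("dest_port") == C2_PORT:
            return "hydracrypt_c2_beacon"
    return None


def triage(events: Iterable[dict]) -> List[Tuple[str, dict]]:
    """Run every event through classify() and keep the (rule, event) pairs that hit."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((rule, event))
    return hits


# Constructed sample telemetry (not real logs); hostnames, users and paths are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe List Shadows"},                      # benign: must not fire
    {"type": "file", "path": r"C:\Users\alice\Documents\budget.xlsx.hydracrypt_ID_a1b2c3d4"},
    {"type": "file", "path": r"C:\Users\alice\Desktop\README_DECRYPT_HYDRA_ID_A1B2C3D4"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\ChromeSettings2364\qwe.exe"},
    {"type": "network", "dest_host": "d.googlex.me", "dest_port": 30},
    {"type": "network", "dest_host": "update.example.com", "dest_port": 443},  # benign
]


if __name__ == "__main__":
    for rule, event in triage(SAMPLE_EVENTS):
        print(f"{rule:28s} {event}")
```

The shadow-copy rule is the one worth treating as high severity on its own: deleting every shadow copy is rarely legitimate administrative activity and, as the post notes, it is exactly what removes the victim’s easiest recovery path.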

[Figure 16]

MD5s:

  • 08B304D01220F9DE63244B4666621BBA
  • 31fa6b1b3e03270f90103d95ef84a010


McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect this variant of ransomware as Ransom-Hydracrypt with DAT Versions 8074 and later.
