HelloXD Ransomware Goes for Double Extortion
A research team with Palo Alto Networks has picked apart a relatively recent ransomware strain. The ransomware is called HelloXD and was first spotted in the last months of 2021.
HelloXD is a double-extortion operation: it threatens to leak the victim's stolen data if the ransom is not paid. Unlike most such gangs, however, HelloXD does not run a dark-web leak site. Instead, the operators negotiate directly with the victim over the encrypted Tox messenger.
In their analysis, the researchers at Palo Alto discovered similarities in functionality between HelloXD and the infamous Babuk ransomware. Attacks using HelloXD also employed a backdoor tool called MicroBackdoor, which allows for a number of remote tasks on the compromised system and gives the hackers the ability to observe the ransomware at work.
Once executed on a target system, HelloXD removes Volume Shadow Copies so that the victim cannot roll files back from Windows' built-in snapshots. This only defeats local recovery; backups kept offline or on another host are unaffected, which is why shadow-copy tampering is also one of the most reliable early detection signals for ransomware of this kind.
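The page does not quote the exact command HelloXD issues, so the following is an added example, not code from the Palo Alto report or from the malware: it runs a small set of shadow-copy tampering rules over constructed, Sysmon-style process-creation events. The event format, the parent process name `update.exe` and the list of commands (vssadmin, wmic, wbadmin, bcdedit, Win32_ShadowCopy via PowerShell) are assumptions made for the example; they are the usual ways ransomware families neuter Volume Shadow Copies, and a benign `vssadmin list shadows` is included to show the rules do not fire on it.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 style),
# flattened to one "Field=value" line each. These are made-up lines for the
# example, not telemetry from the HelloXD research.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'ParentImage=C:\\Users\\bob\\Downloads\\update.exe '
    'CommandLine="vssadmin.exe delete shadows /all /quiet"',
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'ParentImage=C:\\Users\\bob\\Downloads\\update.exe '
    'CommandLine="wmic shadowcopy delete"',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="vssadmin.exe list shadows"',
    'EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe '
    'ParentImage=C:\\Users\\bob\\Downloads\\update.exe '
    'CommandLine="bcdedit /set {default} recoveryenabled no"',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Users\\bob\\Downloads\\update.exe '
    'CommandLine="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe '
    'ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="notepad.exe C:\\Users\\bob\\Hello.txt"',
]

# "Key=value" or 'Key="quoted value"' pairs.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Common ways ransomware removes or neuters Volume Shadow Copies. Which of these
# HelloXD uses is not stated in the article; the set is an assumption of this example.
RULES = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("vssadmin resize shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("wbadmin delete catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
    ("bcdedit recoveryenabled no", re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no")),
    ("Win32_ShadowCopy delete via WMI/PowerShell", re.compile(r"win32_shadowcopy.*\bdelete\b")),
]


@dataclass
class Detection:
    rule: str
    parent_image: str   # who spawned the tool: the key triage field for an analyst
    command_line: str


def parse_event(line: str) -> dict:
    """Split a flattened event line into a field dictionary, dropping quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def normalize(cmd: str) -> str:
    """Collapse whitespace and lowercase so the rules are case-insensitive."""
    return " ".join(cmd.split()).lower()


def detect_shadow_copy_tampering(lines) -> list:
    """Return one Detection per process-creation event that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":          # only process-creation events
            continue
        cmd = normalize(ev.get("CommandLine", ""))
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append(Detection(name, ev.get("ParentImage", "?"), ev.get("CommandLine", "")))
                break                          # one detection per event is enough
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"[{hit.rule}] spawned by {hit.parent_image}: {hit.command_line}")
```

The parent image is deliberately carried into each detection: `vssadmin delete shadows` launched by a backup agent is routine, while the same command launched by a freshly downloaded executable in a user profile is about as clear a ransomware precursor as an endpoint log offers.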
The malware's author is believed to be a threat actor operating under several handles, including "x4k" and "unKn0wn". The researchers made the link through an IP address embedded in the MicroBackdoor sample used alongside HelloXD.
Encrypted files receive the ".hello" extension, and the ransom note is dropped as "Hello.txt". In its earliest form the note contained nothing but a Tox chat ID for contacting the operators.
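As an added example (not code from the report or the malware), here is a small triage script that walks a directory for the two indicators named above, the ".hello" extension and the "Hello.txt" note, and pulls Tox IDs out of any note it finds. The sample directory, the file names in it and the Tox IDs are constructed for the example. Tox IDs are 76 hex characters (32-byte public key, 4-byte nospam, 2-byte checksum), and the script validates the checksum the way toxcore computes it, so that a random hex string in a note is not mistaken for a real contact ID.

```python
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".hello"      # extension HelloXD appends to encrypted files
RANSOM_NOTE = "hello.txt"     # ransom note file name (compared case-insensitively)

# A Tox ID is 76 hex chars: 32-byte public key + 4-byte nospam + 2-byte checksum.
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")


def tox_checksum_ok(tox_id: str) -> bool:
    """Check the trailing 2-byte checksum of a Tox ID.

    toxcore XORs the first 36 bytes into two accumulators, alternating by byte
    position. Random hex that merely looks like a Tox ID fails this check with
    probability about 65535/65536.
    """
    raw = bytes.fromhex(tox_id)
    acc = [0, 0]
    for i, b in enumerate(raw[:36]):
        acc[i % 2] ^= b
    return bytes(acc) == raw[36:]


def make_tox_id(body: bytes) -> str:
    """Append a valid checksum to a 36-byte body (used only to build sample data)."""
    acc = [0, 0]
    for i, b in enumerate(body):
        acc[i % 2] ^= b
    return (body + bytes(acc)).hex().upper()


def triage_directory(root) -> dict:
    """Walk `root` and collect HelloXD indicators: encrypted files, notes, Tox IDs."""
    root = Path(root)
    encrypted, notes, tox_ids = [], [], {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(rel)
        elif path.name.lower() == RANSOM_NOTE:
            notes.append(rel)
            text = path.read_text(errors="replace")
            for match in TOX_ID_RE.findall(text):
                tox_ids[match.upper()] = tox_checksum_ok(match)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "tox_ids": tox_ids,   # id -> checksum valid?
    }


# Constructed sample IDs: one with a valid checksum, one that is just repeated hex.
SAMPLE_TOX_ID = make_tox_id(bytes(range(36)))
BOGUS_TOX_ID = "AB" * 38


def build_sample_tree() -> Path:
    """Create a throwaway directory that looks like a share hit by HelloXD (constructed)."""
    tmp = Path(tempfile.mkdtemp(prefix="helloxd_triage_"))
    (tmp / "finance").mkdir()
    (tmp / "finance" / "q3.xlsx.hello").write_bytes(os.urandom(64))
    (tmp / "finance" / "Hello.txt").write_text(SAMPLE_TOX_ID + "\n")
    (tmp / "notes.txt.hello").write_bytes(os.urandom(64))
    (tmp / "Hello.txt").write_text("hello\n" + SAMPLE_TOX_ID + "\nalt: " + BOGUS_TOX_ID + "\n")
    (tmp / "readme.docx").write_bytes(b"not encrypted")
    return tmp


if __name__ == "__main__":
    report = triage_directory(build_sample_tree())
    print(f"{len(report['encrypted_files'])} encrypted files, "
          f"{len(report['ransom_notes'])} ransom notes")
    for tox_id, ok in report["tox_ids"].items():
        print(f"  Tox ID {tox_id} checksum {'valid' if ok else 'INVALID'}")
```

Point the script at a mounted image or share rather than a live infected host; a count of ".hello" files per directory gives a quick blast-radius estimate, and a checksum-valid Tox ID is worth recording as an indicator for the negotiation channel.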