WickrMe Ransomware Campaign Goes After Outdated Microsoft SharePoint Servers

The WickrMe Ransomware (also called Hello Ransomware) is a dangerous file-encryption Trojan that, so far, has been used against a very specific set of targets. It is important to add that it has nothing to do with the WickrMe messaging service. The creators of this malware are not spreading it to random users on the Internet; instead, they are executing carefully orchestrated attacks against vulnerable Microsoft SharePoint servers. Of course, system administrators who keep their software up to date are not threatened by this attack, since the WickrMe Ransomware campaign relies on a vulnerability that dates back to 2019. Unfortunately, many systems are still vulnerable because they run outdated software, and those are exactly the targets of the WickrMe Ransomware.

Apart from its relatively unusual infection vector, the WickrMe Ransomware behaves just like other file-encryption Trojans. Its attack proceeds in several stages, none of which are out of the ordinary:

  • Disables processes used by database management software and other utilities that may prevent the malware from accessing the files it wants to encrypt.
  • Scans disk partitions for file types that it is meant to encrypt, and then locks their content.
  • Appends the '.hello' suffix to the names of files it locks.
  • Drops the ransom note 'Readme!!!.txt,' which includes custom emails for that specific victim.
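The two file-system indicators in the list above (the '.hello' suffix and the 'Readme!!!.txt' note) are what a defender can alert on. The following Python detector is an added example, not code from the original article: it reads constructed file-event records in an assumed 'timestamp|host|operation|path' format (host names, paths, window and threshold are all assumptions) and flags a host when it sees a burst of '.hello' renames or the ransom note being created.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_SUFFIX = ".hello"        # extension the article says is appended to encrypted files
RANSOM_NOTE = "readme!!!.txt"   # ransom note name from the article, matched case-insensitively
RENAME_THRESHOLD = 4            # assumed: '.hello' renames per host within one window
WINDOW = timedelta(seconds=60)  # assumed: length of the sliding window

# Constructed sample telemetry in an assumed 'timestamp|host|operation|path' format.
SAMPLE_EVENTS = [
    "2021-04-29T10:00:01|SP-WEB01|rename|D:\\Data\\Finance\\q1.xlsx.hello",
    "2021-04-29T10:00:02|SP-WEB01|rename|D:\\Data\\Finance\\q2.xlsx.hello",
    "2021-04-29T10:00:04|SP-WEB01|rename|D:\\Data\\HR\\staff.docx.hello",
    "2021-04-29T10:00:07|SP-WEB01|rename|D:\\Data\\HR\\payroll.pdf.hello",
    "2021-04-29T10:00:20|SP-WEB01|create|D:\\Data\\Finance\\Readme!!!.txt",
    "2021-04-29T10:05:00|SP-WEB02|rename|C:\\Users\\jdoe\\hello.docx",    # benign name
    "2021-04-29T11:00:00|SP-WEB02|rename|C:\\tmp\\scratch.txt.hello",     # one-off, below threshold
]

def parse_event(line):
    """Split one event line into (datetime, host, operation, path)."""
    ts, host, op, path = line.strip().split("|", 3)
    return datetime.fromisoformat(ts), host, op, path

def burst_within_window(stamps, count, window):
    """True if any `count` consecutive timestamps fall inside `window`."""
    stamps = sorted(stamps)
    return any(stamps[i + count - 1] - stamps[i] <= window
               for i in range(len(stamps) - count + 1))

def score_host_events(lines):
    """Return {host: [reasons]} for hosts showing the rename burst and/or the note drop."""
    renames, notes = defaultdict(list), defaultdict(list)
    for line in lines:
        ts, host, op, path = parse_event(line)
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()  # works for both separators
        if op == "rename" and name.endswith(RANSOM_SUFFIX):
            renames[host].append(ts)
        elif op == "create" and name == RANSOM_NOTE:
            notes[host].append(path)
    findings = {}
    for host in set(renames) | set(notes):
        reasons = []
        if burst_within_window(renames[host], RENAME_THRESHOLD, WINDOW):
            reasons.append(f"{RENAME_THRESHOLD}+ '{RANSOM_SUFFIX}' renames within {WINDOW.seconds}s")
        if notes[host]:
            reasons.append(f"ransom note dropped: {notes[host][0]}")
        if reasons:
            findings[host] = reasons
    return findings
```

Running `score_host_events(SAMPLE_EVENTS)` flags only SP-WEB01; a single stray '.hello' rename on SP-WEB02 stays below the threshold, which is the trade-off any such rule makes between early warning and false positives.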

Of course, the criminals demand a ransom payment in Bitcoin. Apart from the email addresses, the criminals also supply WickrMe usernames that can be used to get in touch with them; this is the first time that this service has been used by ransomware operators.

Unfortunately, the WickrMe Ransomware's encryption is unbreakable, so free decryption software is out of the question. Victims of this attack should not, however, agree to co-operate with the attackers, since the risk of getting scammed is too high. Instead of contacting the cybercriminals, victims of the WickrMe Ransomware should use antivirus software to eliminate the threat and then try restoring their files from a backup or with popular recovery software.

April 29, 2021
