Security Experts:

HDDCryptor Leverages Open Source Tools to Encrypt MBR

Malware that uses open source tools for malicious purposes isn’t new, yet ransomware leveraging such tools to encrypt the entire hard drive by rewriting the MBR (Master Boot Record) is, researchers warn.

The new malicious program that combines the two is called HDDCryptor, but also known as HDD Cryptor or Mamba ransomware. The threat was spotted for the first time in the beginning of this year, although it caught the attention of researchers in the past several weeks after was featured in a larger campaign.

Earlier this year, researchers detailed disk-level ransomware variants such as Petya, which emerged in March, but only manipulated the MBR to take over the boot process but didn’t encrypt user’s files. To encrypt user files too, Petyastarted dropping additional ransomware, called Mischa, and their modus operandi was already adopted by a ransomware variant called Satana.

HDDCryptor, however, leverages the DiskCryptor open source tool to strongly encrypt user’s data and to overwrite the MBR, Renato Marinho, Director at Morphus Segurança da Informação, explains.

According to Trend Micro researchers, the new piece of ransomware targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), while also locking the drive. Because of its damaging routine, the ransomware should be treated as a “very serious and credible threat not only to home users but also to enterprises,” Trend Micro says.

HDDCryptor is being distributed via files downloaded from malicious websites, and is installed by dropping multiple components to the system’s root folder. These components include dcapi.dll (detected as Ransom_HDDCRYPTOR.A), dccon.exe(to encrypt the disk drive), dcrypt.exedcrypt.syslog_file.txtMount.exe (scans mapped drives and encrypts files stored on them), netpass.exe (to scan for previously accessed network folders), netuse.txt (to store information about mapped network drives), and netpass.txt (to store user passwords).

To gain persistence, the malware adds a new service called DefragmentServiceand executes it via command line. Some of the analyzed samples, researchers say, also showed network-encrypting behavior, though others had no propagation routines. However, the Mount.exe component was clearly meant for enumerating mounted drives to encrypt their files, as well as for discovering previously connected drives or cached disconnected network paths and connecting to them using all credentials captured using the tool netpass.exe.

In addition to leveraging DiskCryptor (which supports AES, Twofish and Serpent encryption, including their combinations, in XTS mode) for disk and network file-level encryption, the ransomware abuses the open source disk encryption software to overwrite the Master Boot Record (MBR). The malware displays its ransom note by adding a modified bootloader instead of using the system’s normal log-in screen.

The security researchers also observed that the ransomware would forcefully reboot the compromised system after two hours of full disk activity (no user interaction needed), and that it would reboot the machine twice in some cases. Moreover, they reveal that the copy of the DiskCryptor dropped by the malware was the same file available on the open source tool’s download page (the software hasn’t been updated since September 7, 2014, it appears), but that a modified version of netpass.exe was used. 

“HDDCryptor, like ransomware as a service (RaaS), embodies how little effort can go a long way. At the crux of it is how HDDCryptor utilizes commercially available software to do its nefarious bidding, and ultimately how affected end users and businesses foot the bill for these cybercriminals,” Trend Micro researchers note.

According to Marinho, the password used to encrypt the disk is given as a parameter. The researcher also notes that there is a chance that the same password is used on all compromised machines, or that the password is “something related to the victims’ environment, like the hostname, or something like that.” He also notes that the ransomware’s authors might be focused on servers and that they have already received payment from at least four victims.

Related: Petya, Mischa Ransomware Now Available as a Service

view counter