Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

HDDCryptor Leverages Open Source Tools to Encrypt MBR

Malware that uses open source tools for malicious purposes isn’t new, yet ransomware leveraging such tools to encrypt the entire hard drive by rewriting the MBR (Master Boot Record) is, researchers warn.

Malware that uses open source tools for malicious purposes isn’t new, yet ransomware leveraging such tools to encrypt the entire hard drive by rewriting the MBR (Master Boot Record) is, researchers warn.

The new malicious program that combines the two is called HDDCryptor, but also known as HDD Cryptor or Mamba ransomware. The threat was spotted for the first time in the beginning of this year, although it caught the attention of researchers in the past several weeks after was featured in a larger campaign.

Earlier this year, researchers detailed disk-level ransomware variants such as Petya, which emerged in March, but only manipulated the MBR to take over the boot process but didn’t encrypt user’s files. To encrypt user files too, Petyastarted dropping additional ransomware, called Mischa, and their modus operandi was already adopted by a ransomware variant called Satana.

HDDCryptor, however, leverages the DiskCryptor open source tool to strongly encrypt user’s data and to overwrite the MBR, Renato Marinho, Director at Morphus Segurança da Informação, explains.

According to Trend Micro researchers, the new piece of ransomware targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), while also locking the drive. Because of its damaging routine, the ransomware should be treated as a “very serious and credible threat not only to home users but also to enterprises,” Trend Micro says.

HDDCryptor is being distributed via files downloaded from malicious websites, and is installed by dropping multiple components to the system’s root folder. These components include dcapi.dll (detected as Ransom_HDDCRYPTOR.A), dccon.exe(to encrypt the disk drive), dcrypt.exedcrypt.syslog_file.txtMount.exe (scans mapped drives and encrypts files stored on them), netpass.exe (to scan for previously accessed network folders), netuse.txt (to store information about mapped network drives), and netpass.txt (to store user passwords).

To gain persistence, the malware adds a new service called DefragmentServiceand executes it via command line. Some of the analyzed samples, researchers say, also showed network-encrypting behavior, though others had no propagation routines. However, the Mount.exe component was clearly meant for enumerating mounted drives to encrypt their files, as well as for discovering previously connected drives or cached disconnected network paths and connecting to them using all credentials captured using the tool netpass.exe.

Advertisement. Scroll to continue reading.

In addition to leveraging DiskCryptor (which supports AES, Twofish and Serpent encryption, including their combinations, in XTS mode) for disk and network file-level encryption, the ransomware abuses the open source disk encryption software to overwrite the Master Boot Record (MBR). The malware displays its ransom note by adding a modified bootloader instead of using the system’s normal log-in screen.

The security researchers also observed that the ransomware would forcefully reboot the compromised system after two hours of full disk activity (no user interaction needed), and that it would reboot the machine twice in some cases. Moreover, they reveal that the copy of the DiskCryptor dropped by the malware was the same file available on the open source tool’s download page (the software hasn’t been updated since September 7, 2014, it appears), but that a modified version of netpass.exe was used. 

“HDDCryptor, like ransomware as a service (RaaS), embodies how little effort can go a long way. At the crux of it is how HDDCryptor utilizes commercially available software to do its nefarious bidding, and ultimately how affected end users and businesses foot the bill for these cybercriminals,” Trend Micro researchers note.

According to Marinho, the password used to encrypt the disk is given as a parameter. The researcher also notes that there is a chance that the same password is used on all compromised machines, or that the password is “something related to the victims’ environment, like the hostname, or something like that.” He also notes that the ransomware’s authors might be focused on servers and that they have already received payment from at least four victims.

Related: Petya, Mischa Ransomware Now Available as a Service

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...