Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

WildFire Ransomware Revived as “Hades Locker”

The actor behind WildFire, a piece of ransomware that emerged earlier this year, has decided to rebrand the malware after security researchers created a decryption tool for it.

The actor behind WildFire, a piece of ransomware that emerged earlier this year, has decided to rebrand the malware after security researchers created a decryption tool for it.

WildFire was detailed in late August, when security researchers managed to seize control of its command and control (C&C) servers and gain access to many decryption keys. Previously, many users did pay the ransom, which was etimated to have generated around $80,000 in payments for its operators in just a month.

Although the ransomware’s C&C servers were compromised, the actors behind it haven’t been caught, and it appears that they managed to bring their creation back to life under the name of Hades Locker (Hades was the ancient Greek chthonic god of the underworld). What’s more, the new malware variant comes with improved encryption.

Once ] executed on a victim’s computer, the ransomware connects to http://ip-api(dot)com/xml for the victim’s IP address and geographic location. Next, the malware sends a unique victim ID, a tracking ID, computer name, user name, country, and victim’s IP address to one of the configured C&C servers, which in return replies with the password for the encryption process.

The victim ID is stored in the Registry, along with status information (on whether the encryption process has been completed or not). The ransomware searches mapped drives for specific file extensions and encrypts the files using AES encryption. It appends a specific extension to these files: the “.~HL” string, followed by the first 5 letters of the encryption password.

Hades Locker targets a vast variety of file types, but it skips those that contain the following strings in their file path: windows, program files, program files (x86), system volume information, and $recycle.bin. The ransomware also deletes the Shadow Volume Copies to prevent its victims from restoring their files in this manner.

The ransom note dropped on the victim’s computer includes links to the n7457xrhg5kibr2c.onion, http://pfmydcsjib(dot)ru, and http://jdybchotfn(dot)ru sites, which the victim is encouraged to access for information on the ransom amount and on how to make the payment.

When the victim connects to the payment site, they are provided with information on the amount to be paid and on the Bitcoin address the payment should be sent to, as well as with information on how to get Bitcoins. The website supposedly belongs to a company called Hades Enterprises and includes multiple pages, such as Frequently Asked Questions, test decryption, Help Desk, and Decryption Tutorial.

Related: Wildfire Ransomware Operators Made $80,000 in One Month

Related: Researchers Break Encryption of MarsJoke Ransomware

 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.