by Stephen Hilt and Fernando Mercês
Since first writing about the discovery of HDDCryptor back in September, we have been tracking this ransomware closely as it has evolved. Last week, a new version was spotted in the wild, and based on our analysis, we believe that this variant is the one used in a recent attack against San Francisco Municipal Transport Agency (SFMTA).
In this attack, as we’ve seen with other versions of HDDCryptor, the ransomware dropped some tools to perform full disk encryption, as well as the encryption of mounted SMB drives. We believe the threat actors behind the attack don’t use exploit kits and automated installers to instantly compromise and infect victims. Instead, they first attempt to gain access to the machine, most likely through a more targeted attack or exploit, before manually triggering and executing the malware. While we don’t have specific information on how this was accomplished across SFMTA’s 2,000 machines, it is highly likely that it was through scheduling a job to run on all of the devices using some form of admin credentials.
When contacted, the actors using this new HDDCryptor replied with a similar message to the one seen at the CSO online article.
How has HDDCryptor Evolved?
Previously, HDDCryptor did all of this with a user account that was added, which in September was “mythbusters.” Shortly after, it was observed to add a user of “ABCD,” as the creators had likely changed the username to avoid detection. In the most recent observed version as of last week, HDDCryptor no longer adds a user, however it creates a path of “C:\Users\WWW” in which it drops the files needed to perform the encryption of both the local hard drive and any attached file shares.
After trying to encrypt remote network shares, the ransomware puts into place all the pieces needed for local encryption and the system is rebooted once. Then, HDDCryptor starts performing what it needs.
One last reboot is needed and then the ransomware shows the modified Master Boot Record (MBR) as the ransom note. This has not changed, except for the email address and phrasing between versions.
As with previous versions, the argument that is passed in during the execution of the ransomware binary is the password for decryption.
The encryption ran on the remote file systems is performed by the mount.exe file. To do this, each drive that is to be encrypted is sent in as an argument to mount.exe along with the password that was passed in as an original argument to HDDCryptor. Unlike the main hard drive, mount.exe does not utilize the DiskCryptor methods for encryption.
We noticed when analyzing the samples that between versions of HDDCryptor there are a few changes. First, the PDB strings of mount.exe in the current version show the number crp_95_08_30_v3:
HDDCryptor’s previous versions showed CRP_95_02_05_v3, indicating that the ransomware’s developers are updating and improving their code:
Analysis of the samples proved that the actors do not recompile DiskCryptor, even though it is an open source tool. Instead, since the first version of HDDCryptor, they patched dcapi.dll file to add the ransom note. Previous versions had all dropped files as clear PE resources of the main dropper. Since v2, HDDCryptor actors use a simple decryption scheme to decrypt the binaries in its .rsrc (resource) section:
Both v2 and v3 are compiled with Visual Studio 2013 (first version is compiled with VS 2012) and have some improvements like basic anti-sandbox and anti-debugging features, string encoding, and simple resources encryption as shown in the screenshot above. This shows that the HDDCryptor actors are quickly evolving this ransomware family to evade AV and other detection techniques. In no cases have researchers been able to attribute HDDCryptor executables to any phishing campaigns or any other types of attacks that have been utilized. It appears that the actors have prior access to the systems and manually execute HDDCryptor. It is believed that this is done over RDP that is exposed to the internet directly, apart from exploiting tools. Given the fact is easy to buy access to compromised servers within the underground. HDDCryptor actors may be using this technique, too.
The last variant uses the same ransom note mentioned on SFMTA attack. We can’t safely trust on compilation timestamps, especially for the first observed variant but the second and third variants really appear to be evolutions from the first one as we explained earlier.
What’s Next for HDDCryptor?
It’s been speculated in the SFMTA attack that 30GB of data was exfiltrated and could be released and sold in the Deep Web. Though we can’t confirm that is the case here, this is an evolution of ransomware we have predicted for a while. Typically, ransom is demanded to return the original files to the owner and that’s that. On a large scale, it’s really difficult to sift through all of this encrypted data to find valuable information that could be sold. However, it is a logical step for the ransomware to simultaneously encrypt and exfiltrate a copy of the data to the attacker. When the victim pays the normal 2 BTC ransom – indicating they care about the data – the attacker does a manual check to see who they are. If it just mom and pop at home, they take the money, decrypt the files and delete the exfiltrated documents. If, however, it turns out to be an organization like SFMTA, they can immediately up the ransom and also hold the threat of releasing the files as additional extortion. This is a direction we fully expect to see more frequently over the next 12 months.
The indicators of compromise (IoCs)/related hashes for RANSOM_HDDCryptor can be found in our appendix.
Trend Micro Ransomware Solutions
This latest incident underscores ransomware’s potentially detrimental consequences to organizations—business disruption, financial losses and damage to reputation. At the same time, it highlights the importance of a proactive approach to security. A multilayered defense system that can secure gateways, endpoints, networks and servers is also recommended.
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.Network Traffic ScanningMalware SandboxLateral Movement Prevention
Trend Micro Deep SecurityTM detects and stops suspicious network activity and shields servers and applications from exploits.Webserver ProtectionVulnerability ShieldingLateral Movement Prevention
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-FreeTM Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.Ransomware behavior monitoringIP/Web Reputation
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.IP/Web ReputationRansomware Protection
Additional analysis by William Gamazo Sanchez and Robert McArdle