by Stephen Hilt and William Gamazo Sanchez
While most ransomware we’ve seen only target specific file types or folders stored on local drives, removable media and network shares, we were able to uncover a ransomware family that does not discriminate: HDDCryptor. Detected as Ransom_HDDCRYPTOR.A, HDDCryptor not only targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), but also locks the drive. Such a damaging routine makes this particular ransomware a very serious and credible threat not only to home users but also to enterprises.
Figure 1. A photo of the ransom note; HDDCryptor uses a hard-coded malware ID (123141), which implies that its operators may only be using a single decryption key.
Infection Vector and Installation
HDDCryptor can infect systems as an executable unsuspectingly downloaded from malicious websites, or as a file dropped by other malware. The ransomware is installed by dropping several components—both legitimate and malicious—to the system’s root folder:
- dcapi.dll (detected as Ransom_HDDCRYPTOR.A)
- dccon.exe (used to encrypt the disk drive)
- log_file.txt (log of the malware’s activities)
- Mount.exe (scans mapped drives and encrypts files stored on them)
- netpass.exe (used to scan for previously accessed network folders)
- netuse.txt (used to store information about mapped network drives)
- netpass.txt (used to store user passwords)
For persistence, it adds a service named DefragmentService and executes it via command line.
Network-Mapped Drive Encryption
Digging into HDDCryptor, we found that its network-related behaviors vary from sample to sample: some samples showed no propagation routine at all, while others encrypted files on network shares. Running one of its components, mount.exe, we found the following functionalities:
- Enumerate all existing mounted drives and encrypt all files
- Find previously connected drives or cached disconnected network paths and connect to them using the credentials captured by the tool netpass.exe
Running mount.exe with no parameters enumerated all mapped drives via the Windows volume management function GetLogicalDrives and encrypted all files stored on them.
Figure 2. Code showing capability of mount.exe to enumerate drives
To reach previously accessed network folders (as opposed to mounted drives), HDDCryptor uses a network password recovery freeware (netpass.exe). The utility extracts the credentials of the current session and dumps the result into a file named netpass.txt.
At the same time, the connected drives cache is dumped into a file named netuse.txt. The executable then uses the two dump files to access resources in the network cache—even disconnected ones—or any network share that was previously accessed. The following image shows mount.exe code using these files:
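The host-side signals described so far (the component set dropped to the system root, the DefragmentService persistence service, the netpass.txt and netuse.txt dumps, and mount.exe launched from the drive root without arguments) can be turned into a simple triage check. The following is an added example, not Trend Micro's code or tooling; `HostSnapshot`, `triage` and `severity` are names chosen here, and the snapshot at the bottom is constructed to mimic an infected host, not data from a real sample.

```python
"""Triage helper for the HDDCryptor drop pattern described in the write-up.

Added example (not Trend Micro's code). All input below is constructed.
"""
import ntpath
from dataclasses import dataclass

# Component names the write-up lists as dropped to the system's root folder.
DROPPED_COMPONENTS = {
    "dcapi.dll", "dccon.exe", "log_file.txt", "mount.exe",
    "netpass.exe", "netuse.txt", "netpass.txt",
}
PERSISTENCE_SERVICE = "defragmentservice"
# Credential / cache dumps that mount.exe reads to reach network shares.
DUMP_FILES = {"netpass.txt", "netuse.txt"}
# Components responsible for disk and mapped-drive encryption.
ENCRYPTION_TOOLS = {"mount.exe", "dccon.exe"}


@dataclass
class HostSnapshot:
    root_files: list      # file names present in the system root (e.g. C:\)
    services: list        # installed service names
    process_events: list  # (image_path, command_line) tuples
    file_writes: list     # (image_path, written_path) tuples


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(snapshot: HostSnapshot) -> list:
    """Return (kind, detail) findings; an empty list means nothing matched."""
    findings = []
    present = {f.lower() for f in snapshot.root_files} & DROPPED_COMPONENTS
    # netpass.exe alone is legitimate freeware; require two or more of the
    # named components before treating the file set as an indicator.
    if len(present) >= 2:
        findings.append(("dropped-components", tuple(sorted(present))))
    if any(s.lower() == PERSISTENCE_SERVICE for s in snapshot.services):
        findings.append(("persistence-service", PERSISTENCE_SERVICE))
    for image, written in snapshot.file_writes:
        if _base(written) in DUMP_FILES:
            findings.append(("dump-file-written", (_base(image), _base(written))))
    for image, cmdline in snapshot.process_events:
        base = _base(image)
        # Encryption component launched from a drive root, as observed for
        # mount.exe (which runs with no arguments).
        if base in ENCRYPTION_TOOLS and ntpath.dirname(image).rstrip("\\").endswith(":"):
            args = cmdline.split()[1:]
            findings.append(("encryptor-launched", (base, "no-args" if not args else "with-args")))
    return findings


def severity(findings: list) -> str:
    kinds = {k for k, _ in findings}
    if {"dropped-components", "persistence-service"} <= kinds or "encryptor-launched" in kinds:
        return "critical"
    return "suspicious" if kinds else "clean"


# Constructed snapshot resembling the installation described in the write-up.
CONSTRUCTED = HostSnapshot(
    root_files=["dcapi.dll", "dccon.exe", "log_file.txt", "Mount.exe",
                "netpass.exe", "netuse.txt", "netpass.txt", "pagefile.sys"],
    services=["Spooler", "DefragmentService"],
    process_events=[(r"C:\netpass.exe", "netpass.exe"), (r"C:\Mount.exe", "Mount.exe")],
    file_writes=[(r"C:\netpass.exe", r"C:\netpass.txt"), (r"C:\dcapi.dll", r"C:\netuse.txt")],
)

if __name__ == "__main__":
    found = triage(CONSTRUCTED)
    for kind, detail in found:
        print(f"{kind}: {detail}")
    print("severity:", severity(found))
```

The snapshot fields map directly onto what an EDR or Sysmon feed already provides (file creation in the drive root, service installation, process creation with command line, file writes by image), so the same logic can be run over exported telemetry rather than a hand-built object.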
HDDCryptor uses disk and network file-level encryption via DiskCryptor, an open source disk encryption software that supports AES, Twofish and Serpent encryption algorithms, including their combinations, in XTS mode. It also uses DiskCryptor to overwrite the Master Boot Record (MBR) and adds a modified bootloader to display its ransom note, instead of the machine’s normal log-in screen.
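Because the ransomware overwrites the MBR with a modified bootloader, the first sector of the disk is worth baselining and re-checking. The following added example (not Trend Micro's or DiskCryptor's code) parses the 512-byte MBR layout, 446 bytes of boot code, a 64-byte partition table and the 0x55AA signature, and reports whether the boot code or partition table differs from a stored baseline. `parse_mbr`, `compare_mbr`, `build_mbr` and the two sample sectors are constructed for this illustration.

```python
"""MBR baseline / integrity check. Added example; sample sectors are constructed."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFF = 446
SIGNATURE = b"\x55\xaa"
# One 16-byte partition entry: status, CHS start (3, skipped), type,
# CHS end (3, skipped), LBA start, sector count; all little-endian.
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "valid_signature": sector[510:] == SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable alerts; an empty list means the MBR is unchanged."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    alerts = []
    if not c["valid_signature"]:
        alerts.append("boot signature missing")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        # A replaced bootloader shows up here even when the partition table
        # is left intact, which is what a ransom-note loader needs.
        alerts.append("boot code replaced")
    if b["partitions"] != c["partitions"]:
        alerts.append("partition table changed")
    return alerts


def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack(ENTRY_FMT, status, ptype, lba_start, sectors)


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a well-formed 512-byte sector from boot code and entries."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return code + table + SIGNATURE


# Constructed "known good" sector: a single bootable NTFS-type partition.
BASELINE_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 40,
                         [_entry(0x80, 0x07, 2048, 204800)])
# Constructed tampered sector: same partition table, different boot code.
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90CONSTRUCTED-LOADER",
                         [_entry(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("unchanged:", compare_mbr(BASELINE_MBR, BASELINE_MBR))
    print("tampered: ", compare_mbr(BASELINE_MBR, TAMPERED_MBR))
```

In practice the baseline is the first 512 bytes read from the physical disk (on Windows, `\\.\PhysicalDrive0` opened with an administrative token) at a known-clean point, stored off-host, and compared on a schedule; only the boot-code hash and partition table need to be retained, not the sector itself.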
In some of the samples we ran, the system was forcefully rebooted (no user interaction needed) after two hours of full disk activity, while the drive was being encrypted; in others, the affected machine was rebooted twice.
Interestingly, the copy of DiskCryptor dropped by the samples we analyzed is the same file available on DiskCryptor's download page. Aside from containing expired certificates, the software itself hasn't received an update since September 7, 2014. In contrast, HDDCryptor's operators seem to have used a modified version of netpass.exe: the version dropped by this ransomware had properties such as version information stripped from the binary. We have reached out and shared our analysis of this ransomware with the developers of both tools.
HDDCryptor, like ransomware as a service (RaaS), embodies how little effort can go a long way. At the crux of it is how HDDCryptor utilizes commercially available software to do its nefarious bidding, and ultimately how affected end users and businesses foot the bill for these cybercriminals.
Trend Micro Ransomware Solutions
As ransomware continues to wreak havoc on users, it looks as though it can only up the ante. Considering the severe damage HDDCryptor poses to end users and especially businesses, it is crucial to have preventive measures in place, such as a strengthened backup policy, as well as a proactive, multilayered approach to security: from the gateway, endpoints, networks, and servers.
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network. (Network Traffic Scanning; Malware Sandbox; Lateral Movement Prevention)
Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits. (Webserver Protection; Vulnerability Shielding; Lateral Movement Prevention)
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware. (Ransomware Behavior Monitoring; IP/Web Reputation)
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat. (IP/Web Reputation; Ransomware Protection)
Related Hashes detected as Ransom_HDDCRYPTOR.A:
Additional analysis and insights by Sasha Hellberg, Byron Gelera, Fernando Merces, and Lord Remorin