HDDCryptor ransomware uses open source tools to thoroughly own systems

HDDCryptor (aka Mamba) is a particularly destructive piece of ransomware that encrypts files on mounted drives and network shares, locks the computer’s hard disk, and overwrites the boot disk’s MBR.

This last action leaves the systems unable to boot up, and makes the ransom note appear:

HDDCryptor ransomware ransom note

The malware uses Netpass, a legitimate tool for recovering all network passwords stored on the system for the current logged-on user, to connect to networked folders and encrypt their contents.

“HDDCryptor uses disk and network file-level encryption via DiskCryptor, an open source disk encryption software that supports AES, Twofish and Serpent encryption algorithms, including their combinations, in XTS mode. It also uses DiskCryptor to overwrite the Master Boot Record (MBR) and adds a modified bootloader to display its ransom note, instead of the machine’s normal log-in screen,” Trend Micro researchers explain.

To gain persistence, HDDCryptor creates a new user and a new service (DefragmentService) that runs at every boot and calls the ransomware’s binary.
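The following triage script is an added example, not code from the article or from the Trend Micro or Morphus analyses. It checks a Windows host for the two persistence artifacts described above: the DefragmentService service (the only identifier the article gives) and a newly created user. Everything else is this script’s own assumption: the seven-day lookback window, and the use of the standard Windows event IDs 7045 (new service installed, System log) and 4720 (user account created, Security log) as the evidence source.

```powershell
# Added example (not from the article, Trend Micro, or Morphus Labs). Hunts for
# the HDDCryptor persistence described in the text: a service named
# "DefragmentService" (name from the article) plus a freshly created user.
# Assumptions: standard event IDs 7045/4720, a 7-day lookback, an elevated
# session (needed to read the Security log).

param(
    [int]$LookbackDays = 7,                       # assumed window, adjust as needed
    [string]$ServiceName = 'DefragmentService'    # service name reported in the article
)

$findings = @()
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Is the persistence service currently registered? Win32_Service exposes the
#    image path and the run-as account, which Get-Service does not show.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{
        Check  = 'ServicePresent'
        Detail = "$($svc.Name) start=$($svc.StartMode) account=$($svc.StartName) path=$($svc.PathName)"
    }
}

# 2. Services installed inside the lookback window (System log, event 7045).
#    EventData order for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName.
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $installs) {
    $name = $e.Properties[0].Value
    $path = $e.Properties[1].Value
    $flag = if ($name -eq $ServiceName) { 'ServiceInstalled-KnownName' } else { 'ServiceInstalled' }
    $findings += [pscustomobject]@{ Check = $flag; Detail = "$($e.TimeCreated) $name -> $path" }
}

# 3. Local accounts created inside the lookback window (Security log, event 4720).
#    EventData: [0] TargetUserName (the new account), [4] SubjectUserName (who created it).
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $created) {
    $findings += [pscustomobject]@{
        Check  = 'UserCreated'
        Detail = "$($e.TimeCreated) $($e.Properties[0].Value) (created by $($e.Properties[4].Value))"
    }
}

# 4. Cross-check: an enabled local account that has never logged on is suspicious
#    when it also appears in a recent 4720 event.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.LastLogon } | ForEach-Object {
    $findings += [pscustomobject]@{ Check = 'EnabledAccountNoLogon'; Detail = $_.Name }
}

if ($findings.Count -eq 0) {
    Write-Output "No HDDCryptor-style persistence artifacts found in the last $LookbackDays days."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session; without elevation the Security log query silently returns nothing and the user-creation check is skipped. A hit on ServicePresent or ServiceInstalled-KnownName on a machine that still boots is the moment to pull the drive, since the MBR overwrite described above follows the encryption stage.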

The ransomware first cropped up in January 2016, but infections were few. It has now come to the attention of security researchers and users because the number of compromises is increasing.

According to Trend Micro, users usually get infected after they have inadvertently downloaded the malware from malicious websites, or after they’ve downloaded other malware that then downloads HDDCryptor.

Morphus Labs researcher Renato Marinho analyzed the ransomware earlier this month after discovering it on servers belonging to a multinational company. The affected systems were located in the company’s Brazil, USA and India subsidiaries.

“We’ve found some good information about this threat until now, but we didn’t find the infection vector yet,” says Marinho, who also shared the researchers’ belief that “the password is the same for all the victims or may be something related to the victims’ environment, like the hostname, or something like that.”

They’ve contacted the criminals via the given email address, and discovered that they ask for 1 Bitcoin in return for the decryption key. The Bitcoin address provided by the criminals seems to indicate that the ransom has already been paid four times.
