Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying stronger encryption. Instead, it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.
Hello XD Ransomware
HelloXD is a ransomware family that surfaced in November 2021 and performs double extortion attacks. During our research we observed multiple variants impacting Windows and Linux systems.
In the latest version, the malware operators have added an onion site link in the dropped ransom note. However, Unit 42 says the site is offline.
It was observed that one of the samples deployed MicroBackdoor, an open-source backdoor that gives an attacker full interactive access to the compromised host. The backdoor was used to steal corporate data before the data on the machine was encrypted.
Unit 42 has observed x4k in various hacking and non-hacking forums, which has linked the threat actor to additional malicious activity such as:
- Cobalt Strike Beacon deployment.
- Selling proof-of-concept (PoC) exploits.
- Crypter services.
- Developing custom Kali Linux distros.
- Hosting and distributing malware.
- Deployment of malicious infrastructure.
The most interesting aspect of the second major version of Hello XD:
- Switching the encryption algorithm from modified HC-128 and Curve25519-Donna to Rabbit Cipher and Curve25519-Donna.
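A triage check for the cipher switch described above, added here as an example and not part of the original report or of Unit 42's tooling: Rabbit's counter system uses a fixed table of 32-bit constants (RFC 4503, section 2.5), and a compiled implementation usually carries them either as a static table or as instruction immediates, so scanning a suspect binary for those words gives a quick lead that a sample uses Rabbit rather than HC-128. The sample buffers are constructed stand-ins, not real HelloXD bytes, and a hit is a heuristic to confirm in a disassembler, not proof.

```python
import struct
from collections import Counter

# Rabbit's counter-system constants A0..A7 (RFC 4503, section 2.5). Only three
# distinct 32-bit values occur, repeated in a fixed pattern.
RABBIT_A = (0x4D34D34D, 0xD34D34D3, 0x34D34D34,
            0x4D34D34D, 0xD34D34D3, 0x34D34D34,
            0x4D34D34D, 0xD34D34D3)
DISTINCT_A = tuple(sorted(set(RABBIT_A)))


def count_constants(data: bytes) -> dict:
    """Count how often each distinct Rabbit constant appears as a raw 4-byte
    word in `data`, for both byte orders. x86 immediates and static tables
    in .rdata are both covered because both are plain 32-bit words."""
    counts = {}
    for name, fmt in (("little", "<I"), ("big", ">I")):
        c = Counter()
        for const in DISTINCT_A:
            needle = struct.pack(fmt, const)
            start = 0
            while (idx := data.find(needle, start)) != -1:
                c[const] += 1
                start = idx + 1
        counts[name] = dict(c)
    return counts


def looks_like_rabbit(data: bytes) -> bool:
    """Heuristic verdict: all three distinct constants present in the same
    byte order. Treat a hit as a triage lead and confirm by locating the
    counter-update loop in a disassembler."""
    return any(len(c) == len(DISTINCT_A) for c in count_constants(data).values())


# Constructed sample: x86 'mov eax, imm32' (0xB8) encodings of the three
# constants surrounded by filler, standing in for a stripped binary.
SAMPLE_WITH_RABBIT = (b"\x90" * 16
                      + b"".join(b"\xb8" + struct.pack("<I", k) for k in DISTINCT_A)
                      + b"\x00" * 16)
# Constructed negative: a byte ramp that never contains any of the words.
SAMPLE_WITHOUT = bytes(range(256)) * 4

if __name__ == "__main__":
    for label, blob in (("with", SAMPLE_WITH_RABBIT), ("without", SAMPLE_WITHOUT)):
        print(label, looks_like_rabbit(blob), count_constants(blob))
```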
Unit 42 research encountered HelloXD, a ransomware family in its initial stages, but one already intending to impact organizations.
Indicators of Compromise for Hello XD Ransomware
HelloXD Ransomware samples