HDDCryptor on Rise

HDDCryptor, also known as Mamba, emerged in September 2016 as a significant ransomware threat.

Recently, in our findings, we observed the re-emergence of the long-lost HDDCryptor.

It specifically targets network resources such as drives, folders, files, printers and serial ports via the Server Message Block (SMB) protocol. Using a combination of freely available and commercial software such as DiskCryptor and AMMYY ADMIN, HDDCryptor encrypts local disks and SMB drives, and further secures its hold on the system by overwriting the Master Boot Record (MBR) with a modified bootloader. Consequently, upon reboot, the infected computer bypasses the standard login screen and instead displays a ransom note.
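A defender-side check corresponding to the MBR overwrite described above, added here as an example rather than code from the paper: it parses a 512-byte MBR image and compares its boot code and partition table against a known-good baseline captured earlier. All MBR bytes below are constructed for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # legacy boot code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # boot signature at bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR sector into a boot-code hash, partition entries and signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:       # type 0x00 marks an unused entry
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": entries,
            "signature_ok": mbr[510:] == SIGNATURE}


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings; an empty list means the MBR matches the baseline."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code (first 446 bytes) differs from baseline")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code padded to 446 bytes, one bootable NTFS partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)  # constructed partition entry
    return code + entry + b"\x00" * 48 + SIGNATURE


# Constructed baseline: stub resembling the first bytes of a stock MBR (xor ax,ax; mov ss,ax; mov sp,7C00h)
BASELINE_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
# Constructed "modified bootloader": same partition table, foreign boot code
MODIFIED_MBR = build_sample_mbr(b"\xeb\x10CONSTRUCTED-REPLACEMENT-BOOT-STUB")

if __name__ == "__main__":
    print(compare_mbr(BASELINE_MBR, MODIFIED_MBR))
```

In practice the baseline is taken from a clean image and the current sector from the raw physical disk (for example the first 512 bytes of the boot device), so any drift in the boot code is visible even when the partition table is untouched.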

In this paper we will discuss:

  1. How the initial vector has changed from RDP brute-forcing, or being the final payload of an attack chain, to spear-phishing emails that gain access to the system.
  2. Using a RAT to infiltrate the system.
  3. An examination of the modified DiskCryptor component dcapi.dll (the API module and main encryptor) and how it is abused.

Soumen Burma – Quick Heal

Soumen Burma works as a Security Researcher 2 at Quick Heal Security Labs. His interests include malware analysis, reverse engineering and hunting for ongoing malware trends.

Rumana Siddiqui – Seqrite

Rumana Siddiqui works as a Security Research Lead at Quick Heal Security Labs. She is passionate about malware analysis, reverse engineering and exploring new malware techniques.