HelloXD is the name of a relatively new ransomware family which has been carrying out double extortion attacks since November 2021.
The ransomware has multiple variants that impact both Windows and Linux systems. What distinguishes HelloXD from other, similar ransomware families is the fact that it doesn’t feature a leak site. Instead, it redirects victims to negotiate via the Tox (a p2p instant messaging protocol used by other ransomware, too) chat and onion-based messengers.
HelloXD Ransomware Emerges from Babuk’s Source Code
According to an analysis by Unit 42 researchers, the ransomware samples of HelloXD share lots of similarities with the core functionality of the leaked Babuk ransomware’s source code. Babuk emerged in January 2021 as a new enterprise ransomware. Its source code was leaked to an underground forum in September the same year.
Another notable discovery that Unit 42 made is that one of HelloXD’s samples also dropped a backdoor on the infected system, MicroBackdoor. The latter is an open-source backdoor that enables attackers to browse the file system, upload and download files, and execute commands. The backdoor is also capable of removing itself from the compromised system. The additional backdoor payload is most likely dropped with observation purposes – the threat actors are most likely monitoring the progress of the ransomware, while gaining additional foothold.
How does the ransomware work? It is noteworthy that HelloXD creates an ID for each victim, which is sent to its operators. The ID is needed to identify the victim and provide a decryptor. The ransom note features instructions on downloading Tox and using a Tox Chat ID to reach the attacker.
Who is behind HelloXD? “During the analysis of the MicroBackdoor sample, Unit 42 observed the configuration and found an embedded IP address, belonging to a threat actor we believe is potentially the developer: x4k, also known as L4ckyguy, unKn0wn, unk0w, _unkn0wn and x4kme,” the report said.
After a very in-depth investigation, the researchers concluded the x4k threat actor is Russian and quite popular on several hacking forums.
Another example of a recently emerged ransomware family is Black Basta, which has caused damages to at least ten organizations.