A new variant of ransomware known as HelloXD is actively targeting both Windows and Linux systems, alongside deploying a backdoor that allows attackers ongoing remote access to compromised machines. This underscores a concerning trend in ransomware threats, where operators are not only encrypting data but also setting up mechanisms for persistent access.

Unlike many ransomware groups, HelloXD does not operate a leak site for communication or negotiation. Instead, it directs victims to negotiate through Tox chat and onion-based messenger services, as noted by Daniel Bunce and Doel Santos, cybersecurity researchers from Palo Alto Networks Unit 42. This approach reflects a deliberate choice to conduct negotiations in a more private and possibly more secure environment.

The HelloXD ransomware first emerged on November 30, 2021, derived from leaked Babuk source code that was made public on a Russian cybercrime forum in September 2021. Analysis of its operations shows that the operators employ the double extortion technique: they not only encrypt victim data but also exfiltrate sensitive information and threaten to publish it unless a ransom is paid.

The backdoor in use, identified as MicroBackdoor, handles command-and-control communications. This component, written and released as open source by Dmytro Oleksiuk, is described as compact, with a minimalist code base of fewer than 5,000 lines. MicroBackdoor allows an unauthorized user to browse the file system, upload and download files, execute commands, and remove traces of its own activity, likely so that the operators can monitor the ransomware's deployment while keeping it undetected.

This backdoor has appeared in several forms; other versions were adopted by the Belarusian threat actor known as Ghostwriter, who used it in cyber operations against Ukrainian entities in March 2022. The capabilities of MicroBackdoor raise questions about the methods used in these attacks, which map to tactics such as initial access, persistence, and privilege escalation as described in the MITRE ATT&CK framework.

The Unit 42 researchers have also traced the likely Russian developer behind HelloXD. This individual, operating under several online pseudonyms, is tied to other malicious activity, including the sale of proof-of-concept exploits and customized Kali Linux distributions, which offers insight into the capabilities and tactics of this ransomware group.

Recent findings from IBM X-Force indicate a marked decline in the average time from initial access to ransomware deployment, shrinking from over two months in 2019 to just 3.85 days in 2021. This speed in the ransomware-as-a-service ecosystem is attributed to the role of initial access brokers, who sell entry into victim networks and thereby accelerate the attacks that follow. This shift in the ransomware landscape underlines the need for businesses to reinforce their defenses against an increasingly sophisticated threat environment.

As these threats evolve, business owners must remain informed and proactive in their cybersecurity strategies, with a keen awareness of emerging trends and the techniques used by malicious actors. Engaging in robust security practices and maintaining a vigilant posture can significantly mitigate the risks posed by evolving ransomware threats.
