Last summer, Petya and Satana attracted a lot of attention from experts and the media. The main feature of both malware families was that they not only encrypted files, but could also overwrite the MBR (Master Boot Record) and prevent the system from booting normally. However, these ransomware families were not the first with this feature. HDDCryptor ransomware, also known as Mamba, has been tracked by security experts since January 2016, and it also overwrites the MBR. Yet HDDCryptor has only now attracted the experts' attention.
Although HDDCryptor first appeared last winter, experts say that a new version of this ransomware is spreading online. Experts from Morphus Labs said that their company was investigating a mass infection of the systems of an international company, with HDDCryptor having attacked the company's offices in Brazil, India and the United States.
Experts agree that, so far, the scale of the HDDCryptor outbreak is modest. In most cases the victims themselves download the ransomware from various malicious websites; in very rare cases the malware reached the computer as a secondary infection, downloaded by other malware. Once installed, the ransomware scans the local network for network drives. It then uses the free tool Network Password Recovery, which finds and steals the credentials of users of shared network folders. When these stages are complete, the ransomware uses the open-source utility DiskCryptor to encrypt files on the victim's system. The malware takes into account the results of its earlier "reconnaissance" and uses the stolen passwords to connect to the network drives and encrypt the files there as well.
Once it has finished encrypting data, HDDCryptor replaces the contents of the MBR with a custom bootloader and initiates a reboot. Instead of the operating system loading, the victim sees a message with the ransom demand. Infected users are forced to contact the ransomware authors by e-mail for further instructions. At the moment the ransom demand is around 1 Bitcoin (about $600).
Experts note that the January version of the ransomware displayed a somewhat different message and pointed to another e-mail address. Also, in January victims were assigned a unique four-digit ID, whereas now they receive a six-digit one. According to analysts who investigated the Bitcoin address associated with the criminals' wallet, only four people have paid the ransom since the start of the new campaign in September.