New HDDCryptor Ransomware Works by Encrypting MBR

HDDCryptor, having another name Mamba, represents the latest ransomware family which rewrites the Master Boot Record (MBR) of a PC and makes the computer inaccessible to its owner. It would be incorrect to describe this new ransom software as any copycat of Petya since HDDCryptor appeared prior to both Satana and Petya, getting detected on sites of Bleeping Computer during January-end 2016.

The malware wasn't ever-used for any massive distribution scheme, the reason it didn't ever draw the notice of security agencies as well as independent security investigators.

Security Researcher Renato Marinho with Morphus Labs was first to spot once and twice the HDDCryptor. This was when a multinational called his company for probing an enormous HDDCryptor infection that affected the multinational organization's headquarters at India, Brazil and USA.

Towards August-end, an onslaught of operation threw light on HDDCryptor after which research work followed from Marinho and security firm Trend Micro's experts.

As per Trend Micro, the ransom software infects PCs when operators pull down files from malware-tainted sites. The miscreants install the malevolent binary onto host PCs directly alternatively via certain intermediary payload pulled down in some later phase. Crooks name the binary with a 3-digit number chosen randomly like in 123.exe. When assessment of the file in hybrid form was done it didn't generate too many evidences. Bleepingcomputer.com posted this, September 18, 2016.

And after executing infection, HDDCryptor first hunts to find network drives by scrutinizing the area network. Following that it utilizes Network Password Recovery a freely available tool for stealing and leaking credentials related to folders shared on the network.

This goes on with DiskCryptor, one more open-source module, launched for encrypting all the data-files on different partitions of hard drive. The module is subsequently employed together with the earlier scrutiny along with passwords for establishing link with network drives as well as encrypting those data-files too.

A Bitcoin address wherein funds were found and which was mutually used within the e-mails related to the HDDCryptor and DiskCryptor campaigns reveal that 4 persons apparently have made payments of the ransom, while there maybe more incase criminals utilized various other Bitcoin addresses.

» SPAMfighter News - 9/22/2016