Windows and Linux systems are being targeted by a ransomware variant called HelloXD, where the infections also involve the deployment of a backdoor to facilitate persistent remote access to infected hosts.
“Unlike other ransomware groups, this ransomware family does not have an active leak site; instead, it prefers to forward the affected victim to negotiations through Tox chat and onion-based messenger instances,” Daniel Bunce and Doel Santos, security researchers at Palo Alto Networks Unit 42, said in a new writing.
The ransomware family is no exception in that its operators follow the proven approach of: double extortion to demand cryptocurrency payments by exfiltrating a victim’s sensitive data in addition to encrypting it and threatening to make the information public.
The implant in question, called MicroBackdooris an open-source malware used for command-and-control (C2) communication, with its developer Dmytro Oleksiuk calling it’s a “truly minimalist thing with all the basics in less than 5,000 lines of code.”
Notably, several variants of the implant were adopted by the Belarusian threat actor named Ghostwriter (aka UNC1151) in his cyber operations against Ukrainian state organizations in March 2022.
MicroBackdoor’s features allow an attacker to browse the file system, upload and download files, execute commands, and erase evidence of their presence from the compromised machines. It is suspected that the backdoor is being used to “monitor the progress of the ransomware”.
Unit 42 said it has linked the likely Russian developer behind HelloXD — which uses the online aliases x4k, L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme — with further malicious activity such as selling proof-of-concept (PoC) exploits. and custom Kali Linux distributions by merging the actor’s digital trail.
“x4k has a very solid online presence, which has allowed us to discover many of its activities over the past two years,” the researchers said. “This threat actor has done little to hide malicious activity and is likely to continue this behavior.”
The findings come as a new study from IBM X-Force revealed that the average duration of an enterprise ransomware attack — i.e. the time between first access and ransomware deployment — decreased 94.34% from more than two months to just 3.85 days between 2019 and 2021.
The increased speed and efficiency trends in the RaaS (ransomware-as-a-service) ecosystem are attributed to the critical role initial access brokers (IABs) play in accessing victim networks and then selling the access to affiliates, who, in turn, abuse the position to deploy ransomware payloads.
“Buying access can significantly reduce the amount of time it takes ransomware operators to launch an attack by making systems reconnaissance and identifying key data earlier and easier,” Intel 471 said in a report highlighting the close working relationships between IABs and ransomware teams.
“In addition, as relationships grow stronger, ransomware groups can identify a victim they want to target and the access vendor can grant them access as soon as it becomes available.”