Researchers have recently spotted a new ransomware family which attacks a hard drive’s MBR (Master Boot Record) and thus prevents the attacked PC from booting up after encrypting its files.
This one’s named HDDCryptor and it has been around since January 2016. According to a forum topic from Bleeping Computer, where users reported infections they faced.
Technically, the HDDCryptor was around before the overhyped Petya ransomware, and later the Satana ransomware families. These malwares got a lot more media attention, and behaved in a similar way, by rewriting the MBR of affected PC and preventing it from booting.
Depending on available reports, it seems that a recent malware distribution campaign has delivered a new version of this HDDCryptor to users around the globe.
The first one to again detect the HDDCryptor was Renato Marinho, who is a security researcher for Morphus Labs, he said his company was called in to investigate a huge HDDCryptor infection at a multinational, that affected its headquarters in the US, India and Brazil.
After a few days, Marinho’s initial technical analysis was followed by one from Trend Micro, mostly identical.
According to these both, HDDCryptor infections start with users accessing a malicious website and downloading malware-laced files on their PCs. These files are either infected with HDDCryptor directly or come with an intermediary malware that delivers HDDCryptor at a later stage, when the crooks are sure they have boot persistence on the infected computer.
The actual HDDCryptor payload is a bunch of binaries all crammed into one. When the big binary is executed, it drops files on the user’s computer and launches them in a particular order.
HDDCryptor first scans the local network for network drives. It then uses a free tool called Network Password Recovery to search and dump credentials for network-shared folders, past or present.
The process continues by launching another open source tool called DiskCryptor to encrypt the user’s files found on the hard drive’s partitions. This tool is then used in conjunction with the previous scan and passwords to connect to network drives and encrypt that data as well.