The WildFire Locker ransomware has risen from the dead and rebranded itself using the apropos name of Hades Locker. In late August, WildFire Locker disappeared after the organizations behind NoMoreRansom.org were able to seize control of the ransomware’s Command & Control servers. This allowed NoMoreRansom to gain access to many of the decryption keys for the ransomware’s victims. Unfortunately, the ransomware developers were not apprehended and it now appears they have been biding their time before releasing a new ransomware.
Hades Locker was discovered yesterday by Michael Gillespie when a victim uploaded a copy of the ransomware’s ransom note to ID Ransomware.
Today, ProofPoint security researcher Matthew Mesa discovered a sample and after MalwareHunterTeam examined it, it was determined that Hades Locker is a new version of the WildFire locker.
Unfortunately, at this time the encryption used by Hades Locker is secure, so there is no way to recover a victim’s files for free. For those who wish to discuss this ransomware further, you can use the Hades Locker Help & Support Topic.
The Hades Locker Encryption Process
It is not currently known how Hades Locker is being distributed, but once executed it will connect to http://ip-api.com/xml to retrieve the victim's IP address and geographic location. It will then send a unique victim ID (called hwid), a tracking ID (currently set to 0002), the computer name, the user name, the country, and the IP address of the victim to one of the configured Command & Control servers.
The command and control server will then reply with a password to use to encrypt the files using AES encryption.
During this process, Hades Locker stores the hwid and a Status entry in the Registry; Status is set to 0 or 1 depending on whether the encryption process has finished. The registry key this information is written to is HKCU\Software\Wow6232Node.
Hades Locker will now begin to encrypt all of the files on mapped drives that match certain file extensions. When encrypting the files it will use AES encryption and append an extension made up of the string “.~HL” plus the first 5 letters of the encryption password. For example, test.jpg could be encrypted as test.jpg.~HLH6215.
The file extensions targeted by Hades Locker are:
While performing encryption, it will skip any files whose path contains one of the following strings:
windows
program files
program files (x86)
system volume information
$recycle.bin
To prevent victims from recovering their files from the Shadow Volume Copies, it will delete them using the following command:
WMIC.exe shadowcopy delete /nointeractive
Finally, in each folder in which a file is encrypted it will also create three ransom notes named README_RECOVER_FILES_[victim_id].html, README_RECOVER_FILES_[victim_id].png, and README_RECOVER_FILES_[victim_id].txt.
These ransom notes will contain links to the Command & Control servers located at n7457xrhg5kibr2c.onion, http://pfmydcsjib.ru, and http://jdybchotfn.ru. Victims are advised to go to one of these sites to learn the ransom amount and for instructions on how to make a payment.
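As an added defender-side example (not code from the article, and not the ransomware's own code), the following Python triage helper flags the indicators described above in a file listing and in process command lines: the ".~HL" plus 5-character extension, the README_RECOVER_FILES_[victim_id] notes, and the WMIC shadowcopy delete command. The sample paths, the victim ID VICTIMID01 and the assumption that the 5-character password prefix is alphanumeric are constructed for the example.

```python
import re
# Encrypted files keep their name and gain ".~HL" plus the first 5 characters of
# the AES password (test.jpg -> test.jpg.~HLH6215). Assumption: prefix is alphanumeric.
ENCRYPTED_RE = re.compile(r"\.~HL(?P<prefix>[A-Za-z0-9]{5})$")
# Ransom notes dropped in every folder where a file was encrypted.
NOTE_RE = re.compile(r"^README_RECOVER_FILES_(?P<victim>[^\\/.]+)\.(?:html|png|txt)$", re.I)
# Command the sample runs to wipe Shadow Volume Copies (quoted image path tolerated).
SHADOWCOPY_RE = re.compile(r'wmic(?:\.exe)?"?\s+shadowcopy\s+delete\s+/nointeractive', re.I)

def classify_path(path):
    """Return ('encrypted', password_prefix), ('note', victim_id) or None."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = ENCRYPTED_RE.search(name)
    if m:
        return ("encrypted", m.group("prefix"))
    m = NOTE_RE.match(name)
    if m:
        return ("note", m.group("victim"))
    return None

def triage(file_paths, command_lines):
    """Collect Hades Locker indicators from a file listing and process command lines."""
    summary = {"encrypted": [], "password_prefixes": set(),
               "victim_ids": set(), "shadowcopy_delete": []}
    for path in file_paths:
        hit = classify_path(path)
        if hit is None:
            continue
        kind, value = hit
        if kind == "encrypted":
            summary["encrypted"].append(path)
            summary["password_prefixes"].add(value)
        else:
            summary["victim_ids"].add(value)
    for cmd in command_lines:
        if SHADOWCOPY_RE.search(cmd):
            summary["shadowcopy_delete"].append(cmd)
    return summary

# Constructed sample input (not from a real incident); VICTIMID01 is a placeholder.
SAMPLE_FILES = [
    r"D:\shares\finance\test.jpg.~HLH6215",
    r"D:\shares\finance\README_RECOVER_FILES_VICTIMID01.txt",
    r"D:\shares\finance\budget.xlsx",
]
SAMPLE_CMDS = [
    r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]
```

The password prefix recovered from the extension is only the first five characters of the AES password, so it identifies the infection but does not allow decryption.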
The Hades Locker Payment Site
The Hades Locker payment site can be accessed via two C2 servers located on the Internet or by connecting directly to the TOR onion address. To connect directly to the onion site, victims would need to install a special program called TOR. By using two sites that are on the Internet and act as a gateway to the TOR site, it makes it easier for victims to access their payment instructions.
When a victim connects to the payment site they will be shown a general information page that describes how much they need to pay, what bitcoin address a payment should be sent to, and information on how to get bitcoins. On this payment site the developers refer to themselves as a company called Hades Enterprises.
In addition to the main information page, the Hades Locker payment site also includes the following sections:
Frequently Asked Questions page: This page contains answers to common questions.
A test decryption page: This page supposedly allows a victim to perform a test decryption. In my tests, I could find no way to upload a file.
A Help Desk page: This page allows a victim to ask support questions and receive responses from the ransomware developers.
A Decryption Tutorial Page: This page contains a tutorial on how to use the decryptor for those who paid the ransom.
Once again, for those who wish to discuss this ransomware further, you can use the Hades Locker Help & Support Topic.
Files associated with Hades Locker:
README_RECOVER_FILES_[victim_id].html
README_RECOVER_FILES_[victim_id].png
README_RECOVER_FILES_[victim_id].txt
%UserProfile%\AppData\Local\Temp\RarSFX0\
%UserProfile%\AppData\Local\Temp\RarSFX0\Ronms.exe
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ronms.lnk
%UserProfile%\AppData\Roaming\wow6232node\
%UserProfile%\AppData\Roaming\wow6232node\Bamvenagxe.xml
%UserProfile%\AppData\Roaming\wow6232node\Ronms.exe
Registry Entries associated with Hades Locker:
HKCU\Software\Wow6232Node\hwid [victim_id]
HKCU\Software\Wow6232Node\status 1
Network Communication associated with Hades Locker:
n7457xrhg5kibr2c.onion
http://pfmydcsjib.ru
http://jdybchotfn.ru

Source: http://www.bleepingcomputer.com/