HelloXD is a ransomware strain that was first discovered in November of 2021, but it has been in the news quite a bit recently. Let’s take a closer look at HelloXD ransomware and what makes it so particularly nasty.

All About Hello XD Ransomware

Hello XD is a newer ransomware that both encrypts and steals data. It has similarities to Babyk ransomware, whose source code was leaked a while ago, and for which a public decryptor is now available.
Don’t let that fool you; it does not make Hello XD any less dangerous.
Here’s the thing that we all need to keep in mind when we are talking about any type of ransomware: it is just like any other software. The groups that operate it are constantly making updates and refining their approaches, so while it may have had some similarities to Babyk in the past, things have grown and evolved over time.
Here are some of the things that make Hello XD so nasty:
  • It starts by disabling shadow copies to impact recoverability
  • It encrypts files, appending .hello to the file name
  • It deploys backdoor software
Now this might not seem too interesting if you’ve read about ransomware recently. We expect things like encryption and sabotaging recovery from most ransomware groups. Palo Alto Networks’ Unit 42 just released a new in-depth guide to the ransomware, which is why we see it hitting the news – and the backdoor software is what is extremely interesting.
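The first two behaviours in the list above are exactly the kind of thing a detection engineer can look for in endpoint telemetry: a process deleting shadow copies, followed by many files being renamed with the .hello extension. The following script is an added example, not code from the original post or from Unit 42; it runs two simple rules over constructed sample events. The shadow-copy commands it matches (vssadmin and wmic) are assumed typical methods, since the post does not state how HelloXD disables shadow copies, and the log format, paths and threshold are invented for the example.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not from the original post). One event per line:
#   <timestamp> process <command line>
#   <timestamp> rename <old path> -> <new path>
# The shadow-copy commands below are assumed typical tampering methods; the post
# does not say which method HelloXD actually uses.
SAMPLE_EVENTS = r"""
2022-06-01T10:00:01 process C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
2022-06-01T10:00:02 process C:\Windows\System32\wbem\WMIC.exe shadowcopy delete
2022-06-01T10:00:03 process C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt
2022-06-01T10:00:05 rename C:\Users\alice\Documents\q1.xlsx -> C:\Users\alice\Documents\q1.xlsx.hello
2022-06-01T10:00:05 rename C:\Users\alice\Documents\plan.docx -> C:\Users\alice\Documents\plan.docx.hello
2022-06-01T10:00:06 rename C:\Users\alice\Pictures\cat.jpg -> C:\Users\alice\Pictures\cat.jpg.hello
2022-06-01T10:00:06 rename C:\Users\alice\Desktop\todo.txt -> C:\Users\alice\Desktop\todo.txt.hello
2022-06-01T10:00:09 rename C:\Users\alice\draft.txt -> C:\Users\alice\final.txt
""".strip().splitlines()

# Well-known command lines used to remove or starve Volume Shadow Copies.
SHADOW_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
]

# Extension the post says HelloXD appends to encrypted files.
RANSOM_EXTENSION = ".hello"


def is_shadow_copy_tampering(cmdline: str) -> bool:
    """True when a process command line matches a shadow-copy removal pattern."""
    return any(p.search(cmdline) for p in SHADOW_TAMPER_PATTERNS)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into its fields."""
    ts, kind, rest = line.split(" ", 2)
    if kind == "rename":
        old, new = rest.split(" -> ", 1)
        return {"ts": ts, "kind": kind, "old": old, "new": new}
    return {"ts": ts, "kind": kind, "cmdline": rest}


def analyze(lines: List[str], rename_threshold: int = 3) -> Dict[str, object]:
    """Apply both rules and combine them into a single verdict.

    rename_threshold is an assumed tuning value: a handful of .hello renames in
    a short window is treated as mass encryption rather than a stray file.
    """
    shadow_alerts = []
    hello_renames = []
    for line in lines:
        ev = parse_event(line)
        if ev["kind"] == "process" and is_shadow_copy_tampering(ev["cmdline"]):
            shadow_alerts.append(ev)
        elif ev["kind"] == "rename" and ev["new"].lower().endswith(RANSOM_EXTENSION):
            hello_renames.append(ev)
    mass_rename = len(hello_renames) >= rename_threshold
    return {
        "shadow_copy_alerts": shadow_alerts,
        "hello_rename_count": len(hello_renames),
        "mass_rename_alert": mass_rename,
        # Recovery sabotage followed by encryption is the sequence the post describes.
        "likely_ransomware": bool(shadow_alerts) and mass_rename,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_EVENTS)
    for ev in report["shadow_copy_alerts"]:
        print(f"[shadow-copy tampering] {ev['ts']} {ev['cmdline']}")
    print(f"{report['hello_rename_count']} files renamed to {RANSOM_EXTENSION}")
    print("likely ransomware activity:", report["likely_ransomware"])
```

The point of combining the two rules is that the shadow-copy deletion alone fires early, before much data is lost, while the rename count confirms encryption is under way; alerting on the first and escalating on the second gives responders the window the post is talking about when it says threats must be detected rapidly once they are inside.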

What is MicroBackdoor?

MicroBackdoor is a small, lightweight, open-source backdoor; you can get it right on GitHub, how convenient. If you’re new to the concept of a backdoor, think of it as a way to easily get into a system once it is compromised. This of course enables enhanced havoc, since once it is deployed, the system is easily accessible remotely, unless you are able to detect it, of course.
So why is this such a big deal? Again, it comes back to threat evolution. When ransomware changes like this, it is an obvious sign that someone (or some group) is putting tremendous effort into it, which means that we need to adapt to address the threat.
At the organizational level, no one is going to jump and make changes just because a new ransomware product is out; organizations depend on the various software they have deployed to detect and stop these threats.
However, with the rapid evolution of ransomware, there is no guarantee that the bad guys won’t get in. It really comes down to a two-pronged approach: trying to block threats before they get in, and being able to rapidly detect them once they are inside.

Ransomware Trends for 2022

We’re approaching the halfway point of 2022, and not much has changed in the ransomware space. It is still there, and it is still waiting for us. One thing to note is that ransomware attacks are more frequent, and the ransom demands are growing. You can read more in the Sophos State of Ransomware report.

Ransomware isn’t going anywhere. Hello XD is just one example of a threat that continues to evolve, and we need to evolve along with it when it comes to protecting our assets – and being able to recover them later.