{"id":47546,"date":"2016-02-12T12:35:15","date_gmt":"2016-02-12T20:35:15","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=47546"},"modified":"2025-06-02T01:07:33","modified_gmt":"2025-06-02T08:07:33","slug":"hydracrypt-variant-of-ransomware-distributed-by-angler-exploit-kit","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hydracrypt-variant-of-ransomware-distributed-by-angler-exploit-kit\/","title":{"rendered":"HydraCrypt Variant of Ransomware Distributed by Angler Exploit Kit"},"content":{"rendered":"

McAfee Labs recently came across the new ransomware variant HydraCrypt. Like some previous ransomware variants, HydraCrypt is distributed using the\u00a0Angler exploit kit<\/a>. HydraCrypt encrypts a victim’s files and appends the filenames with the extension “hydracrypt_ID_<8 random characters>.”<\/p>\n

The malware also drops one plain-text file on the victim\u2019s machine and opens a red window displaying the ransom screen with instructions on how to pay the ransom to decrypt the files. It also threatens to sell documents and files on the dark markes if the victim fails to take the required action within 72 hours. The ransomware screen:<\/p>\n

\"1\"<\/p>\n

 <\/p>\n

Let\u2019s dig deeper into the\u00a0code inside the binary to understand more about it.<\/p>\n

This variant of HydrCcrypt is compiled with MFC. Upon execution, the malware\u00a0drops and executes its copy under the folder ChromeSettings2364 in the %AppData% directory with a random name and deletes itself. It decrypts two binaries in \u00a0memory: One of them is UPX packed and the other is an MFC-compiled executable.<\/p>\n

\"2\"<\/p>\n

Upon analyzing the UPX-packed binary, the malware creates a randomly named mutex to ensure that only one copy of it is running. The snippet below illustrates:<\/p>\n

\"3\"<\/p>\n

The malware then gathers information about the victim’s machine\u2014computer name, information about locale, etc.\u2014as shown:<\/p>\n

\"4\"<\/p>\n

\"5\"<\/p>\n

 <\/p>\n

The ransomware encrypts this information with RC4 code:<\/p>\n

\"6\"<\/p>\n

The malware then tries to connect to the remote server d.googlex.me\u00a0on Port 30 to send the encrypted data and report the infection. The following snippet shows this:<\/p>\n

\"7\"<\/p>\n

\"8\"<\/p>\n

HydraCrypt can also download additional files from the remote server.<\/p>\n

\"9\"<\/p>\n

The MFC-compiled binary, upon execution, creates a randomly named mutex, as shown below:<\/p>\n

\"10\"<\/p>\n

The malware examines\u00a0running processes on infected systems via the CreateToolhelp32Snapshot method, to check whether it is running on a virtual machine. In the following snapshot we can see the ransomware targeting code by looking for API calls such as Createtoolhelp32snapshot (taking snapshots of the specified processes, as well as the heaps, modules, and threads used by these processes), Process32First, and Process32next to find the target process.<\/p>\n

\"11\"<\/p>\n

HydraCrypt drops a copy of itself under the folder ChromeSettings2364 in the %AppData% directory with a random name:<\/p>\n

\"12\"<\/p>\n

As with old ransomware variants, HydraCrypt removes the volume shadow copies from the target\u2019s system, thereby preventing\u00a0the user from restoring the encrypted files. (Shadow copy is a Windows feature that helps users make backup copies\u2014snapshots\u2014of computer files or volumes.) To delete the shadow volume copies, HydraCrypt uses the command \u201cvssadmin.exe Delete Shadows \/All.\u201d This ransomware uses vssadmin to delete all the shadow volume copies on the computer.<\/p>\n

\"13\"<\/p>\n

\"14\"<\/p>\n

HydraCrypt tries to encrypt files with the following extensions:<\/p>\n

\"15\"<\/p>\n

Finally, it creates the file README_DECRYPT_HYDRA_ID_XXXXXXXX in the %Desktop% directory\u00a0and displays it\u00a0on\u00a0the victim\u2019s screen:<\/p>\n