WildFire Ransomware Revived as "Hades Locker"

The actor behind WildFire, a piece of ransomware that emerged earlier this year, has decided to rebrand the malware after security researchers created a decryption tool for it.

WildFire was detailed in late August, when security researchers managed to seize control of its command and control (C&C) servers and gain access to many decryption keys. Previously, many users did pay the ransom, which was etimated to have generated around $80,000 in payments for its operators in just a month.

Although the ransomware’s C&C servers were compromised, the actors behind it haven’t been caught, and it appears that they managed to bring their creation back to life under the name of Hades Locker (Hades was the ancient Greek chthonic god of the underworld). What’s more, the new malware variant comes with improved encryption.

Once ] executed on a victim’s computer, the ransomware connects to http://ip-api(dot)com/xml for the victim’s IP address and geographic location. Next, the malware sends a unique victim ID, a tracking ID, computer name, user name, country, and victim’s IP address to one of the configured C&C servers, which in return replies with the password for the encryption process.

The victim ID is stored in the Registry, along with status information (on whether the encryption process has been completed or not). The ransomware searches mapped drives for specific file extensions and encrypts the files using AES encryption. It appends a specific extension to these files: the “.~HL” string, followed by the first 5 letters of the encryption password.

Hades Locker targets a vast variety of file types, but it skips those that contain the following strings in their file path: windows, program files, program files (x86), system volume information, and $recycle.bin. The ransomware also deletes the Shadow Volume Copies to prevent its victims from restoring their files in this manner.

The ransom note dropped on the victim’s computer includes links to the n7457xrhg5kibr2c.onion, http://pfmydcsjib(dot)ru, and http://jdybchotfn(dot)ru sites, which the victim is encouraged to access for information on the ransom amount and on how to make the payment.

When the victim connects to the payment site, they are provided with information on the amount to be paid and on the Bitcoin address the payment should be sent to, as well as with information on how to get Bitcoins. The website supposedly belongs to a company called Hades Enterprises and includes multiple pages, such as Frequently Asked Questions, test decryption, Help Desk, and Decryption Tutorial.

Related: Wildfire Ransomware Operators Made $80,000 in One Month

Related: Researchers Break Encryption of MarsJoke Ransomware

 

view counter
image
Ionut Arghire is an international correspondent for SecurityWeek.
Previous Columns by Ionut Arghire:
Tags:
Original author: Ionut Arghire