A new ransomware actor tracked as ‘HelloFire’ has emerged and poses a risk to organizations and individuals alike.
It infiltrates systems, encrypts files and demands a ransom for their release, while dressing the intrusion up as a legitimate penetration test.
The case is a reminder that a ransom note claiming to come from an authorized tester should be treated as an intrusion until the engagement has been confirmed through a known-good channel.
Masquerading As A Pentest
‘HelloFire’ differs from established ransomware operations in that it runs no known leak site and carries no distinctive branding.
Its ransom note is generic and presents the intrusion as a penetration-testing engagement.
That claim does not survive scrutiny: the contact addresses in the note use the ‘keemail.me’ and ‘onionmail.org’ domains, which have been used by various threat actors since 2013 and are not how a legitimate tester would report findings.
Further analysis suggests a possible Russian connection.
The ransom note and the Program Database (PDB) path left in the binary both contain the word ‘hello’ in English and in Russian, a hint about the operators’ origin.
Encrypted files receive the ‘.afire’ extension, and victims are pointed to a ‘Restore.txt’ file for instructions on how to proceed.
The ransomware carries a comprehensive list of services, directories, and files to act on, indicating a researched approach designed to maximize impact on infected systems.
Technical Analysis

Technical analysis of the ‘HelloFire’ ransomware shows that it is a 32-bit Windows PE executable built with Visual C++, 49.5 KB in size.
The sample was first submitted to VirusTotal on March 16, 2024.
On execution, the ransomware acquires a Windows CryptoAPI cryptographic context and spawns a new thread that handles file discovery and the encryption routine.

It then inhibits recovery: it deletes Windows shadow copies, stops specific services and programs, and empties the Recycle Bin.
The malware’s configuration is stored in unencrypted blocks in the .data section of the executable, including a list of executables and services typically found on corporate machines; because the blocks are neither encrypted nor obfuscated, the list can be recovered from the binary without unpacking or decryption.
The list covers email clients, databases, and security software, which points to corporate targets.
The encryptor uses Windows APIs to enumerate local volumes and mapped network shares, then walks each directory tree recursively to locate files to encrypt.
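The recovery-inhibition and encryption behaviour described above is what a detection engineer would hunt for on an endpoint. The following is an added example, not code from the article or from the HelloFire sample, that runs a few correlation rules over constructed process-creation and file-event lines. The article does not say which commands HelloFire uses for each step, so the command lines matched here (vssadmin / wmic shadow-copy deletion, net stop, a $Recycle.Bin wipe) are the common ransomware ones and are assumptions; the event format is a made-up pipe-delimited one, and only the ‘.afire’ extension and the ‘Restore.txt’ note name come from the article.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not from a real incident). Format: ts|event|subject|detail
# ProcessCreate: subject = image path, detail = command line
# FileRename:    subject = old path,   detail = new path
# FileCreate:    subject = new path,   detail = empty
SAMPLE_EVENTS = """\
2024-03-16T10:01:02|ProcessCreate|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-03-16T10:01:03|ProcessCreate|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2024-03-16T10:01:04|ProcessCreate|C:\\Windows\\System32\\net.exe|net stop MSSQLSERVER /y
2024-03-16T10:01:05|ProcessCreate|C:\\Windows\\System32\\cmd.exe|cmd.exe /c rd /s /q C:\\$Recycle.Bin
2024-03-16T10:01:06|ProcessCreate|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2024-03-16T10:01:07|FileRename|C:\\Users\\ops\\Documents\\q1.xlsx|C:\\Users\\ops\\Documents\\q1.xlsx.afire
2024-03-16T10:01:07|FileRename|C:\\Users\\ops\\Documents\\q2.xlsx|C:\\Users\\ops\\Documents\\q2.xlsx.afire
2024-03-16T10:01:08|FileRename|C:\\Users\\ops\\Documents\\plan.docx|C:\\Users\\ops\\Documents\\plan.docx.afire
2024-03-16T10:01:08|FileCreate|C:\\Users\\ops\\Documents\\Restore.txt|
2024-03-16T10:07:30|FileRename|C:\\Users\\ops\\Desktop\\notes.txt|C:\\Users\\ops\\Desktop\\notes.bak
"""

# Assumed recovery-inhibition command lines (generic ransomware tradecraft, not confirmed for HelloFire).
RECOVERY_INHIBITION = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("service_stop", re.compile(r"\bnet(1)?(\.exe)?\s+stop\s+", re.I)),
    ("recycle_bin_wipe", re.compile(r"\$Recycle\.Bin", re.I)),
]
RANSOM_EXT = ".afire"        # from the article
RANSOM_NOTE = "restore.txt"  # from the article
RENAME_BURST = 3             # this many renames to RANSOM_EXT inside RENAME_WINDOW_S raises an alert
RENAME_WINDOW_S = 60


def parse_events(text):
    """Parse the pipe-delimited sample format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, subject, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "subject": subject, "detail": detail})
    return events


def detect(events):
    """Return (rule, timestamp, evidence) tuples for every rule that fires."""
    alerts, renames = [], []
    for ev in events:
        if ev["kind"] == "ProcessCreate":
            for rule, rx in RECOVERY_INHIBITION:
                if rx.search(ev["detail"]):
                    alerts.append((rule, ev["ts"], ev["detail"]))
                    break
        elif ev["kind"] == "FileRename" and ev["detail"].lower().endswith(RANSOM_EXT):
            renames.append(ev["ts"])
        elif ev["kind"] == "FileCreate" and ev["subject"].lower().endswith(RANSOM_NOTE):
            alerts.append(("ransom_note_dropped", ev["ts"], ev["subject"]))
    # Sliding window over the rename timestamps: one encryptor thread renames files in quick succession.
    renames.sort()
    for i, start in enumerate(renames):
        window = [t for t in renames[i:] if (t - start).total_seconds() <= RENAME_WINDOW_S]
        if len(window) >= RENAME_BURST:
            alerts.append(("afire_rename_burst", start, f"{len(window)} renames within {RENAME_WINDOW_S}s"))
            break
    return alerts


def triage(alerts):
    """Correlate: recovery inhibition plus observed encryption impact is the high-confidence signal."""
    kinds = {a[0] for a in alerts}
    inhibition = kinds & {"shadow_copy_deletion", "service_stop", "recycle_bin_wipe"}
    impact = kinds & {"afire_rename_burst", "ransom_note_dropped"}
    if inhibition and impact:
        return "high"
    if inhibition or impact:
        return "medium"
    return "none"


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for rule, ts, evidence in found:
        print(f"{ts.isoformat()}  {rule:22s}  {evidence}")
    print("severity:", triage(found))
```

The shadow-copy and service-stop rules on their own are noisy (backup agents and administrators run the same commands), which is why `triage` only reports high severity when they coincide with the rename burst or the ransom note; in production the window and threshold would be tuned per host role, and the ‘.afire’ rule would be one entry in a list of known extensions.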

Encryption Process
For each file, the encryptor sets the file’s attributes to FILE_ATTRIBUTE_NORMAL (clearing read-only and similar flags that would otherwise block the write) and appends the ‘.afire’ extension.
The ransomware uses Curve25519, which is an elliptic-curve key-agreement primitive rather than a bulk cipher: encryptors of this kind embed the attacker’s public key, derive a shared secret from it, and use that secret to key the symmetric cipher that actually encrypts file contents, so correctly encrypted files cannot be recovered without the attacker’s private key. The same Curve25519 usage appears in the Babuk encryptor, indicating a possible overlap between the two code bases.
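To make concrete why a Curve25519-based encryptor leaves nothing on the victim machine that could decrypt the files, here is an added example in pure Python of the hybrid scheme such encryptors use; it is not HelloFire’s or Babuk’s code and the article does not describe HelloFire’s exact construction. The X25519 function follows RFC 7748 directly. The symmetric part (`_keystream_xor`, a SHA-256 counter keystream) and the key derivation (`hashlib.sha256` over the shared secret and both public keys) are stand-ins chosen for this illustration; a real sample would use its own stream cipher and header layout, which the article does not name.

```python
import hashlib
import os
from typing import Optional, Tuple

# X25519 (RFC 7748): Montgomery ladder over GF(2^255 - 19). Illustrative, not constant-time.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    """Apply the X25519 scalar clamping before running the ladder."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k * u on Curve25519; returns the 32-byte u-coordinate."""
    k_int = _clamp(k)
    u_bytes = bytearray(u)
    u_bytes[31] &= 127                      # RFC 7748: ignore the top bit of the input coordinate
    x1 = int.from_bytes(u_bytes, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        if swap:                            # a real implementation uses a constant-time cswap here
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream: stand-in for the sample's (unnamed) bulk cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "little")).digest()
        out.extend(x ^ y for x, y in zip(data[off:off + 32], block))
    return bytes(out)


def keypair(priv: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Generate (private, public); the attacker does this once, offline, before building the sample."""
    priv = priv or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def encrypt_blob(plaintext: bytes, attacker_pub: bytes) -> bytes:
    """Victim side: only the attacker's public key is present in the binary."""
    eph_priv, eph_pub = keypair()                       # fresh ephemeral pair per file
    shared = x25519(eph_priv, attacker_pub)
    key = hashlib.sha256(shared + eph_pub + attacker_pub).digest()   # assumed KDF for this example
    del eph_priv                                        # discarded: nothing left that can rebuild 'key'
    return eph_pub + _keystream_xor(key, plaintext)     # ephemeral public key travels in the header


def decrypt_blob(blob: bytes, attacker_priv: bytes) -> bytes:
    """Attacker side (the decryptor sold to the victim): needs the private key never shipped in the sample."""
    eph_pub, ciphertext = blob[:32], blob[32:]
    attacker_pub = x25519(attacker_priv, BASEPOINT)
    shared = x25519(attacker_priv, eph_pub)
    key = hashlib.sha256(shared + eph_pub + attacker_pub).digest()
    return _keystream_xor(key, ciphertext)


if __name__ == "__main__":
    attacker_priv, attacker_pub = keypair()
    blob = encrypt_blob(b"quarterly figures (constructed sample content)", attacker_pub)
    print("header (ephemeral pub):", blob[:32].hex())
    print("recovered:", decrypt_blob(blob, attacker_priv))
```

The practical consequence for incident response: with this construction the only artefacts on the victim host are the attacker’s public key and one ephemeral public key per file, neither of which yields the file key, so recovery efforts go to shadow copies, backups and implementation mistakes (a weak random source for the ephemeral key, a reused keystream) rather than to the curve itself.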
The emergence of ‘HelloFire’ underscores the need for organizations and individuals to stay vigilant and keep their defences current.
Because this actor hides behind the guise of legitimate security testing, organizations should also check any claimed penetration test against the engagements they actually authorized before treating a ransom note as anything other than an attack.
Utilizing comprehensive malware protection solutions, such as Perimeter81, can provide a crucial defense against malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, all of which pose significant risks to network security and integrity.