Palo Alto Networks' Unit42 stated that it has been observing a new ransomware family that surfaced in November 2021. Unit42 stated that the ransomware performs double-extortion attacks and is capable of impacting both Windows and Linux systems. The ransomware family does not have an active leak site; its operators prefer contacting the victim directly to negotiate through TOX chat and onion-based messenger instances.
MicroBackdoor
Unit42's analysis showed that the obfuscation and execution of this ransomware family share core functionality with the leaked Babuk/Babyk source code. Unit42 stated that one of the samples deploys MicroBackdoor, an open-source backdoor that allows the attacker to browse the file system, upload and download files, execute commands, and remove itself from the system. It lets the attackers monitor the progress of the intrusion and gives them an additional foothold in the system.
When Unit42 analyzed the MicroBackdoor sample, the team examined its configuration and found an embedded IP address belonging to the threat actor, who is believed to be the developer: x4k, also known as L4ckyguy, unKn0wn, unk0w, _unkn0wn and x4kme. Unit 42 has observed x4k on various hacking and non-hacking forums, and that activity has linked the threat actor to additional malicious activity such as:
- Cobalt Strike Beacon deployment.
- Selling proof-of-concept (PoC) exploits.
- Crypter services.
- Developing custom Kali Linux distros.
- Hosting and distributing malware.
- Deployment of malicious infrastructure.
Unit42 said,
« Unit 42 research encountered HelloXD, a ransomware family in its initial stages, but already intending to impact organizations. While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k. This threat actor is well known on various hacking forums, and seems to be of Russian origin. Unit 42 was able to uncover additional x4k activity being linked to malicious infrastructure, and additional malware besides the initial ransomware sample, going back to 2020.
Ransomware is a lucrative operation if done correctly. Unit 42 has observed ransom demands and average payments going up in the latest Ransomware Threat Report. Unit 42 believes that x4k, this threat actor, is now expanding into the ransomware business to capitalize on some of the gains other ransomware groups are making. »