Hydracrypt Ransomware Analysis
On the 2nd of January the Joe Security research team uncovered a new threat dubbed HydraCrypt ransomware. We gave it a quick test run to understand whether our customers are already protected from the threat and what damage this new ransomware can cause to infected systems. From what we have seen so far, this ransomware appears to be less sophisticated than CryptoLocker, CTB-Locker or CryptoWall, but it is certainly no less dangerous.
At the time of writing, HydraCrypt is still undetected by every major antivirus product except Qihoo 360.
So pay close attention to spam emails if you are relying on traditional security software.
Hydracrypt Ransomware Behaviour
HydraCrypt does not appear to use any kind of UAC bypass or privilege escalation; indeed, a UAC prompt appears soon after the application is run.
As soon as the encryption process starts, HydraCrypt phones home and retrieves the ransom image that will be shown later on. This is possibly a way for the authors to keep track of infections and to update the contact email address shown in the image when needed.
We identified only one domain contacted during our tests: drivers-softprotect.eu. The image's last-modification date indicates that this ransomware has been active at least since the 28th of January 2016. While the call home takes place, the encryption process begins. The set of files encrypted is vast: basically every extension is targeted, with the exclusion of system files such as .exe, .dll and .sys. Even the Recycle Bin contents and system backups are encrypted.
After the encryption process is completed, the usual ransom screen appears with instructions on how to decrypt the data.
The decryption process requires an external application, an approach similar to that of other ransomware such as Chimera; only this time you have to contact the authors manually. Failure to do so will cost you your data, and the authors apparently also threaten to sell your documents on the “Dark Markets”. At this point HydraCrypt calls home again, sending the server the ID of the current infection.
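As an added example (not ReaQta's detection logic and not code from the original post), the following Python sketch turns the behaviour described above into a simple hunting heuristic over endpoint telemetry: a process that writes files of many distinct non-system extensions, writes into the Recycle Bin, or resolves the domain observed above gets flagged with the reasons. The event schema, the field names, the threshold and the sample events are all constructed assumptions for the example.

```python
"""Added example: a simple hunting heuristic for the HydraCrypt behaviour
described above. This is not ReaQta's detection logic; the event schema,
threshold and sample telemetry below are assumptions constructed for the
example."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions the write-up reports HydraCrypt leaves untouched.
SKIPPED_EXTENSIONS = {".exe", ".dll", ".sys"}
# The only domain observed being contacted in the write-up.
KNOWN_C2_DOMAINS = {"drivers-softprotect.eu"}
# Distinct non-system extensions a single process must write before we call
# it mass encryption (assumed threshold, not a tuned value).
MIN_DISTINCT_EXTENSIONS = 5

# Constructed telemetry as (event_type, pid, value): a path for file_write,
# a queried name for dns. Not real captured data.
SAMPLE_EVENTS = [
    ("dns", 4242, "drivers-softprotect.eu"),
    ("file_write", 4242, r"C:\Users\bob\Documents\report.docx"),
    ("file_write", 4242, r"C:\Users\bob\Documents\budget.xlsx"),
    ("file_write", 4242, r"C:\Users\bob\Pictures\holiday.jpg"),
    ("file_write", 4242, r"C:\Users\bob\Music\track.mp3"),
    ("file_write", 4242, r"C:\Users\bob\Desktop\notes.txt"),
    ("file_write", 4242, r"C:\$Recycle.Bin\S-1-5-21-1\$R3F9A2.pdf"),
    # An installer touching only system extensions: must not count.
    ("file_write", 2001, r"C:\Program Files\Tool\setup.exe"),
    ("file_write", 2001, r"C:\Program Files\Tool\lib.dll"),
    ("file_write", 2001, r"C:\Windows\System32\drivers\tool.sys"),
    # Word saving one document plus a temp file: benign.
    ("file_write", 1337, r"C:\Users\bob\Documents\report.docx"),
    ("file_write", 1337, r"C:\Users\bob\AppData\Local\Temp\~WRD0001.tmp"),
    ("dns", 1337, "update.microsoft.com"),
]


def summarize(events):
    """Collect per-process signals: non-system extensions written,
    Recycle Bin writes and lookups of the known domain."""
    extensions = defaultdict(set)
    recycle_bin_writers = set()
    c2_resolvers = set()
    for kind, pid, value in events:
        if kind == "file_write":
            path = PureWindowsPath(value)
            ext = path.suffix.lower()
            if ext and ext not in SKIPPED_EXTENSIONS:
                extensions[pid].add(ext)
            if any(part.lower() == "$recycle.bin" for part in path.parts):
                recycle_bin_writers.add(pid)
        elif kind == "dns" and value.lower().rstrip(".") in KNOWN_C2_DOMAINS:
            c2_resolvers.add(pid)
    return extensions, recycle_bin_writers, c2_resolvers


def suspicious_processes(events, min_extensions=MIN_DISTINCT_EXTENSIONS):
    """Return {pid: [reasons]} for every process that trips at least one signal."""
    extensions, recycle_bin_writers, c2_resolvers = summarize(events)
    verdicts = {}
    for pid in sorted(set(extensions) | recycle_bin_writers | c2_resolvers):
        reasons = []
        if len(extensions.get(pid, ())) >= min_extensions:
            reasons.append(f"wrote {len(extensions[pid])} distinct non-system extensions")
        if pid in recycle_bin_writers:
            reasons.append("modified $Recycle.Bin contents")
        if pid in c2_resolvers:
            reasons.append("resolved a known HydraCrypt domain")
        if reasons:
            verdicts[pid] = reasons
    return verdicts


if __name__ == "__main__":
    for pid, reasons in suspicious_processes(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The extension-diversity signal is the one that generalises beyond this family, since most ransomware writes across many user file types in a short time while legitimate software rarely does; the domain match is a brittle IOC that only catches this sample's infrastructure, and the Recycle Bin signal matters here because the write-up notes that HydraCrypt encrypts its contents too.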
What is interesting, other than the fact that the malware appears to be written in MFC, is that a large section of it is clearly obfuscated with something that looks similar to the M/o/Vfuscator.
About 49% of the whole code is in fact just MOV instructions. We have not yet attempted any deobfuscation of that part of the code.
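The MOV statistic above is cheap to reproduce from a text disassembly, and it is more useful per function than per binary, because the obfuscated region stands out as a block that is almost entirely MOVs. As an added example (not ReaQta's tooling and not the sample's real disassembly), the script below parses objdump-like output, reports the overall MOV ratio and flags functions whose code is nearly all MOVs. The listing, thresholds and function names are constructed for the example.

```python
"""Added example: estimate how MOV-heavy a binary's code is from a text
disassembly, the kind of check that surfaces an M/o/Vfuscator-style region.
Not ReaQta's tooling; the listing below is constructed in objdump-like
syntax and is not HydraCrypt's real code."""
import re

# "  401000: 8b 45 08   mov    eax,DWORD PTR [ebp+0x8]" -> captures "mov".
INSN_RE = re.compile(r"^\s*[0-9a-f]+:\s+(?:[0-9a-f]{2}\s+)*([a-z][a-z0-9]*)", re.I)
# "00401000 <obfuscated>:" -> captures "obfuscated".
HEADER_RE = re.compile(r"^\s*[0-9a-f]+\s+<([^>]+)>:\s*$", re.I)

# Constructed listing: one MOV-only region ending in a jmp, one ordinary function.
SAMPLE_LISTING = """\
00401000 <obfuscated>:
  401000: b8 00 00 00 00        mov    eax,0x0
  401005: a3 00 20 40 00        mov    ds:0x402000,eax
  40100a: 8b 0d 04 20 40 00     mov    ecx,DWORD PTR ds:0x402004
  401010: 8b 14 8d 00 30 40 00  mov    edx,DWORD PTR [ecx*4+0x403000]
  401017: 89 15 08 20 40 00     mov    DWORD PTR ds:0x402008,edx
  40101d: 8b 35 0c 20 40 00     mov    esi,DWORD PTR ds:0x40200c
  401023: 8a 06                 mov    al,BYTE PTR [esi]
  401025: 88 05 10 20 40 00     mov    ds:0x402010,al
  40102b: 8b 3d 14 20 40 00     mov    edi,DWORD PTR ds:0x402014
  401031: 8b 07                 mov    eax,DWORD PTR [edi]
  401033: a3 18 20 40 00        mov    ds:0x402018,eax
  401038: 8b 0d 1c 20 40 00     mov    ecx,DWORD PTR ds:0x40201c
  40103e: 89 0d 20 20 40 00     mov    DWORD PTR ds:0x402020,ecx
  401044: e9 b7 ff ff ff        jmp    401000 <obfuscated>

00401050 <clean>:
  401050: 55                    push   ebp
  401051: 89 e5                 mov    ebp,esp
  401053: e8 a8 ff ff ff        call   401000 <obfuscated>
  401058: 83 c4 04              add    esp,0x4
  40105b: c9                    leave
  40105c: c3                    ret
"""


def mnemonics(listing):
    """All mnemonics in the listing, in order, lower-cased."""
    return [m.group(1).lower() for m in map(INSN_RE.match, listing.splitlines()) if m]


def overall_mov_ratio(listing):
    """Fraction of instructions in the whole listing that are MOV variants."""
    names = mnemonics(listing)
    return sum(n.startswith("mov") for n in names) / len(names) if names else 0.0


def per_function_counts(listing):
    """Map each function label to (mov_count, instruction_count)."""
    counts = {}
    current = None
    for line in listing.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            counts.setdefault(current, [0, 0])
            continue
        insn = INSN_RE.match(line)
        if insn and current is not None:
            counts[current][1] += 1
            if insn.group(1).lower().startswith("mov"):
                counts[current][0] += 1
    return {name: tuple(pair) for name, pair in counts.items()}


def flag_movfuscated_functions(listing, threshold=0.9, min_insns=10):
    """Names of functions that are at least `threshold` MOVs and big enough
    to matter (assumed thresholds, chosen for the example)."""
    return [name for name, (movs, total) in per_function_counts(listing).items()
            if total >= min_insns and movs / total >= threshold]


if __name__ == "__main__":
    print(f"overall MOV ratio: {overall_mov_ratio(SAMPLE_LISTING):.0%}")
    print("MOV-only functions:", flag_movfuscated_functions(SAMPLE_LISTING))
```

A whole-binary ratio like the 49% quoted above is diluted by the unobfuscated MFC and runtime code, which is why the per-function view is the one worth triaging from; a region that is nearly all MOVs with a single backward jmp is the signature the M/o/Vfuscator leaves.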
All of our customers using ReaQta-core are already protected and no updates are required: the A.I. engines correctly detect and block the infection attempt, and any data policy already in place provides further protection against this or any other ransomware family.