HDDCryptor ransomware uses legit, off the shelf software

The ransomware depends on several legit pieces of software to work.

HDDCryptor is a ransomware variant with a couple of new twists that make it an effective tool for cybercriminals, a Trend Micro study found.

HDDCryptor, detected as Ransom_HDDCRYPTOR.A, uses a combination of legitimate and illegitimate tools to lock up not only a PC but any attached storage drive, wrote Trend Micro researchers Stephen Hilt and William Gamazo Sanchez. Two of the legal pieces of software used are Netpass and DiskCryptor. The former grabs all network passwords stored on the system, which are then used to reach and encrypt networked folders, and the latter encrypts the files.

“It also uses DiskCryptor to overwrite the Master Boot Record (MBR) and adds a modified bootloader to display its ransom note, instead of the machine's normal log-in screen,” the researchers said, adding that the DiskCryptor version used is two years old but still quite effective.
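Because the ransom note is delivered by replacing the bootstrap code in the first sector of the disk, one practical defensive check is to keep a baseline copy of each machine's MBR and compare the current one against it. The following is an added example written for this article; it is not code from Trend Micro, the researchers, or the malware itself. It parses a 512-byte MBR (bootstrap code, disk signature, four partition entries, 0x55AA boot signature), hashes the bootstrap region, and reports what differs from the baseline. The sample MBRs are constructed inline, and the device path used by `read_live_mbr` is an assumption that depends on the platform and requires administrative rights.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code (what a bootloader swap replaces)
DISK_SIG_OFF = 440       # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"   # bytes 510..511: boot signature


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR sector into the fields worth comparing against a baseline."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, skip CHS start, type, skip CHS end, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # empty entries are all zero
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "boot_signature_ok": mbr[510:512] == BOOT_SIG,
        "partitions": partitions,
    }


def check_mbr(baseline_mbr: bytes, current_mbr: bytes) -> list:
    """Return a list of human-readable findings; an empty list means no change detected."""
    base, cur = parse_mbr(baseline_mbr), parse_mbr(current_mbr)
    findings = []
    if not cur["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("bootstrap code changed: possible bootloader replacement "
                        f"({base['boot_code_sha256'][:12]} -> {cur['boot_code_sha256'][:12]})")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    return findings


def build_sample_mbr(boot_code: bytes, disk_signature: int = 0x1234ABCD,
                     partitions=None) -> bytes:
    """Construct a synthetic MBR for this demonstration (not taken from any real disk)."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entries = list(partitions or [])
    table = b""
    for i in range(4):
        if i < len(entries):
            status, ptype, lba_start, sectors = entries[i]
            table += struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3,
                                 lba_start, sectors)
        else:
            table += b"\x00" * 16
    return boot_code + struct.pack("<I", disk_signature) + b"\x00\x00" + table + BOOT_SIG


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a physical disk.

    Assumption: the default path is the Windows raw-disk path; on Linux use e.g. /dev/sda.
    Either way this needs administrator/root privileges and is not used by the tests below.
    """
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    # Constructed scenario: the same partition layout before and after a bootloader swap.
    layout = [(0x80, 0x07, 2048, 204800)]
    baseline = build_sample_mbr(b"\xEB\x63\x90original-boot-code", partitions=layout)
    tampered = build_sample_mbr(b"\xEB\x63\x90replaced-bootloader", partitions=layout)
    print("unchanged:", check_mbr(baseline, baseline))
    print("tampered :", check_mbr(baseline, tampered))
```

In practice the baseline would be captured once per host at build time (for example into configuration management) and re-read on a schedule or after a suspicious logon, so that a swapped bootstrap region is reported before the next reboot shows the ransom screen instead of the login prompt.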

What Trend Micro found particularly interesting is how easily this malware was put together simply by using some off-the-shelf, legal tools.
