Hello XD ransomware has been updated with a new encryptor that changes its encryption algorithms and adds custom packing to further evade detection, according to BleepingComputer.

Palo Alto Networks' Unit 42 reported that the newest Hello XD version adds an onion site link to its ransom note, although the site has so far been offline. Executing Hello XD not only disables shadow copies and encrypts files, appending the .hello extension to them, but also drops MicroBackdoor, an open-source backdoor that enables file exfiltration and command execution, the report showed.

Moreover, the custom packer was found to use two layers of obfuscation, and the encryptor now uses the Rabbit cipher in place of the modified HC-128 used by earlier versions, while retaining Curve25519-Donna. Unit 42 researchers also attributed the updated Hello XD ransomware to a Russian threat actor dubbed "X4KME", who has distributed Cobalt Strike beacons, various proof-of-concept exploits, custom Kali Linux distributions, and crypter services.