Friday, May 24, 2024

Beware of New ‘HelloFire’ Ransomware Actor Mimic as a Pentester

A new threat is the emergence of a ransomware encryptor dubbed ‘HelloFire.’

This new player in the cybercrime arena is employing deceptive tactics to disguise its malicious intent as legitimate penetration testing activities.

Here’s what you need to know about this emerging threat.

Masquerading as a Pentest

The ‘HelloFire’ ransomware is a recent addition to the cyber threat environment, notable for its lack of a traditional leak site or the usual ransomware branding.


Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, which helps you to quantify risk accurately:

The ransom note, which lacks uniqueness in its wording, clearly indicates that the threat actor poses as a pentester—a tactic previously seen with other cybercriminals.

However, the use of specific email domains in the ransom note, such as ‘keemail. me’ and ‘’, undermine the credibility of the attack as a legitimate pentest.

These domains have been associated with various threat actors since as far back as 2013.

ShadowStackRE recently shared a blog post regarding the emergence of a new threat landscape called hellfire Ransomware.

Potential Russian Threat Actor

The ransomware note and the PDB (Program Database) path contain references to the word ‘hello’ in both English and Russian (‘Zdravstvuy’), suggesting a potential Russian connection.

The encrypted files have the extension ‘.afire’, and the ransom note is in a ‘Restore.txt’ file.

‘HelloFire’ has a comprehensive list of services, directories, and files that it targets, indicating a well-researched approach to maximize the impact on infected systems.

Technical Analysis

Build Information

The encryptor is built as a Windows PE 32bit executable using Visual C++ and has a file size of 49.5KB.

It was first detected on VirusTotal on March 16, 2024, with the SHA256 hash:3656c44fd59366700f9182278faf2b6b94f0827f62a8aac14f64b987141bb69b. 

The sample was first seen in VirusTotal on 2024-03-16
The sample was first seen in VirusTotal on 2024-03-16

Program Flow

The ransomware begins by acquiring a cryptographic context and uses the Windows API to handle the random number generator.

A new thread will be created to handle the encryption routine and file discovery.
A new thread will be created to handle the encryption routine and file discovery.

 It then inhibits system recovery by deleting Windows shadow copies, stopping a list of services and programs, and clearing the recycle bin.

A new thread is created to manage the encryption routine and file discovery, which includes enumerating volume drives and file shares connected to the target machine.

File shares that are connected to the target machine.
File shares that are connected to the target machine.

Inhibiting System Recovery

The malware dynamically obtains a handle to ‘kernel32.dll’ to disable WoW64 FS redirection and ensure that commands are executed correctly.

It uses ‘vssadmin.exe’ to delete Windows shadow copies, a common ransomware tactic quickly identified by many EDR or behavioral analysis systems.


The configuration is stored in non-encrypted blocks within the .data section of the executable.

Executable List
Executable List

It includes a list of executables and services typically found on corporate machines, such as email clients, databases, and security software like Sophos.

The file and directory listings are also included, essential for the encryptor to avoid destabilizing the system before completing the encryption routine.

File and Directory Discovery

The encryptor uses Windows APIs to identify and map local volumes and network shares.

It then recursively processes the subdirectory tree to locate files for encryption.

Encryption Process

The encryption thread sets the target file to ‘FILE_ATTRIBUTE_NORMAL’ and appends the ‘.afire’ extension.

It uses the restart manager APIs to ensure other processes do not lock files.

The Curve25519 algorithm is used for encryption, and it is commonly found in Babuk malware, indicating a clear overlap between the two encryptors.

The ‘HelloFire’ ransomware represents a sophisticated and stealthy threat that leverages the guise of legitimate security testing to carry out its attacks.

Organizations and individuals should be vigilant and ensure that their cybersecurity measures are up to date to protect against such deceptive threats.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles