Beware of New ‘HelloFire’ Ransomware Actor Mimic as a Pentester

A new threat is the emergence of a ransomware encryptor dubbed ‘HelloFire.’

This new player in the cybercrime arena is employing deceptive tactics to disguise its malicious intent as legitimate penetration testing activities.

Here’s what you need to know about this emerging threat.

Masquerading as a Pentest

The ‘HelloFire’ ransomware is a recent addition to the cyber threat environment, notable for its lack of a traditional leak site or the usual ransomware branding.

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. :

• The problem of vulnerability fatigue today
• Difference between CVSS-specific vulnerability vs risk-based vulnerability
• Evaluating vulnerabilities based on the business impact/risk
• Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, which helps you to quantify risk accurately:

Book Your spot

The ransom note, which lacks uniqueness in its wording, clearly indicates that the threat actor poses as a pentester—a tactic previously seen with other cybercriminals.

However, the use of specific email domains in the ransom note, such as ‘keemail. me’ and ‘onionmail.org’, undermine the credibility of the attack as a legitimate pentest.

These domains have been associated with various threat actors since as far back as 2013.

ShadowStackRE recently shared a blog post regarding the emergence of a new threat landscape called hellfire Ransomware.

Potential Russian Threat Actor

The ransomware note and the PDB (Program Database) path contain references to the word ‘hello’ in both English and Russian (‘Zdravstvuy’), suggesting a potential Russian connection.

The encrypted files have the extension ‘.afire’, and the ransom note is in a ‘Restore.txt’ file.

‘HelloFire’ has a comprehensive list of services, directories, and files that it targets, indicating a well-researched approach to maximize the impact on infected systems.

Technical Analysis

Build Information

The encryptor is built as a Windows PE 32bit executable using Visual C++ and has a file size of 49.5KB.

It was first detected on VirusTotal on March 16, 2024, with the SHA256 hash:3656c44fd59366700f9182278faf2b6b94f0827f62a8aac14f64b987141bb69b. 

Program Flow

The ransomware begins by acquiring a cryptographic context and uses the Windows API to handle the random number generator.

 It then inhibits system recovery by deleting Windows shadow copies, stopping a list of services and programs, and clearing the recycle bin.

A new thread is created to manage the encryption routine and file discovery, which includes enumerating volume drives and file shares connected to the target machine.

Inhibiting System Recovery

The malware dynamically obtains a handle to ‘kernel32.dll’ to disable WoW64 FS redirection and ensure that commands are executed correctly.

It uses ‘vssadmin.exe’ to delete Windows shadow copies, a common ransomware tactic quickly identified by many EDR or behavioral analysis systems.

Configuration

The configuration is stored in non-encrypted blocks within the .data section of the executable.

It includes a list of executables and services typically found on corporate machines, such as email clients, databases, and security software like Sophos.

The file and directory listings are also included, essential for the encryptor to avoid destabilizing the system before completing the encryption routine.

File and Directory Discovery

The encryptor uses Windows APIs to identify and map local volumes and network shares.

It then recursively processes the subdirectory tree to locate files for encryption.

Encryption Process

The encryption thread sets the target file to ‘FILE_ATTRIBUTE_NORMAL’ and appends the ‘.afire’ extension.

It uses the restart manager APIs to ensure other processes do not lock files.

The Curve25519 algorithm is used for encryption, and it is commonly found in Babuk malware, indicating a clear overlap between the two encryptors.

The ‘HelloFire’ ransomware represents a sophisticated and stealthy threat that leverages the guise of legitimate security testing to carry out its attacks.

Organizations and individuals should be vigilant and ensure that their cybersecurity measures are up to date to protect against such deceptive threats.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.