Cyber Security News

Beware of New ‘HelloFire’ Ransomware Actor Mimic as a Pentester

A new threat is the emergence of a ransomware encryptor dubbed ‘HelloFire.’

This new player in the cybercrime arena is employing deceptive tactics to disguise its malicious intent as legitimate penetration testing activities.

Here’s what you need to know about this emerging threat.

Masquerading as a Pentest

The ‘HelloFire’ ransomware is a recent addition to the cyber threat environment, notable for its lack of a traditional leak site or the usual ransomware branding.


Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. :

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, which helps you to quantify risk accurately:

The ransom note, which lacks uniqueness in its wording, clearly indicates that the threat actor poses as a pentester—a tactic previously seen with other cybercriminals.

However, the use of specific email domains in the ransom note, such as ‘keemail. me’ and ‘’, undermine the credibility of the attack as a legitimate pentest.

These domains have been associated with various threat actors since as far back as 2013.

ShadowStackRE recently shared a blog post regarding the emergence of a new threat landscape called hellfire Ransomware.

Potential Russian Threat Actor

The ransomware note and the PDB (Program Database) path contain references to the word ‘hello’ in both English and Russian (‘Zdravstvuy’), suggesting a potential Russian connection.

The encrypted files have the extension ‘.afire’, and the ransom note is in a ‘Restore.txt’ file.

‘HelloFire’ has a comprehensive list of services, directories, and files that it targets, indicating a well-researched approach to maximize the impact on infected systems.

Technical Analysis

Build Information

The encryptor is built as a Windows PE 32bit executable using Visual C++ and has a file size of 49.5KB.

It was first detected on VirusTotal on March 16, 2024, with the SHA256 hash:3656c44fd59366700f9182278faf2b6b94f0827f62a8aac14f64b987141bb69b. 

The sample was first seen in VirusTotal on 2024-03-16

Program Flow

The ransomware begins by acquiring a cryptographic context and uses the Windows API to handle the random number generator.

A new thread will be created to handle the encryption routine and file discovery.

 It then inhibits system recovery by deleting Windows shadow copies, stopping a list of services and programs, and clearing the recycle bin.

A new thread is created to manage the encryption routine and file discovery, which includes enumerating volume drives and file shares connected to the target machine.

File shares that are connected to the target machine.

Inhibiting System Recovery

The malware dynamically obtains a handle to ‘kernel32.dll’ to disable WoW64 FS redirection and ensure that commands are executed correctly.

It uses ‘vssadmin.exe’ to delete Windows shadow copies, a common ransomware tactic quickly identified by many EDR or behavioral analysis systems.


The configuration is stored in non-encrypted blocks within the .data section of the executable.

Executable List

It includes a list of executables and services typically found on corporate machines, such as email clients, databases, and security software like Sophos.

The file and directory listings are also included, essential for the encryptor to avoid destabilizing the system before completing the encryption routine.

File and Directory Discovery

The encryptor uses Windows APIs to identify and map local volumes and network shares.

It then recursively processes the subdirectory tree to locate files for encryption.

Encryption Process

The encryption thread sets the target file to ‘FILE_ATTRIBUTE_NORMAL’ and appends the ‘.afire’ extension.

It uses the restart manager APIs to ensure other processes do not lock files.

The Curve25519 algorithm is used for encryption, and it is commonly found in Babuk malware, indicating a clear overlap between the two encryptors.

The ‘HelloFire’ ransomware represents a sophisticated and stealthy threat that leverages the guise of legitimate security testing to carry out its attacks.

Organizations and individuals should be vigilant and ensure that their cybersecurity measures are up to date to protect against such deceptive threats.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Hackers Exploiting Docusign With Phishing Attack To Steal Credentials

Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make it a highly effective and low-cost…

18 hours ago

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…

2 days ago

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…

2 days ago

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…

2 days ago

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…

3 days ago

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…

3 days ago