Threat Signal Report

Ransomware Roundup – 2022/06/16

Description

FortiGuard Labs has become aware of several ransomware strains that caught the public's attention for the week of June 13th, 2022. It is imperative to raise awareness about ransomware variants because infections can cause severe damage to organizations. This week's Ransomware Roundup Threat Signal covers Nyx, Solidbit, RobbinHood and HelloXD ransomware along with the Fortinet protections against them.



What is Nyx ransomware?

Nyx is a recently discovered double-extortion ransomware. It steals data from the victim, encrypts files on the compromised machine, and then demands a ransom in exchange for file recovery and for not leaking the stolen information to the public. It leaves a ransom note in a file called READ_ME.txt that includes the victim's unique ID, the attacker's contact email address, and a secondary email address that the victim should use if the attacker has not responded within 48 hours of the first email being sent.



Nyx ransomware's ransom note


The ransomware adds the following file extension to the files it encrypts:

[victim's unique ID].[the attacker's primary contact email].NYX



Files encrypted by Nyx ransomware


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against Nyx ransomware:

W32/Filecoder.NHQ!tr.ransom



What is Solidbit ransomware?

Solidbit is a ransomware that encrypts files on the compromised machine and demands a ransom from the victim for file recovery.


Solidbit ransomware's lock screen

Solidbit ransomware drops a ransom note in a file named RESTORE-MY-FILES.txt, which includes the address of Solidbit's own TOR site, which the victim is asked to visit to contact the attacker, along with a decryption ID.



Solidbit ransomware's ransom note


The TOR site offers free decryption of a file (up to a maximum file size of 1MB) to prove that decryption works properly. The Solidbit threat actor also provides chat support for victims.


Solidbit ransomware's TOR site


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against Solidbit ransomware:

MSIL/Filecoder.APU!tr.ransom



What is RobbinHood ransomware?

RobbinHood is a ransomware that has been in the wild since at least 2019. It is covered in this week's ransomware roundup because a report recently surfaced that it was responsible for infecting an auto parts manufacturer in February 2022, which resulted in the shutdown of its factories.

Written in Golang, RobbinHood is a simple ransomware that encrypts files on the compromised machine and demands a ransom for decrypting the affected files. A typical ransom note left behind by RobbinHood ransomware contains the attacker's bitcoin address and asks the victim to pay the ransom within 3 to 4 days, depending on the ransomware variant. The attacker warns that the ransom amount increases by $10,000 each day if the payment is not made within the specified window. Some RobbinHood ransom notes also state that the victim's keys will be removed after 10 days, which makes file recovery impossible and adds pressure on the victim to pay the ransom. The attacker also asks the victim not to contact law enforcement or security vendors.

Known file extensions that RobbinHood ransomware adds to encrypted files include ".enc_robbin_hood" and ".rbhd".

It also deletes shadow copies, which makes file recovery difficult.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against RobbinHood ransomware:

W32/Robin.AB!tr.ransom
W32/Robin.A!tr
W32/RobbinHood.A!tr.ransom
W32/RobbinHood.A!tr
W32/Ransom_Win32_ROBBINHOOD.SM
W32/Filecoder_RobbinHood.D!tr.ransom
W32/Filecoder_RobbinHood.D!tr
W32/Filecoder_RobbinHood.C!tr
W32/Filecoder_RobbinHood.B!tr.ransom
W32/Filecoder_RobbinHood.B!tr
W32/Filecoder_RobbinHood.A!tr



What is HelloXD ransomware?

HelloXD is a ransomware that targets both Windows and Linux systems. The ransomware has been in the field since at least November 2021 and typically carries a logo showing a red face with horns.



HelloXD ransomware logo


In order to inhibit file recovery, it deletes shadow copies before encrypting files. After files are encrypted, it drops a ransom note named "Hello.txt", which contains a unique personal ID for the victim, a Tox chat ID to contact the attacker, and instructions to download and install Tox. The note also states that a ransom payment needs to be made within 96 hours of the infection or else the ransom amount will increase. Files encrypted by HelloXD have a ".hello" file extension.

Some of the HelloXD ransomware samples reportedly deploy MicroBackdoor, an open-source backdoor, to the compromised machine. The backdoor allows the attackers to keep a foothold in the victim's machine and is not likely to be removed from the victim's machine even if a ransom payment is made.
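As an added example (not part of the FortiGuard report), the following Python triage helper walks a directory tree and attributes the filesystem artifacts described in this roundup (ransom note names, the extensions appended to encrypted files, and the Nyx "[ID].[email].NYX" renaming layout) to a family, so an incident responder can quickly tell which family they are dealing with. The character classes in the Nyx regex and the constructed sample file names are assumptions.

```python
import os
import re
import tempfile
from collections import defaultdict

# Artifacts from the roundup: ransom note names and extensions appended to encrypted files.
RANSOM_NOTES = {"READ_ME.txt": "Nyx", "RESTORE-MY-FILES.txt": "Solidbit", "Hello.txt": "HelloXD"}
ENCRYPTED_EXTENSIONS = {".enc_robbin_hood": "RobbinHood", ".rbhd": "RobbinHood", ".hello": "HelloXD"}
# Nyx renames files to <original>.<victim ID>.<attacker email>.NYX. The layout is from the
# report; the character classes assumed for the ID and email are our own assumption.
NYX_NAME = re.compile(r"^(?P<orig>.+)\.(?P<victim_id>[A-Za-z0-9-]+)\.(?P<email>[^.\s@]+@\S+)\.NYX$")


def classify_path(path):
    """Return (family, artifact_kind, detail) for one file name, or None if nothing matches."""
    name = os.path.basename(path)
    if name in RANSOM_NOTES:
        return (RANSOM_NOTES[name], "ransom_note", name)
    m = NYX_NAME.match(name)
    if m:  # detail is the victim ID, which ties the encrypted file to its READ_ME.txt note
        return ("Nyx", "encrypted_file", m.group("victim_id"))
    for ext, family in ENCRYPTED_EXTENSIONS.items():
        if name.lower().endswith(ext):
            return (family, "encrypted_file", ext)
    return None


def triage_tree(root):
    """Walk a tree; return per-family artifact counts and the set of Nyx victim IDs seen."""
    summary = defaultdict(lambda: {"ransom_note": 0, "encrypted_file": 0})
    nyx_ids = set()
    for dirpath, _dirs, files in os.walk(root):
        for hit in filter(None, (classify_path(os.path.join(dirpath, f)) for f in files)):
            family, kind, detail = hit
            summary[family][kind] += 1
            if family == "Nyx" and kind == "encrypted_file":
                nyx_ids.add(detail)
    return dict(summary), nyx_ids


def build_sample_tree():
    """Constructed sample tree of empty files (not real victim data) so the block runs offline."""
    root = tempfile.mkdtemp()
    for rel in ("READ_ME.txt", "q3-budget.xlsx.ABC123.attacker@example.com.NYX",
                "notes.docx.ABC123.attacker@example.com.NYX", "sub/RESTORE-MY-FILES.txt",
                "sub/design.pdf.rbhd", "sub/Hello.txt", "sub/photo.jpg.hello", "clean.txt"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root
```

Run `triage_tree(build_sample_tree())` to see the per-family counts for the constructed tree, or point `triage_tree` at a mounted image of an affected host.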


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against HelloXD ransomware:


W32/Filecoder_Hello.C!tr
W64/Filecoder_Hello.C!tr
W64/Filecoder_Hello.A!tr.ransom
MSIL/Filecoder.2362!tr.ransom
W32/GenKryptik.FPIJ!tr
W64/CoinMiner.EJER!tr
W32/PossibleThreat



Anything Else to Note?

Victims of ransomware are cautioned against paying ransoms by organizations such as CISA, NCSC, the FBI, and HHS. Payment does not guarantee that files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities, which could potentially be illegal according to a U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) advisory.

Definitions

Traffic Light Protocol

Color | When should it be used? | How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.