DXXD ransomware developer mocks researchers by making malware undecryptable

DXXD's ransom note in place of legal notice

Back in September, a ransomware variant called DXXD was found targeting servers and encrypting their files. To the relief of those affected, security researcher Michael Gillespie was able to analyze the malware and eventually release a decryptor. However, the ransomware developer quickly noticed this and modified the program's algorithm so that files can no longer be decrypted.

The DXXD ransomware isn't really anything special: if a system is infected, it appends a 'dxxd' extension to every file it encrypts. For instance, a file called 'hyacinth.jpg' becomes 'hyacinth.jpgdxxd' after encryption. It locks up every file it can find on the computer, including files on network shares, and leaves behind only a file named 'ReadMe.TxT', which contains instructions for contacting the developers by email to learn how to pay them.

What sets this crypto-malware apart from others is that it modifies a Windows Registry setting used to display a legal notice when users log in to the computer, replacing the notice with its own ransom note. Once this is configured, the malware developer knows that every user who tries to log in is sure to see the intended message.
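The two host-side indicators the article describes, the appended 'dxxd' extension and a ransom note planted in the logon legal-notice setting, can be checked with a short script. The following is an added example for defenders, not code from the article or from the malware analysis it reports. It assumes the legal notice is stored in the Windows values LegalNoticeCaption and LegalNoticeText under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the article only says "the legal notice setting"), and the ransom-keyword list and the sample file listing are constructed for the demo.

```python
"""Hunt for the two DXXD indicators: files renamed with an appended 'dxxd'
extension and a ransom note written into the Windows logon legal notice.
The classification functions take their data as arguments, so they run on
any platform; the live registry read only works on Windows."""
import ntpath
import re

# DXXD appends the literal 'dxxd' to the full file name (hyacinth.jpg ->
# hyacinth.jpgdxxd), so the original extension is still visible.
DXXD_SUFFIX = "dxxd"
RANSOM_NOTE_NAME = "readme.txt"   # the note is 'ReadMe.TxT'; compared case-insensitively

# Assumption: the logon legal notice is stored in these two values.
LEGAL_NOTICE_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
LEGAL_NOTICE_VALUES = ("LegalNoticeCaption", "LegalNoticeText")

# A corporate logon banner rarely mentions payment or decryption; a ransom
# note almost always does. Keyword list constructed for this demo.
RANSOM_KEYWORDS = re.compile(r"\b(decrypt|bitcoin|ransom|encrypted|pay)\b", re.I)


def classify_paths(paths):
    """Split file paths into encrypted files, ransom notes and untouched files."""
    result = {"encrypted": [], "notes": [], "clean": []}
    for p in paths:
        name = ntpath.basename(p).lower()   # handles both \ and / separators
        if name.endswith(DXXD_SUFFIX) and len(name) > len(DXXD_SUFFIX):
            result["encrypted"].append(p)
        elif name == RANSOM_NOTE_NAME:
            result["notes"].append(p)
        else:
            result["clean"].append(p)
    return result


def original_name(encrypted_path):
    """Recover the pre-encryption file name; the content itself is not recoverable."""
    return encrypted_path[:-len(DXXD_SUFFIX)]


def legal_notice_suspicious(values):
    """values: {value_name: text} as read from the policy key. Returns the hits."""
    hits = {}
    for name in LEGAL_NOTICE_VALUES:
        text = values.get(name) or ""
        if RANSOM_KEYWORDS.search(text):
            hits[name] = text
    return hits


def read_legal_notice_from_registry():
    """Live read on Windows; returns {} on other platforms or when unset."""
    try:
        import winreg
    except ImportError:
        return {}
    out = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LEGAL_NOTICE_KEY) as key:
            for name in LEGAL_NOTICE_VALUES:
                try:
                    out[name], _ = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    pass
    except FileNotFoundError:
        pass
    return out


if __name__ == "__main__":
    # Constructed sample listing, not data from a real infection.
    sample = [r"C:\share\hyacinth.jpgdxxd", r"C:\share\ReadMe.TxT",
              r"C:\share\budget.xlsx", r"D:\docs\q3.docxdxxd"]
    print(classify_paths(sample))
    banner = {"LegalNoticeCaption": "IMPORTANT",
              "LegalNoticeText": "Your files are encrypted. Pay to decrypt."}
    print(legal_notice_suspicious(banner))
    print(legal_notice_suspicious(read_legal_notice_from_registry()))
```

On a suspected host, run the script to check the live banner, and point `classify_paths` at a directory walk of the shares the server exposes; the list of recovered original names is what an administrator needs when restoring from backup.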

However, it seems the DXXD ransomware developers were still not done. They also took the time to register an account at the computer security website Bleeping Computer to taunt the victims, and especially the security researchers who were attempting to decrypt the malware. The developer stated that they have now developed a newer version that is harder to crack, and claims to have used a zero-day vulnerability.

Analysis showed that the developer is breaking into servers by brute-forcing Remote Desktop passwords. While there is still no software available to decrypt the new version of DXXD, it is advised to reset passwords on all affected machines.
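Because the initial access is a Remote Desktop password brute force, the attack is visible in the Windows Security log well before any file is encrypted. The script below is an added example of that detection, not code from the article: it counts failed RDP logons per source address inside a sliding window and then lists the accounts that logged in successfully from a flagged source, which are the passwords to reset first. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are documented Windows values; the one-line text layout of the sample log is a constructed simplification, not a real export.

```python
"""Flag RDP password brute forcing from Windows Security log events and
list accounts that were successfully logged in from a flagged source."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
RDP_LOGON_TYPE = 10           # RemoteInteractive
THRESHOLD = 5                 # failures from one source inside WINDOW
WINDOW = timedelta(minutes=5)

# Constructed sample log (addresses are documentation ranges), one event per line.
SAMPLE_LOG = """\
2016-10-10T02:00:01 EventID=4625 LogonType=10 User=administrator Source=198.51.100.7
2016-10-10T02:00:03 EventID=4625 LogonType=10 User=administrator Source=198.51.100.7
2016-10-10T02:00:05 EventID=4625 LogonType=10 User=admin Source=198.51.100.7
2016-10-10T02:00:06 EventID=4625 LogonType=10 User=backup Source=198.51.100.7
2016-10-10T02:00:08 EventID=4625 LogonType=10 User=administrator Source=198.51.100.7
2016-10-10T02:00:09 EventID=4625 LogonType=10 User=administrator Source=198.51.100.7
2016-10-10T02:01:30 EventID=4624 LogonType=10 User=administrator Source=198.51.100.7
2016-10-10T09:15:00 EventID=4625 LogonType=10 User=jdoe Source=10.0.0.24
2016-10-10T09:15:40 EventID=4624 LogonType=10 User=jdoe Source=10.0.0.24
"""


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with typed fields."""
    ts, *pairs = line.split()
    ev = dict(pair.split("=", 1) for pair in pairs)
    ev["time"] = datetime.fromisoformat(ts)
    ev["EventID"] = int(ev["EventID"])
    ev["LogonType"] = int(ev["LogonType"])
    return ev


def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (alerts, compromised): alerts maps a source address to its failure
    count and the start of the burst; compromised is the set of accounts that
    later logged in successfully from a flagged source."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    rdp = [e for e in events if e["LogonType"] == RDP_LOGON_TYPE]

    failures = defaultdict(list)
    for e in rdp:
        if e["EventID"] == FAILED_LOGON:
            failures[e["Source"]].append(e["time"])

    alerts = {}
    for src, times in failures.items():
        times.sort()
        # Sliding window: any `threshold` consecutive failures within `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts[src] = {"failures": len(times), "first": times[i]}
                break

    # A success from a flagged source after its burst began is a likely compromise.
    compromised = set()
    for e in rdp:
        if (e["EventID"] == SUCCESS_LOGON and e["Source"] in alerts
                and e["time"] >= alerts[e["Source"]]["first"]):
            compromised.add(e["User"])
    return alerts, compromised


if __name__ == "__main__":
    alerts, compromised = detect_rdp_bruteforce(SAMPLE_LOG)
    for src, info in alerts.items():
        print(f"brute force from {src}: {info['failures']} failures starting {info['first']}")
    print("reset passwords for:", sorted(compromised))
```

In the sample, 198.51.100.7 produces six failures in eight seconds and then a successful logon as administrator, so that account is listed for reset, while the single typo by jdoe from an internal address is ignored. Tune `THRESHOLD` and `WINDOW` to the environment's normal failure rate, and remember that resetting only the one account that was seen succeeding is not enough if the attacker has already created others.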

Back in August, a ransomware variant called 'FairWare' was seen attacking Linux web servers by deleting every file. The developers then demand money, threatening otherwise to leak the files onto the internet.

Source and Image: Bleeping Computer via Graham Cluley
