A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network.
Originally released as HC6, victims began posting about it in the BleepingComputer forums towards the end of November. As this is a Python-to-exe executable, once the script was extracted ID Ransomware creator Michael Gillespie was able to determine that it was decryptable and released a decryptor.
Unfortunately, a few days later, the ransomware developers released a new version called HC7 that was not decryptable. This is because they removed the hard-coded encryption key and instead switched to passing the key as a command line argument when the attackers run the ransomware executable. Thankfully, there may be a way to get around that as well so that victims can recover their keys.
Currently the attackers are hacking into exposed remote desktop services and, once inside, use PsExec to install the ransomware on other computers in the network. The use of PsExec is evident in the source code below, which specifically looks for PsExec.exe and excludes it from encryption.
As previously stated, when the attacker executes the ransomware they will provide the encryption key as a command line argument. This key is then used to encrypt files that match the following extensions with AES-256 encryption.
.001, .3fr, .3gp, .7z, .ARC, .DOT, .MYD, .MYI, .NEF, .PAQ, .SQLITE3, .SQLITEDB, .accdb, .aes, .ai, .apk, .arch00, .arw, .asc, .asf, .asm, .asp, .asset, .avi, .bar, .bay, .bc6, .bc7, .big, .bik, .biz, .bkf, .bkp, .blob, .bmp, .brd, .bsa, .cas, .cdr, .cer, .cfr, .cgm, .class, .cmd, .cpp, .cr2, .crt, .crw, .csr, .css, .csv, .d3dbsp, .das, .dazip, .db0, .dbf, .dbfv, .dch, .dcr, .der, .desc, .dif, .dip, .djv, .djvu, .dmp, .dng, .doc, .docb, .docm, .docx, .dotm, .dotx, .dwg, .dxg, .epk, .eps, .erf, .esm, .exe, .ff, .fla, .flv, .forge, .fos, .fpk, .frm, .fsh, .gdb, .gho, .gpg, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .hwp, .ibank, .ibd, .icxs, .indd, .itdb, .itl, .itm, .iwd, .iwi, .jar, .java, .jpeg, .jpg, .js, .kdb, .kdc, .key, .kf, .lay, .lay6, .layout, .lbf, .ldf, .litemod, .log, .lrf, .ltx, .lvl, .m2, .m3u, .m4a, .map, .max, .mcgame, .mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu, .mid, .mkv, .mlx, .mml, .mov, .mp3, .mpeg, .mpg, .mpqge, .mrwref, .ms11 (Security copy), .ncf, .nrw, .ntl, .ocx, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .otg, .ots, .ott, .p12, .p7b, .p7c, .pak, .pas, .pdd, .pdf, .pef, .pem, .pfx, .php, .pkpass, .pl, .png, .ppam, .ppsm, .ppsx, .ppt, .pptm, .pptx, .psd, .psk, .pst, .ptx, .py, .qcow2, .qdf, .qic, .r3d, .raf, .rar, .raw, .rb, .re4, .rgss3a, .rim, .rofl, .rtf, .rw2, .rwl, .sav, .sb, .sc2save, .sch, .sid, .sidd, .sidn, .sie, .sis, .sldm, .sldx, .slk, .slm, .snx, .sql, .sr2, .srf, .srt, .srw, .stc, .stw, .sum, .svg, .swf, .sxc, .sxm, .sxw, .syncdb, .t12, .t13, .tar, .tar.bz2, .tar.gz, .tax, .tbk, .tgz, .tif, .tiff, .tor, .txt, .unity3d, .uot, .upk, .upx, .vbs, .vdf, .vdi, .vfs0, .vmdk, .vmx, .vob, .vpk, .vpp_pc, .vtf, .w3x, .wav, .wb2, .wma, .wmo, .wmv, .wotreplay, .wpd, .wps, .x3f, .xf, .xlc, .xlk, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xlw, .xml, .xxx, .zip, .ztmp, wallet.dat
When the ransomware encrypts a file it will append the .GOTYA extension on the encrypted file's name. For example, the file test.jpg would be encrypted and renamed to test.jpg.GOTYA.
While encrypting a computer, the ransomware will create a ransom note named RECOVERY.txt in each folder in which a file was encrypted. This ransom note will contain a bitcoin address, a victim ID, payment instructions, and an email address that the victim can use to contact the ransomware developer. This email address is firstname.lastname@example.org. Currently, the ransom demands are $700 in BTC for one machine or $5,000 in BTC for all the infected computers on the network.
The victim's ID is created by appending 9 to the computer name and then base64-encoding the result.
The bitcoin address included in the ransom note will be randomly selected from 1 of 14 bitcoin addresses. These bitcoin addresses are listed at the end of this article.
The good news is that even though the encryption key is passed to the program as a command line argument, it may be possible to recover it using memory forensics.
While the encryption key is no longer hard-coded into the source of the ransomware, a security consultant named Ryan and his team were able to figure out how to recover it by taking a snapshot of the active memory and searching for the command line within it.
Ryan explains in a blog post how his team used Magnet Forensics' RAM Capture utility to generate a snapshot of the computer's memory and write it to disk. They then used the Volatility framework to extract the required command line information from the memory snapshot.
Victims who recover their keys in this way can use Michael's HC6 decryptor to input the key and decrypt the files.
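The recovery idea above (the key survives in RAM as part of the process command line) and the victim ID scheme described earlier, as an added example that is not the article's, Ryan's or Volatility's own code. Volatility walks each process's PEB to read its command line; this script instead does a cruder carve of UTF-16LE strings (the encoding Windows uses for command lines) from a raw capture, which also works on partial or damaged dumps. The dump contents, the executable name `hc7.exe` and the key value are all constructed placeholders, since the article names none of them.

```python
import base64
import re

# Constructed stand-in for a raw RAM capture. Windows keeps a process's command
# line in its PEB as UTF-16LE, so that is the encoding we search for.
# "hc7.exe" and the key are assumed placeholder values, not from the article.
SAMPLE_DUMP = (
    b"\x00" * 32
    + "C:\\Windows\\System32\\svchost.exe -k netsvcs".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\x13\x37" * 10                       # unrelated binary noise
    + '"C:\\Temp\\hc7.exe" Sup3rS3cretKey!2017'.encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
)


def carve_utf16_strings(data: bytes, min_len: int = 8):
    """Yield (offset, text) for runs of printable ASCII stored as UTF-16LE."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def recover_cmdline_args(data: bytes, exe_name: str):
    """Return [(offset, argument string)] for every carved command line that
    invokes exe_name. For HC7 the argument string is the encryption key."""
    hits = []
    for offset, text in carve_utf16_strings(data):
        idx = text.lower().find(exe_name.lower())
        if idx == -1:
            continue
        # Drop the closing quote of a quoted path, then keep what follows.
        args = text[idx + len(exe_name):].lstrip('"').strip()
        if args:
            hits.append((offset, args))
    return hits


def decode_victim_id(victim_id: str):
    """Undo the ID scheme the article describes: base64(computer name + '9').
    Returns (decoded string, computer name)."""
    decoded = base64.b64decode(victim_id).decode("ascii")
    name = decoded[:-1] if decoded.endswith("9") else decoded
    return decoded, name


if __name__ == "__main__":
    for off, args in recover_cmdline_args(SAMPLE_DUMP, "hc7.exe"):
        print(f"offset {off:#x}: candidate key argument {args!r}")
    print(decode_victim_id("VVNFUi1QQzA5"))  # ID from the sample ransom note
```

On a real capture, run the carve over the whole image file (read in binary mode) and treat every hit as a candidate to try in Michael's decryptor.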
As the attackers are targeting remote desktop servers, it is important that all servers are behind a firewall and cannot be connected to unless the user is using a VPN. If you leave a remote desktop server directly connected to the Internet, it will be hacked at some point or another.
While good AV software and good computing habits are important for the well-being of any computer, as this infection is manually installed by the attacker, it is more important to get your computers out of their reach.
ALL YOUR FILES WERE ENCRYPTED. TO RESTORE THIS FILE, YOU MUST SEND $700 BTC for MASCHINE OR $5,000 BTC FOR ALL NETWORK ADDRESS: 15aM71TGtRZRrY97vdGcDEZeJYBWZhf4FP AFTER PAYMENT SENT EMAIL email@example.com ALONG WITH YOUR IDENTITY: VVNFUi1QQzA5 NOT TO TURN OFF YOUR COMPUTER, UNLESS IT WILL BREAK
1JFjQ8JA6d5QYVXYijUkpx2eBFTgyz77ch 1FhvGZeUDGr4a6EshsgBr1wXpgom547wCK 1FcVZiLC6w5eARhmRhtAifyrRgudG9kfJ 1PE9ryU3Zp5k42TbQPBi6YA9tURrsPr7J9 1GgzdjARzVYvaUNNL66LQfNPqCVbfFYmKM 1M4RY6Q3vXhjtvGwRBkD2bqV9HdnJ5QSBS 1NYeBBMrHgPpbLC7ExXqCx7wzfpeUcADs6 1NYaVPJGEFzwCzYsvp5swNTDiU2so1BvKx 14QQ9RAcAMyFQWnPTWt2JedsHYG6GUupAk 1G7sCE1rSKZh4kif6a8hLU1fSn3sxg8Yp5 1B8G2L24xbn1sDbPurUNGMXwZWFgVXuYQv 15aM71TGtRZRrY97vdGcDEZeJYBWZhf4FP 15PbYxKuH8KNdxzUeuXqr5VctuKQxdEPeE 19AyaPNbimiCgNbCFQ2fWCw5ArySB1SCAi