A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network.

Originally released as HC6, victims began posting about it in the BleepingComputer forums towards the end of November. As this is a Python-to-exe executable, once the script was extracted, ID Ransomware creator Michael Gillespie was able to determine that it was decryptable and released a decryptor.

Unfortunately, a few days later, the ransomware developers released a new version called HC7 that was not decryptable. This is because they removed the hard-coded encryption key and instead switched to passing the key as a command line argument when the attackers run the ransomware executable. Thankfully, there may be a way to get around that as well so that victims can recover their keys.

Attackers spreading HC7 Ransomware in network using PsExec

Currently the attackers are hacking into exposed remote desktop services, and once inside, use PsExec to install the ransomware on other computers in the network. The use of PsExec is evident in the source code below, which specifically looks for the PsExec.exe and skips it from being encrypted.

Finding Files to Encrypt Source Code

As previously stated, when the attacker executes the ransomware they will provide the encryption key as a command line argument. This key is then used to encrypt files that match the following extensions with AES-256 encryption.

.001, .3fr, .3gp, .7z, .ARC, .DOT, .MYD, .MYI, .NEF, .PAQ, .SQLITE3, .SQLITEDB, .accdb, .aes, .ai, .apk, .arch00, .arw, .asc, .asf, .asm, .asp, .asset, .avi, .bar, .bay, .bc6, .bc7, .big, .bik, .biz, .bkf, .bkp, .blob, .bmp, .brd, .bsa, .cas, .cdr, .cer, .cfr, .cgm, .class, .cmd, .cpp, .cr2, .crt, .crw, .csr, .css, .csv, .d3dbsp, .das, .dazip, .db0, .dbf, .dbfv, .dch, .dcr, .der, .desc, .dif, .dip, .djv, .djvu, .dmp, .dng, .doc, .docb, .docm, .docx, .dotm, .dotx, .dwg, .dxg, .epk, .eps, .erf, .esm, .exe, .ff, .fla, .flv, .forge, .fos, .fpk, .frm, .fsh, .gdb, .gho, .gpg, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .hwp, .ibank, .ibd, .icxs, .indd, .itdb, .itl, .itm, .iwd, .iwi, .jar, .java, .jpeg, .jpg, .js, .kdb, .kdc, .key, .kf, .lay, .lay6, .layout, .lbf, .ldf, .litemod, .log, .lrf, .ltx, .lvl, .m2, .m3u, .m4a, .map, .max, .mcgame, .mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu, .mid, .mkv, .mlx, .mml, .mov, .mp3, .mpeg, .mpg, .mpqge, .mrwref, .ms11 (Security copy), .ncf, .nrw, .ntl, .ocx, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .otg, .ots, .ott, .p12, .p7b, .p7c, .pak, .pas, .pdd, .pdf, .pef, .pem, .pfx, .php, .pkpass, .pl, .png, .ppam, .ppsm, .ppsx, .ppt, .pptm, .pptx, .psd, .psk, .pst, .ptx, .py, .qcow2, .qdf, .qic, .r3d, .raf, .rar, .raw, .rb, .re4, .rgss3a, .rim, .rofl, .rtf, .rw2, .rwl, .sav, .sb, .sc2save, .sch, .sid, .sidd, .sidn, .sie, .sis, .sldm, .sldx, .slk, .slm, .snx, .sql, .sr2, .srf, .srt, .srw, .stc, .stw, .sum, .svg, .swf, .sxc, .sxm, .sxw, .syncdb, .t12, .t13, .tar, .tar.bz2, .tar.gz, .tax, .tbk, .tgz, .tif, .tiff, .tor, .txt, .unity3d, .uot, .upk, .upx, .vbs, .vdf, .vdi, .vfs0, .vmdk, .vmx, .vob, .vpk, .vpp_pc, .vtf, .w3x, .wav, .wb2, .wma, .wmo, .wmv, .wotreplay, .wpd, .wps, .x3f, .xf, .xlc, .xlk, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xlw, .xml, .xxx, .zip, .ztmp, wallet.dat

When the ransomware encrypts a file it will append the .GOTYA extension on the encrypted file's name. For example, the file test.jpg would be encrypted and renamed to test.jpg.GOTYA.

Encrypted Folder of Encrypted GOTYA Files

While encrypting a computer, the ransomware will create a ransom note named RECOVERY.txt in each folder that a file was encrypted. This ransom note will contain a bitcoin address, a victim ID, payment instructions, and an email address that the victim can use to contact the ransomware developer. This email address is m4zn0v@keemail.me. Currently, the ransom demands are $700 in BTC for one machine or $5,000 in BTC for all the infected computers on the network.

Ransom Note

The victim's ID is created by adding 9 to the computer name and then base64 encoding the result.

Generating the Victim ID

The bitcoin address included in the ransom note is randomly selected from one of 14 bitcoin addresses. These bitcoin addresses are listed at the end of this article.
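As an added triage example (not code from the article or from the HC7 sample), the script below ties the three artefacts described above together: it counts .GOTYA files per folder, parses each RECOVERY.txt for the bitcoin address and identity, and inverts the victim ID rule (computer name + "9", base64) to recover the host name; the identity in the article's note decodes under that rule to a host named USER-PC0. The sample directory tree is constructed inline.

```python
import base64
import re
import tempfile
from pathlib import Path

NOTE_NAME, ENC_EXT = "RECOVERY.txt", ".GOTYA"

def victim_id(computer_name: str) -> str:
    """HC7 victim ID as the article describes it: computer name + '9', base64-encoded."""
    return base64.b64encode((computer_name + "9").encode()).decode()

def hostname_from_victim_id(identity: str) -> str:
    """Invert victim_id() so a note found on a share can be tied back to a host."""
    raw = base64.b64decode(identity).decode()
    if not raw.endswith("9"):
        raise ValueError("identity does not follow the HC7 pattern")
    return raw[:-1]

def parse_note(text: str) -> dict:
    """Extract the bitcoin address, identity and decoded hostname from a RECOVERY.txt body."""
    addr = re.search(r"ADDRESS:\s*(\S+)", text)
    ident = re.search(r"IDENTITY:\s*(\S+)", text)
    return {"btc_address": addr.group(1) if addr else None,
            "identity": ident.group(1) if ident else None,
            "hostname": hostname_from_victim_id(ident.group(1)) if ident else None}

def triage(root: str) -> dict:
    """Count .GOTYA files per folder and parse every ransom note under root."""
    encrypted, notes = {}, {}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        folder = str(path.parent.relative_to(root))
        if path.name.endswith(ENC_EXT):
            encrypted[folder] = encrypted.get(folder, 0) + 1
        elif path.name == NOTE_NAME:
            notes[folder] = parse_note(path.read_text())
    return {"encrypted": encrypted, "notes": notes}

# Constructed sample tree; the note lines are the ones quoted in the article.
SAMPLE_NOTE = ("ALL YOUR FILES WERE ENCRYPTED.\n"
               "ADDRESS: 15aM71TGtRZRrY97vdGcDEZeJYBWZhf4FP\n"
               "AFTER PAYMENT SENT EMAIL m4zn0v@keemail.me\n"
               "ALONG WITH YOUR IDENTITY: VVNFUi1QQzA5\n")

def build_sample() -> str:
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "test.jpg.GOTYA").write_bytes(b"\x00" * 16)
    (root / "docs" / "budget.xlsx.GOTYA").write_bytes(b"\x00" * 16)
    (root / "docs" / NOTE_NAME).write_text(SAMPLE_NOTE)
    return str(root)
```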

The good news is that even though the encryption key is passed to the program as a command line argument, it may be possible to recover it using memory forensics.

Recovering the encryption key through memory forensics

While the encryption key is no longer hard-coded into the source of the ransomware, a security consultant named Ryan and his team were able to figure out how to recover it by taking a snapshot of the active memory and searching for the command line within it.

Extracted Command Line Arguments
Source: https://yrz.io/decrypting-hc7/

Ryan explains in a blog post how his team used a tool called Magnet Forensics RAM Capture utility to generate a snapshot of the computer's memory and write it to disk. They then used the Volatility framework to extract the required command line information from the memory snapshot.
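As an added illustration of the "search the memory snapshot for the command line" step (not Ryan's tooling and not Volatility itself), the function below carves command lines out of a raw memory image. The practical point it shows is that Windows stores a process's command line in its PEB as UTF-16LE, so an ASCII-only string search misses it. The executable name hc7.exe, the argument syntax (key as the last argument) and the embedded sample dump are all assumptions for the example.

```python
import random
import re

def carve_command_lines(dump: bytes, exe_name: str) -> list:
    """Return every command line in a raw memory dump that starts with exe_name.

    Windows keeps a process's command line in its PEB as UTF-16LE, so an
    ASCII-only search (what `strings` does by default) misses it; both
    encodings are tried and UTF-16LE hits are decoded back to text.
    """
    found = []
    # ASCII form: the exe name followed by printable bytes up to a NUL/control byte.
    ascii_pat = re.escape(exe_name.encode()) + rb"[\x20-\x7e]*"
    found += [m.group().decode() for m in re.finditer(ascii_pat, dump)]
    # UTF-16LE form: every printable char is followed by a 0x00 byte.
    wide_pat = re.escape(exe_name.encode("utf-16-le")) + rb"(?:[\x20-\x7e]\x00)*"
    found += [m.group().decode("utf-16-le") for m in re.finditer(wide_pat, dump)]
    return found

def recover_key(dump: bytes, exe_name: str):
    """Assumed argument syntax (the article does not show it): the key is the
    last whitespace-separated argument on the ransomware's command line."""
    for line in carve_command_lines(dump, exe_name):
        parts = line.split()
        if len(parts) >= 2:
            return parts[-1]
    return None

def build_sample_dump() -> bytes:
    """Constructed stand-in for a RAM capture: pseudo-random filler with one
    UTF-16LE command line embedded the way a PEB would hold it."""
    cmd = r"C:\Users\victim\hc7.exe S3cr3tK3y"  # hypothetical exe name and key
    filler = random.Random(1).randbytes(4096)
    return filler + cmd.encode("utf-16-le") + b"\x00\x00" + filler
```

On a real capture, Volatility's command-line plugin does the equivalent by walking each process's PEB rather than pattern-matching the whole image, so prefer it where a matching profile is available.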

Victims who recover their keys in this way can use Michael's HC6 decryptor to input the key and decrypt the files.

How to protect yourself from HC7 Ransomware

As the attackers are targeting remote desktop servers, it is important that all servers are behind a firewall and cannot be connected to unless the user is using a VPN. If you leave a remote desktop server directly connected to the Internet, it will be hacked at some point or another.

While good AV software and good computing habits are important for the well-being of any computer, as this infection is manually installed by the attacker, it is more important to get your computers out of their reach.

IOCs

Hashes:

81a0ecf7ebec8f86d8042e3a3dbd756f6b8992c6cf3b4f94a9026d0192153b85

Files:

RECOVERY.txt

Email Addresses:

m4zn0v@keemail.me

Ransom Note:

ALL YOUR FILES WERE ENCRYPTED. 
TO RESTORE THIS FILE, YOU MUST SEND $700 BTC for MASCHINE
OR $5,000 BTC FOR ALL NETWORK
ADDRESS: 15aM71TGtRZRrY97vdGcDEZeJYBWZhf4FP
AFTER PAYMENT SENT EMAIL m4zn0v@keemail.me
ALONG WITH YOUR IDENTITY: VVNFUi1QQzA5
NOT TO TURN OFF YOUR COMPUTER, UNLESS IT WILL BREAK

Bitcoin Addresses:
