Updated 10/15/16: Included info about the decryptor.
Since the end of September, the DXXD Ransomware has been targeting servers and encrypting their files. In the past, Michael Gillespie was able to create a decryptor based on the encrypted files that were submitted to his ID-Ransomware service, but this was short-lived, as the developer then modified the encryption algorithm.
The good news is that when we received the sample of DXXD, Michael Gillespie was able to create a decryptor for this new variant. This decryptor was being distributed to victims privately in order to prevent the ransomware developer from learning the weaknesses in their encryption method. If you are encrypted by the DXXD ransomware, you can register an account and reply to the DXXD Help and Support topic to receive help.
In general, there is nothing that makes this ransomware stand out other than an interesting way to display the ransom note. Typically, a ransomware will create various ransom notes and sprinkle them around the computer. In addition to this, the DXXD ransomware also modifies a Windows registry key so that it displays a ransom note before a user logs into Windows.
DXXD Ransomware displays a Ransom Note before Logging in to Windows.
When this ransomware encrypts a computer, it will append dxxd to any encrypted files and also creates ransom notes called ReadMe.txt. This ransom note contains instructions for the victims to contact rep_stosd@protonmail.com or rep_stosd@tuta.io for payment instructions. It should also be noted that this ransomware will search out and encrypt files on network shares, even if they are not mapped to the infected computer.

What is interesting about this ransomware is that it also configures a Windows Registry setting that is normally used to display a legal notice when people log into a computer. By configuring these registry values, the ransomware developer ensures that any user who tries to log in to the server will see the ransom note.
An example of the configured Legal Notice can be seen below.

This ransom note is shown by configuring the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText Registry values. Once these values are set, any user who tries to log in to the computer is shown this message before the login prompt appears.
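As an added defender-side example that is not part of the original article, the following PowerShell audits the two Winlogon values named above for ransom-style content and can clear them once the incident has been documented. The pattern list is my own assumption, and the script is assumed to run in an elevated session on the affected server.

```powershell
# Audit the Winlogon legal-notice values that DXXD abuses to show its ransom note.
# Assumption: run elevated on the affected server; patterns below are illustrative.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$SuspiciousPatterns = @(
    '[\w.+-]+@[\w-]+\.[\w.]+',   # any e-mail address inside a logon banner
    'server hacked',
    'rep_stosd'                   # handle used in the DXXD notes described in the article
)

function Test-LegalNoticeTamper {
    param([string]$Key = $WinlogonKey)
    $props  = Get-ItemProperty -Path $Key -ErrorAction Stop
    $result = [ordered]@{
        Caption    = $props.LegalNoticeCaption
        Text       = $props.LegalNoticeText
        Suspicious = $false
        Hits       = @()
    }
    foreach ($value in @($result.Caption, $result.Text)) {
        if ([string]::IsNullOrEmpty($value)) { continue }   # no banner configured
        foreach ($pattern in $SuspiciousPatterns) {
            # -match is case-insensitive; $Matches holds the text that matched
            if ($value -match $pattern) {
                $result.Suspicious = $true
                $result.Hits += $Matches[0]
            }
        }
    }
    return [pscustomobject]$result
}

function Clear-LegalNotice {
    param([string]$Key = $WinlogonKey)
    # Empty strings restore the default: no banner before the logon prompt.
    Set-ItemProperty -Path $Key -Name LegalNoticeCaption -Value ''
    Set-ItemProperty -Path $Key -Name LegalNoticeText    -Value ''
}

$audit = Test-LegalNoticeTamper
if ($audit.Suspicious) {
    Write-Warning "Logon banner looks tampered with: $($audit.Hits -join '; ')"
    # A legitimate corporate banner can also contain an e-mail address, so review
    # the hits before clearing. Uncomment once the evidence has been preserved:
    # Clear-LegalNotice
} else {
    Write-Output 'No ransom-style content found in the Winlogon legal notice.'
}
```

Clearing the banner only removes the visible note; the encrypted files and the credentials used to reach the server still need to be dealt with separately.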
Malware developers join BC Forum to taunt Helpers
On October 6th, a few days after the encryption algorithm was changed, the developer registered an account on BleepingComputer.com to taunt the victims and researchers, claiming that he had created a new version that was harder to decrypt.

When asked about how he was hacking into servers, he claimed that he was using a new zero-day vulnerability.

Based on information discovered, I believe that the ransomware developer is hacking into servers using Remote Desktop Services and brute forcing passwords. If you have been affected by the DXXD Ransomware, you should reset all the passwords for the affected machine.
What's next?
Researchers are currently analyzing the sample and looking for weaknesses. If one can be found, a decryptor will be released for free. Therefore, if anyone is affected by the DXXD Ransomware, do not pay the ransom.
Instead, please register an account and reply to the DXXD Help and Support topic so that you will be notified if a decryptor is released.
Files Associated with the DXXD Ransomware:
ReadMe.txt
Registry Entries associated with the DXXD Ransomware:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption "Microsoft Windows Security Center. Dear Administrator, Your server hacked. For more informations and recommendations, write to our experts by e-mail: rep_stosd@protonmail.com or rep_stosd@tuta.io"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText "When you start Windows, Windows Defender works to help protect your PC by scanning for malicious or unwanted software."
Email addresses associated with the DXXD Ransomware:
rep_stosd@protonmail.com
rep_stosd@tuta.io
Comments
Jman005 - 8 years ago
Any ways to prevent this?
Lawrence Abrams - 8 years ago
Strong passwords and change remote desktop port to something other than 3389
Viper_Security - 8 years ago
Seems like people who write these things can't spell or do not know their grammar. lmao
"for more informations" lolol
xXToffeeXx - 8 years ago
They are not native speakers and often use Google translate, so that is why.
Demonslay335 - 8 years ago
DXXD2 is cracked, victims may contact me for private assistance. :)
JohnnyJammer - 8 years ago
"DXXD2 is cracked, victims may contact me for private assistance. :)"
LOL Good work mate, that didn't take long.
Hope the skid sees this.
Viper_Security - 8 years ago
It normally doesn't take long when one uses someone else's ransomware haha, matter of fact, it seems like he used the ransomware-as-a-service thing whose name has changed about twice now.
lol GJ!
Angoid - 8 years ago
Send him a PM :)
Ryan87 - 8 years ago
Good Job!! :)
horsefilms - 8 years ago
Nice work and thanks for all you do!
LeonK - 8 years ago
And if you have a TS exposed to the net, at least use TSBlock or similar to prevent brute force attacks!
kolobyte - 8 years ago
Lol... extremely easy to decrypt. I wrote a decrypter: https://github.com/eugenekolo/dxxd-decrypter
Demonslay335 - 8 years ago
We've been distributing the updated decrypter to victims in private for free since the day this article was released. Yes, it is easy to decrypt. However, we do not want the author to promptly update his code by us publicizing how it is decrypted... that is why victims have been encouraged to contact us.
atul1201 - 7 years ago
We've been infected on multiple servers...Please help!