Updated 10/15/16: Included info about the decryptor.

Since the end of September, the DXXD Ransomware has been targeting servers and encrypting their files. In the past, Michael Gillespie was able to create a decryptor based on the encrypted files that were submitted to his ID-Ransomware service, but this was short lived when the developer modified the encryption algorithm.

The good news, is that when we received the sample of DXXD, Michael Gillespie was able to create a decryptor for this new variant. This decryptor was  being distributed to victims privately in order to prevent the ransomware developer from learning the weaknesses in their encryption method. If you are encrypted by the DXDD ransomware, you can register an account and reply to the DXXD Help and Support topic to receive help.

In general, there is nothing that makes this ransomware stand out other than an interesting way to display the ransom note. Typically, a ransomware will create various ransom notes and sprinkle them around the computer. In addition to this, the DXXD ransomware also modifies a Windows registry key so that it displays a ransom note before a user logs into Windows.

DXXD Ransomware displays a Ransom Note before Logging in to Windows.

When this ransomware encrypts a computer, it will append dxxd to any encrypted files and also creates ransom notes called ReadMe.txt. This ransom note contains instructions for the victims to contact rep_stosd@protonmail.com or rep_stosd@tuta.io for payment instructions. It should also be noted that this ransomware will search out and encrypt files on network shares, even if they are not mapped to the infected computer.

Encrypted Files

What is interesting about this ransomware is that it also configures a Windows Registry setting that is used to display a legal notice when people log into a computer.  By configuring these registry keys, the ransomware developer knows that any a user who tries to login to the server will see the ransom note. 

An example of the configured Legal Notice can be seen below.

DXXD Legal Notice
DXXD Legal Notice

This ransom note is shown by configuring the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText Registry values.  Once these settings are configured, if a user tries to login to the computer, this message will be shown before a user sees the login prompt.

Malware developers join BC Forum to taunt Helpers

On October 6th, a few days after the encryption algorithm was changed, the developer registered an account on BlepingComputer.com to taunt the victims and researchers that he created a new version that was harder to decrypt.

When asked about his hacking into servers he claimed that he was using a new zero day vulnerability.

Based on information discovered, I believe that the ransomware developer is hacking into servers using Remote Desktop Services and brute forcing passwords. If you have been affected by the DXXD Ransomware, you should reset all the passwords for the affected machine.

What's next?

Researchers are currently analyzing the sample and looking for weaknesses. If one can be found, a decryptor will be released for free. Therefore, if anyone is affected by the DXXD Ransomware, do not pay the ransom.

Instead, please register an account and reply to the DXXD Help and Support topic so that you will be notified if a decryptor is released.


Files Associated with the DXXD Ransomware:

ReadMe.txt

Registry Entries associated with the DXXD Ransomware:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption	"Microsoft Windows Security Center. Dear Administrator, Your server hacked. For more informations and recommendations, write to our experts by e-mail: rep_stosd@protonmail.com or rep_stosd@tuta.io"	

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText	"When you start Windows, Windows Defender works to help protect your PC by scanning for malicious or unwanted software."

Email addresses associated with the DXXD Ransomware:

rep_stosd@protonmail.com
rep_stosd@tuta.io