- Oct 23, 2012
The group behind the Wildfire ransomware doesn't seem to have lost interest in the malware scene after security researchers cracked their first ransomware's encryption scheme at the end of August and destroyed their operation.
In fact, it appears that the group spent all last month working on a new version, which at the time of writing doesn't feature the same coding flaw that allowed Kaspersky and McAfee researchers to create a free decrypter.
This new version, rebranded as the Hades Locker, is distributed via spam email, courtesy of the massive Kelihos botnet.
Security researcher Michael Gillespie detected the first version of this threat on October 4 when a Hades Locker victim uploaded a copy of the ransomware's ransom note on the ID Ransomware service.
Hades Locker mimics Locky's UI
Analysis by Bleeping Computer and Proofpoint reveals a lot of similarities with the original Wildfire ransomware, except the graphical user interface, which now uses a ransom note and desktop wallpaper similar to the ones utilized by the more deadly and well-known Locky ransomware.
Hades Locker works by encrypting user files with AES and then appending the "~HLH6215" extension to each encrypted file's name.
If users don't have copies or backups to restore their files, Hades Locker authors request a $600 / €500 / £400 payment in Bitcoin via a website hosted on the Dark Web, accessible only over the Tor Browser.
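The extension and the AES encryption described above give a responder two cheap triage signals: a filename match and the near-maximal byte entropy of ciphertext. The following is an added example, not code from the article or from any of the researchers it cites. It assumes the extension is appended after a dot separator (".~HLH6215"), builds a small constructed directory tree, and flags files that carry the extension, using Shannon entropy of the first 4 KiB to separate genuinely encrypted files from renamed-only decoys.

```python
import math
import os
import tempfile
from pathlib import Path

# Extension the article reports Hades Locker appending to encrypted files.
# The leading dot as separator is an assumption of this example.
HADES_EXT = ".~HLH6215"
# AES ciphertext approaches 8.0 bits/byte; plain documents sit well below 7.0.
ENTROPY_THRESHOLD = 7.0
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_for_hades_locker(root):
    """Walk `root`; return {path: (entropy, verdict)} for files with HADES_EXT.

    verdict is "likely-encrypted" when the leading bytes look like ciphertext,
    otherwise "extension-only" (e.g. a renamed but untouched file).
    """
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(HADES_EXT):
                continue
            path = Path(dirpath) / name
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            ent = shannon_entropy(head)
            verdict = "likely-encrypted" if ent >= ENTROPY_THRESHOLD else "extension-only"
            hits[str(path)] = (round(ent, 2), verdict)
    return hits


def build_constructed_sample(root):
    """Create a constructed test tree (not a real infection artefact):
    one 'encrypted' file (random bytes stand in for AES output), one decoy that
    carries the extension but still holds plain text, and one untouched file."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / ("report.docx" + HADES_EXT)).write_bytes(os.urandom(8192))
    (root / "docs" / ("memo.txt" + HADES_EXT)).write_bytes(
        b"The quarterly figures are attached.\n" * 100)
    (root / "docs" / "notes.txt").write_bytes(b"nothing to see here\n")


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return {filename: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        hits = scan_for_hades_locker(tmp)
        return {Path(p).name: verdict for p, (_, verdict) in hits.items()}


if __name__ == "__main__":
    for name, verdict in sorted(run_demo().items()):
        print(f"{verdict:17s} {name}")
```

The entropy check matters in practice: a renamed-only file (or a file a user renamed while experimenting) is recoverable by stripping the extension, whereas a high-entropy file is real ciphertext and only a backup or a decrypter will bring it back. Run the scan against a suspect share before deciding how much has actually been lost.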
Hades Locker spread via the Kelihos botnet
Wildfire, previously also known as Zyklon, targeted only Dutch and Belgian users. Currently, it is unknown if Hades Locker targets users in those two countries alone, or if it has gone global.
The Kelihos botnet, used to distribute both Hades Locker and Wildfire, has also been employed to spread other ransomware families such as CryptFile2 and MarsJoke. These two ransomware families have targeted local and state government agencies in the US, along with K-12 educational institutions.