Malware News DXXD Ransomware Shows Ransom Note Using Windows Legal Notice Screen

Exterminator

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
A new ransomware that goes by the name of DXXD uses the Windows Legal Notice screen to show a ransom note even before the user logs on his computer.

The Windows Legal Notice screen is an intermediary screen that appears before the Windows login form and as its name hints, is there for the purpose of showing various types of legal notices and other messages before a user can use the PC.

This is the first time a ransomware author has used the Legal Notice screen to show a ransom note, but won't be the last.

A very efficient way of delivering a ransom note
While users can dismiss the notice by pressing the "Ok" button, the screen does its job and gets the user's attention.

Users that encounter these screens and then log on their computers will find some of their files encrypted by the DXXD ransomware, a new threat that appeared towards the end of September.

Besides the obvious Legal Notice message, which appears because the ransomware added two registry keys to infected Windows PC, spotting the DXXD ransomware is easy because it appends the "dxxd" string to all of the user's encrypted files, with a file like "photo.png" becoming "photo.pngdxxd."

DXXD 2.0 released after researchers cracked the first version
DXXD is already at version 2.0 after security researcher Michael Gillespie cracked the ransomware at the start of the month and released a free decrypter on the Bleeping Computer forums.

Following the release of this tool, the author of the DXXD ransomware created a new ransomware version, which fixed the encryption flaw that allowed the decrypter to work.

In fact, the ransomware's author has created an account on the Bleeping Computer forums so he can taunt Gillespie that he defeated his decrypter. The author of the Apocalypse ransomware joined in taunting the researcher, showing his support for a fellow crook.

DXXD author claims he's in possession of a Windows 0-day
The DXXD author also tried to throw researchers off his tracks by claiming he infects computers using a zero-day RCE exploit that affects all Windows versions released between 1995 and 2016.


DXXD author posts on Bleeping Computer forums
This is highly unlikely, and a zero-day like this would be valued at millions of dollars, and most likely used for something more heinous than just installing shoddy ransomware.

Lawrence Abrams, Bleeping Computer founder, didn't buy in on this false flag. "Based on information discovered, I believe that the ransomware developer is hacking into servers using Remote Desktop Services and brute forcing passwords," Abrams says. "If you have been affected by the DXDD Ransomware, you should reset all the passwords for the affected machine."

Currently, there's no way to decrypt files locked by the DXXD 2.0 version. This is because researchers haven't had the opportunity to take a look at the source code of the DXXD 2.0 version just yet.

Victims of the DXXD ransomware are advised to not pay the ransom since researchers suspect they might be able to crack this version as well. Victims should get in contact with Gillespie or Abrams via the DXXD ransomware support topic on the Bleeping Computer forums.



Click to expand...
 
  • Like
Reactions: Dirk41, shukla44, askmark and 5 others
W

Wave

The DXXD author also tried to throw researchers off his tracks by claiming he infects computers using a zero-day RCE exploit that affects all Windows versions released between 1995 and 2016.
Click to expand...
I stopped believing/reading when I read this part - that is a pretty old vulnerability to be in an OS which has been in-development for so long. Windows 2000 was released on December 15 1999 and that introduced essentially what you can call "huge components" into Windows... It would have been more believable for the malware author to claim the vulnerability affected all Windows versions from Windows 2000 - Windows 10 as opposed to "all Windows versions related between 1995 and 2016"... And a lot has been re-implemented since then anyway.

Of course the malware author could have scrambled through the 15% of the Windows 2000 source code which was leaked back in 2004 but I highly doubt he would be able to do this - 15% is a lot of code considering the 100% was over 100 million lines of code and even if he had the time and dedication to do this to help him find potential vulnerabilities which still have not been fixed even today, I doubt he'd have the actual skill to implement them himself... (and consider all the new re-implementations, patch updates and newly introduced Windows features since then - the chances of what he is saying being true is very small).

He's most likely just talking complete rubbish. No, forget what I just said... He is definitely talking rubbish, guaranteed... Not most likely!

Give it some time and AV vendors will be able to implement dynamic identification for his ransomware (depending on the circumstances). For example, make an identification system based on the API call execution order (and parameter values) or just dynamically blocking access to do specific actions (such as abuse usage of the Windows Legal Notice Screen - reverse engineer the malicious sample to discover how he is doing it and then protect against it dynamically - via BB/HIPS features and the such).

Damn, this guy must be really knowledgeable... If he knew what he was really doing then there wouldn't have been a working existent decrypter for the encrypted files in the first place for his previous version/s of the ransomware.

When the researchers responsible for the first decryption program get hold of the new sample/s, they'll reverse engineer the samples and then find a way to reverse the encryption (unless the author has done things properly this time which hopefully he hasn't for the sake of the victims of the new ransomware release - but I doubt this will be the case because he is probably just a script kiddie fool).

@LabZero @DardiM
 
  • Like
Reactions: frogboy, shukla44, askmark and 4 others
DardiM

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Thanks for the share :)

"DXXD author claims he's in possession of a Windows 0-day"
That is right that it seems strange :rolleyes:
I really don't imagine a real "hacker" with this "Windows 0-day" create an account to claim that info...
It just seems a person ashamed because its first tool was defeated :D
 
  • Like
Reactions: frogboy, shukla44, Wave and 4 others
L

LabZero

Interesting the implementation of the ransom warning and funny enough the story of the old zero-day vulnerability.
For the rest, according to the analysis, it is a normal ransomware, nothing exceptional.
It seems that the malc0der is not just a genius, because, yes, if what he says were true, he would have earned much more money by sharing his discovery.:rolleyes:
 
  • Like
Reactions: Der.Reisende, DardiM, shukla44 and 2 others
You must log in or register to reply here.

Similar threads

lokamoka820
    • Like
Hot Take How to Safeguard Your Windows PC Against Ransomware
Replies
1
Views
148
General Security Discussions
Bot
Bot
Gandalf_The_Grey
    • Like
Malware News Meet Interlock — The new ransomware targeting FreeBSD servers
Replies
0
Views
355
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • +Reputation
    • Like
Malware News New SteelFox malware hijacks Windows PCs using vulnerable driver
Replies
0
Views
303
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top