Ransomware Roundup – 2022/06/16

Description

FortiGuard Labs has become aware of several ransomware strains that caught the public's attention for the week of June 13th, 2022. It is imperative to raise awareness about ransomware variants because infections can cause severe damage to organizations. This week's Ransomware Roundup Threat Signal covers Nyx, Solidbit, RobbinHood and HelloXD ransomware along with the Fortinet protections against them.



What is Nyx ransomware?

Nyx is a recently discovered double-extortion ransomware. It steals data from the victim, encrypts files on the compromised machine, and then demands a ransom in exchange for file recovery and for not leaking the stolen information to the public. It leaves a ransom note in a file called READ_ME.txt that includes the victim's unique ID, the attacker's contact email address, and a secondary email address the victim should use if the attacker does not respond within 48 hours of the first email being sent.



Nyx ransomware's ransom note


The ransomware adds the following file extension to the files it encrypts:

[victim's unique ID].[the attacker's primary contact email].NYX



Files encrypted by Nyx ransomware


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against Nyx ransomware:

W32/Filecoder.NHQ!tr.ransom



What is Solidbit ransomware?

Solidbit is a ransomware that encrypts files on the compromised machine and demands a ransom from the victim for file recovery.


Solidbit ransomware's lock screen

Solidbit ransomware drops a ransom note in a file named RESTORE-MY-FILES.txt, which includes the victim's decryption ID and the address of Solidbit's own TOR site, which the victim is asked to visit to contact the attacker.



Solidbit ransomware's ransom note


The TOR site offers free decryption of a file (up to a maximum file size of 1MB) to prove that decryption works properly. The Solidbit threat actor also provides chat support for victims.


Solidbit ransomware's TOR site


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against Solidbit ransomware:

MSIL/Filecoder.APU!tr.ransom



What is RobbinHood ransomware?

RobbinHood is a ransomware that has been in the wild since at least 2019. It is covered in this week's ransomware roundup because a report recently surfaced that it was responsible for infecting an auto parts manufacturer in February 2022, which resulted in the shutdown of its factories.

Written in Golang, RobbinHood is a simple ransomware that encrypts files on the compromised machine and demands a ransom for decrypting the affected files. A typical RobbinHood ransom note contains the attacker's bitcoin address and asks the victim to pay the ransom within 3 to 4 days, depending on the ransomware variant. The attacker warns that the ransom amount increases by $10,000 each day if the payment is not made within the specified window. Some RobbinHood ransom notes also state that the victim's keys will be deleted after 10 days, making file recovery impossible, in order to add pressure on the victim to pay. The attacker also asks the victim not to contact law enforcement or security vendors.

Known file extensions that RobbinHood ransomware adds to encrypted files include ".enc_robbin_hood" and ".rbhd".

It also deletes shadow copies, which makes file recovery difficult.
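Shadow-copy deletion, which the roundup reports for RobbinHood here and for HelloXD further down, is one of the more reliable early signals of a ransomware run because it happens before encryption starts. The following added example (not FortiGuard code, and not taken from either ransomware sample) runs a few well-known shadow-copy deletion patterns over constructed process-creation events. The JSON-lines layout with `ts`, `host`, `parent` and `cmd` fields is an assumption for the demo; the roundup does not state which of these commands the two families actually execute, so adapt the patterns to your own EDR or Sysmon export.

```python
"""Flag shadow-copy deletion in process-creation logs (added example)."""
import json
import re
from typing import Dict, List

# Canonical ways to delete Volume Shadow Copies on Windows (ATT&CK T1490).
# Which of these RobbinHood or HelloXD use is not stated in the roundup.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
    re.compile(r"Win32_ShadowCopy\b.*\b(Delete|Remove-WmiObject)\b", re.IGNORECASE),
]

# Constructed sample events; the field layout is an assumption, not a vendor format.
SAMPLE_LOG = r"""
{"ts": "2022-06-14T09:12:01Z", "host": "WS-017", "parent": "explorer.exe", "cmd": "C:\\Windows\\System32\\notepad.exe C:\\Users\\alice\\notes.txt"}
{"ts": "2022-06-14T09:13:44Z", "host": "WS-017", "parent": "unknown.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2022-06-14T09:13:45Z", "host": "WS-017", "parent": "unknown.exe", "cmd": "wmic shadowcopy delete"}
{"ts": "2022-06-14T09:15:00Z", "host": "WS-017", "parent": "cmd.exe", "cmd": "vssadmin list shadows"}
{"ts": "2022-06-14T09:16:10Z", "host": "SRV-02", "parent": "powershell.exe", "cmd": "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"}
{"ts": "2022-06-14T09:17:00Z", "host": "SRV-02", "parent": "services.exe", "cmd": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse one JSON object per non-empty line into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line matches any known shadow-copy deletion pattern.
    Listing shadows ("vssadmin list shadows") is deliberately not flagged."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def find_shadow_deletions(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events whose command line deletes shadow copies."""
    return [e for e in events if is_shadow_copy_deletion(e.get("cmd", ""))]


def summarize_by_host(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged events per host so the triage view shows where to look first."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e["host"]] = counts.get(e["host"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_shadow_deletions(parse_events(SAMPLE_LOG))
    for e in flagged:
        print(f"{e['ts']} {e['host']} parent={e['parent']} cmd={e['cmd']}")
    print("per host:", summarize_by_host(flagged))
```

In practice the flagged events are most useful when correlated with what follows: a burst of file renames to a new extension within minutes of a shadow-copy deletion on the same host is a far stronger indicator than either signal alone.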


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against RobbinHood ransomware:

W32/Robin.AB!tr.ransom
W32/Robin.A!tr
W32/RobbinHood.A!tr.ransom
W32/RobbinHood.A!tr
W32/Ransom_Win32_ROBBINHOOD.SM
W32/Filecoder_RobbinHood.D!tr.ransom
W32/Filecoder_RobbinHood.D!tr
W32/Filecoder_RobbinHood.C!tr
W32/Filecoder_RobbinHood.B!tr.ransom
W32/Filecoder_RobbinHood.B!tr
W32/Filecoder_RobbinHood.A!tr



What is HelloXD ransomware?

HelloXD is a ransomware that targets both Windows and Linux systems. It has been in the wild since at least November 2021 and typically comes with a logo depicting a red face with horns.



HelloXD ransomware logo


To inhibit file recovery, it deletes shadow copies before encrypting files. After files are encrypted, it drops a ransom note named "Hello.txt", which contains a unique personal ID for the victim, a Tox chat ID to contact the attacker, and instructions to download and install Tox. The note also states that the ransom must be paid within 96 hours of the infection or the ransom amount will increase. Files encrypted by HelloXD have a ".hello" file extension.
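The file-based artifacts listed across this roundup (ransom note names, fixed extensions such as ".rbhd" and ".hello", and Nyx's "[victim ID].[attacker email].NYX" suffix) are the quickest things to sweep for on a file share after an incident. The following added example (not FortiGuard code) walks a directory tree, attributes each hit to a family using only the names and extensions given in the roundup text, and parses Nyx-encrypted file names back into the original name, victim ID and attacker contact address. The Nyx victim-ID character set, the sample file names and the directory layout are constructed for the demo.

```python
"""Sweep a directory tree for the ransomware artifacts named in this roundup (added example)."""
import os
import re
import tempfile
from typing import Dict, List, Optional

# Ransom note file names from the roundup, lower-cased for matching.
RANSOM_NOTES = {
    "read_me.txt": "Nyx",
    "restore-my-files.txt": "Solidbit",
    "hello.txt": "HelloXD",
}

# Fixed extensions the roundup reports being appended to encrypted files.
ENCRYPTED_EXTENSIONS = {
    ".enc_robbin_hood": "RobbinHood",
    ".rbhd": "RobbinHood",
    ".hello": "HelloXD",
}

# Nyx appends "<victim ID>.<attacker email>.NYX". The victim-ID character set
# (anything without a dot or whitespace) is an assumption for this demo.
NYX_SUFFIX = re.compile(
    r"\.(?P<victim_id>[^.\s]+)\.(?P<email>[^.@\s]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\.NYX$",
    re.IGNORECASE,
)


def parse_nyx_name(name: str) -> Optional[Dict[str, str]]:
    """Split a Nyx-encrypted file name into original name, victim ID and contact email."""
    m = NYX_SUFFIX.search(name)
    if m is None:
        return None
    return {"original": name[: m.start()], "victim_id": m.group("victim_id"), "email": m.group("email")}


def classify_name(name: str) -> Optional[str]:
    """Return the family a file name points to, or None if it matches nothing.
    A lone note name (e.g. a benign Hello.txt) is weak evidence; weigh it with extension hits."""
    lowered = name.lower()
    if parse_nyx_name(name) is not None:
        return "Nyx"
    for ext, family in ENCRYPTED_EXTENSIONS.items():
        if lowered.endswith(ext):
            return family
    return RANSOM_NOTES.get(lowered)


def sweep(root: str) -> Dict[str, object]:
    """Walk `root`, tally hits per family, list ransom notes and collect Nyx contact data."""
    hits: Dict[str, int] = {}
    notes: List[str] = []
    nyx_contacts: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            family = classify_name(fname)
            if family is None:
                continue
            hits[family] = hits.get(family, 0) + 1
            if fname.lower() in RANSOM_NOTES:
                notes.append(os.path.join(dirpath, fname))
            parsed = parse_nyx_name(fname)
            if parsed is not None:
                nyx_contacts.append(parsed)
    return {"hits": hits, "notes": notes, "nyx_contacts": nyx_contacts}


def build_sample_tree(root: str) -> None:
    """Create a constructed set of files imitating each family's artifacts (demo only)."""
    layout = {
        "finance": ["q1.xlsx.ABCD1234.attacker@example.com.NYX", "READ_ME.txt"],  # constructed Nyx names
        "hr": ["payroll.docx.rbhd", "roster.pdf.enc_robbin_hood"],
        "eng": ["design.vsd.hello", "Hello.txt", "notes.txt"],  # notes.txt is benign
        "sales": ["RESTORE-MY-FILES.txt"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("placeholder\n")


def demo() -> Dict[str, object]:
    """Build the constructed tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    result = demo()
    for family, count in sorted(result["hits"].items()):
        print(f"{family}: {count} artifact(s)")
    for c in result["nyx_contacts"]:
        print(f"Nyx victim ID {c['victim_id']} / contact {c['email']} / original {c['original']}")
```

Point `sweep()` at a mounted (read-only) copy of the affected share rather than the live host; the victim ID and contact address recovered from Nyx file names are the values to record as indicators and compare against the ransom note.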

Some HelloXD ransomware samples reportedly deploy MicroBackdoor, an open-source backdoor, to the compromised machine. The backdoor lets the attackers keep a foothold on the victim's machine and is unlikely to be removed even if a ransom payment is made.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against HelloXD ransomware:


W32/Filecoder_Hello.C!tr
W64/Filecoder_Hello.C!tr
W64/Filecoder_Hello.A!tr.ransom
MSIL/Filecoder.2362!tr.ransom
W32/GenKryptik.FPIJ!tr
W64/CoinMiner.EJER!tr
W32/PossibleThreat



Anything Else to Note?

Victims of ransomware are cautioned against paying ransoms by organizations such as CISA, NCSC, the FBI, and HHS. Payment does not guarantee that files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities, which could potentially be illegal according to an advisory from the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC).