HDDCryptor ransomware returns, now encrypts entire hard drives, not just single files

First spotted in January, security firm Trend Micro has seen an increase this month in the ransomware’s distribution campaign.
By Jessica Davis
01:58 PM

The newest surge in ransomware is drawing concern for its ability to encrypt entire hard drives. HDDCryptor, or Mamba, targets network resources such as folders, drives, files, serial ports and printers and then locks down the drive, according to security firm Trend Micro.

This differs vastly from the majority of ransomware families only able to target specific file types or folders on drives, removable media and networks.

Mamba is distributed through phishing email campaigns that redirect users to malicious websites, where the payload is downloaded in the background. It can also be added as a file dropped by other Malware, Trend Micro explained.

Learn on-demand, earn credit, find products and solutions. Get Started >>

The surge in recent activity appears to have begun in late August. However, it’s not a new ransomware strain. It was first discovered in January 2016, but didn’t receive attention from security researchers or vendors as it wasn’t part of a massive distribution campaign.

[Also: Ransomware: 88 percent of U.S. attacks hit healthcare entities]

HDDCryptor has the ability to find previously connected drives or cached disconnected network paths and connect it using all credentials using the tool netpass.exe, the Trend Micro Report found. It also adds a service called DefragmentService that runs at every boot, in the background.

After encryption, HDDCryptor rewrites all hard drive Master Boot Records with a custom boot loader. The computer reboots, without user input, and the ransomware note is displayed on the screen, the report found. Re-booting the computer is impossible, as it requires a decryption key.

The virus uses a hard-coded malware ID, implying the cybercriminals may only be using a single-decryption key, Trend Micro explained. For now, the virus is only targeting Windows users.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn

More regional news

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.