
The advancement of ransomware continues
As ransomware has made international headlines due to its crippling effects on industries ranging from healthcare and power to the food supply, researchers are continually discovering new, sophisticated variants of the malicious software used to carry out these intrusions with increasing frequency.
“Ransomware as a service,” in which ransomware is offered for sale much like any other software subscription, has also become a recent phenomenon thanks to the increasing sophistication of malware developers. Ransomware creators update, maintain and patch their products to keep them effective, even as cybersecurity protocols and malware detection filters keep pace.
One such variant is referred to as “HELLO” or “WickrMe.” This particular ransomware type received its more common name because it appends a “.hello” extension to each of the files it encrypts.
What exactly is ransomware?
Ransomware is malicious software created to encrypt a victim’s data and hold it hostage until a payment is made. In theory, victims regain access to their systems after they pay, although ransomware purveyors have been known not to hold up their end of the deal or, worse yet, to ask for even more money. This additional risk has not deterred major companies from paying millions of dollars to cybercriminals, which only inspires further attacks.
Double extortion schemes in which a cybercriminal not only encrypts a victim’s data but also threatens to sell it are also common.
HELLO ransomware explained
A variant of a ransomware type known as “WannaCry” or “Xorist,” HELLO has a storied and high-profile history in spite of not being especially distinctive compared to other, similar viruses and variants. This is partially because the vulnerability exploited by HELLO is the same one used to steal 400GB of data from the United Nations in July of 2019 in a previously undisclosed attack.
Identified in August of 2020, HELLO uses a Microsoft SharePoint 2019 vulnerability (CVE-2019-0604) to penetrate a victim’s network. After successfully entering the network, the attacker can then launch HELLO using Cobalt Strike.
Cobalt Strike is a popular “threat emulation” tool used by the security community to run test attacks and learn how to better fortify against malware. A double-edged sword, Cobalt Strike is also leveraged by threat actors to carry out real intrusions and network takeovers.
Once initiated, HELLO changes the user’s desktop wallpaper and causes the system to display an error message. Each folder containing encrypted files also contains a text file labeled “HOW TO DECRYPT FILES.txt” that partially reads as follows:
“If you want to decrypt all your files you need to pay. You only have 12H to submit the payment.”
The text file also contains instructions on how to provide payment in Bitcoin as well as the threat of an increase in the demand if the payment deadline is missed.
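The two on-disk indicators the article describes, the “.hello” extension on encrypted files and a “HOW TO DECRYPT FILES.txt” note in each affected folder, are easy to sweep for during triage. The script below is an added example written for this page, not code from the article or from any of its sources; it builds a small constructed directory tree, walks it, and reports which folders show the indicators and how many files are affected. The folder names and file contents are made up for the demonstration.

```python
"""Added example (not from the original article): a triage scan for the
on-disk indicators described for HELLO/WickrMe -- files renamed with a
".hello" extension and a "HOW TO DECRYPT FILES.txt" note in each affected
folder. The directory layout and file contents are constructed for the demo."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".hello"                  # extension appended by HELLO (per the article)
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"  # note file name reported in the article


def scan_for_hello_indicators(root):
    """Walk `root` and report, per directory, how many files carry the
    .hello extension and whether the ransom note is present.
    Returns {dir_path: {"encrypted": n, "note": bool}} for every directory
    that shows at least one indicator; clean directories are omitted."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sum(1 for f in filenames if f.lower().endswith(ENCRYPTED_EXT))
        note = any(f.upper() == RANSOM_NOTE.upper() for f in filenames)
        if encrypted or note:
            findings[dirpath] = {"encrypted": encrypted, "note": note}
    return findings


def summarize(findings):
    """Aggregate totals so an analyst can judge the scope at a glance."""
    return {
        "affected_dirs": len(findings),
        "encrypted_files": sum(v["encrypted"] for v in findings.values()),
        "dirs_with_note": sum(1 for v in findings.values() if v["note"]),
    }


def build_sample_tree():
    """Constructed sample layout (not real data): two folders hit, one clean."""
    root = Path(tempfile.mkdtemp(prefix="hello_demo_"))
    hit1 = root / "finance"
    hit2 = root / "hr" / "contracts"
    clean = root / "public"
    for d in (hit1, hit2, clean):
        d.mkdir(parents=True)
    # Encrypted files keep their original name with ".hello" appended.
    (hit1 / "budget.xlsx.hello").write_bytes(b"\x00" * 16)
    (hit1 / "q3.docx.hello").write_bytes(b"\x00" * 16)
    (hit1 / RANSOM_NOTE).write_text(
        "If you want to decrypt all your files you need to pay. "
        "You only have 12H to submit the payment.")
    (hit2 / "nda.pdf.hello").write_bytes(b"\x00" * 16)
    (hit2 / RANSOM_NOTE).write_text("If you want to decrypt all your files you need to pay.")
    (clean / "readme.txt").write_text("nothing to see here")
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    results = scan_for_hello_indicators(sample_root)
    for d, v in sorted(results.items()):
        print(f"{d}: {v['encrypted']} .hello file(s), note present={v['note']}")
    print(summarize(results))
```

Run against a real share the scan is read-only, so it is safe to point at mapped drives during incident scoping; the per-directory output also doubles as a list of folders to restore from backup once the host has been isolated and cleaned.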
How do networks get infected with HELLO ransomware?
Ransomware typically invades a network by tricking authorized users via phishing schemes or malicious websites, and HELLO is no different. Because ransomware depends so heavily on user error, cybercrime education and training are becoming an increasingly vital component of network security.
What does a ransomware attack look like?
The actual look and execution of a ransomware attack on the victim’s end varies depending on the type of ransomware being used.
However, attacks like HELLO typically display a simple message containing instructions on how to retrieve data, links to online information about what ransomware is, and the details the victim needs to both purchase and submit payment in Bitcoin or another cryptocurrency; these payment methods are favoured because they make criminal activity difficult to track online.
Some ransomware will display a countdown in order to pressure the victim to pay before further action is taken by the threat actors.
Cerber ransomware is unique in that it uses text-to-speech to verbally read its message to the victim. Because of this, it has been nicknamed “The Talking Ransomware.”
How to protect against HELLO ransomware
The vulnerability in Microsoft SharePoint 2019 that was used to launch HELLO has long been patched. As a result, merely keeping your system updated, one of the key tenets of proper cybersecurity protocols, goes a long way towards preventing a successful hack.
While good software hygiene may seem like a no-brainer to some, many users continue to operate potentially exploitable network architecture. It is important to understand that SharePoint was patched against the vulnerability HELLO exploits before the United Nations fell victim to it. They were simply running an outdated version of the platform in which the vulnerability was still present. The event highlights a disastrous general lack of vigilance and understanding when it comes to the critical nature of cybersecurity, even in high-powered international organizations whose primary function is to protect and defend allied nations.
How to remain safe online
HELLO is one of many variants of ransomware that can bring everything from small businesses to international coalitions to their knees. While increased government pressure and a greater priority on highly trained and competent IT staff may be able to turn the tables on the criminals in some circumstances, decent cybersecurity requires dedication and adherence to a few foundational rules that can make the difference between becoming a victim or continuing operations as normal:
1: Stay vigilant. Tight cybersecurity remains a moving target, with criminals not only continually probing for exploit opportunities via phishing scams but also networking and developing more advanced means of infiltrating targeted networks. Follow cybersecurity news blogs to stay in sync with the latest threats.
2: Update everything. From your OS to the apps on your tablet, make sure that you keep your system running the most current version of whatever you use. Falling behind means missing out on critical security updates. Don’t ignore your hardware. Stay on the cutting edge without torpedoing your budget by purchasing refurbished equipment from a reputable supplier.
3: Train your staff. Your organization’s security is only as strong as your most uninformed staff member. Keep your team updated with regular cybersecurity training and seminars.
4: Use a Virtual Private Network (VPN). While still exploitable if not maintained, a VPN still provides a critically important layer of security between you and the bad guys.
Sources
- Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability by Janus Agcaoili, 27 April 2021, Trend Micro Incorporated
- How to remove HELLO Ransomware – virus removal steps (updated) by Tomas Meskauskas, 5 Aug 2020, PCrisk
- Cobalt Strike Usage Explodes Among Cybercrooks by Lisa Vaas, 29 June 2021, Threatpost
- United Nations Confirms ‘Serious’ Cyberattack With 42 Core Servers Compromised by Davey Winder, 30 June 2020, Forbes
- Cerber Ransomware: What You Need to Know by Jeff Petters, 17 June 2020, Varonis
- Ask a Carbonista: What does ransomware look like? by Mark Brunelli, 20 Jun 2016, Carbonite
- Hello (WickrMe) Ransomware (CSB21-03), Philippine National Police Information Technology Management Service