Barkly vs Malware
The Barkly Team
Dec 2017

New Ransomware HC7 Spreads via Legitimate Admin Tools

A new ransomware variant called HC7 is infecting victims via unsecured Remote Desktop services and abusing PsExec.exe to spread across internal networks.

One of the big attack trends we've seen in 2017 has been a focus on infiltrating organizations through publicly accessible Remote Desktop Protocol (RDP) services. The tactic has been especially popular for spreading ransomware, with the criminal groups behind such variants as SamSam, CrySiS, Shade, Apocalypse, BTCWare, and others all getting in on the act. 

The latest example to follow suit is ransomware that researchers are calling HC7. What makes this variant additionally notable is that once it gains initial entry via RDP, it also abuses PsExec (another otherwise legitimate system administration tool) to spread the infection laterally throughout compromised networks. While not a new technique, abuse of PsExec has also gained steam this year as more and more attackers turn to "living off the land" (using built-in Windows tools and functionality instead of malware to carry out attacks). 

Barkly blocks HC7 ransomware before it can encrypt files


Despite being a new ransomware variant, Barkly blocks HC7 automatically, without any updates to protection needed. That's because Barkly utilizes a mix of powerful behavioral and file attribute protection strengthened by responsive machine learning that learns and evolves with the introduction of new threats. 

Learn more about how Barkly can protect your company from malware other solutions miss. See a demo.

How HC7 ransomware attacks work

Rather than relying on spam emails and click-prone users to deploy their ransomware, the attackers behind HC7 are targeting networks with RDP exposed. Thanks to port scanning tools like masscan and Nmap, identifying those targets is incredibly easy. Once an open port exposing RDP is found, the attackers' next step is brute-forcing their way past weak or default passwords to gain access to the machine so they can install and execute the ransomware manually. 
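
The entry point described above leaves a distinctive trail in the Windows Security log: a burst of failed RemoteInteractive logons (Event ID 4625, LogonType 10) from one source address, often followed by a success (4624) from the same address. The following is an added example, not code from the post or from Barkly, that runs a sliding-window brute-force check over a constructed batch of such records and reports whether the burst was followed by a successful logon. The event fields and the sample addresses are constructed for the example; the threshold and window are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not real telemetry).
# Event 4625 = failed logon, 4624 = successful logon; LogonType 10 is
# RemoteInteractive, i.e. a Remote Desktop session. Events are deliberately
# out of order to show that the detector sorts them itself.
SAMPLE_EVENTS = [
    {"time": "2017-12-04T02:10:05", "id": 4625, "ip": "203.0.113.7", "logon_type": 10, "user": "administrator"},
    {"time": "2017-12-04T02:10:06", "id": 4625, "ip": "203.0.113.7", "logon_type": 3, "user": "administrator"},
    {"time": "2017-12-04T02:10:09", "id": 4625, "ip": "203.0.113.7", "logon_type": 10, "user": "admin"},
    {"time": "2017-12-04T02:10:14", "id": 4625, "ip": "203.0.113.7", "logon_type": 10, "user": "administrator"},
    {"time": "2017-12-04T02:10:20", "id": 4625, "ip": "203.0.113.7", "logon_type": 10, "user": "admin"},
    {"time": "2017-12-04T02:10:27", "id": 4625, "ip": "203.0.113.7", "logon_type": 10, "user": "administrator"},
    {"time": "2017-12-04T02:10:33", "id": 4625, "ip": "203.0.113.7", "logon_type": 10, "user": "administrator"},
    {"time": "2017-12-04T02:11:02", "id": 4624, "ip": "203.0.113.7", "logon_type": 10, "user": "administrator"},
    {"time": "2017-12-04T01:15:00", "id": 4625, "ip": "198.51.100.20", "logon_type": 10, "user": "jdoe"},
    {"time": "2017-12-04T03:40:00", "id": 4625, "ip": "198.51.100.20", "logon_type": 10, "user": "jdoe"},
    {"time": "2017-12-04T02:30:00", "id": 4624, "ip": "192.0.2.5", "logon_type": 10, "user": "jdoe"},
]

# Assumed tuning values: alert when `threshold` RDP failures from one source
# fall inside `window`. Adjust to the noise level of your own environment.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: summary} for every source whose RDP failures
    exceed `threshold` inside `window`. The summary records when the
    threshold was crossed, how many failures were seen in total, which
    accounts were tried, and the first RDP success from that source at or
    after the alert (the sign that the brute force worked)."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 10:          # only RemoteInteractive (RDP) logons
            by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        failures = [datetime.fromisoformat(e["time"]) for e in evs if e["id"] == 4625]

        # Sliding window: the first position where `threshold` consecutive
        # failures fit inside `window` is the moment the alert fires.
        alert_time = None
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1] - failures[i] <= window:
                alert_time = failures[i + threshold - 1]
                break
        if alert_time is None:
            continue

        users = sorted({e["user"] for e in evs if e["id"] == 4625})
        success = next(
            (e for e in evs
             if e["id"] == 4624 and datetime.fromisoformat(e["time"]) >= alert_time),
            None,
        )
        alerts[ip] = {
            "alert_time": alert_time.isoformat(),
            "failures": len(failures),
            "users_tried": users,
            "success_after": (success["user"], success["time"]) if success else None,
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

A source that crosses the threshold and then logs on successfully deserves immediate attention: that is exactly the sequence that precedes a manual ransomware deployment of the kind described above. The SMB failure (LogonType 3) from the same address is ignored here on purpose; a broader detector would count it separately.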

HC7 encrypts a wide variety of file types and appends the .GOTYA extension to the encrypted file's name. It also creates a ransom note titled RECOVERY.txt, which it leaves behind in each folder containing encrypted files. 
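
The two artifacts named above (the .GOTYA extension and the RECOVERY.txt note in every affected folder) are enough to scope an infection during response. What follows is an added example, not code from the post or from Barkly: it walks a directory tree, counts encrypted files per folder, records whether the note is present, and uses the modification times of the encrypted files to bound the window in which encryption ran. The sample tree it builds is constructed for the example and contains no malware; the file names and timestamps in it are invented.

```python
import os
import shutil
import tempfile
from datetime import datetime, timezone

ENCRYPTED_EXT = ".gotya"      # HC7 appends .GOTYA to each encrypted file
NOTE_NAME = "recovery.txt"    # HC7 drops RECOVERY.txt in each affected folder


def build_sample_tree():
    """Create a constructed directory tree that mimics an HC7 hit.
    Paths, contents and epoch mtimes are invented for the example."""
    root = tempfile.mkdtemp(prefix="hc7-scope-")
    layout = {
        "Finance/Q4.xlsx.GOTYA": 1512352800,
        "Finance/budget.docx.GOTYA": 1512352830,
        "Finance/RECOVERY.txt": 1512352831,
        "HR/handbook.pdf.GOTYA": 1512352900,
        "HR/RECOVERY.txt": 1512352901,
        "Tools/PsExec.exe": 1500000000,   # left alone, as the post describes
        "Public/readme.txt": 1500000000,
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content")
        os.utime(path, (mtime, mtime))
    return root


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def scope_infection(root):
    """Return a per-folder inventory of encrypted files and ransom notes under
    `root`, plus the earliest and latest encrypted-file mtime as an estimate
    of when the encryption run started and finished."""
    folders = {}
    total = 0
    mtimes = []
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        has_note = any(f.lower() == NOTE_NAME for f in files)
        if not encrypted and not has_note:
            continue   # untouched folder, nothing to report
        rel = os.path.relpath(dirpath, root)
        folders[rel] = {"encrypted": len(encrypted), "note": has_note}
        total += len(encrypted)
        mtimes.extend(os.path.getmtime(os.path.join(dirpath, f)) for f in encrypted)
    return {
        "folders": folders,
        "total_encrypted": total,
        "first_encrypted": _iso(min(mtimes)) if mtimes else None,
        "last_encrypted": _iso(max(mtimes)) if mtimes else None,
    }


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        print(scope_infection(sample))
    finally:
        shutil.rmtree(sample)
```

The mtime window is only an estimate (the ransomware rewrites each file, so the timestamps reflect when it got to that file), but it is usually enough to line the encryption run up against the RDP logon that preceded it. A folder that holds a note but no .GOTYA files is still reported, since it shows the process reached that location.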

The ransom note lists the following:

  • Demands: currently $700 in Bitcoin (BTC) for restoring encrypted files on one infected machine, or $5,000 in BTC for all machines on the network
  • Bitcoin wallet address: 1 of 14 different options (see full list here)
  • Attacker email address: m4zn0v@keemail.me
  • Unique victim ID

HC7 ransomware ransom note. Source: Bleeping Computer

As it's executing, HC7 also looks for PsExec.exe and purposely avoids encrypting it. If found, the ransomware will attempt to use it to install and execute itself on any additional machines on the network it can reach. Whether it re-uses the password it initially gained access with or launches additional brute-force attacks against the remote machines is unclear. It should also be noted that in order to utilize PsExec.exe, the ransomware needs to be operating with admin privileges, so standard best practices for limiting privileges can help mitigate that threat. 
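
PsExec leaves evidence on both ends of a hop: a process-creation record on the source (psexec.exe with the target named as \\host on its command line) and a service-installation record (Event ID 7045) for the PSEXESVC service on the target. The following is an added example, not code from the post or from Barkly, that picks those records out of a constructed batch of events and correlates each launch with the targets on which the service actually appeared. The host names, user and paths are invented; the `-s` (run as SYSTEM), `-c` (copy the program to the target) and `-d` (do not wait) switches are real PsExec options.

```python
import ntpath

PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe"}
PSEXEC_SERVICE = "psexesvc"

# Constructed sample events (not real telemetry). "process" records mimic a
# process-creation event with its command line; "service" records mimic
# System log Event ID 7045 (a service was installed).
SAMPLE_EVENTS = [
    {"kind": "process", "host": "WS01", "user": "CORP\\jsmith", "elevated": True,
     "image": "C:\\Tools\\PsExec.exe",
     "command_line": "C:\\Tools\\PsExec.exe \\\\FS01,APP02 -s -c -d C:\\Users\\jsmith\\payload.exe"},
    {"kind": "process", "host": "WS01", "user": "CORP\\jsmith", "elevated": False,
     "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe notes.txt"},
    {"kind": "service", "host": "FS01", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"kind": "service", "host": "APP02", "service_name": "BackupAgent",
     "image_path": "C:\\Program Files\\Backup\\agent.exe"},
]


def parse_targets(command_line):
    """Return the \\host names on a PsExec command line. PsExec accepts a
    comma-separated list after a single leading \\, so split on commas too."""
    targets = []
    for tok in command_line.split():
        if tok.startswith("\\\\"):
            targets.extend(t.strip("\\").upper() for t in tok.split(","))
    return targets


def detect_psexec(events):
    """Flag PsExec launches (source side) and PSEXESVC installs (target side)."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            if ntpath.basename(ev["image"]).lower() not in PSEXEC_IMAGES:
                continue
            flags = {t.lower() for t in ev["command_line"].split() if t.startswith("-")}
            findings.append({
                "type": "psexec_launch",
                "host": ev["host"],
                "user": ev["user"],
                "elevated": ev["elevated"],        # PsExec needs admin rights to work
                "targets": parse_targets(ev["command_line"]),
                "copies_payload": "-c" in flags,   # payload pushed to the target
                "as_system": "-s" in flags,        # remote process runs as SYSTEM
            })
        elif ev["kind"] == "service":
            if (ev["service_name"].lower() == PSEXEC_SERVICE
                    or ntpath.basename(ev["image_path"]).lower() == PSEXEC_SERVICE + ".exe"):
                findings.append({
                    "type": "psexec_service_install",
                    "host": ev["host"],
                    "image_path": ev["image_path"],
                })
    return findings


def correlate(findings):
    """Map each source host to the targets it named, and to the subset of
    those targets where a PSEXESVC install confirms the hop landed."""
    installed_on = {f["host"].upper() for f in findings if f["type"] == "psexec_service_install"}
    chains = {}
    for f in findings:
        if f["type"] != "psexec_launch":
            continue
        entry = chains.setdefault(f["host"].upper(), {"targets": [], "confirmed": []})
        for t in f["targets"]:
            if t not in entry["targets"]:
                entry["targets"].append(t)
            if t in installed_on and t not in entry["confirmed"]:
                entry["confirmed"].append(t)
    return chains


if __name__ == "__main__":
    found = detect_psexec(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print(correlate(found))
```

A launch that names a target without a matching PSEXESVC install on that target is still worth a look (the target may simply not forward its System log), but a confirmed pair is a lateral-movement hop and should be treated as one. Command-line fields only exist in these records if process command-line auditing (or Sysmon) is enabled, which is one more reason to turn it on.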

To find out more about how attacks leverage PsExec to spread, see our write-up of Sorebrect ransomware.

Possible method for decrypting files encrypted by HC7 ransomware

The good news for victims hit with HC7 is it may be possible to recover encrypted files without paying the ransom. 

Hope lies in a decryption tool for HC6 ransomware (HC7's predecessor) that security researcher Michael Gillespie was able to create with help from Emsisoft's Fabian Wosar. In order for the HC6 ransomware decryption tool to work it requires the victim's unique encryption key. That was obtainable in HC6 infections because it was hard-coded into the ransomware. That's no longer the case with HC7, however. Instead, the encryption key is passed to the program as a command line argument. 

Researcher Ryan Zisk was able to figure out how to recover the key by generating a snapshot of the computer's memory and extracting the command line from it. You can read how to search for the encryption key in his blog post here.

Once the encryption key is obtained, victims can use Gillespie's decryption tool to recover their files.
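
The recovery route described above rests on one observation: a command line that was passed to a process is usually still present somewhere in a memory snapshot as a printable string, frequently in UTF-16LE because that is how Windows stores it. The following is an added example, not code from the post, from Ryan Zisk or from the decryption tool's author, that carves ASCII and UTF-16LE strings out of a raw memory image, finds the ones that invoke a given executable, and splits off the arguments. The executable name `hc7-sample.exe`, the sample image and the key value `EXAMPLEKEY0123456789` are placeholders constructed for the example; the real HC7 argument format is not described on the page, so the code simply returns every argument that follows the executable name.

```python
import ntpath
import re

# Printable runs of at least 8 characters, as ASCII and as UTF-16LE
# (each character followed by a zero byte). Equivalent to `strings` with
# both encodings enabled.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def build_sample_image():
    """Construct a fake memory image: filler bytes around an ASCII command
    line, a UTF-16LE command line for the placeholder executable, and a bare
    UTF-16LE mention of the executable with no arguments."""
    filler = bytes(range(256)) * 4
    cmd = '"C:\\Users\\Public\\hc7-sample.exe" EXAMPLEKEY0123456789'
    return (filler
            + b"C:\\Windows\\System32\\svchost.exe -k netsvcs" + filler
            + cmd.encode("utf-16-le") + filler
            + "hc7-sample.exe".encode("utf-16-le") + filler)


SAMPLE_IMAGE = build_sample_image()


def extract_strings(data):
    """Yield (encoding, text) for every printable run in `data`."""
    for m in ASCII_RUN.finditer(data):
        yield "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield "utf-16le", m.group().decode("utf-16-le")


def split_cmdline(line):
    """Minimal Windows-style splitter: whitespace separates arguments and
    double quotes group them (enough for paths with spaces)."""
    args, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def find_command_lines(data, exe_name):
    """Return every carved string that names `exe_name` as a program,
    together with the arguments that followed it."""
    hits = []
    for encoding, text in extract_strings(data):
        tokens = split_cmdline(text)
        for i, tok in enumerate(tokens):
            if ntpath.basename(tok).lower() == exe_name.lower():
                hits.append({"encoding": encoding, "command_line": text, "args": tokens[i + 1:]})
                break
    return hits


def key_candidates(data, exe_name):
    """Arguments seen after `exe_name`; with HC7 the key is passed this way,
    so these are the values to try with the decryption tool."""
    return [arg for h in find_command_lines(data, exe_name) for arg in h["args"]]


if __name__ == "__main__":
    for hit in find_command_lines(SAMPLE_IMAGE, "hc7-sample.exe"):
        print(hit)
    print("candidates:", key_candidates(SAMPLE_IMAGE, "hc7-sample.exe"))
```

On a real image there will be many more carved strings than this, including copies of the command line in several process structures, so expect duplicates and try each distinct candidate. Take the snapshot before rebooting: the process memory that holds the command line does not survive a restart.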

Preventing RDP attacks

Remote desktop is a relatively easy attack vector for most organizations to secure, yet actively doing so is also something that can easily slip through the cracks. According to Rapid7, more than 4 million endpoints have port 3389 open with RDP exposed. That's a lot of low-hanging fruit for attackers to target. 

Make sure none of your endpoints end up on that list by placing any machine with RDP enabled behind a firewall and applying strong passwords and basic access control lists. For more tips on securing RDP, see this guide from UC Berkeley.

The Barkly Team

Providing the latest security alerts and updates with context that makes them useful.
