HelloXD: the new ransomware for Linux and Windows that also installs a backdoor

The situation can only get worse. Windows and Linux systems are again targeted by a ransomware variant called HelloXD . However, it is not just ransomware: infections also involve the installation and activation of a hidden backdoor to facilitate persistent remote access to infected hosts by malicious people.

For the uninitiated, the purpose of ransomware is to act by encrypting user data and files , even at the entire system / disk level. This allows criminals to demand a ransom, with a promise to give the victim back access to the affected data in full.

HelloXD: What is special about this ransomware?

Recently, however, researchers at Palo Alto Networks Unit 42 discovered an intensification of the activity of a particular ransomware known as Hello XD. In particular, it is a version characterized by an even more effective encryption than the previous ones. This malware has been operational since November 2021 and appears to be based on the Babuk source code, which was published on a Russian-language cybercrime forum, and has been involved in some cases of double extortion (where by double extortion we mean encryption and theft of data with extortion).


Among the most worrying aspects of Hello XD we find the ability of the ransomware to release a backdoor on the affected system, during the encryption operations. Finally, it attempts to completely disable the ability to restore the system to an earlier state, and finally encrypt files with the .hello extension.

The backdoor used is open source, and is available on GitHub . This is MicroBackdoor: among the features we find the possibility for an attacker to explore the file system, upload and download files, execute commands and delete evidence of its presence from compromised machines. The implementation of the backdoor is suspected to be "to monitor the progress of the ransomware" .

The research team appears to have linked the ransomware to a Russian developer behind HelloXD , which goes under the online aliases of x4k, L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme, to further malicious activities such as selling proof-of-concept exploits ( PoC):

“X4k has a very strong online presence, which has allowed us to discover much of its business over the past two years. Fortunately, it has done little to hide its malicious activities and will likely continue with this behavior ”.

A little background on these particular malware

A ransomware is a type of malware that restricts access to the device it infects, requiring a ransom, which translates to "ransom" in English, to be paid to remove the restriction. Initially widespread in Russia, ransomware attacks are now perpetrated all over the world and are among the most fruitful attacks a group of criminals can carry out, as well as the most used.

In June 2013, software company McAfee, which specializes in security software, released data showing that 250,000 different types of ransomware were registered in the first three months of 2013 , more than double the number obtained in the first three months of the year. previous one. CryptoLocker, a ransomware worm that appeared in late 2013, fetched around $ 3 million before being rendered harmless by the authorities.

The first known ransomware was the AIDS trojan, also known as "PC Cyborg", written in 1989 by the biologist Joseph Popp, which ran a payload which showed the user a message stating that the license of some installed software was expired, it encrypted the hard disk files and forced the user to pay $ 189 to the “PC Cyborg Corporation” to unlock the system. Popp was declared unable to understand and will and was not tried, but promised to donate the proceeds of the malware to research for the cure of AIDS.

The article HelloXD: the new ransomware for Linux and Windows that also installs a backdoor was written on: Tech CuE | Close-up Engineering .