A ransomware developer taunted security researchers in a tech support forum by egging them on to decrypt the newest version of their malware.
There’s nothing particularly interesting about the DXXD ransomware. When it encrypts a victim’s files, it appends dxxd to each affected filename.
That goes for files that DXXD finds on a target computer as well as network shares.
What is interesting, however, is the way the ransomware displays its ransom note.
As noted by Lawrence Abrams, a computer security expert at Bleeping Computer:
“This ransomware… also configures a Windows Registry setting that is used to display a legal notice when people log into a computer. By configuring these registry keys, the ransomware developer knows that any user who tries to log in to the server will see the ransom note.”
Specifically, the ransomware changes the registry values:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText.
Doing so makes sure each and every user will see the ransom note before they log into their account.
“Microsoft Windows Security Center. Dear Administrator, YOUR server is attacked by hackers. For more information and recommendations, write to our experts by e-mail”
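As an added example (not code from the article, from Bleeping Computer, or from the malware), here is a PowerShell check a defender can run to see whether the Winlogon legal-notice values described above have been populated. The indicator phrases come from the note quoted above; the second, Group Policy-managed location under Policies\System is an addition beyond the article, included because a legitimate logon banner is normally set there.

```powershell
# Added example: audit the logon legal-notice registry values that DXXD
# abuses to show its ransom note before anyone can log in.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # location named in the article
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' # where Group Policy writes a legitimate banner
)
$values = 'LegalNoticeCaption', 'LegalNoticeText'

# Phrases taken from the ransom note quoted in the article. Extend with your own.
$indicators = @('YOUR server is attacked', 'write to our experts', 'Security Center')

function Test-LegalNotice {
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $values) {
            $text = $props.$name
            if ([string]::IsNullOrWhiteSpace($text)) {
                Write-Output "[OK]     $path\$name is empty"
                continue
            }
            $hit = @($indicators | Where-Object { $text -like "*$_*" })
            if ($hit.Count -gt 0) {
                Write-Output "[ALERT]  $path\$name matches ransom-note indicator '$($hit[0])':"
                Write-Output "         $text"
            } else {
                # A banner set by policy is normal; a value under Winlogon that nobody
                # provisioned deserves a look even without a known indicator.
                Write-Output "[REVIEW] $path\$name is set: $text"
            }
        }
    }
}

Test-LegalNotice
```

Run it elevated on the suspect server; an ALERT on the Winlogon path is the artefact the article describes, while a REVIEW on the Policies path is usually the organisation's own logon banner.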
After receiving word of DXXD, Gillespie created a decryption tool for the ransomware that allowed victims to restore access to their files for free.
Unfortunately, the ransomware developer cut the life of that utility short by modifying DXXD’s code.
But they didn’t stop there.
Determined to have the last word, the author posted on Bleeping Computer and egged Gillespie and others on to decrypt the ransomware’s newest version.
how are you?
decrypt a new version??? (it's a pre-alpha version)
The malware developer says that they have made DXXD harder to decrypt by using a zero-day vulnerability affecting Windows computers. Abrams, however, thinks the author is actually breaking into servers through Remote Desktop Services and brute-forced passwords.
Users should prepare for a ransomware infection by backing up their critical data on a regular basis. That way, they won’t need to pay the ransom if they suffer an infection. They should also maintain an up-to-date anti-virus solution on their computers and keep their software updated.
There is currently no decryption tool for DXXD. That means all victims should remove the malware from their computers, restore their files using their data backups, and change all passwords saved on their affected machines.