HelloXD Ransomware And MicroBackdoor
Palo Alto Unit42 has observed activity from the HelloXD ransomware family since November 2021. The ransomware group conducts double-extortion attacks; however, it does not operate a data leak site. Instead, the group handles negotiations through TOX chat and onion-based messengers. A review of the HelloXD code shows coding similarities with the leaked Babuk/Babyk source code. Uniquely, the operators deploy an open-source backdoor named MicroBackdoor to retain a foothold in the victim's environment. The backdoor is capable of monitoring ransomware progress, discovering files, executing commands and, if needed, deleting itself. Unit42 has traced a Russian-speaking threat actor named x4k (additional aliases L4ckyguy, unKn0wn, unk0w, _unkn0wn and x4kme) as the developer of MicroBackdoor. x4k is involved in many nefarious cybercrime activities, including developing Cobalt Strike beacons, selling proof-of-concept exploits, providing crypter services, creating custom Kali Linux distros and establishing malicious infrastructure.