HDDCryptor, also known as Mamba, targets Windows OS and is distributed via files downloaded from malicious websites. When the initial binary file is executed, a number of files are downloaded into a root folder on the infected system. HDDCryptor then creates a user account named “mythbusters” with the password “123456.” It also adds a new boot service named “Defragment Service” to gain and maintain persistence. It uses a tool named netpass.exe to scan network folders and steal credentials. The executables dcon.exe and mount.exe are then used to encrypt files on the infected system’s hard drive as well as files located on all mapped network drives. Once that process is complete, HDDCryptor rewrites the Master Boot Records (MBRs) of all partitions with a custom boot loader so that the operating system cannot load after the system is restarted. It then reboots the infected system and displays a ransom note requesting that the victim contact the attacker via email. HDDCryptor demands a ransom payment of 1 Bitcoin.
- Bleeping Computer provides more information about HDDCryptor here.
- The NJCCIC is not currently aware of any free decryption tool available for HDDCryptor.
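As an added, defender-side illustration (not part of the NJCCIC profile above), the following Python scans constructed Windows event records for the host artifacts the description names: creation of the “mythbusters” account, installation of the “Defragment Service” service, and execution of netpass.exe, dcon.exe or mount.exe. Event IDs 4720, 7045 and 4688 are standard Windows Security/System events; the key=value log format and the hostnames are assumptions made for the example.

```python
import re
from typing import Dict, List

# Indicators taken from the HDDCryptor description (matched case-insensitively).
HDDCRYPTOR_ACCOUNT = "mythbusters"
HDDCRYPTOR_SERVICE = "defragment service"
HDDCRYPTOR_TOOLS = {"netpass.exe", "dcon.exe", "mount.exe"}

# Constructed sample events in a simplified key=value rendering; real exports
# (EVTX, Sysmon, SIEM) differ in layout, so only the field names are meaningful.
SAMPLE_LOG = r"""
EventID=4624 Host=WS01 Account=alice
EventID=4720 Host=WS01 TargetUserName=mythbusters SubjectUserName=alice
EventID=7045 Host=WS01 ServiceName=Defragment Service
EventID=4688 Host=WS01 NewProcessName=C:\tmp\netpass.exe
EventID=4688 Host=WS01 NewProcessName=C:\tmp\mount.exe
EventID=4688 Host=WS02 NewProcessName=C:\Windows\explorer.exe
""".strip().splitlines()


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value record; a value runs until the next ' Key=' token."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def detect_hddcryptor(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per event that matches an HDDCryptor artifact."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host, eid = ev.get("Host", "?"), ev.get("EventID")
        if eid == "4720" and ev.get("TargetUserName", "").lower() == HDDCRYPTOR_ACCOUNT:
            findings.append({"host": host, "indicator": "account", "value": ev["TargetUserName"]})
        elif eid == "7045" and ev.get("ServiceName", "").lower() == HDDCRYPTOR_SERVICE:
            findings.append({"host": host, "indicator": "service", "value": ev["ServiceName"]})
        elif eid == "4688":
            exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if exe in HDDCRYPTOR_TOOLS:
                findings.append({"host": host, "indicator": "tool", "value": exe})
    return findings


def hosts_with_multiple_indicators(findings: List[Dict[str, str]], min_types: int = 2) -> List[str]:
    """Hosts showing at least min_types distinct artifact types; one hit alone is weaker evidence."""
    by_host: Dict[str, set] = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["indicator"])
    return sorted(h for h, kinds in by_host.items() if len(kinds) >= min_types)
```

Requiring two or more artifact types per host reduces noise from a lone process-name match while still flagging the account, service and tool combination this family leaves behind.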