
Joe Security's Blog

HydraCrypt the badass Ransomware

Published on: 04.02.2016


2015 was definitely the year of ransomware, and it seems 2016 is no different. Yesterday we came across a new ransomware called HydraCrypt.


Hydra is no different from other ransomware such as CryptoWall or TeslaCrypt, with one big exception. The ransomware seen so far encrypts your documents (PDF and Office) and pictures. Hydra additionally encrypts your application settings and databases. In detail, Hydra targets a huge number of additional file extensions:


The list includes, for example, *.db, *.ini and *.dat. What does that mean? It means that all your application settings are gone, and the same goes for stored passwords and logins, e.g. in Firefox:


Besides that, it also encrypts files in your Recycle Bin and your System Restore folder. This is badass and makes your computer nearly useless. Of course, it also comes with all the other functionality of traditional ransomware.
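As an added illustration (not code from this post or from Joe Security), here is a small detection heuristic in Python built on the two behaviours described above: it flags a process that rewrites both documents and settings/database files, or anything under the Recycle Bin or System Restore folder, while a plain document editor or an installer that only touches its own settings stays unflagged. The file events, process ids and the Firefox profile path are constructed sample data.

```python
"""Added example (not Joe Security's code): flag a process that rewrites both
documents AND application settings/database files, or anything under the
Recycle Bin / System Restore folder, the way this post says HydraCrypt does."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Small subsets of the extension list shown in the post
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
SETTINGS_EXT = {".db", ".ini", ".dat", ".cfg", ".log"}
# Folders no ordinary application rewrites in bulk
PROTECTED_DIRS = ("$recycle.bin", "system volume information")

def classify(path: str) -> set:
    """Tags describing why a write to `path` is suspicious (empty if benign)."""
    p = PureWindowsPath(path)
    tags = set()
    ext = p.suffix.lower()
    if ext in DOC_EXT:
        tags.add("doc")
    if ext in SETTINGS_EXT:
        tags.add("settings")
    if any(part.lower() in PROTECTED_DIRS for part in p.parts):
        tags.add("protected_dir")
    return tags

def score_events(events, threshold=3):
    """events: iterable of (pid, path) write events. A pid is flagged once it has
    written `threshold` files and touched a protected folder or both file classes."""
    per_pid = defaultdict(lambda: [set(), 0])   # pid -> [tags, write count]
    for pid, path in events:
        per_pid[pid][0] |= classify(path)
        per_pid[pid][1] += 1
    flagged = {}
    for pid, (tags, count) in per_pid.items():
        if count >= threshold and ("protected_dir" in tags or {"doc", "settings"} <= tags):
            flagged[pid] = sorted(tags)
    return flagged

# Constructed sample events (not from a real capture); 4242 plays the ransomware
SAMPLE_EVENTS = [
    (4242, r"C:\Users\alice\Documents\report.docx"),
    (4242, r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\key3.db"),
    (4242, r"C:\$Recycle.Bin\S-1-5-21-1\$R1A2B3C.pdf"),
    (1337, r"C:\Users\alice\Documents\notes.docx"),   # editor: documents only
    (1337, r"C:\Users\alice\Documents\budget.xlsx"),
    (1337, r"C:\Users\alice\Pictures\IMG_0001.jpg"),
    (2001, r"C:\Program Files\App\config.ini"),       # installer: settings only
    (2001, r"C:\Program Files\App\cache.dat"),
    (2001, r"C:\Program Files\App\app.log"),
]
```

Running `score_events(SAMPLE_EVENTS)` flags only pid 4242; the threshold and extension sets are demo values and would be tuned against real file-activity telemetry.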






Full Joe Sandbox 13 analysis:


Update 1:

Malware Traffic Analysis has a nice analysis of the threat at the network level; kudos: http://malware-traffic-analysis.net/2016/02/03/index2.html
