HDDCryptor Ransomware Overwrites Your MBR Using Open Source Tools


HDDCryptor, also written HDD Cryptor and also known as Mamba, is a new ransomware that can rewrite a computer’s MBR (Master Boot Record) boot sectors and lock users out of the PC. Although many classify it as a Petya clone, HDDCryptor precedes both Satana and Petya: it was first seen at the end of January this year.

This ransomware was never the main focus of a distribution campaign, and because of this it never gained any attention from security vendors or independent security researchers.

A revamped HDDCryptor returns

But a wave of activity that started in August brought HDDCryptor to attention, and it has since been analyzed by researchers at several labs. According to Trend Micro, the ransomware generally enters a system after users download malicious files from malicious websites. The criminals either place the malicious binary on the computer directly or use an intermediary payload that downloads it at a later stage.

The binary is usually named with a random three-digit number, in the form 123.exe. A hybrid analysis of the file doesn’t reveal any clues. When this initial binary is executed, it drops the following files in the computer’s system root:

• dcapi.dll

• dccon.exe (used to encrypt the disk drive)

• dcrypt.exe

• dcrypt.sys

• log_file.txt (log of the malware’s activities)

• Mount.exe (scans mapped drives and encrypts files stored on them)

• netpass.exe (used to scan for previously accessed network folders)

• netuse.txt (used to store information about mapped network drives)

• netpass.txt (used to store user passwords)

Two of these files are freely available, legitimate tools: netpass.exe is a free network password recovery tool, and dcrypt.exe is the executable for DiskCryptor, an open source disk encryption utility.

To gain boot persistence, HDDCryptor creates a new user named “mythbusters” with the password “123456”. It also adds a new service named “DefragmentService” that runs at every boot. This service points to the ransomware’s original binary.

To scan for previously accessed network folders and their credentials, netpass.exe is executed first. The information is then stored in two local text files, one of which contains details of the mapped drives along with any credentials, if present.
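A host-triage check built from the indicators listed above, as an added example (not code from the original article or from any vendor). The snapshot dictionary format, the scoring weights and the sample inventories are assumptions constructed for illustration; the legitimate tools (DiskCryptor, netpass.exe) are reported but carry no weight on their own.

```python
import re

# Indicators from the article; all names are compared case-insensitively.
DROPPED = {"dcapi.dll", "dccon.exe", "dcrypt.exe", "dcrypt.sys", "log_file.txt",
           "mount.exe", "netpass.exe", "netuse.txt", "netpass.txt"}
# Legitimate software on its own, so weak evidence (assumed weighting).
LEGIT_TOOLS = {"dcapi.dll", "dcrypt.exe", "dcrypt.sys", "netpass.exe"}
ROGUE_USER = "mythbusters"
ROGUE_SERVICE = "defragmentservice"
DROPPER_RE = re.compile(r"^\d{3}\.exe$", re.IGNORECASE)  # e.g. 123.exe


def triage(snapshot):
    """Score a host inventory (hypothetical dict format) against the indicators."""
    files = {f.lower() for f in snapshot.get("root_files", [])}
    users = {u.lower() for u in snapshot.get("local_users", [])}
    services = {s["name"].lower(): s.get("binary", "")
                for s in snapshot.get("services", [])}
    findings, score = [], 0
    for name in sorted(files & DROPPED):
        weak = name in LEGIT_TOOLS
        findings.append(f"file:{name}" + (" (legitimate tool)" if weak else ""))
        score += 0 if weak else 1
    if ROGUE_USER in users:
        findings.append(f"user:{ROGUE_USER}")
        score += 3
    if ROGUE_SERVICE in services:
        binary = services[ROGUE_SERVICE]
        findings.append(f"service:{ROGUE_SERVICE} -> {binary}")
        score += 3
        # The service points to the original three-digit dropper binary.
        if DROPPER_RE.match(binary.replace("\\", "/").rsplit("/", 1)[-1]):
            score += 2
    verdict = ("likely" if score >= 3 else "suspicious" if score >= 1
               else "review" if findings else "clean")
    return verdict, score, findings


# Constructed sample inventories (paths are placeholders, not from the article).
INFECTED = {
    "root_files": ["dcapi.dll", "dccon.exe", "dcrypt.exe", "dcrypt.sys", "log_file.txt",
                   "Mount.exe", "netpass.exe", "netuse.txt", "netpass.txt", "pagefile.sys"],
    "local_users": ["Administrator", "mythbusters"],
    "services": [{"name": "DefragmentService", "binary": "C:\\Temp\\123.exe"}],
}
DISKCRYPTOR_ONLY = {"root_files": ["dcrypt.exe", "dcrypt.sys", "dcapi.dll"],
                    "local_users": ["Administrator"], "services": []}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("diskcryptor-only", DISKCRYPTOR_ONLY)):
        print(label, triage(snap))
```
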

HDDCryptor encrypts files and overwrites the MBRs

The ransomware encrypts the user’s files through dccon.exe and Mount.exe, both of which use DiskCryptor for the encryption. Dccon.exe encrypts the user’s hard drive, whereas Mount.exe encrypts the mapped network drives, including currently disconnected ones.

When the encryption ends, the ransomware rewrites the MBRs for all hard drive partitions with a boot loader. It then reboots the user’s computer without any user interaction and displays the message below.


The January version of this ransomware showed the message below, which uses different wording and a different email address.


The January version used four-digit victim IDs, whereas the August-September infections show a six-digit identifier.

In January the ransomware’s authors were asking for $700 in Bitcoin. This changed afterwards: in September the demand was lower than in January, but the criminals are still asking for 1 Bitcoin ($600).

To date, the Bitcoin wallet address associated with the September campaign shows that four victims have paid the ransom. When users pay the ransom, they get a password that has to be entered at the pre-boot screen.