The notorious HexaLocker ransomware has resurfaced with a revamped version, HexaLocker V2, which is now being disseminated through the Skuld Stealer. This new iteration introduces advanced functionalities that heighten its threat level significantly.
HexaLocker V2: a major upgrade
HexaLocker V2, first identified in mid-2024, showcases notable enhancements over its predecessor. The ransomware now employs a persistence mechanism that modifies Windows registry keys to ensure it remains active even after system reboots. Upon execution, it copies itself to the %appdata% directory and establishes an AutoRun entry, allowing it to execute automatically at startup. This strategic adaptation makes detection and removal more challenging for users and security software alike.
Double extortion tactics
One of the most alarming features of HexaLocker V2 is its adoption of a double extortion strategy. Before encrypting files, it utilizes the Skuld Stealer to exfiltrate sensitive data from the victim’s system. This open-source tool targets various applications, including popular web browsers and cryptocurrency wallets, to harvest credentials and other confidential information. The stolen data is then compressed into a ZIP archive and sent to a remote server, amplifying the pressure on victims to comply with ransom demands.
Advanced encryption techniques
HexaLocker V2 employs robust encryption algorithms such as AES-GCM for string encryption and ChaCha20 for file encryption. Upon initiating an attack, the ransomware generates unique keys and salts, which are transmitted to a remote server along with critical victim-specific details like IP address and computer name. This information facilitates targeted ransom negotiations, as victims receive personalized ransom notes instructing them on how to proceed.
Targeted exfiltration process
The ransomware scans the entire file system for specific file types—ranging from documents and images to audio and video files—before encrypting them with the .HexaLockerV2 extension. The comprehensive list of targeted file extensions underscores the extensive reach of this malware, which aims to maximize its impact on victims by compromising valuable data across various formats.
An evolving threat
The emergence of HexaLocker V2 underscores the evolving nature of ransomware threats in today’s digital environment. Its combination of sophisticated encryption methods and data exfiltration capabilities illustrates a concerning trend towards more aggressive cyber extortion tactics. Cybersecurity experts recommend implementing robust preventive measures, including regular backups, endpoint protection, and user education on phishing threats, to mitigate risks associated with such advanced ransomware attacks.
As organizations continue to grapple with these persistent threats, staying informed about emerging malware variants like HexaLocker V2 is crucial for maintaining cybersecurity resilience.