According to the experts at Bleeping Computer, Luc1F3R started selling the Halloware this week through a dedicated portal on the Dark web. Luc1F3R claims to be a 17-year-old college student from Northeast India.
“Currently, the malware dev is selling and/or advertising his ransomware on a dedicated Dark Web portal, on Dark Web forums, two sites hosted on the public Internet, and via videos hosted on YouTube.” reported Bleeping Computer.
“The sites are offering a lifetime license for the Halloware ransomware for only $40.”
The low price has made the researchers suspicious, so they decided to investigate the case suspecting a scam.
Operational mistakes in the websites used by to Luc1F3R to sell the ransomware allowed the expert from Bleeping Computer to track down a web page where Luc1F3R was hosting the index of Halloware files, The page included weaponized documents used to deliver the malware.
One of the files in the list, hmavpncreck.exe, had the same SHA256 hash for which Luc1F3R included NoDistribute scan results in Halloware’s ad, confirming that it was the malware binary the experts were looking for.
Another file named ran.py seems to be Halloware’s source code.
“While the file was protected, Bleeping Computer managed to extract its source code, which will end up in the hands of other security researchers to create decrypters, in case someone buys this ransomware and uses it to infect real users.” continues the analysis from Bleeping Computer.
The researchers highlighted that Halloware is a working ransomware that encrypts files using a hardcoded AES-256 key and prepends the “(Lucifer)” string to encrypted file names. For example, once encrypted a file named image.png, it will appear as (Lucifer)image.png.
Once the Halloware ransomware has completed the encryption process it pops up a window showing a creepy clown with a ransom message containing the instruction to pay the ransom and decrypt the data. The victim’s desktop wallpaper, also displays a similar message, but experts noticed that Halloware ransomware does not drop text files with ransom notes on the infected PCs.
Wannabe criminals that buy the ransomware can generate their own install by changing two images and adding their customized payment site URL.
Anyway the experts noticed that the ransomware uses a hardcoded AES key and does not save any information on a remote server, this characteristic makes the malware not useful for the criminal underground.
According to Bleeping Computer Luc1F3R is a novice without particular skills. His tutorials published on YouTube describe basic hacking techniques or promote unsophisticated malware.
Further details, including IoCs are available on the Bleeping Computer website.
(Security Affairs – Halloware Ransomware, Dark Web)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.