BkSoD by Ransomware: HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs

by Stephen Hilt and William Gamazo Sanchez

While most ransomware we’ve seen only target specific file types or folders stored on local drives, removable media and network shares, we were able to uncover a ransomware family that does not discriminate: HDDCryptor. Detected as Ransom_HDDCRYPTOR.A, HDDCryptor not only targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), but also locks the drive. Such a damaging routine makes this particular ransomware a very serious and credible threat not only to home users but also to enterprises.

Figure 1. A photo of the ransom note; HDDCryptor uses a hard-coded malware ID (123141), which implies that its operators may only be using a single decryption key.

Infection Vector and Installation

HDDCryptor can infect systems as an executable unsuspectingly downloaded from malicious websites, or as a file dropped by other malware. The ransomware is installed by dropping several components—both legitimate and malicious—to the system’s root folder:

  • dcapi.dll (detected as Ransom_HDDCRYPTOR.A)
  • dccon.exe (used to encrypt the disk drive)
  • dcrypt.exe
  • dcrypt.sys
  • log_file.txt (log of the malware’s activities)
  • Mount.exe (scans mapped drives and encrypts files stored on them)
  • netpass.exe (used to scan for previously accessed network folders)
  • netuse.txt (used to store information about mapped network drives)
  • netpass.txt (used to store user passwords)

For persistence, it adds a service named DefragmentService and executes it via command line.

Network-Mapped Drive Encryption

Digging into HDDCryptor, we found that its network-related behaviors are volatile. There were no observed propagation routines in some samples, while network-encrypting behavior was espied in others. Running one of its components, mount.exe, we discover its following functionalities:

  • Enumerate all existing mounted drives and encrypt all files
  • Find previously connected drives or cached disconnected network paths and connect to them using all credentials captured using the tool netpass.exe

Running mount.exe with no parameters enumerated all mapped drives via Windows’s volume management function GetLogicalDrives and encrypted all files stored on them.

Figure 2. Code showing capability of mount.exe to enumerate drives

To reach for previously accessed networked folders (but not mounted drives), HDDCryptor uses a network password recovery freeware (netpass.exe). The utility tool extracts credentials of the current session and the result is dumped into a file named netpass.txt.

During the same time, the connected drives cache is dumped into a file named netuse.txt. The executable then uses the two dump files to access resources in the network cache—even disconnected ones—or whatever network share that was previously accessed. The following image shows mount.exe code using the mentioned files:

Figure 3. Mount.exe code shown using the dump .txt files

Figure 4. Snapshot of HDDCryptor’s encryption routine to mapped drives

Figure 5. A screenshot of log_file.txt showing HDDCryptor’s malicious activities

Figure 6. A snapshot of DiskCryptor’s properties showing its expired certificates


HDDCryptor uses disk and network file-level encryption via DiskCryptor, an open source disk encryption software that supports AES, Twofish and Serpent encryption algorithms, including their combinations, in XTS mode. It also uses DiskCryptor to overwrite the Master Boot Record (MBR) and adds a modified bootloader to display its ransom note, instead of the machine’s normal log-in screen.

In some of the samples we ran, the system was forcefully rebooted (no user interaction needed) after two hours of full disk activity—while the drive is being encrypted—while in others, the affected machine was rebooted twice.

Interestingly, the copy of the DiskCryptor dropped by the samples we analyzed is the same file available in DiskCryptor’s download page. Aside from containing expired certificates, the software itself hasn’t received an update since September 7, 2014. In contrast, HDDCryptor’s operators seemed to have used a modified version of netpass.exe. The version dropped by this ransomware had its properties such as version information stripped out in the binaries. We have reached out and shared our analysis of this ransomware to the developers of these software.

HDDCryptor, like ransomware as a service (RaaS), embodies how little effort can go a long way. At the crux of it is how HDDCryptor utilizes commercially available software to do its nefarious bidding, and ultimately how affected end users and businesses foot the bill for these cybercriminals.

Trend Micro Ransomware Solutions

As ransomware continues to wreak havoc on users, it looks as though it can only up the ante. Considering the severe damage HDDCryptor poses to end users and especially businesses, it is crucial to have preventive measures in place, such as a strengthened backup policy, as well as a proactive, multilayered approach to security: from the gateway, endpoints, networks, and servers.


  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.

    Webserver Protection
    Vulnerability Shielding
    Lateral Movement Prevention


  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    IP/Web Reputation
    Ransomware Protection


Related Hashes detected as Ransom_HDDCRYPTOR.A:


Additional analysis and insights by Sasha Hellberg, Byron Gelera, Fernando Merces, and Lord Remorin

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

BkSoD by Ransomware: HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs

Read more: BkSoD by Ransomware: HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs

Story added 14. September 2016, content source with full text you can find at link above.