[HelloXD ransomware]
[Virus/malware activity reported: HelloXD ransomware]
An intrusion incident presumed to involve the HelloXD ransomware has occurred.
The findings are summarised below as a warning.
How it works
File version
HelloXD ransomware encrypts files, appending the .hello extension, and also deletes volume shadow copies. Deleting the shadow copies during encryption removes a recovery path and makes restoring the files more difficult.
[Figure 0] Actual extension changed after ransomware infection
This is the file information.
[Figure 1] White Defender Analysis
[Figure 2] File properties
Behavioral process
Deleting shadow copies
The ransomware deletes shadow copies so that the encrypted data cannot easily be recovered from them.
[Figure 3]
Target drives
It calls GetLogicalDrives to enumerate the drive letters and targets every drive except A: (the floppy drive); mapped network drives are included.
[Figure 4] <Ransomware internal code>
[Figure 5] <Source: https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getdrivetypea>
Infection results
A ransom note named Hello.txt is written to each folder, and as encryption proceeds each file is renamed to <original file name>.hello.
[Figure 6] An example of an encrypted file with the extension changed to .hello.
[Figure 7] HelloXD ransomware note
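The two infection markers described above (a Hello.txt note in each folder and files renamed to *.hello) can be used for post-incident triage. The following is an added example, not code from the advisory or from White Defender; it scans a directory tree for both markers, returns a verdict, and derives the pre-infection file names as a list for restoring from backup. The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile

# Infection markers named in the advisory above; NTFS is case-insensitive,
# so names are compared in lower case.
NOTE_NAME = "hello.txt"       # ransom note dropped into every folder
ENCRYPTED_SUFFIX = ".hello"   # extension appended to each encrypted file


def scan_for_helloxd(root: str) -> dict:
    """Walk `root`; collect folders holding a note and every *.hello file."""
    notes, encrypted = [], []
    for dirpath, _subdirs, files in os.walk(root):
        if any(f.lower() == NOTE_NAME for f in files):
            notes.append(dirpath)
        encrypted += [os.path.join(dirpath, f) for f in files
                      if f.lower().endswith(ENCRYPTED_SUFFIX)]
    return {"notes": sorted(notes), "encrypted": sorted(encrypted)}


def original_name(encrypted_path: str) -> str:
    """Strip .hello to get the pre-infection name (the backup-restore list)."""
    head, tail = os.path.split(encrypted_path)
    return os.path.join(head, tail[:-len(ENCRYPTED_SUFFIX)])


def verdict(markers: dict) -> str:
    """Both markers: infected; only one: suspicious; neither: clean."""
    has_notes, has_enc = bool(markers["notes"]), bool(markers["encrypted"])
    if has_notes and has_enc:
        return "infected"
    return "suspicious" if (has_notes or has_enc) else "clean"


def build_sample_tree(base: str) -> None:
    """Constructed sample, not real malware output: one hit folder, one clean."""
    os.makedirs(os.path.join(base, "docs"))
    os.makedirs(os.path.join(base, "pics"))
    for name in ("report.docx.hello", "budget.xlsx.hello", "Hello.txt"):
        open(os.path.join(base, "docs", name), "w").close()
    open(os.path.join(base, "pics", "holiday.jpg"), "w").close()


def run_sample() -> dict:
    """Scan the constructed tree in a temp dir; return a path-relative summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = scan_for_helloxd(tmp)
        rel = lambda p: os.path.relpath(p, tmp).replace(os.sep, "/")
        return {"verdict": verdict(found),
                "note_dirs": [rel(d) for d in found["notes"]],
                "restore": [rel(original_name(p)) for p in found["encrypted"]]}
```

Pointing `scan_for_helloxd` at a real volume root gives the same summary for that host; a folder with a note but no .hello files (or the reverse) is reported as suspicious rather than infected.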
White Defender response
White Defender blocks the ransomware's malicious actions and, in real time, automatically restores the files that were encrypted before the block took effect.
[Figure 8] Action blocking message
[Figure 9] Blocking log