Halloware Ransomware is Dead

A few months ago we did a deep dive on Halloware ransomware. Halloware was notable for both being ransomware-as-a-service and for its low, low price to wanna-be attackers ($40). While most other folks have moved on, we continued our monitoring of this ransomware for the last few months. Today, this campaign appears to be dead.

Halloware – We Totally Knew Ye

Why Do We Care About Dead Ransomware?

Ransomware is a fast-moving space, with new samples and variants popping up almost daily. Accordingly, in order to fully understand the threat landscape, we need to understand what worked for attackers, and what didn’t. Halloware is a case of the latter.

A snapshot (taken in Feb 2018) of the Bitcoin wallet used in the Halloware campaign.

We feel comfortable calling Halloware dead for a few reasons. First, we have been using multiple email accounts to talk to the author of Halloware since we first reported on it in December. All communications have broken off, and the author has not responded to any new requests in over a month. Second, our sensors have not detected any new infections since our original article, meaning that the author does not seem to be actively pushing this variant. Finally, it doesn’t seem like the author of this piece of ransomware was making any money (more on this later).

Who Was This?

A number of outlets reported that the likely author of Halloware was a teenager going by the name Lucifer. Researchers quickly determined that the author was likely a student living in Northern India. By playing the part of ransomware victims, we were able to confirm much of this and learn a good deal more, simply by talking to him.

Problems with OPSEC continued during our interactions with Lucifer. For instance, we received the same Bitcoin wallet address in response to every unique personality we used to contact him. Because the same address was handed to every "victim," every payment to the campaign would land in one place, which allowed us to monitor Lucifer's campaign from inception to death. To the best of our knowledge, Lucifer didn't receive any payments (see the picture above).
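The monitoring trick described above boils down to two steps: pull the payment address out of each ransom note you are handed, and notice when the same address shows up across personas. The following is an added example of that workflow, not code from CryptoDrop or from the Halloware author. It validates each address with Base58Check (the double-SHA256 checksum used by legacy Bitcoin addresses) before trusting it, so a typo or a deliberately mangled note does not pollute the tracking set, and then groups personas by address. The ransom-note text, the persona names and the 20-byte hash used to build the sample address are all constructed for the example; bech32 (bc1...) addresses use a different encoding and are out of scope here.

```python
import hashlib
import re
from collections import defaultdict

# Bitcoin's Base58 alphabet: no 0, O, I or l, to avoid look-alike characters.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # raises ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def _checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(version: int, payload: bytes) -> str:
    data = bytes([version]) + payload
    return b58encode(data + _checksum(data))


def is_valid_legacy_address(addr: str) -> bool:
    """True for a well-formed mainnet P2PKH (version 0x00) or P2SH (0x05) address."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    data, checksum = raw[:21], raw[21:]
    return _checksum(data) == checksum


# Legacy addresses start with '1' or '3' and are 26-35 Base58 characters long.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def extract_addresses(text: str) -> list:
    return [m.group(0) for m in ADDR_RE.finditer(text)]


def find_address_reuse(notes: dict):
    """Map each valid address to the personas that received it; collect rejects.

    Returns (reused, rejected): reused holds only addresses seen by more than
    one persona, rejected lists (persona, address) pairs that failed validation.
    """
    seen = defaultdict(set)
    rejected = []
    for persona, text in notes.items():
        for addr in extract_addresses(text):
            if is_valid_legacy_address(addr):
                seen[addr].add(persona)
            else:
                rejected.append((persona, addr))
    reused = {a: sorted(p) for a, p in seen.items() if len(p) > 1}
    return reused, rejected


# --- Constructed sample data (not a real key, not a real campaign) ---------
# 20 arbitrary bytes standing in for HASH160(pubkey); the address is derived from them.
_HASH160 = hashlib.sha256(b"constructed example, not a real key").digest()[:20]
SAMPLE_ADDR = b58check_encode(0x00, _HASH160)
# Same address with its last character swapped: still looks like an address, fails the checksum.
MANGLED_ADDR = SAMPLE_ADDR[:-1] + ("2" if SAMPLE_ADDR[-1] != "2" else "3")

NOTES = {  # constructed ransom-note snippets, one per persona used to contact the author
    "victim_a": f"Your files are encrypted. Send 0.1 BTC to {SAMPLE_ADDR} to get the key.",
    "victim_b": f"Pay {SAMPLE_ADDR} within 72 hours or your files are gone.",
    "victim_c": f"Pay {MANGLED_ADDR} within 72 hours or your files are gone.",
}

if __name__ == "__main__":
    reused, rejected = find_address_reuse(NOTES)
    for addr, personas in reused.items():
        print(f"address reused across personas {personas}: {addr}")
    for persona, addr in rejected:
        print(f"rejected malformed address from {persona}: {addr}")
```

Once an address is confirmed and seen across personas, watching its balance on a public block explorer gives the same picture as the wallet snapshot above: one address, zero incoming payments, campaign dead.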

Like every other piece of ransomware we have ever seen, CryptoDrop stopped Halloware.

We believe that this was in large part due to the unstable nature of Halloware. As mentioned in our previous article, this particular strain of ransomware crashed on most of our test machines. That means that very few machines even had an opportunity to be impacted. For the few configurations that did allow Halloware to run, CryptoDrop stopped it in every case.

In our communications with Lucifer, it was pretty clear that things were not going well. While we encouraged him to release a decryptor, he insisted that he needed to make a small amount of money first for school expenses.

Shortly after that, all communication with Lucifer ended across all accounts. Additionally, nobody (including us) has seen any updates to this variant.

Lessons Learned

Building ransomware is easy – all you have to do is create an executable that traverses the file system and encrypts every file it sees. This isn’t outside of the skillset of a first year computer science student. Getting that code to work in a stable fashion across many different Windows systems without the necessary dependencies is harder and takes some practice.

Actual error message from Halloware execution.

The point is that you should expect to continue seeing ransomware. Even though Halloware was poorly written, it accomplished its mission if you happened to be unlucky enough to have a system with the right configuration. With slightly more experience, Halloware could have been a much bigger deal. Assuming that Lucifer keeps up his studies, he might very well be back in the near future.

Don’t have the money to pay ransom? Don’t have the time to deal with your files being stolen from you? Give us a shot. CryptoDrop has stopped every single piece of ransomware that we have seen, the first time we tested it. You can try us for free today. When your antivirus fails, We Stop Ransomware.
