Halloware Ransomware is Dead

A few months ago we did a deep dive on Halloware ransomware. Halloware was notable for both being ransomware-as-a-service and for its low, low price to wanna-be attackers ($40). While most other folks have moved on, we continued our monitoring of this ransomware for the last few months. Today, this campaign appears to be dead.

Halloware – We Totally Knew Ye

Why Do We Care About Dead Ransomware?

Ransomware is a fast-moving space, with new samples and variants popping up almost daily. Accordingly, in order to fully understand the threat landscape, we need to understand what worked for attackers, and what didn’t. Halloware is a case of the latter.

A snapshot (taken in Feb 2018) of the Bitcoin wallet used in the Halloware campaign.

We feel comfortable calling Halloware dead for a few reasons. First, we have been using multiple email accounts to talk to the author of Halloware since we first reported on it in December. All communications have broken off, and the author has not responded to any new requests in over a month. Second, our sensors have not detected any new infections since our original article, meaning that the author does not seem to be actively pushing this variant. Finally, it doesn’t seem like the author of this piece of ransomware was making any money (more on this later).

Who Was This?

A number of outlets reported that the likely author of Halloware was a teenager going by the name Lucifer. Researchers quickly determined that the author was likely a student living in Northern India. By playing the part of ransomware victims, we were able to learn a lot more from Lucifer. We were able to confirm much of this simply by talking to him.

Problems with OPSEC continued during our interactions with Lucifer. For instance, we received the same Bitcoin wallet address in response to every  unique personality we used to contact him. That allowed us to monitor Lucifer’s campaign from inception to death. To the best of our knowledge, Lucifer didn’t receive any payments (see the picture above).

Like every other piece of ransomware we have ever seen, CryptoDrop stopped Halloware.

We believe that this was in large part due to the unstable nature of Halloware. As mentioned in our previous article, this particular strain of ransomware crashed on most of our test machines. That means that very few machines even had an opportunity to be impacted. For the few configurations that did allow Halloware to run, CryptoDrop stopped it in every case.

In our communications with Lucifer, it was pretty clear that things were not going well. While we encouraged him to release a decryptor, he insisted that he needed to make a small amount of money first for school expenses.

Shortly after that, all communication with Lucifer ended across all accounts. Additionally, nobody (including us) has seen any updates to this variant.

Lessons Learned

Building ransomware is easy – all you have to do is create an executable that traverses the file system and encrypts every file it sees. This isn’t outside of the skillset of a first year computer science student. Getting that code to work in a stable fashion across many different Windows systems without the necessary dependencies is harder and takes some practice.

Actual error message from Halloware execution.

The point is that you should expect to continue seeing ransomware. Even though Halloware was poorly written, it accomplished its mission if you happened to be unlucky enough to have a system with the right configuration. With slightly more experience, Halloware could have been a much bigger deal. Assuming that Lucifer keeps up his studies, he might very well be back in the near future.

Don’t have the money to pay ransom? Don’t have the time to deal with your files being stolen from you? Give us a shot. CryptoDrop has stopped every single piece of ransomware that we have seen, and on the first time we tested them. You can try us for free today. When your antivirus fails, We Stop Ransomware.



Halloware – A Deeper Dive

A new strain of ransomware popped up over the weekend: Halloware. We’ve been watching it for a few days to give you the scoop on what it does and how it operates. Let’s get to the most important point quickly:

CryptoDrop stopped this one the first time we saw it, just like we have every piece of ransomware we’ve ever seen. Halloware was able to encrypt 13 files before we stop it, but our Fast Recovery edition restores them in under one second.

Now let’s talk details. Halloware is a little different in that it is basically “ransomware as a service”. For $40, the author (“Luc1F3R”) will provide you with your own ransomware that allows you to [sic] “Create Your Own Ransomware Without Any Knowledge About Coding”. It also claims to “Bypass Every Anti Virus”, but it was certainly no match for CryptoDrop.


Halloware attempts to make a network connection to a server located in Utah. It’s extremely unlikely that the author of this particular piece of ransomware is actually located in the United States – Bleeping Computer guesses that Luc1F3R is likely based in India based on his/her GitHub account information. While this site had more content a few days ago, it appears to be dead now. However, before that happened, we were able to get to the next step of the ransom process.

Unsurprisingly, Halloware attempts to direct victims to a Tor Hidden Service (a.k.a. the “dark web”) to recover their files. The price of getting the decryption key is $150, and the attacker wants that payment in Bitcoin.

The image above is fairly informative about the quality of this particular piece of ransomware: from the missing image to the broken payment link, this is not a well put-together operation. In fact, there’s probably a reason that Luc1F3R is only selling copies for $40 – Halloware crashes frequently.

At the time we put this article together, it doesn’t actually appear to be possible to get your data back from this campaign. The ransom message no longer appears on any of the systems we tested. That means without CryptoDrop, you might be completely out of luck.

We don’t want to help the authors of this ransomware with any tips, but it appears as if our testing was far more extensive than theirs. Halloware can certainly encrypt files on many systems, but its stability varies greatly. Just like the website hints to, it is unlikely that these folks are professional software engineers. That doesn’t mean that it won’t get better with time or that you shouldn’t protect yourself now.

Time will tell if Halloware becomes a real threat. But there’s no need to wait and see – CryptoDrop stops Halloware without any issue. We’ve stopped WannaCry, Scarab, Cerber, and the list goes on and on.

Give us a shot – before the Halloware team gets their act together.

Join us – We Stop Ransomware