Hiddentear ransomware variant encrypts and gives files .poop extension


The SonicWall Capture Labs Threat Research Team have received reports of ransomware that encrypts files and gives them a .poop extenstion.  The malware is created based on the open source platform known as HiddenTear.  The operator charges 0.12277114 BTC ($1200 USD) for decryption.

Infection Cycle:

Upon infection, files on the system are encrypted and the desktop background is changed to the following image:

A window pops up with the following message:

The trojan is seen in the process list running as “Ranso”:

The trojan drops the following files onto the system:

  • %SYSTEMDRIVE%\Users\%USERNAME%\Desktop\READ_IT.txt
  • %SYSTEMDRIVE%\%USERNAME%\bg.jpg (desktop background image shown above)
  • %SYSTEMDRIVE%\%USERNAME%\Rand\local.exe (copy of original) [Detected as: GAV: Hiddentear.RSM_22 (Trojan)]

Encrypted files are renamed with “.poop” appended to their original filenames.

READ_IT.txt contains the following text:

The trojan makes the following DNS query:

  • hostfs1mai.temp.swtest.ru

The infection is reported to a remote server and leaks system information:


The ransom note suggests using Telegram to contact @CyberDexter, the operator. We had the following brief conversation via Telegram with @CyberDexter discussing payment:

The operator offers reassurence that they have control of decryption keys for their victims.

The transaction history for the supplied bitcoin address (1K3YKBq8qGrnmJ7TKkLbTiGL59UHBYh7LF) suggests that the operator may have had some success:


SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • GAV: Hiddentear.RSM_22 (Trojan)

Also, this threat is detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.