HydraCrypt Ransomware Targets Brazil and Charges $5,000 for Decryption



The SonicWall Capture Labs threat research team has recently been tracking ransomware known as HydraCrypt. HydraCrypt originates from the CryptBoss ransomware family and was first seen in early 2016. The sample that we analyzed demands $5,000 in Bitcoin for file retrieval, but no contact information is given for confirming recovery or negotiating a price. This variant of HydraCrypt is aimed at Brazil and claims to have successfully attacked many Brazilian firms.

The malware is written in .NET.  We can see the inner workings of the malware after decompilation. It first checks if an instance of itself is already running by looking for a mutex matching a specific pattern:

After passing the above check, the malware injects itself into svchost.exe and then proceeds to encrypt files:

Files on the system are encrypted.  Each encrypted file is given a random four-alphanumeric-character file extension.  After file encryption, a file called “read_it.txt” is dropped into directories containing encrypted files.  It contains the following message in Portuguese and is displayed on the desktop using Notepad:

The message roughly translates to:

“ … :::: Legal warning :::: …

Due to numerous flaws in the company Infomach, you have suffered this ransomware attack.

We were indignantly indignant to all the customers of this company. For, as a company that supposedly sells security, has no security?

They live deceiving their customers, offering Pentest and delivering vulnerabilities scanner that solves nothing.

And another, besides selling cat by hare, like to entice the guys of IT. Giving goodies, taking to trips, paying dinners lunch anyway. If you are receiving this message, we suggest you look for a new Cyber security company most responsible.

This time our attack was very simple. Next time will lose everything: data, backup, and all your files will be leaked on the internet for everyone to download.

Infomach you are an amateur company that deceives your customers. Her owners is worth nothing. It is very rich selling dreams.

We did our homework, we studied all your steps to many, many years.

The price of the software is $ 5,000. Payment can be made only in bitcoin


Payment Information Amount: 0.08 BTC

Bitcoin Address: BC1QH2K3S6Z32V6787XN2QX4V655ZK5ZADP9ES4DTZ

Other customers who are exposed due to the incompetence of Infomach.

…. ”

A list of targeted directories can be seen in the code:

A list of targeted file extensions is also visible:

The malware takes several measures to disable system recovery:

A JPEG image is embedded in the malware file in base64-encoded form:

After being decoded and written to disk, it is set as the desktop wallpaper:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: HydraCrypt.RSM_1(Trojan)


This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.
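The two on-disk traces described above, a “read_it.txt” note sitting beside files that carry a random four-alphanumeric-character extension, can be checked together during triage. The following Python script is an added example, not SonicWall's code or part of the original analysis. The allowlist of legitimate four-character extensions, the three-file threshold and the treatment of the random extension as the final suffix are assumptions, and the directory tree it scans is constructed.

```python
import os
import re
import tempfile

NOTE_NAME = "read_it.txt"  # ransom note file name given in the write-up
EXT_RE = re.compile(r"[A-Za-z0-9]{4}")
# Assumption: legitimate four-character extensions to ignore (not from the page).
KNOWN_4CHAR = {"docx", "xlsx", "pptx", "jpeg", "html", "json", "tiff", "yaml"}
MIN_HITS = 3  # Assumption: minimum matching files before a directory is reported


def suspicious_ext(filename):
    """Return the final extension if it is four alphanumerics and not a known type."""
    ext = os.path.splitext(filename)[1].lstrip(".")
    if EXT_RE.fullmatch(ext) and ext.lower() not in KNOWN_4CHAR:
        return ext
    return None


def scan(root):
    """Map each directory holding the note to its files with suspicious extensions."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if not any(f.lower() == NOTE_NAME for f in files):
            continue  # the note is dropped wherever files were encrypted
        hits = sorted(f for f in files if suspicious_ext(f))
        if len(hits) >= MIN_HITS:
            findings[dirpath] = hits
    return findings


def demo():
    """Build a constructed directory tree (empty files only) and scan it."""
    layout = {
        "finance": ["read_it.txt", "q1.xlsx.k3Zp", "q2.xlsx.9aQx", "notes.txt.Xy12"],
        "docs": ["read_it.txt", "a.docx", "b.xlsx", "c.html"],  # note, benign types
        "photos": ["img1.a1B2", "img2.c3D4", "img3.e5F6"],      # no note present
    }
    with tempfile.TemporaryDirectory() as root:
        for sub, names in layout.items():
            os.makedirs(os.path.join(root, sub))
            for name in names:
                open(os.path.join(root, sub, name), "w").close()
        return {os.path.relpath(d, root): f for d, f in scan(root).items()}


if __name__ == "__main__":
    for directory, files in demo().items():
        print(directory, files)
```

Requiring both the note and several unrecognized extensions keeps ordinary `.docx` or `.html` files from being reported on their own.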
