HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research Palo Alto team observed multiple variants impacting Windows and Linux systems. Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.
Unit 42 performed an in-depth analysis of the ransomware samples, the obfuscation and execution from this ransomware family, which contains very similar core functionality to the leaked Babuk/Babyk source code. It was also observed that one of the samples deployed MicroBackdoor, an open-source backdoor allowing an attacker to browse the file system, upload and download files, execute commands, and remove itself from the system. Pako Alto researchers believe this was likely done to monitor the progress of the ransomware and maintain an additional foothold in compromised systems.
Source: Palo Alto/Unit 42