HR ransomware

HR ransomware is a data locker that attacks Network-attached storage (NAS) devices via firmware vulnerabilities

HR ransomware is a data wiper that corrupts all the files on NAS device but asks for ransom for the recovery key

HR ransomware is a data wiper that corrupts all the files on NAS device but asks for ransom for the recovery key

HR ransomware is malware that was first identified by a security researcher Amigo-A in early March 2020. While its main goal exactly the same as other file locking viruses – to make victims pay for the decryption tool, this ransomware’s operation principle is a bit different – it only targets NAS (Network-attached storage) devices – so far, only Zyxel Nas326 model was seen being infected in the wild. Researchers believe that HR ransomware is injected into the machine using a firmware vulnerability that allowed the attackers to obtain root access.

HR ransomware developers ask users to pay 0.113 BTC to the 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX Bitcoin wallet and then email them via [email protected] to allegedly retrieve the decryption key that could unlock data. All the information is provided inside RANSOM_NOTE.txt file, which serves as message from the virus authors. Paying the ransom may be completely useless due to a different type of file modification method in comparison to regular ransomware infections.

Unlike regular ransomware viruses that target desktop computers running Windows, HR ransomware goes for NAS devices. In the wild, most of the infections occur on regular machines and their connected networks, although there have been other file-locking malware that was targeting NAS systems before, such as Muhstik, DecryptIomega, and others. Similarly to HR ransomware, these infections were proliferated with the help of software vulnerabilities.

HR ransomware targets the most common file types on the NAS system, including .jpg, .doc, .txt, .dat, .ppt, .mp4, etc., in order to cause maximum damage to victims. However, instead of encrypting files with a secure encryption algorithm,^[1] HR virus damages files by replacing their content with a string sdsdfvjregjnuituergburiaylrgfreg784r78q3784rtgoyfp027r8go8graofbhsldcdyrfo7gf. 

Each of such compromised files, regardless of its original size, turns into a 77kb size file and is appended with .HR or .hr.hr.hr extension. Despite that, researchers believe that the attackers may transfer the original files to their own servers, which may make the redemption possible. No documented recovery was yet tracked, although the Bitcoin wallet used by attackers already has two transactions.^[2]

After the encryption process, HR ransomware victims can find the following ransom note:

The harddisks of your computer have been encrypted with an Military grade encryption algorithm.
There is no way to restore your data without a special key.
Only we can decrypt your files!
To purchase your key and restore your data, please follow these three easy steps:
1. pay exactly 0.1130 BTC to this Wallet : 3MAqy8bi5SGrfYAzhavTjZWRNBsLvgZ8sX
2. Once payment has been completed, send email to [email protected] .send this id as content of email : 1mk8hjkn2old3
We will check to see if payment has been paid.
3. You will receive a text file with your KEY that will unlock all your files.
IMPORTANT: To decrypt your files, place text file on desktop and wait. Shortly after it will begin to decrypt all files.
WARNING:
Do NOT attempt to decrypt your files with any software as it is obselete and will not work, and may cost you more to unlcok your files.
Do NOT change file names, mess with the files, or run deccryption software as it will cost you more to unlock your files-
-and there is a high chance you will lose your files forever.
Do NOT send “PAID” button without paying, price WILL go up for disobedience.
Do NOT think that we wont delete your files altogether and throw away the key if you refuse to pay. WE WILL.

Email: [email protected]

Unfortunately, due to the nature of the attack, believing cybercriminals should not be an option. Even if HR ransomware authors transfer all the healthy data to their own servers, it is important to note that their storage will run out of space eventually (NAS devices typically store a large amount of data).

HR ransomware is a type of malware that attacks NAS devices via firmware vulnerabilities

HR ransomware is a type of malware that attacks NAS devices via firmware vulnerabilities

Nevertheless, because many users may be unaware of these circumstances, HR ransomware developers may use it as a means for blackmail. Those who pay the ransom may end up scammed. Unfortunately, the affected files located on the device are damaged, and no recovery software will retrieve them.

The best advice would be to remove HR ransomware from the machine to prevent the incoming data compromise. For that, victims should employ powerful security software and perform a full system scan. In case your system is malfunctioning even after HR ransomware removal, repair it with Reimage Reimage Cleaner .

Vulnerabilities allow malware to penetrate systems automatically

Software vulnerabilities are essentially “weak spots” within the code that can be used for various purposes. By exploiting these flaws, malicious actors can escalate privilege, disable security software, implant malware, and perform many other actions (depending on the severity of the vulnerability).

Vulnerabilities that are exploited in the wild are called Zero-day^[3] flaws, which means that they have not yet been fixed by the responsible party (essentially, developer of the software). Ransomware that attacks NAS devices is typically spread by using zero-days, so there is no way to mitigate the attack vector until the developer fixes the flaw and then releases a security patch.

Therefore, we strongly advise not using Zyxel Nas326 for the time being until the vulnerability is patched. As a minimal precautionary measure, the stored data should be backed on another storage device until the flaw is fixed.

HR ransomware changes the size of each of the file to 77kb and replaces the contents with sdsdfvjregjnuituergburiaylrgfreg784r78q3784rtgoyfp027r8go8graofbhsldcdyrfo7gf, corrupting data in the process

HR ransomware changes the size of each of the file to 77kb and replaces the contents with sdsdfvjregjnuituergburiaylrgfreg784r78q3784rtgoyfp027r8go8graofbhsldcdyrfo7gf, corrupting data in the process

Delete the HR ransomware infection from your NAS device

Since HR ransomware virus is a relatively new infection, not much is known about its operation or even HR ransomware removal methods. Therefore, we first suggest to install a reputable anti-malware program and perform a full system scan via the App Center functionality. Additionally, you should also change all the passwords related to the device, remove unknown user accounts, get rid of unwanted apps, and set an access control list via Control Panel > Security > Security level.

However, if you could not remove HR ransomware from the system by using anti-malware, you might have to perform a full factory reset by going to the following path: Control Panel > Service > Maintenance > Configuration Backup > Factory Reset.

As for HR ransomware affected files, currently, there is no solution available, as the data gets corrupted. We suggest waiting till security researchers find out more about this data wiper.