HomuWitch is a C# .NET ransomware that primarily targets individual users via a SmokeLoader backdoor disguised as pirated software. It compresses files with Deflate, encrypts them with AES-CBC, and appends the .homuencrypted extension. Avast discovered a flaw in HomuWitch’s encryption and released a free decryptor together with IoCs and C2 server details to help victims recover their files. #HomuWitch #SmokeLoader

Key points

  • HomuWitch first appeared in July 2023 and focuses on end users rather than enterprises.
  • Infection typically follows execution of pirated software that installs the SmokeLoader backdoor and a malicious dropper.
  • The ransomware enumerates drives (skipping drives larger than 3,500 MB), targets the user’s Pictures, Downloads and Documents folders, and only processes files with certain extensions and sizes under 55 MB.
  • Files are compressed with Deflate then encrypted using AES-CBC, and renamed with a .homuencrypted extension; resulting files may be smaller than originals.
  • Before encryption, HomuWitch communicates with CnC servers (mostly Europe) and sends system identifiers like computer name, country code, keyboard layout, and device ID.
  • Ransom demands are low ($25–$70) payable in Monero; ransom notes are retrieved from CnC or embedded in resource sections.
  • Avast identified a vulnerability in HomuWitch’s encryption and released a free decryptor with instructions and published IoCs on GitHub.

MITRE Techniques

  • [T1204] User Execution – Infection occurs via users running pirated software that delivers SmokeLoader: [‘victims are usually infected via a SmokeLoader backdoor, masked as pirated software’]
  • [T1105] Ingress Tool Transfer – A malicious dropper is installed and used to execute the HomuWitch ransomware: [‘installs a malicious dropper that executes the HomuWitch ransomware.’]
  • [T1083] File and Directory Discovery – The malware enumerates drive letters and selects user directories for encryption: [‘drive letters are enumerated and those with a size smaller than 3,500 MB … and current user’s directories for Pictures, Downloads, and Documents … are considered in the encryption process.’]
  • [T1486] Data Encrypted for Impact – HomuWitch compresses and encrypts user files, appending a distinct extension: [‘transforms the files with combination of Deflate algorithm for compression and AES-CBC algorithm for encryption, appending .homuencrypted extension to the filename.’]
  • [T1071] Application Layer Protocol – Uses command-and-control infrastructure to communicate with remote servers: [‘It is also using command-and-control (CnC) infrastructure for its operation, mostly located in Europe.’]
  • [T1041] Exfiltration Over C2 Channel – Sends system-identifying information to CnC servers prior to encryption: [‘HomuWitch sends the following personal information to its CnC servers: Computer name, Country code, Keyboard layout, Device ID’]

Indicators of Compromise

  • [SHA256 hashes] Sample binaries – 03e4f770157c11d86d462cc4e9ebeddee3130565221700841a7239e68409accf, 0e42c452b5795a974061712928d5005169126ad1201bd2b9490f377827528e5d, and 9 more hashes
  • [IP addresses] Command-and-control servers – 78.142.0.42 (US), 79.137.207.233 (Germany), and 2 more IPs
  • [File extension] Encrypted files – .homuencrypted (appended to encrypted filenames)
  • [URLs] Tools and IOC repositories – decryptor: https://files.avast.com/files/decryptor/avast_decryptor_homuwitch.exe, IoCs: https://github.com/avast/ioc/tree/master/HomuWitch
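The indicators above can be turned into a simple host triage check. The Go program below is an added example, not code from Avast or from the original article: it walks a directory tree and flags files that carry the .homuencrypted extension as well as files whose SHA-256 matches a known sample hash. Only the two hashes listed above are embedded; the complete list is in the GitHub repository linked above. The Scanner and Finding types and the function names are this example’s own, not anything from the page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Sample hashes and the encrypted-file extension come from the IoC list
// above; the full hash set (11 hashes) is in the Avast IoC repository.
var HomuWitchHashes = []string{
	"03e4f770157c11d86d462cc4e9ebeddee3130565221700841a7239e68409accf",
	"0e42c452b5795a974061712928d5005169126ad1201bd2b9490f377827528e5d",
}

const EncryptedExt = ".homuencrypted"

// Finding records one match: the path and the indicator that fired.
type Finding struct {
	Path   string
	Reason string // "extension" or "hash"
}

// Scanner holds the indicator set; NewScanner normalises the hashes to
// lower case so lookups are case-insensitive.
type Scanner struct {
	hashes map[string]struct{}
	ext    string
}

func NewScanner(hashes []string, ext string) *Scanner {
	s := &Scanner{hashes: make(map[string]struct{}, len(hashes)), ext: strings.ToLower(ext)}
	for _, h := range hashes {
		s.hashes[strings.ToLower(h)] = struct{}{}
	}
	return s
}

// FileSHA256 streams the file through SHA-256 instead of reading it whole,
// so large user data files do not exhaust memory during a scan.
func FileSHA256(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Scan walks root and reports files that either carry the ransomware's
// extension or match a known sample hash. Unreadable entries are skipped
// rather than aborting the walk, so one locked file does not hide the rest.
func (s *Scanner) Scan(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return nil
		}
		if strings.HasSuffix(strings.ToLower(d.Name()), s.ext) {
			out = append(out, Finding{path, "extension"})
			return nil
		}
		sum, err := FileSHA256(path)
		if err != nil {
			return nil
		}
		if _, hit := s.hashes[sum]; hit {
			out = append(out, Finding{path, "hash"})
		}
		return nil
	})
	return out, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := NewScanner(HomuWitchHashes, EncryptedExt).Scan(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan error:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%-9s %s\n", f.Reason, f.Path)
	}
	fmt.Printf("%d finding(s)\n", len(findings))
}
```

Run it as `go run scan.go C:\Users` (or the mount point of a suspect disk). An extension hit means a file was already encrypted and is a candidate for the decryptor; a hash hit means a dropped copy of the ransomware binary itself is still on disk and should be preserved for analysis before cleanup.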

HomuWitch is delivered when a user runs pirated software that is really a masked installer; it deploys SmokeLoader and a dropper that executes the ransomware binary (C# .NET). On execution the malware enumerates local drive letters (skipping drives larger than 3,500 MB) and focuses on the user’s Pictures, Downloads and Documents folders; it selects files with specific extensions and sizes under 55 MB, compresses each file with Deflate, encrypts the compressed data with AES-CBC, and appends the .homuencrypted extension. Before encrypting, the binary contacts remote CnC servers (primarily in Europe) and sends identifying details such as computer name, country code, keyboard layout and device ID; ransom notes are fetched from the CnC or embedded in the sample, and demands are typically $25–$70 in Monero.

Avast identified an implementation weakness in HomuWitch’s encryption that allows full recovery of affected files and published a free decryptor. To use it: download the executable, run the wizard, select the drives or locations to scan, and provide one original file alongside its encrypted counterpart so the tool can determine the correct password. Start the password-recovery step and, once the password is found, proceed to decrypt all files; leave the default backup option enabled before decrypting so the encrypted files can be restored if anything goes wrong.
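To make two points above concrete, the Deflate-then-AES-CBC transformation from the behaviour description and the decryptor’s “one original plus its encrypted counterpart” password check, here is an added Go example; it is neither HomuWitch’s code nor Avast’s decryptor. Two details are assumptions, not facts from the article: the key is derived from the password with a plain SHA-256 (the page does not describe the real derivation, nor the weakness Avast found), and the IV is stored in front of the ciphertext. The sample text and candidate list are constructed. The example also shows why an encrypted file can end up smaller than the original, as the key points note: compressible input shrinks under Deflate before the IV and block padding are added.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// deriveKey turns a password into a 32-byte AES key. ASSUMPTION: the article
// does not describe HomuWitch's key derivation; SHA-256 stands in for it.
func deriveKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// PKCS#7 padding, as CBC needs whole blocks.
func pkcs7Pad(b []byte, block int) []byte {
	n := block - len(b)%block
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, block int) ([]byte, error) {
	n := 0
	if len(b) > 0 && len(b)%block == 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > block || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Transform models the described pipeline: Deflate the file, then AES-CBC
// encrypt the compressed bytes. ASSUMPTION: the IV (one AES block) is
// prepended to the output; the article does not say where it is kept.
func Transform(plain []byte, password string, iv []byte) ([]byte, error) {
	var comp bytes.Buffer
	w, err := flate.NewWriter(&comp, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	w.Write(plain)
	w.Close()
	blk, err := aes.NewCipher(deriveKey(password))
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(comp.Bytes(), blk.BlockSize())
	out := make([]byte, len(iv)+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out[len(iv):], padded)
	return out, nil
}

// Recover reverses Transform. A wrong password normally fails at the padding
// or inflate step; the caller still compares the result against the original.
func Recover(blob []byte, password string) ([]byte, error) {
	blk, err := aes.NewCipher(deriveKey(password))
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	if len(blob) < 2*bs || (len(blob)-bs)%bs != 0 {
		return nil, errors.New("truncated ciphertext")
	}
	dec := make([]byte, len(blob)-bs)
	cipher.NewCBCDecrypter(blk, blob[:bs]).CryptBlocks(dec, blob[bs:])
	comp, err := pkcs7Unpad(dec, bs)
	if err != nil {
		return nil, err
	}
	return io.ReadAll(flate.NewReader(bytes.NewReader(comp)))
}

// FindPassword is the wizard's known-pair step: a candidate is accepted only
// if it turns the encrypted file back into the original byte for byte.
func FindPassword(original, blob []byte, candidates []string) (string, bool) {
	for _, c := range candidates {
		if got, err := Recover(blob, c); err == nil && bytes.Equal(got, original) {
			return c, true
		}
	}
	return "", false
}

func main() {
	plain := bytes.Repeat([]byte("constructed sample document text\n"), 200)
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	blob, _ := Transform(plain, "correct-horse", iv)
	fmt.Printf("original %d bytes, encrypted %d bytes\n", len(plain), len(blob))
	pw, ok := FindPassword(plain, blob, []string{"guess1", "hunter2", "correct-horse"})
	fmt.Println("password confirmed:", ok, pw)
}
```

The design point is that the check never needs to know which candidate is right in advance: a wrong key produces garbage that fails padding validation or inflation, and even in the rare case where both pass by chance the byte-for-byte comparison with the original rejects it. That is why the wizard asks for exactly one intact file next to its .homuencrypted twin.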

Read more: https://decoded.avast.io/threatresearch/decrypted-homuwitch-ransomware/