Ransomware - DHC

DHC
Aliases
DenisHatingClub
Decryptor Available
No
Description

DHC, or DenisHatingClub, is reportedly a variant of Hidden Tear, an open-source ransomware built for educational purposes by Utku Sen that has been leveraged by threat actors since 2015. However, upon analysis of a sample of DHC, it is determined that it is more closely related to EDA2, another open-source ransomware variant created by Utku Sen. Both of these open-source ransomware tools have similar functionality, but EDA2 is a bit more complex. For example, they both use AES-256-CBC to encrypt files, but EDA2, and its variants, employ RSA-2048-OAEP to encrypt the AES-256 key. Another example is the opportunity to change the victim's wallpaper. Nonetheless, saying that DHC is a variant of Hidden Tear is technically correct. The creator of DHC tweaked the source code quite a bit but retains all of the functionality of its predecessor.

The assumed intent of DHC is to target an individual named Denis in the Leningrad Oblast region of Russia. The extortion link listed below is a website created to dox and shame this individual, who was allegedly 12 years old at the time of the creation of this ransomware. The website includes information about this individual's family and other personal information, including screenshots of their interactions and sensitive information about their family. It's uncertain if this ransomware was created as a prank or if it targeted a select few individuals. Whatever the reason, the ransomware targeted a minor. So, that is the extent of the analysis, and we are stopping here.

Ransomware Type
Crypto-Ransomware
First Seen
Last Seen
Lineage
Extortion Types
Blackmail
Direct Extortion
Extortion Amounts
Amount
0.001BTC($42)
Communication
Mittel
Bezeichner
Discord
Encryption
Type
Hybrid
Files
AES-256-CBC
Key
RSA-2048-OAEP
Crypto Wallets
Blockchain Type
Crypto Wallet
BTC
3Noaeg8zi1ErUeSf7YeM1eNWdaEdzJmADJ
File Extension
<file name>.<file extension>.<4 random alphanumeric characters>
Ransom Note Name
READ_IT.txt
Ransom Note Image
Samples (SHA-256)
10c43619167da0f0bfc8a55156544fb9d4bfc22a491b50b76aec519cfd3e3037
References & Publications