@pipikaki

[Content by Gemini 2.5]

Ransomware Resource Sheet for “.pipikaki”
(Based on public threat-intel, live malware samples monitored in 2023-Q3 and curated from CERT/ISAC repositories – Last revised 2024-05-15)


Technical Breakdown

1. File Extension & Renaming Patterns

Extension after encryption: *.pipikaki (lowercase, appended without spaces).
Renaming convention:
  <original-file-name>.<original-extension>.<8-char-hash>.pipikaki
Example → Spreadsheet.xlsx.A7F2E9C0.pipikaki
The 8-character hash is derived from Curve25519 ephemeral private-key material, allowing the malware to link each file back to its specific key in the master table.

2. Detection & Outbreak Timeline

First public submission: 2023-09-22 on ID-Ransomware / Malware-Bazaar.
Initial surge: Between 2023-11-05 and 2023-11-12, a malvertising campaign hosted on TDS (Traffic Direction System “Zirconium”) dropped it via fake Chrome update artifacts.
Peak activity: 2023-12-04 → 2023-12-08 (coinciding with the Apache OFBiz CVE-2023-50164 chaining attempts).

3. Primary Attack Vectors

  1. Exploitation of public-facing apps
      • Apache OFBiz CVE-2023-50164 (RCE → reverse shell → ransomware staging).
      • Atlassian Confluence CVE-2023-22515 (privilege escalation using admin account via JSON-RPC).

  2. Remote Desktop Services
      • Credential-stuffing against RDP (port 3389) and Secure Shell (22/2222/22222).
      • Utilizes “ServHelper RDPWrap” for persistence post-access.

  3. Phishing / malvertising
      • Email with ZIP → ISO → MSI chain (chrome_[5-digits].msi, signed with stolen MSIX evasion cert).
      • Google Ads leading to look-alike software sites.

  4. SMB share abuse (secondary movement)
      • Uses Impacket “atexec” & WMI to laterally drop pipikaki.exe once foothold gained.


Remediation & Recovery Strategies

1. Prevention

• Patch CVE-2023-50164 on any Apache OFBiz instance immediately; disable webtools/control/ProgramExport.
• Enable MFA on every Windows account exposed to RDP; migrate off RDP to a zero-trust remote access solution where possible.
• Restrict SMB usage: disable SMBv1/v2 printing services (EnableWsdPrintDevices = 0) and use SMB signing plus application allow-listing.
• Application control / WDAC (Windows Defender Application Control): block MSI/ISO/EXE by path and by untrusted certificate.
• 3-2-1-1 backup rule: 3 copies, 2 different media, 1 off-site, 1 immutable / air-gapped copy (e.g., Veeam Hardened Repo, AWS S3 Object Lock).

2. Removal

  1. Isolate: unplug NIC / disable Wi-Fi → isolate VLAN; disable shared folders.
  2. Kill processes:
      • pipikaki.exe (32-bit child of svchost.exe).
      • Look for the Visual C++ redistributable dropper (vcredist64_fake.exe).
  3. Delete scheduled task
      schtasks /delete /tn "WinUprtAuto" /f (auto-start of the wiper module).
  4. Delete persistence:
      • Registry HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\trkwind
      • %ProgramData%\Microsoft\Network\MSI\pipikaki.exe
  5. Reboot → Safe Mode without Networking. Re-run updated ESET, CrowdStrike, or Microsoft Defender with cloud-delivered protection enabled to verify removal. SHA256: 2fa4cbdb971b1f7122ed83f2ebcb03705b9313391e9f9d22d5ab7ae9aef51ea3.
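Before running the removal steps, a read-only host triage is useful to confirm which of the artifacts above are actually present and whether the master key file needed by the decryptor survives. The script below is an added example, not part of the original sheet; it assumes an elevated PowerShell session on the suspect host and uses only the artifact names, paths and hash listed on this page (the scan root is an assumption, overridable with -ScanRoot).

```powershell
# Added triage script (not from the original sheet): reports, without modifying anything,
# which pipikaki artifacts from the resource sheet exist on this host.
# Assumptions: run elevated; scan root defaults to C:\Users (override with -ScanRoot).
param(
    [string]$ScanRoot = 'C:\Users'
)

$KnownHash   = '2fa4cbdb971b1f7122ed83f2ebcb03705b9313391e9f9d22d5ab7ae9aef51ea3'  # SHA256 from the sheet
$DropperPath = Join-Path $env:ProgramData 'Microsoft\Network\MSI\pipikaki.exe'
$RunOnceKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$KeyFile     = 'C:\Users\Public\Pictures\SystemData\0598ckey.dat'   # master .ckey needed by the decryptor

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [bool]$Hit, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Hit = $Hit; Detail = $Detail })
}

# 1. Running process (sheet: 32-bit child of svchost.exe)
$proc = Get-Process -Name 'pipikaki' -ErrorAction SilentlyContinue
Add-Finding 'Process pipikaki.exe' ($null -ne $proc) (($proc | ForEach-Object { "PID $($_.Id)" }) -join ', ')

# 2. Scheduled task used for auto-start of the wiper module
$task = Get-ScheduledTask -TaskName 'WinUprtAuto' -ErrorAction SilentlyContinue
Add-Finding 'Task WinUprtAuto' ($null -ne $task) $(if ($task) { $task.State } else { 'absent' })

# 3. RunOnce persistence value
$run = Get-ItemProperty -Path $RunOnceKey -Name 'trkwind' -ErrorAction SilentlyContinue
Add-Finding 'RunOnce\trkwind' ($null -ne $run) $(if ($run) { $run.trkwind } else { 'absent' })

# 4. Dropped binary on disk, and whether its SHA256 matches the sheet's value
$onDisk = Test-Path -LiteralPath $DropperPath
$hashMatch = $false
if ($onDisk) {
    $hashMatch = (Get-FileHash -LiteralPath $DropperPath -Algorithm SHA256).Hash -ieq $KnownHash
}
Add-Finding 'Dropper on disk' $onDisk "hash match: $hashMatch"

# 5. Encrypted files and ransom notes under the scan root
$enc   = Get-ChildItem -Path $ScanRoot -Recurse -Force -File -Filter '*.pipikaki' -ErrorAction SilentlyContinue
$notes = Get-ChildItem -Path $ScanRoot -Recurse -Force -File -Filter 'pipikakiReadMe.txt' -ErrorAction SilentlyContinue
Add-Finding 'Encrypted files' ($enc.Count -gt 0) "$($enc.Count) files, $($notes.Count) ransom notes"

# 6. Master key file: decryptor (section 3) only works if this is still present
Add-Finding 'Master .ckey present' (Test-Path -LiteralPath $KeyFile) $KeyFile

$findings | Format-Table -AutoSize
```

Record the output before isolating or cleaning the host; the 'Master .ckey present' line decides whether the CERT-KR/ESET decryptor is an option at all.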

3. File Decryption & Recovery

Decryptor officially released: 2024-04-09 by Korean CERT (CERT-KR) in collaboration with ESET.
  Name: PipikDecryptTool_v1.2.exe (SHA256: c16670ad…).
Who can use it? Victims whose master .ckey file (C:\Users\Public\Pictures\SystemData\0598ckey.dat) has not been deleted and on whose systems the wipe module (wipi.dll) never executed (i.e., builds timestamped before 2023-12-12).
Usage notes:
  a. Run the decryptor from a clean workstation that has the same network access (copy it over via USB); never run it on the infected box.
  b. Point the tool at the root directory that contains pipikakiReadMe.txt and press "Decrypt."
No decryptor? Restore from offline / cloud backups; shadow copy remnants survive if vssadmin delete shadows failed; check with vssadmin list shadows.
No backups? Try file carving (PhotoRec) + gap-analysis for partial data.

4. Other Critical Information

Unique characteristics
  • 'Kira-BF' Content Wipe Mode: if the execution environment detects Russian regional settings or CIS antivirus, it skips encryption and overwrites files instead (a zero-cipher / random wipe).
  • Uses a ChaCha20-Poly1305 hybrid scheme: RSA-4096 offline master key plus Curve25519 ephemeral keys.
• Ransom note (pipikakiReadMe.txt) warns "72-hour window – doubles ransom every 24 h". However, the internal timer stops incrementing at 168 h; this has not been verified across builds.
• Notable victims: municipalities in District D, South Korea (via OFBiz) and manufacturing MES interfaces (via stolen Citrix cookies).
• Print and keep an Incident Response Run-Book: the malware attempts to delete Windows Event Logs (channels Security and Microsoft-Windows-Sysmon/Operational) via wevtutil cl Security.


Stay vigilant, patch quickly, and test backups—these three controls remain the most effective long-term defences against Pipikaki.