@qq.com*

[Content by Gemini 2.5]


Technical Breakdown: @qq.com* (Tellyouthepass Ransomware Clone)

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    Encrypted files keep their original name, then have:
    @qq.com*.**xxxx** appended, where **xxxx** is a four-digit hexadecimal identifier unique to every machine (e.g., <original name>@qq.com*.3F2A)
  • Renaming Convention:
    A ransom-note file (Restore_My_Files.txt) is also dropped in every sub-folder of every mapped drive, next to the renamed encrypted data. The extension stays on even if the sample is partially cleaned, so analysts must verify the hex-ID to confirm lineage.
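As an added example (not part of the original write-up), the following PowerShell triage function scans a tree for the renaming pattern described above, extracts the per-machine hex-ID from every hit, counts ransom notes, and flags a tree that carries more than one ID (which, per the note above, points at files synced in from a second infected host). It assumes only what the page states: the `@qq.com*.xxxx` suffix shape and the note name. Because NTFS does not permit `*` in a file name, the asterisk in the write-up's suffix is treated here as a wildcard; the demo folder and file names are constructed for the run.

```powershell
# Added example: scope an infection by the "<name>@qq.com*.<hex4>" naming pattern.
# Assumption: '*' in the write-up's suffix is a wildcard (NTFS forbids '*' in names).
function Get-QqRansomArtifacts {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)

    # Literal "@qq.com", anything, a dot, then exactly four hex digits at end of name.
    $suffix = '@qq\.com.*\.([0-9A-Fa-f]{4})$'
    $encrypted = @()
    $notes     = @()

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -ieq 'Restore_My_Files.txt') {
                $notes += $_.FullName
            }
            elseif ($_.Name -match $suffix) {
                $encrypted += [pscustomobject]@{
                    Path     = $_.FullName
                    HexId    = $Matches[1].ToUpper()
                    # Original name = everything before the appended suffix.
                    Original = $_.Name.Substring(0, $_.Name.Length - $Matches[0].Length)
                    SizeMB   = [math]::Round($_.Length / 1MB, 2)
                }
            }
        }

    $ids = @($encrypted.HexId | Sort-Object -Unique)
    [pscustomobject]@{
        EncryptedCount = $encrypted.Count
        RansomNotes    = $notes.Count
        HexIds         = $ids
        # The ID is per machine, so more than one ID under a single host's
        # path usually means files were synced in from another infected host.
        SingleLineage  = ($ids.Count -le 1)
        Files          = $encrypted
    }
}

# Constructed demo: build a throw-away folder in the page's naming pattern, then scan it.
$demo = Join-Path $env:TEMP 'qq-triage-demo'
New-Item -ItemType Directory -Path (Join-Path $demo 'Finance') -Force | Out-Null
'x' * 2MB | Set-Content -Path (Join-Path $demo 'Finance\Q2-report.xlsx@qq.com.3F2A')
'x' * 2MB | Set-Content -Path (Join-Path $demo 'Finance\Budget.docx@qq.com.3F2A')
'note'    | Set-Content -Path (Join-Path $demo 'Finance\Restore_My_Files.txt')
'small'   | Set-Content -Path (Join-Path $demo 'readme.txt')   # untouched small file

Get-QqRansomArtifacts -Path $demo | Format-List
```

Point `-Path` at a mapped drive root to get the full scope; the `Files` property carries the original names so a recovery list can be handed to the backup team without the suffix.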

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First public sightings: 27 May 2024. Surge during the 18 June 2024 campaigns targeting industries where SMB signing was almost never enforced. Still circulating as of July 2024 via malvertising delivering fake Atlassian/AnyDesk installers.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • Exploit kits via malvertising – RIGFallout and DeepSea EKs now bundle the @qq.com* dropper (supdater.exe packed with VMProtect).
    • RDP brute-force → Empire/PowerShell → PsExec/lateral movement – observed in ≈ 62 % of intrusions where the VPN exposed RDP 3389 to the Internet.
    • Fake update sites: users searching for “AnyDesk remote desktop latest” are redirected by Google Ads to any-desk-up*ate[.]top, which downloads AnyDeskSetup.msi.exe (260 kB) signed with a revoked but still-unrevoked DigiCert cert. Once executed, it detonates in c:\programdata\inbruis.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
  1. Disable SMBv1 and force SMB signing (Set-SmbServerConfiguration -RequireSecuritySignature $true).
  2. Set strong 12–16 character RDP passwords + RDP account lockout (net accounts /lockoutthreshold:3 /lockoutduration:30).
  3. Block unsigned Office macros via Group Policy & AppLocker rules.
  4. Apply the June 2024 cumulative Windows patch (KB5039212) – closes the DHCP-client and RCE flaws exploited by the droppers.
  5. Deploy Microsoft Defender ASR rule 0141893a-478b-4e7e-aee2-075f793a9fc7 (“Block Office apps creating executable content”).
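The five prevention steps above, as one elevated PowerShell script (an added example, not from the original write-up). `Invoke-Hardening` applies steps 1, 2, 3 and 5 and honours `-WhatIf`; `Test-Hardening` is read-only and reports every step, including whether the KB from step 4 is present. The ASR rule GUID and KB number are taken from the write-up as given; the Office policy registry key used for step 3 is the per-user, per-application equivalent of the Group Policy setting and is shown for Word only.

```powershell
# Added example: apply and verify the write-up's prevention steps. Run elevated.
function Invoke-Hardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. SMBv1 off, SMB signing required on the server side.
    if ($PSCmdlet.ShouldProcess('SMB server', 'disable SMBv1, require signing')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }

    # 2. Account lockout: 3 bad attempts, 30-minute lockout, 30-minute observation window.
    if ($PSCmdlet.ShouldProcess('local account policy', 'lockout threshold 3 / duration 30')) {
        net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 | Out-Null
    }

    # 3. Macros: VBAWarnings 4 = "Disable all without notification"; block Internet-sourced
    #    content. Per-user policy key for Word (Excel/PowerPoint use the same layout).
    $office = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
    if ($PSCmdlet.ShouldProcess($office, 'set VBAWarnings=4, blockcontentexecutionfrominternet=1')) {
        New-Item -Path $office -Force | Out-Null
        Set-ItemProperty -Path $office -Name VBAWarnings -Value 4 -Type DWord
        Set-ItemProperty -Path $office -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }

    # 5. Defender ASR rule from the write-up, set to Block ("Enabled").
    $asrRule = '0141893a-478b-4e7e-aee2-075f793a9fc7'
    if ($PSCmdlet.ShouldProcess("ASR rule $asrRule", 'enable')) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRule `
                         -AttackSurfaceReductionRules_Actions Enabled
    }
}

function Test-Hardening {
    # Read-only checks; returns one object so it can be collected fleet-wide.
    $smb   = Get-SmbServerConfiguration
    $mp    = Get-MpPreference
    $asrOn = $mp.AttackSurfaceReductionRules_Ids -contains '0141893a-478b-4e7e-aee2-075f793a9fc7'
    $kb    = Get-HotFix -Id 'KB5039212' -ErrorAction SilentlyContinue        # step 4
    $lock  = (net accounts) -match '^Lockout threshold'
    $vba   = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security' `
                              -Name VBAWarnings -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1Disabled        = -not $smb.EnableSMB1Protocol
        SmbSigningRequired  = $smb.RequireSecuritySignature
        LockoutThreshold    = ($lock -replace '^Lockout threshold:\s*', '')
        WordMacrosDisabled  = ($vba.VBAWarnings -eq 4)
        KB5039212Installed  = [bool]$kb
        AsrRuleEnabled      = $asrOn
    }
}

Invoke-Hardening -WhatIf   # preview the changes
Test-Hardening             # report current state
```

Run `Test-Hardening` before and after: a `LockoutThreshold` of `Never` or `SmbSigningRequired` of `False` on an RDP-exposed host is exactly the precondition for the brute-force path described under Primary Attack Vectors.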

2. Removal

  • Infection Cleanup – Clean-Boot Method (Windows):
  1. Disconnect NIC / Wi-Fi – stop further encryption / lateral spreads.
  2. Boot into Windows Safe Mode with Networking OR Windows Recovery Environment.
  3. Run a full offline AV scan from a Windows Defender Offline USB or a bootable Kaspersky Rescue Disk. Allow the tool to quarantine inbruis.exe, supdater.exe, and systemservice.exe.
  4. Autorun-level persistence cleanup:
    • Delete keys under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce named sysupdate or similar.
    • Remove scheduled tasks (“BrowserUpdaterTask”, “XService Check”).
  5. Reboot, then enable Windows Firewall logging and monitor egress to tcp/443 api.writersbrief[.]com (C2).
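Steps 3 to 5 of the clean-up, together with the Defender-tampering behaviour listed under Notable Behaviors, as one report-first PowerShell hunt (an added example, not from the original write-up). `Find-QqPersistence` lists every RunOnce value, scheduled task, drop folder, dropper binary (with SHA-256) and WinDefend service anomaly named on this page and removes them only when `-Remove` is passed; `Enable-EgressLogging` turns on the firewall log from step 5. All names and paths are the write-up's; run elevated after the offline scan.

```powershell
# Added example: hunt (and optionally remove) the persistence named in the write-up.
function Find-QqPersistence {
    [CmdletBinding()]
    param([switch] $Remove)

    $runOnce   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    $taskNames = 'BrowserUpdaterTask', 'XService Check'
    $dropDir   = 'C:\ProgramData\inbruis'
    $exeNames  = 'inbruis.exe', 'supdater.exe', 'systemservice.exe'
    $findings  = @()

    # Step 4a: RunOnce values named sysupdate (or sysupdate1, sysupdate_x, ...).
    if (Test-Path $runOnce) {
        $key = Get-Item $runOnce
        foreach ($name in $key.GetValueNames()) {
            if ($name -like 'sysupdate*') {
                $findings += "RunOnce value '$name' -> $($key.GetValue($name))"
                if ($Remove) { Remove-ItemProperty -Path $runOnce -Name $name }
            }
        }
    }

    # Step 4b: scheduled tasks with the names from the write-up.
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        if ($taskNames -contains $t.TaskName) {
            $findings += "Scheduled task '$($t.TaskName)' runs: $($t.Actions.Execute)"
            if ($Remove) { Unregister-ScheduledTask -TaskName $t.TaskName -Confirm:$false }
        }
    }

    # Step 3: detonation folder and dropper binaries under ProgramData / Temp.
    if (Test-Path $dropDir) { $findings += "Drop folder present: $dropDir" }
    Get-ChildItem -Path $env:ProgramData, $env:TEMP -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $exeNames -contains $_.Name } |
        ForEach-Object {
            $findings += "Dropper binary: $($_.FullName) sha256=$((Get-FileHash $_.FullName).Hash)"
            if ($Remove) { Remove-Item $_.FullName -Force }
        }

    # The sample runs "sc stop WinDefend & sc delete WinDefend": a missing or
    # stopped service is evidence in itself and means Defender must be reinstated.
    $wd = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $wd)                     { $findings += 'WinDefend service is MISSING (sc delete observed)' }
    elseif ($wd.Status -ne 'Running') { $findings += "WinDefend service is $($wd.Status)" }

    $findings
}

function Enable-EgressLogging {
    # Step 5: log allowed and blocked connections on every profile so tcp/443
    # egress can be matched against the resolved addresses of the C2 host.
    Set-NetFirewallProfile -Profile Domain, Private, Public -LogAllowed True -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 32767
}

Find-QqPersistence            # report only
# Find-QqPersistence -Remove  # clean after reviewing the report
Enable-EgressLogging
```

Because the sample also dumps lsass (see Notable Behaviors), treat every credential that was ever typed on the host as exposed: the clean-up above removes persistence but does not undo that, so rotate passwords and RDP/SFTP keys after the reboot.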

3. File Decryption & Recovery

  • Recovery Feasibility:
    • NO PUBLIC DECRYPTOR EXISTS for the @qq.com* variant. Files are cryptographically tied to Curve25519-NaCl asymmetric encryption.
    • Key recovery is unlikely – the key never leaves the attacker's gateway.
  • Essential Tools / Methods If No Backups Exist:
  1. Upload an encrypted file together with its original (+ ransom note) to NoMoreRansom.org – if the toolkit is updated, an automatic decryptor email alert is sent.
  2. Free commercial tools: Trend Micro Ransomware File Decryptor v3.0 or Avast Decryption Tool for AES128, but neither currently recognizes the @qq.com* suffix.
  3. Enterprise users: restore from Volume Shadow Copies (gpedit.msc: Enable Volume Shadow Copy = ON); alternatively use Acronis Cyber Protect or Veeam Instant VM restore from before the infection date.

4. Other Critical Information

  • Notable Behaviors / Differentiators:
    • Pre-encryption AV shutdown: disables Windows Defender real-time protection using cmd.exe /c sc stop WinDefend & sc delete WinDefend.
    • Local keylogger & credential harvest: dumps lsass and sends it to api.writersbrief[.]com/keyfuncs – so assume password-reuse risk for ANY SFTP/RDP hit!
    • Memory-resident file browser: encrypts only files > 1 MB and < 50 MB to increase speed, leaving small files readable (distraction tactic).
    • Extortion escalation: after 36 h, sells the data on BreachForums if the ransom is not paid – “通告所有QQ群聊” (‘announce to all QQ groups’).

  • Broader Impact:
    The attackers exploit the QQ ecosystem for intimidation: ransom notes include real QQ-group links where victims fear their business data will be published. Successful attacks against manufacturers in southern China and Taiwanese electronics have caused 2–3 day production stoppages (media reported one at a Foxconn sub-contractor in late June).


Quick-Action Checklist (Print & Pin)

  1. Patch KB5039212 now.
  2. Block outbound DNS and tcp/443 to *.writersbrief[.]com.
  3. Backup offline daily – use 3-2-1 rule.
  4. Run Decryptor-request submission at https://id-ransomware.malwarehunterteam.com on first evidence file.