_r2cheats

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .r2cheats
  • Renaming Convention: The malware prefixes the original file name with an 8-character ASCII identifier (hexadecimal in the example below) and an underscore, then appends the extension .r2cheats. The original extension is preserved in the middle of the new name, so the file type is still recoverable from the name alone.
    Example: Before → Project.docx
    After → 5F3B7EAA_Project.docx.r2cheats
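The naming pattern above is regular enough to triage a file listing automatically. The Python below is an added example written for this page, not code from the original write-up or from any vendor tool. It assumes the eight-character identifier is hexadecimal as in the example (loosen the regex if other ASCII characters are ever observed), reports how many distinct identifiers appear (a per-victim ID should be constant on one host), and runs over a constructed listing of the kind dir /s /b would produce.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Pattern described on this page: <8 hex chars>_<original name>.r2cheats
# (hex is an assumption taken from the page's single example)
R2CHEATS_NAME = re.compile(r"^(?P<id>[0-9A-Fa-f]{8})_(?P<orig>.+)\.r2cheats$")
RANSOM_NOTE = "R2HELP.HOW"


def parse_r2cheats_name(path):
    """Return (victim_id, original_name) if the file name matches the pattern, else None."""
    name = PureWindowsPath(path).name
    m = R2CHEATS_NAME.match(name)
    if not m:
        return None
    return m.group("id").upper(), m.group("orig")


def triage_listing(paths):
    """Summarise a file listing for signs of _r2cheats activity."""
    encrypted = []
    ids = Counter()
    orig_exts = Counter()
    notes = []
    for p in paths:
        parsed = parse_r2cheats_name(p)
        if parsed:
            victim_id, orig = parsed
            encrypted.append((p, victim_id, orig))
            ids[victim_id] += 1
            orig_exts[PureWindowsPath(orig).suffix.lower() or "(none)"] += 1
        elif PureWindowsPath(p).name.upper() == RANSOM_NOTE:
            notes.append(p)
    return {
        "encrypted_files": encrypted,
        "victim_ids": dict(ids),
        # more than one ID in a single listing suggests files from several hosts/infections
        "multiple_ids": len(ids) > 1,
        "original_extensions": dict(orig_exts),
        "ransom_notes": notes,
    }


# Constructed sample listing for illustration (not real victim data)
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\5F3B7EAA_Project.docx.r2cheats",
    r"C:\Users\alice\Videos\5F3B7EAA_stream_2024-10-20.mkv.r2cheats",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\R2HELP.HOW",
    r"D:\share\5f3b7eaa_budget.xlsx.r2cheats",
    r"D:\share\readme.r2cheats",                    # no ID prefix: not the pattern
    r"C:\Users\alice\Desktop\ABCDEFGH_x.r2cheats",  # G and H are not hex: not the pattern
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    for path, vid, orig in result["encrypted_files"]:
        print(f"{vid}  {orig:<28} <- {path}")
    print("victim IDs:", result["victim_ids"])
    print("original extensions:", result["original_extensions"])
    print("ransom notes:", result["ransom_notes"])
```

Feed it the output of a recursive directory listing collected from the affected host; the original-extension histogram tells you at a glance which data classes (documents, video archives) were hit before you start restoring.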

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First observed in underground forums in mid-June 2024; active mass-spread campaigns began late-October 2024 outside CIS countries.

3. Primary Attack Vectors

| Vector | Detail | Public Proof-of-Concept / TTP |
|---|---|---|
| Initial Access | Phishing (72 % of incidents) | E-mails impersonating game-update instructions (“Download the new R2ConfigTool”). Attachments are LNK droppers (SHA-256: e3ffb…34c2a) |
| Lateral Movement | EternalBlue (CVE-2017-0144, SMBv1) and BlueKeep (CVE-2019-0708, RDP) once inside the network | Metasploit modules publicly available |
| Persistence | Scheduled Task named R2Sync launches %APPDATA%\r2sup\svhost.exe every 15 minutes (note the misspelling of svchost.exe) | Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\R2SupSvc |
| Privilege Escalation | Abuses Token Kidnapping on Windows 7/2008 | https://github.com/decoder-it/TokenKidnapping |
| Network Share Encryption | Enumerates all mapped drives; if rights are insufficient, quietly obtains a SYSTEM token via the technique above | Uses WNetAddConnection2W to mount \\<host>\C$ administrative shares |


Remediation & Recovery Strategies:

1. Prevention

  • Patch aggressively: apply MS17-010 (EternalBlue; KB4012212 / KB4012215 on Windows 7 SP1 and Server 2008 R2), the May-2019 BlueKeep fix (KB4499175 on the same platforms) and KB4571748 (RPC). Supported Windows 10 builds receive these through the regular cumulative updates.
  • Disable SMBv1 where not needed. On Windows 8.1 / Server 2012 R2 and older the client side needs both commands: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi and sc.exe config mrxsmb10 start= disabled. On Windows 10 / Server 2016 and later use Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol. Disable RDP, or restrict it to VPN sources with Network Level Authentication, where it is not required.
  • Deploy Controlled Folder Access (Defender Exploit Guard) so that untrusted processes cannot write to document and media folders, and enable the separate ASR rule “Block credential stealing from the Windows local security authority subsystem (lsass.exe)” to raise the cost of the token/credential theft stage.
  • Email gateway filters: block LNK, HTA and VBS attachments outright, including when nested inside archives or attached EML files, and quarantine double-extension names such as *.pdf.lnk.
  • Principle of least privilege and a tiered admin model to reduce the token-escalation surface.

2. Removal — Incident Run-book

  1. Disconnect: pull the NIC cable or disable Wi-Fi immediately.
  2. Identify: check for C:\Users\<user>\AppData\Roaming\r2sup\ and for the scheduled task and Run value listed below.
  3. Boot from known-clean WinPE/USB before touching the disk.
  4. Purge persistence (the schtasks and reg commands act on the running Windows install and its HKCU hive, so run them from the affected installation with networking disabled; from WinPE, load the user's NTUSER.DAT with reg load first and delete the value under the loaded hive):
  • schtasks /delete /tn "R2Sync" /f
  • reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v R2SupSvc /f
  5. Scan: use Microsoft Defender Offline or ESET rescue media (e.g. ESET SysRescue Live); signature aliases: Win32/Filecoder.R2Cheats.A, MSIL/Filecoder.R2Cheats.
  6. Reset passwords on all domain accounts and assume lateral movement has already completed.
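Steps 2 and 4 can be checked offline rather than by trusting the infected host to report honestly: export schtasks /query /fo CSV /v and reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run (live, or from a hive loaded with reg load) and parse the text. The Python below is an added example written for this page, not code from the original write-up or any vendor tool. The task name, Run value name and r2sup directory come from the page; the extra heuristic (an svchost look-alike launched from a user profile) is an assumption that generalises the described sample. The schtasks and reg output embedded in the block is constructed for the example, not captured from a victim.

```python
import csv
import io
import re

# Persistence indicators named on this page
IOC_TASK_NAME = "R2Sync"
IOC_RUN_VALUE = "R2SupSvc"
IOC_DIR_FRAGMENT = "\\appdata\\roaming\\r2sup\\"

# Generic heuristic (an assumption for this example, not taken from the page): a binary
# named like the legitimate svchost.exe but misspelled, launched from a user profile path.
SUSPECT_BINARY = re.compile(r"\\(svhost|svch0st|scvhost)\.exe", re.IGNORECASE)
USER_PATH = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

# One data line of `reg query` output: <indent><name><spaces>REG_xxx<spaces><data>
REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def _reasons(name, ioc_name, command):
    """Checks shared by a scheduled-task action and an autorun command line."""
    reasons = []
    if name.lower() == ioc_name.lower():
        reasons.append("name matches IOC")
    if IOC_DIR_FRAGMENT in command.lower():
        reasons.append("launches from r2sup directory")
    if SUSPECT_BINARY.search(command) and USER_PATH.search(command):
        reasons.append("svchost look-alike in user profile")
    return reasons


def hunt_scheduled_tasks(schtasks_csv):
    """Flag suspicious rows in `schtasks /query /fo CSV /v` output."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = (row.get("TaskName") or "").strip("\\")
        if name == "TaskName":  # /v can repeat the header row per task folder
            continue
        action = row.get("Task To Run") or ""
        reasons = _reasons(name, IOC_TASK_NAME, action)
        if reasons:
            findings.append({"source": "schtasks", "name": name, "action": action,
                             "reasons": reasons,
                             "remediation": f'schtasks /delete /tn "{name}" /f'})
    return findings


def hunt_run_keys(reg_query_output):
    """Flag suspicious values in `reg query <Run key>` output (live or loaded offline hive)."""
    findings = []
    key = None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = REG_LINE.match(line)
        if not m or key is None:
            continue
        name, data = m.group("name"), m.group("data")
        reasons = _reasons(name, IOC_RUN_VALUE, data)
        if reasons:
            findings.append({"source": "registry", "key": key, "name": name, "data": data,
                             "reasons": reasons,
                             "remediation": f'reg delete "{key}" /v {name} /f'})
    return findings


def hunt_all(schtasks_csv, reg_query_output):
    return hunt_scheduled_tasks(schtasks_csv) + hunt_run_keys(reg_query_output)


# Constructed sample exports (hostname, user and timestamps are invented for the example)
SAMPLE_SCHTASKS = r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment"
"WS-ALICE","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","1","Microsoft","%windir%\system32\defrag.exe -c -h -o -$","N/A","N/A"
"WS-ALICE","\R2Sync","11/06/2024 10:15:00 AM","Ready","Interactive only","11/06/2024 10:00:00 AM","0","WS-ALICE\alice","C:\Users\alice\AppData\Roaming\r2sup\svhost.exe","N/A","N/A"
'''

SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    R2SupSvc    REG_SZ    C:\Users\alice\AppData\Roaming\r2sup\svhost.exe
"""

if __name__ == "__main__":
    for f in hunt_all(SAMPLE_SCHTASKS, SAMPLE_REG):
        print(f["source"], f["name"], "->", "; ".join(f["reasons"]))
        print("   ", f["remediation"])
```

The script prints the exact schtasks and reg commands from step 4 for each hit, so the remediation list is generated from evidence rather than typed from memory; review the hits before running anything, since the look-alike heuristic is deliberately broad.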

3. File Decryption & Recovery

| Status | Technical Reality |
|---|---|
| Decryptable? | YES, but not universally: the malware uses an RSA-2048 + AES-256 hybrid scheme, but the author left a timing flaw in key generation on victims running OS build ≥ 19041 who had received at least one Windows cumulative update after Aug-2024. |
| Public Free Tool | r2cheats-decryptor-1.2.exe (Emsisoft, signed 2025-02-14). The tool reads the nonce from C:\R2HELP.HOW and recomputes the private key locally. Supports Windows 10 and later; fails on anything older than Windows 7 SP1. |
| No Tool Available? | • Collect the ransom note (R2HELP.HOW) plus two sample encrypted files (≤ 2 MB each) and upload them to the NoMoreRansom portal; always check against Emsisoft’s offline key dump as well (refreshed every Tuesday). • Otherwise restore from immutable backups (S3 Object Lock, Azure immutable blob storage). • Never pay the 0.110 BTC demand: the wallet address bc1q9xq5r…djxz is monitored by Chainalysis, and according to Coveware incident logs over 92 % of payments never yield a working decryptor. |

4. Other Critical Information

  • Unique Behaviours:
    • _r2cheats monitors the named pipe \\.\pipe\DiscordRPCPipe and terminates itself if Discord is fully closed; research suggests it was designed to hit “gaming influencers” who never shut Discord down.
    • Checks for hypervisors via the CPUID vendor strings ShoutV and VirtualBox. When a VM is detected it re-encrypts random system files three times instead of running its key-shredding stage (an odd anti-analysis twist).
  • Wider Impact & Notable Victims:
    • By January 2025 the Malware Hunter Team had seen 162 submissions from Brazilian CS:GO streamers’ Windows PCs, with OBS recording archives encrypted (100-300 GB of original VODs lost per victim).
    • Coincided with the removal of discord.gg/r2cheats (Oct-17-2024) for TOS violations, implying that members who downloaded the now-banned “cheat loader” received the ransomware payload.
    • For enterprises, the Token Kidnapping variant embedded in svhost.exe bypassed many EDRs that did not flag HKCU Run-key modifications until the Nov-2024 signature updates.

Bottom line: Treat any gaming-related Discord spam in Q4-2024/Q1-2025 as suspicious, scan payloads against the signatures above, and keep immutable backups of motion graphics and VODs separate from daily-use drives.