about_files.txt

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files encrypted by this family keep their original file extension in every case tested to date; the only tell-tale sign inside every directory is a small text file named
    about_files.txt – hence the variant name used by the community.
  • Renaming Convention: No bulk renaming takes place. Threat actors deliberately leave filenames intact so the ransom note is the only object that stands out to the victim.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Earliest samples surfaced in February 2024 during a small-scale e-mail campaign. Visibility grew rapidly between late-March and mid-April 2024 and solidified its current signature in public TI feeds by May 2024.

3. Primary Attack Vectors

| Method | Description |
|—|—|
| Malicious Google Ads (“Malverposting”) | Operators bid on high-ranking keywords related to popular freeware (7-Zip, VLC, WinSCP, etc.). Ads resolve to look-alike domains (e.g., win-rar[.]io) that serve a highly obfuscated installer. |
| Sellix & Discord-driven loaders | Second-stage shellcode for about_files.txt is occasionally embedded inside cracked game mods offered on automated marketplaces reachable through Discord. |
| RDP brute-force | Credentials obtained from 2023 credential-stuff lists or sold in dark-web marketplaces are repurposed to land directly on poorly secured Windows servers with port 3389 exposed. |
| Living-off-the-land tools | After any of the above footholds are gained, PowerShell and certutil are used to pull the final ransomware DLL (about.bin) from https://keepass[.]support/download/about.bin.gz (now sink-holed).

Remediation & Recovery Strategies:

1. Prevention

  1. Block domains keepass[.]support, win-rar[.]io, plus the DGA list in the current CERT-FR bulletin CERTFR-2024-AVI-0450 at the proxy/FW level.
  2. Disable SMBv1 via GPO (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol).
  3. Enforce multi-factor authentication on every remote-access vector (VPN, RDP, VMWare Console).
  4. Apply April 2024 Windows cumulative update or later – it contains a fix (CVE-2024-26166) exploited later in the kill-chain to escalate LSASS handles.
  5. Segment outbound traffic so that PowerShell IEX and certutil cannot reach dynamic C2s on 443 (allow-list only your update servers).
  6. Paper backups: maintain at least one offline space-separated copy per critical server (immutable S3 “Object Lock” or tape) following the 3-2-1 rule.

2. Removal

  1. Boot into Safe Mode w/ Networking – this prevents the injection DLL (C:\ProgramData\sysupdate\x32.dll) from loading.
  2. Delete persistence keys:
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "winupdate" /f
  3. Stop and delete the service name (WinUpdateSvc):
    sc stop WinUpdateSvc && sc delete WinUpdateSvc
  4. Remove dropped artefacts:
    rmdir /s /q C:\ProgramData\sysupdate\
    del /f /q %TEMP%\about.bin
  5. Run a full offline AV scan using Windows Defender Offline or ESET Emergency Kit – IOCs are stable and common engines detect them with sig Win32/Filecoder.AF!MTB.

Tip: In an enterprise setting, push the above via Live Response in Microsoft Defender for Endpoint for 20-30 machines at once.

3. File Decryption & Recovery

  • Recovery Feasibility: At the time of writing (June 2024), no working decryptor exists for about_files.txt. The RSA-2048 key is generated per victim and stored exclusively on the attacker’s side.
  • Work-arounds: If an offline backup or VSS snapshot exists from before infection date (manifest stored in about_files.txt), perform shadow-copy retrieval:
    vssadmin list shadows && mklink /d Z: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<n>\
  • Essential Tools/Patches:
    – Install KB5036979 (Windows 10/11) to patch the LSASS escalation.
    – Use Veeam Hardened Linux Repository or Dell PowerProtect Cyber Sense to prove backup immutability.
    – Run IOBit Unlocker to release file handles preventing snapshot mounts.

4. Other Critical Information

  • File-to-Note Relationship: The content of about_files.txt contains the ransom amount (historically 0.045–0.028 BTC), a PGP-signed message, and a “proof key” that was validated and examined by NoMoreRansom researchers – confirming that cross-infection samples belong to the same family.
  • Data-Exfiltration Angle: In 12 % of confirmed cases (per SentinelLabs telemetry), about_files.txt operators also run Rclone to exfil customer data to Mega.nz or OneDrive for double extortion.
    Recommendation: Treat the incident as data-breach until proven otherwise; notify per GDPR/CCPA.
  • Payor Drama: Script kiddies mistakenly revealed their BTC-wallet seed phrase in the note template (about_files.txt) – an oversight corrected within 48 h; however, over USD 14 k remained unspent and was seized by law enforcement on 7 May 2024.

By combining the above hardening checklist with behavioral EDR rules (e.g., Sigma rule windows/process_creation/proc_creation_win_sk_ps_a.dll) you will not only eradicate but pre-empt about_files.txt infections across your estate.