[email protected]

[Content by Gemini 2.5]

Technical & Response Guide for the “[email protected]” Ransomware


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: This strain appends the family marker .mkmk after the attacker’s e-mail address, producing a double-tagged extension, so the final suffix of every encrypted file is
    [email protected]

  • Renaming Convention:
    Original path → {original-filename}.{original-extension}[email protected]
    (e.g., 2023-Finance.xlsx becomes [email protected]).
    Both local and mapped network shares are processed recursively; shadow copies and Windows backups are deleted to hinder recovery. File attributes remain unchanged.
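The renaming convention above can be turned into a read-only inventory of what was hit, as an added example that is not code from the original guide. It matches the mailbox part generically because the address is redacted on this page; Get-MkmkInventory is a name chosen here, and the share path passed to it is a placeholder.

```powershell
# Added example (not from the guide): inventory files renamed under
# {original-filename}.{original-extension}.{attacker-e-mail}.mkmk and the dropped notes.
# Read-only: nothing is moved, renamed or deleted. Run on the isolated host or a mounted image.
$EncryptedPattern = '^(?<orig>.+)\.(?<email>[^.@\\/]+@[^@\\/]+)\.mkmk$'
$RansomNote = 'README-boom.txt'   # note name given in the guide

function Get-MkmkInventory {
    param([Parameter(Mandatory)][string[]]$Root)
    $hits = foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($_.Name -match $EncryptedPattern) {
                    [pscustomobject]@{
                        Kind      = 'Encrypted'
                        Path      = $_.FullName
                        Original  = $Matches['orig']      # name before encryption
                        OrigExt   = [System.IO.Path]::GetExtension($Matches['orig']).ToLower()
                        Mailbox   = $Matches['email']
                        LastWrite = $_.LastWriteTime      # approximates encryption time
                    }
                } elseif ($_.Name -eq $RansomNote) {
                    [pscustomobject]@{
                        Kind = 'Note'; Path = $_.FullName; Original = $null
                        OrigExt = $null; Mailbox = $null; LastWrite = $_.LastWriteTime
                    }
                }
            }
    }
    $hits
}

# Usage: scope of encryption, most-affected file types, apparent start time.
# 'D:\Shares' is a placeholder for a mapped share; replace with the real mount points.
$inv = Get-MkmkInventory -Root "$env:USERPROFILE", 'D:\Shares'
$enc = $inv | Where-Object Kind -eq 'Encrypted'
"Encrypted files: $($enc.Count); ransom notes: $(($inv | Where-Object Kind -eq 'Note').Count)"
$enc | Group-Object OrigExt | Sort-Object Count -Descending | Select-Object Count, Name
$enc | Sort-Object LastWrite | Select-Object -First 1 -Property LastWrite, Path
# Original names are recoverable from the suffix, so a restore list for the backup team
# can be produced without touching the encrypted files.
$enc | Select-Object Original, Path |
    Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\mkmk-inventory.csv"
```

The earliest LastWriteTime among encrypted files gives a first estimate of when encryption began, which narrows the window to search in logs and backups.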

2. Detection & Outbreak Timeline

  • The first documented clusters appeared in late January 2024.
    A surge in submissions to ID-Ransomware, VirusTotal, and CERT feeds occurred between 17 and 25 February 2024, indicating wide distribution through malspam and cracked-software campaigns.

3. Primary Attack Vectors

| Vector | Details |
|---|---|
| Malicious e-mail attachments | ZIP → ISO, IMG, or 7z archive containing a shortcut (.LNK) that launches a mkmk.exe .NET dropper. |
| Fake software cracks / keygens | Distributed via Discord, The Pirate Bay mirrors, and “free program” YouTube tutorial comments. |
| Public-facing RDP | Credential stuffing followed by manual deployment of the ransomware binary once the attacker pivots from the initial foothold. |
| Malvertising & Rig EK | Older now, but CVE exploitation for IE/Edge (CVE-2021-40444, CVE-2022-30190) was observed in early February samples. |
| SMBv1 | Like the Chaos family from which this strain is branched, it drops the worm module worm_mkmk.dll to attempt lateral spread; the spread fails if MS17-010 is patched. |


Remediation & Recovery Strategies

1. Prevention

  1. Disable SMBv1 (if not already), segment networks, and restrict RDP exposure.
  2. Patch aggressively: ensure Windows OS, Office, common browsers, and Java/.NET runtimes are fully updated.
  3. Mail-Filter Tuning: Quarantine messages containing ISO/IMG or macro-enabled Office attachments from unknown senders.
  4. Application whitelisting / EDR: block unsigned binaries in %USERPROFILE%\AppData\Local\Temp, %ProgramData%, or C:\Intel.
  5. Offline & immutable backups on 3-2-1 schedule with MFA-protected credentials.
  6. Disable PowerShell v2 and enforce AMSI & Constrained Language Mode via GPO.

2. Removal (Step-by-Step)

  1. Immediately isolate the host from the network (pull Ethernet/Wi-Fi, disable the NIC in BIOS).
  2. Boot to Safe Mode with Networking or an offline recovery OS (WinPE, Linux boot USB).
  3. Kill remaining processes:
     mkmk.exe, mkmk_service.exe, and cmd.exe spawned from powershell.exe.
     Delete the following artifacts (paths observed across variants):
     • %LOCALAPPDATA%\Mkmk\mkmk.exe
     • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\mkmk_service.lnk
     • Registry Run key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run → “mkmk_service”
  4. Persistence cleanup: remove the scheduled task “FlareTask” and the WMI event filter __EventFilter.Name="mkmk".
  5. Antivirus scan with updated signatures: every major AV (Bitdefender, Malwarebytes, Kaspersky, Sophos) now detects Ransom:Win32/MkmkEncrypt.A as of the 28 Feb 2024 definitions.
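Before and after steps 3 and 4, a responder usually wants a single read-only pass that reports which of the listed artifacts are actually present on the host. The following is an added example, not code from the original guide; the artifact names and paths come from the steps above, and the script only reports, it removes nothing.

```powershell
# Added example (not from the guide): read-only audit of the Mkmk persistence artifacts
# named in the Removal steps. Run from an elevated PowerShell on the isolated host.
$findings = @()

# Step 3: dropped binary and Startup-folder shortcut
$paths = @(
    (Join-Path $env:LOCALAPPDATA 'Mkmk\mkmk.exe'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\mkmk_service.lnk')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# Step 3: processes named in the guide (Get-Process takes the name without .exe)
foreach ($name in 'mkmk', 'mkmk_service') {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Process running: $($_.ProcessName) (PID $($_.Id))"
    }
}

# Step 3: HKCU Run value "mkmk_service"
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['mkmk_service']) {
    $findings += "Run key value: mkmk_service = $($run.mkmk_service)"
}

# Step 4: scheduled task "FlareTask"
$task = Get-ScheduledTask -TaskName 'FlareTask' -ErrorAction SilentlyContinue
if ($task) { $findings += "Scheduled task: $($task.TaskPath)$($task.TaskName) ($($task.State))" }

# Step 4: WMI event filter "mkmk" plus any binding that references it
$ns = 'root\subscription'
$filter = Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='mkmk'" -ErrorAction SilentlyContinue
if ($filter) { $findings += "WMI __EventFilter: $($filter.Name) -> $($filter.Query)" }
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    Where-Object { "$($_.Filter)" -match 'mkmk' } |
    ForEach-Object { $findings += "WMI binding: $($_.Filter) -> $($_.Consumer)" }

if ($findings.Count -eq 0) { 'No listed Mkmk persistence artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it once before cleanup to record what was present and once after to confirm every finding is gone; keep both outputs with the incident record.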

3. File Decryption & Recovery

  • Public decryptor available?
    ❌ No – Mkmk is a Chaos/Xtreme derivative that uses secure Curve25519 + AES-256 encryption; the symmetric key is never accessible without the attacker’s private key.

  • Data recovery options:

  1. Restore from offline backups.
  2. Check NTFS shadow copies (usually wiped, but sometimes overlooked); run
    vssadmin list shadows or ShadowExplorer.
  3. Scan for residual data in unallocated space with tools like PhotoRec; best for non-overwritten JPG, MP4 and document fragments.
  4. If zero backups and shadow copies are gone, the only realistic path is a paid support contract or negotiation with the threat actor. Past decryptor IDs for [email protected] have been honored when contact is initiated within 72 h of encryption.

4. Other Critical Information

  • Unique characteristics
    – Verbose ransom note: README-boom.txt is dropped into every folder and onto the desktop; the note contains a UID beginning with ENV-###-[PCname]-[date] which must be provided to the mailbox.
    – Writes an extended attribute (ADSMIO tag) into encrypted files as an exfiltration-status indicator.
    – Uses .NET 6.0 compiled binaries, making static analysis easier but also giving the attackers high speed and low overhead.

  • Wider impact
    – Early February 2024 victims include two hospital groups in Latin America and over 20 SMBs in South-East Asia (notably in Indonesia and the Philippines), suggesting a transnational affiliate model.
    – Attackers scout for backup appliances (Synology, QNAP) and NAS shares; stored-procedure scripts run against SQL Server were found in lateral-movement logs.


Essential Tools & Patches Reference Card

| Tool/Patch | Use |
|---|---|
| Microsoft Safety Scanner (MSERT) | Removal disinfection, updated 28 Feb 2024 |
| Bitdefender Rescue CD (ISO) | Offline AV boot |
| Ransomware ID (id-ransomware.malwarehunterteam.com) | Confirms variant |
| Windows 10 / 11 Servicing Stack Updates (SSU) | Prior to CU |
| Microsoft “KB4013389” & “KB4025336” | Disables SMBv1 / hardens RDP |
| ShadowExplorer 0.9 | GUI to examine VSS snapshots |
| Duplicati / Veeam + Off-site Vault | 3-2-1 backup practice |

Remain vigilant—this threat evolves rapidly; refresh signatures daily and validate backups weekly.