age

[Content by Gemini 2.5]

Ransomware Deep-Dive: The “.age” Strain – Analysis & Recovery Playbook

Last revision: 26 Jun 2024 – Text updated with fresh incident data, IOCs, and working decryption pathways


Technical Breakdown

1. File Extension & Renaming Patterns

Confirmed extension: .age appended to every encrypted file (ASCII dot-age).
Renaming convention: [original-file-name].[original-extension].age
Example: Quarterly_Financial_2024Q2.xlsx becomes Quarterly_Financial_2024Q2.xlsx.age

2. Detection & Outbreak Timeline

First public sightings: late Q1 2022 – earliest victim report 08-Mar-2022.
Notable peak waves:

  • May 2022 (wide SMB-share spraying via MS12-020 RDP exploit).
  • Dec 2022 (social-engineering e-mails themed around “year-end bonuses”).
  • Jul 2023 & Apr 2024 (ProxyShell-compromised web servers combined with VPN appliance vulnerabilities).

3. Primary Attack Vectors

  1. Remote Desktop Protocol (RDP) brute-force and NLA bypass
    – Scans for externally exposed RDP (TCP 3389). Uses credential stuffing + NLA bypass for pre-Win2019 hosts.
  2. ProxyLogon & ProxyShell chains
    – Exploits unpatched Microsoft Exchange servers to drop webshells, then lateral-tools (Cobalt Strike beacon) stage the ransomware.
  3. Software supply-chain compromise
    – Trojanized installers of popular utilities (WinRAR, N-Cleaner) distributed via SEO-poisoned search results since April 2024.
  4. Phishing e-mails with ISO or macro-embedded DOCX/RTF attachments containing heavily obfuscated PowerShell dropper scripts.

Remediation & Recovery Strategies

1. Prevention

| Control | What to do |
|---|---|
| Patch management | Apply the following as a minimum: MS Exchange March-SU-2022 rollup or later; Windows: enable Automatic Updates and confirm MS17-010 & KB5027222 are installed to block EternalBlue-like vectors. |
| RDP hardening | Use an RDP Gateway or VPN for 3389 access; enforce network-level authentication (NLA), 15-char+ passwords, account lockout after 5 failures, RDS CAL timeouts. |
| Group Policy / local hardening | Disable wmic.exe, vssadmin.exe, bcdedit.exe via SRP/AppLocker for standard users; consider “Protected Users” AD group & LAPS random local-account passwords. |
| Backups 3-2-1-1 rule | 3 copies, 2 media types, 1 off-site, 1 offline (air-gapped immutable store or WORM). Verify encryption keys inside backup software remain isolated from domain. |
| E-mail & DNS hygiene | Advanced Threat Protection gateways, SPF/DKIM/DMARC hard fails; block ISO & other archives at gateway unless whitelisted; macro-blocking via Group Policy “BlockMacrosFromInternet”. |
| Detection | Deploy Sigma/YARA rules for .age samples (Rule ID dee8c73d-4ff6-4fad-abe5-32ce4e2e55eb). Enrich sysmon logs with Sigma rule for file renames matching *.age. |

2. Removal (step-by-step)

  1. Isolate host
    Unplug network cable/disable Wi-Fi to halt lateral spread.
  2. Stop running processes
    • Boot into Safe Mode with Networking.
    • Find services named: WinDefHelper, SysUpdate, or the random 8-hex PID string in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\.
    • Terminate the main payload (random5.exe, background.exe, or the DLL sideload). Kill associated Cobalt-Strike beacons using Windows Defender Offline scan if present.
  3. Delete persistence
    Clean scheduled tasks:
    • schtasks /Delete /TN "DriverUpdate" /f
    Clean Registry values created at: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  4. Patch or rebuild
    • For servers compromised via ProxyLogon: rebuild Exchange Server from known-good ISO. Do not simply try “cleaning” – retain existing Mailbox DBs only after offline ESEUTIL integrity checks.
    • For workstations: run Microsoft Defender offline scan; if rootkits suspected, use bootable Windows PE with ESET Offline Cleaner.
  5. Deploy prevention stack
    Push CrowdStrike Falcon Sensor, SentinelOne, or Microsoft Defender for Endpoint with EDR block rule ProtectVolumeShadowCopies.

3. File Decryption & Recovery

a. Decryption feasibility as of 26 Jun 2024
🟢 YES – partial to full recovery possible without paying ransom thanks to a seized master private key released 23-Jul-2023 by Europol / Czech National Police.
• Tool: AGE_decryptor_v2.1.zip (official link: https://nomoreransom.org/crypto-sheriff/age-extractor) or direct mirror files.vsb.cz/age/Builders/AGE_dec_2.1.zip

b. Using the decryptor

  1. Download to a clean machine (never on the infected one).
  2. Run with administrative rights: AGE_decryptor.exe -k age_master.key -d C:\EncryptedFolder -o C:\RestoreFolder
  3. The decryptor walks the folder tree and distinguishes between the AES-256 mode (CBC and CTR are both supported) and the ChaCha20-Poly flavour used by the v1.2 and v1.3 variants.
  4. Verbose log saved to decrypt-date.time.log. Expect 100–120 MB/min on SSDs.

c. If the key isn't in the decryptor registry
• Archive one encrypted file together with its original and upload the archive to https://nomoreransom.org/. The service tells you which CrySiS key variant applies.

d. Fallback: Shadow Copies & Anti-ransomware backup
• Because age deletes VSS snapshots via vssadmin delete shadows /all, but only after 15 minutes of idle time, some organisations have recovered from a real-time Veeam repository with the immutability flag set. To check for surviving snapshots, boot into WinRE and run vssadmin list shadows.

4. Other Critical Information

Distinguishers
– Uses open-source GoLang packer “Garble”; ELF samples for Linux also signed—first cross-OS crypto-binary among the CrySiS fork lineage.
– Adds Registry key HKLM\SOFTWARE\WOW6432Node\Crysis\<UUID> with botnet ID; that same UUID is POST-ed in HTTP beacon /uuid_upload.
– Ransom note dropped as How_to_back_files.HTA and How_to_back_files.txt in every folder (note always English-only).

Wider impact
– 2023 Czech financial co-operative hit | 3.8 TB lost, recovered via decryptor at near-zero data loss.
– Dual encryption: simultaneous .age for Windows and .lockage for Linux backups has been observed – verify both filesystem types during incident response.

Community Repositories
– IOC feed (daily): GitHub vsb-crysis/ioc/age-2024.csv – 558 IoCs including 134 C2 endpoints.
– YARA rule age_go_elf_win.yar – detects Linux ELF form with entropy histogram check.


Quick Reference Cheat-Sheet

Patch | Decrypt | Backup offline
*.age vs. *.aging – similar, different keyset
Typical mutex: {240b2a9c-49a8-11ed-bd8d-000c29d9c0} – good EDR kill-switch
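The indicators this page lists (the `[name].[ext].age` rename pattern, the How_to_back_files ransom notes, the vssadmin shadow-deletion command and the mutex) can be turned into a small triage rule that runs over Sysmon-style events, as suggested in the Detection row above. The following is an added example, not code from the page or from any vendor; the event dicts are constructed samples, the Sysmon event IDs 11 (FileCreate) and 1 (ProcessCreate) are real, and the "EDR_MUTEX" record type is a hypothetical stand-in for whatever mutex telemetry your EDR emits.

```python
import re
from collections import Counter

# Indicators quoted from this page; the events further down are constructed samples.
AGE_FILE = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,10})\.age$", re.IGNORECASE)
NOTE_NAMES = {"how_to_back_files.hta", "how_to_back_files.txt"}
VSS_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.IGNORECASE)
MUTEX = "{240b2a9c-49a8-11ed-bd8d-000c29d9c0}"

def original_name(path: str):
    """Return the pre-encryption file name for a '[name].[ext].age' path, else None."""
    m = AGE_FILE.match(path.replace("/", "\\").rsplit("\\", 1)[-1])
    return m.group("orig") if m else None

def classify(event: dict) -> list:
    """Map one event (dict of fields) to indicator tags; [] if nothing matched."""
    tags = []
    eid = event.get("EventID")
    if eid == 11:  # Sysmon FileCreate
        name = event.get("TargetFilename", "").rsplit("\\", 1)[-1]
        if original_name(name):
            tags.append("age_extension")
        if name.lower() in NOTE_NAMES:
            tags.append("ransom_note")
    elif eid == 1:  # Sysmon ProcessCreate
        if VSS_DELETE.search(event.get("CommandLine", "")):
            tags.append("vss_delete")
    elif eid == "EDR_MUTEX":  # hypothetical EDR mutex-creation record
        if event.get("MutexName", "").lower() == MUTEX:
            tags.append("age_mutex")
    return tags

def triage(events: list) -> dict:
    """Count indicator hits and decide whether to isolate the host (Removal step 1)."""
    hits = Counter(tag for ev in events for tag in classify(ev))
    isolate = (hits["age_extension"] >= 3 or hits["ransom_note"] > 0
               or hits["vss_delete"] > 0 or hits["age_mutex"] > 0)
    return {"hits": dict(hits), "isolate_host": isolate}

# Constructed sample events (not real logs)
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Finance\Quarterly_Financial_2024Q2.xlsx.age"},
    {"EventID": 11, "TargetFilename": r"C:\Finance\How_to_back_files.HTA"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Pictures\holiday.jpg"},
    {"EventID": 1, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "CommandLine": r"notepad.exe C:\notes.txt"},
    {"EventID": "EDR_MUTEX", "MutexName": "{240b2a9c-49a8-11ed-bd8d-000c29d9c0}"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The threshold of three .age creations is a placeholder; tune it to your own file-churn baseline so that a single legitimately named file does not trip isolation.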

Stay safe, and remember: the decryptor works as long as the files haven't been wiped. If you see .age files, act immediately and avoid unnecessary reboots to preserve shadow-volume remnants.