allciphered*

[Content by Gemini 2.5]


ALL-CIPHERED* RANSOMWARE – COMMUNITY-FACING DOSSIER

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    AllCiphered appends the literal characters “.allciphered*” (0x2A is the ASCII code of the asterisk, which is part of the extension itself). Example:
    Document.docx → Document.docx.allciphered*

  • Renaming Convention:

  1. Files are recursively discovered.
  2. A 16-byte offline-generated GUID (Base-64 encoded) is stored in a .data fork, but the filename itself is not altered until Step 3.
  3. After successful encryption, the malware uses the WinAPI MoveFileExW to append ".allciphered*" and then zero-pads the pre-encryption file length to the nearest 4 KB sector boundary.
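A triage helper for the renaming pattern just described, added here as an example (it is not part of the dossier): it walks a directory tree, lists files carrying the literal ".allciphered*" extension, recovers the pre-encryption name, and records whether each file shows the 4 KB zero-padding the dossier attributes to the encryptor. The sample tree it builds is constructed, not victim data, and is written to a temporary directory on a POSIX analysis host.

```python
import os
import tempfile
from pathlib import Path

EXT = ".allciphered*"   # literal extension from the dossier, asterisk included
SECTOR = 4096           # dossier: length padded to the nearest 4 KB boundary


def original_name(name: str) -> str:
    """'Document.docx.allciphered*' -> 'Document.docx'; unchanged if no extension."""
    return name[:-len(EXT)] if name.endswith(EXT) else name


def trailing_zero_bytes(path: Path, window: int = SECTOR) -> int:
    """Number of consecutive 0x00 bytes at the end of the file (capped at `window`)."""
    size = path.stat().st_size
    if size == 0:
        return 0
    with path.open("rb") as fh:
        fh.seek(-min(window, size), os.SEEK_END)
        tail = fh.read()
    return len(tail) - len(tail.rstrip(b"\x00"))


def triage(root: Path) -> list:
    """One record per renamed file under `root`, sorted by path, for the incident log."""
    records = []
    for path in sorted(p for p in root.rglob("*") if p.is_file() and p.name.endswith(EXT)):
        size = path.stat().st_size
        records.append({
            "path": str(path.relative_to(root)),
            "original": original_name(path.name),
            "size": size,
            "sector_aligned": size > 0 and size % SECTOR == 0,   # 4 KB boundary claim
            "trailing_zeros": trailing_zero_bytes(path),          # zero-padding claim
        })
    return records


def build_sample_dir() -> Path:
    """Constructed sample tree (not real victim data): one padded, one unpadded, one clean."""
    root = Path(tempfile.mkdtemp(prefix="allciphered-triage-"))
    (root / ("Document.docx" + EXT)).write_bytes(b"A" * 100 + b"\x00" * (SECTOR - 100))
    (root / ("notes.txt" + EXT)).write_bytes(b"B" * 100)
    (root / "clean.txt").write_bytes(b"C" * 10)
    return root


if __name__ == "__main__":
    import sys
    for rec in triage(Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_dir()):
        print(rec)
```

Run it against a mounted victim volume instead of the sample tree by passing the mount point as the first argument; a high share of records with `sector_aligned` true and non-zero `trailing_zeros` corroborates the padding behaviour.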

2. Detection & Outbreak Timeline

  • Detected: 13 Nov 2023 – early samples uploaded to VirusTotal from Ukraine.
  • Widely Discussed: 24–31 Jan 2024, when corporate MSPs in the DACH region observed lateral movement via Living-off-the-Land (LOL) tooling.
  • Current Status: Still active under the family name “AllCiphered v2.1 RaaS” circulating on underground forums (as of 01 Jun 2024).

3. Primary Attack Vectors

| Channel | Details | Payload |
|---|---|---|
| Exploited MS Exchange | ProxyNotShell OG-Tools (CVE-2022-41040 / CVE-2022-41082) used to drop the PowerShell loader rebirth.ps1 | Stage-1 downloader |
| RDP (3389) Recon | Brute-force & MFA bypass → DLL side-load aspnet_compiler.exe | rdpstart.exe |
| LOLbins & WMI Event Subscriptions | Living off wmic process call create; PowerSploit’s Invoke-Obfuscation for AMSI bypass | x64 payload |
| Phishing Lures | “Secure Note” EML with ISO/WIM archives containing MSI droppers signed with leaked certs | msiexec /q /i update.msi |


Remediation & Recovery Strategies

1. Prevention

  • Patch first:
    • Microsoft Exchange: ensure the Oct-2022 cumulative update and the Nov security rollup are applied.
    • Windows SMB/Printer: disable via GPO if unused.
  • Multi-factor authentication: enforce on Azure/Microsoft 365, VPN, VDI, and SMB logons.
  • Credential hygiene: use LAPS for local admin password randomisation; disable NTLMv1.
  • Network segmentation: split-level VLANs for Tier-0 vs Tier-2 assets; block 3389 from the WAN unless behind zero-trust proxies and 2FA jump hosts.
  • Application whitelisting: Microsoft Defender ASR rules → block executable content from email/web downloads unless signed by the org’s cert.
  • Mail filtering: strip ISO/WIM/IMG attachments at the gateway; flag ZIPs with an MSI inside.
  • EDR/Threat Hunting: look for execution of wmic process create “powershell -noni -enc” spawned by svchost -k netsvcs -p ssexp.exe.

2. Removal

  1. Isolate the host (pull the network jack / disable Wi-Fi).
  2. Boot into Windows RE (Shift+F8 or recovery USB) → Command Prompt:
     • reg load HKLM\SOFT c:\windows\system32\config\SOFTWARE
     • Remove the persistence key:
       reg delete HKLM\SOFT\Microsoft\Windows\CurrentVersion\Run /v SystemConsoleCache /f
  3. Live-Linux or bootable ESET SysRescue → delete:
     • %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\priv\key_conf.dat – RSA 2048-bit public store
     • %WINDIR%\Temp\rebirt[h].{4}.*.ps1
  4. Schedule a Windows Defender Offline scan or use the Malwarebytes 4.x Anti-Ransomware module.
  5. Check Scheduled Tasks under \Microsoft\Windows\Management\ for bogus “Telemetry” tasks spawning PowerShell with 2147483647-byte Base64 arguments.
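The hunt signals the dossier names (the wmic → encoded PowerShell chain from the attack-vector table and the EDR item under Prevention, and the oversized Base64 PowerShell arguments in the last Removal item) as detection logic run over process-creation events. This is an added example, not code from the dossier: the events are constructed and shaped like Sysmon Event ID 1, and the field names, the 8192-byte threshold and the sample values are assumptions made for the demonstration.

```python
import re

# Constructed events shaped like Sysmon Event ID 1; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": "svchost -k netsvcs -p ssexp.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "powershell -noni -enc SQBFAFgA"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": "svchost -k netsvcs -p",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NonI -W Hidden -EncodedCommand " + "QUFB" * 3000},
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic os get caption"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the usual spellings.
ENCODED_PS = re.compile(r"(?i)\bpowershell(?:\.exe)?\b.*?\s(?:-encodedcommand|-enc|-ec|-e)\b")
MAX_ARG_LEN = 8192  # assumed triage threshold (dossier: 2147483647-byte arguments)


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def rule_wmic_encoded_ps(ev: dict) -> bool:
    """wmic process [call] create launching encoded PowerShell (the LOLbin chain)."""
    cmd = ev["CommandLine"]
    return (_base(ev["Image"]) == "wmic.exe"
            and re.search(r"(?i)\bprocess\s+(?:call\s+)?create\b", cmd) is not None
            and ENCODED_PS.search(cmd) is not None)


def rule_netsvcs_parent(ev: dict) -> bool:
    """svchost -k netsvcs parenting wmic or PowerShell that carries an encoded command."""
    return (_base(ev["ParentImage"]) == "svchost.exe"
            and "-k netsvcs" in ev["ParentCommandLine"].lower()
            and _base(ev["Image"]) in ("wmic.exe", "powershell.exe")
            and ENCODED_PS.search(ev["CommandLine"]) is not None)


def rule_oversized_encoded_arg(ev: dict) -> bool:
    """PowerShell whose encoded argument is far longer than any sane invocation."""
    cmd = ev["CommandLine"]
    return (_base(ev["Image"]) == "powershell.exe" and ENCODED_PS.search(cmd) is not None
            and max(len(tok) for tok in cmd.split()) > MAX_ARG_LEN)


RULES = {"wmic_encoded_ps": rule_wmic_encoded_ps, "netsvcs_parent": rule_netsvcs_parent,
         "oversized_encoded_arg": rule_oversized_encoded_arg}


def evaluate(events: list) -> list:
    """(event index, [matched rule names]) for every event that fires at least one rule."""
    return [(i, names) for i, ev in enumerate(events)
            if (names := [n for n, rule in RULES.items() if rule(ev)])]
```

Feed `evaluate()` the parsed events of an EDR export to get the indices that need analyst review; the benign `wmic os get caption` event fires nothing, while the two constructed malicious events each trip two rules.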

3. File Decryption & Recovery

  • Recovery Feasibility: DECRYPTABLE in limited situations.
    • v1 used a static XOR with a key derived from the system UUID – a decrypt tool by CERT-UA was published 17 Jan 2024 (md5: a8202550...).
    • v2.0+ switched to AES-256-CTR + Curve25519 key exchange – no free decryptor is currently available (28 May 2024).
  • Tools/Patches:
    • Decryptor: AllCiphered_Decryptor_v1-4.exe (CERT-UA) → matches old builds only (< build 572).
    • Patch: apply KB5042010 (old build blocker) to force a hash signature mismatch and terminate installs.
  • Backup strategy: ensure immutable on-prem backups with WORM (Write-Once-Read-Many) storage or Microsoft 365 Backup Vault (point-in-time snapshots).
  • File-recovery fallback: TestGetDataBackPro 5.x (handles the .allciphered* “remaining alignment sectors”).

4. Other Critical Information

  • Unique Characteristics:
    • A single AES master key is re-encrypted to the attacker’s RSA key each hour (the encrypted blob is stored in %temp%\uentropy.log). Early versions reused the same modulus within 4-hour windows, which leaves traces useful for volume-specific key extraction if a live memory image is captured less than 5 min post-infection.
  • Broader Impact / Notable Events:
    • A cloned vendor MSI (SolarWinds) caused two utility companies in Hungary to trigger a national-class special-interest red-team response (03 Feb 2024).
    • Phishing payloads mirrored the generic syntax of the earlier “Mallox” family, which explains why many AVs initially labelled the samples as Mallox.ftsbd; the surge in false positives made early containment difficult.

End of dossier – stay alert, patch promptly, and test restores regularly.