angryduck

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: angryduck
    Every encrypted file is given the new extension “.angryduck” (case-insensitive on Windows, case-sensitive on most *nix volumes).
  • Renaming Convention: Files are not copied or moved; each one is encrypted in place and then renamed exactly once, with the original extension replaced by .angryduck. Example:
    2024-annual-report.docx → 2024-annual-report.angryduck
    No additional tags (hostname, attacker e-mail address, etc.) are inserted into the new file name.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    The first samples surfaced on 6 March 2021 in a limited spam run that largely affected small-to-mid-size hosting providers in Eastern Europe. Within 72 hours the campaign pivoted to credential-stuffing attacks against RDP, and by 12 March it had hit healthcare networks in North America and Europe. Early June 2021 samples incorporated the ProxyLogon chain (Microsoft Exchange CVE-2021-26855/26857/26858/27065), greatly amplifying its footprint. Activity peaked May–August 2021. New versions emerged sporadically through 2023; the latest observed wave, in March 2024, leveraged vulnerable Redis servers (CVE-2022-0543) and a new loader, “DuckDropper.”

3. Primary Attack Vectors

| Vector | Details | Mitigation Priority |
|--------|---------|---------------------|
| Phishing attachments | Malicious ISO or password-protected ZIP (“invoice.iso”) → ISO contains LNK “readme.lnk” → launches DuckDropper DLL. | Block ISO/IMG at gateway, disable LNK escapes via Group Policy, train users. |
| RDP brute force / credential stuffing | Targets weak or recycled credentials after credential dumps seen in Telegram channels. | Enforce NLA, complex passwords, MFA, VPN with audit logs. |
| ProxyLogon (MS Exchange) | Exploits un-patched on-premises Exchange servers to drop a web shell, elevate, then push angryduck.exe via WMI. | Update Exchange to the March 2021 SU or later, run EOMT, and disable remote PowerShell for users who do not need it. |
| Vulnerable Redis servers | Newer variants connect to open Redis on 6379/TCP and write a crontab job or cron.d file. | Put Redis behind a reverse proxy or firewall, require AUTH. |
| EternalBlue/SMBv1 | Rare after 2021 but still observed on legacy IP-cam networks. | Disable SMBv1 everywhere, patch MS17-010. |
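As an added illustration of the gateway controls in the table (this is not code from the page or from any mail-security product), the following Python function applies those rules to one inbound attachment: it rejects ISO/IMG containers outright, flags double extensions such as invoice.zip.iso, and lists the members of a ZIP to catch any .lnk inside. Because ZIP member names are stored in the clear even when the archive is password-protected, the name checks still work on the “password-protected ZIP” lure the table describes. The extension lists, rule names and the constructed sample archive are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Disk-image containers the table says to block outright at the gateway.
BLOCKED_CONTAINERS = {".iso", ".img"}
# Archive types whose member list can be read with the standard library (assumption: ZIP only).
INSPECTABLE_ARCHIVES = {".zip"}
# Document-like extensions that make a name such as invoice.pdf.lnk a "double extension".
INNER_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip", ".txt", ".jpg", ".png"}
# Member types that should never arrive inside an inbound archive.
BLOCKED_MEMBERS = {".lnk", ".exe", ".dll", ".js", ".vbs", ".hta", ".scr"}


def suffixes(name):
    """All dot-suffixes of a file name, lower-cased: 'invoice.zip.iso' -> ['.zip', '.iso']."""
    return [s.lower() for s in PurePosixPath(name).suffixes]


def has_double_extension(name):
    """True when a document-like extension precedes the real one (invoice.zip.iso, report.pdf.exe)."""
    s = suffixes(name)
    return len(s) >= 2 and s[-2] in INNER_EXTENSIONS


def inspect_attachment(filename, data):
    """Return a list of (rule, detail) findings for one attachment; [] means it passed."""
    findings = []
    s = suffixes(filename)
    ext = s[-1] if s else ""
    if ext in BLOCKED_CONTAINERS:
        findings.append(("blocked-container", f"{filename}: {ext} disk images are not accepted"))
    if has_double_extension(filename):
        findings.append(("double-extension", f"{filename}: presented as {s[-2]} but is {ext}"))
    if ext in INSPECTABLE_ARCHIVES:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = info.filename
                    ms = suffixes(member)
                    mext = ms[-1] if ms else ""
                    # Member names are readable even in a password-protected ZIP,
                    # so the name checks still apply when the payload cannot be opened.
                    if mext in BLOCKED_MEMBERS:
                        findings.append(("blocked-member", f"{filename} contains {member}"))
                    if has_double_extension(member):
                        findings.append(("double-extension", f"{filename} contains {member}"))
                    if info.flag_bits & 0x1:  # general-purpose bit 0 = entry is encrypted
                        findings.append(("encrypted-member",
                                         f"{filename}: {member} is password-protected and cannot be content-scanned"))
        except zipfile.BadZipFile:
            findings.append(("malformed-archive", f"{filename}: not a readable ZIP"))
    return findings


def build_sample_zip(members):
    """Constructed test data: an in-memory ZIP holding the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip(["readme.lnk", "invoice.pdf.exe", "notes.txt"])
    for rule, detail in inspect_attachment("invoice.zip", lure):
        print(f"{rule:18} {detail}")
    print("clean:", inspect_attachment("report.zip", build_sample_zip(["report.docx"])))
```

The function deliberately does not try to open ISO images; a gateway that cannot parse a container should reject it rather than pass it through unscanned, which is what the `blocked-container` rule does.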


Remediation & Recovery Strategies:

1. Prevention

  • Patch aggressively: Prioritize ProxyLogon, MS17-010 and CVE-2022-0543, and follow the SonicWall and VMware zero-day advisory feeds.
  • Disable “.iso” / “.img” execution: Use Windows Defender Application Control (WDAC) or Microsoft Defender ASR rule “Block Office from creating executable content.”
  • MFA on ALL exposed remote protocols: VPN, RDP, VDI, ADFS, Exchange, vSphere.
  • Local admin restriction: Ensure end-users and service accounts do not run as local administrator.
  • Email gateway rules: Strip inbound attachments with double extensions (*.zip.iso, etc.) and any .lnk found inside archives.
  • Monitoring: EDR rules to detect rapid sequential file renames to *.angryduck together with Volume Shadow Copy deletion (vssadmin delete shadows).
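A worked version of the monitoring rule above, added here as an illustration and not taken from any EDR product: it runs over constructed Sysmon-style events (FileCreate and ProcessCreate records with the field names assumed below), raises a medium alert when one process creates 20 or more *.angryduck files within 60 seconds, a medium alert on any vssadmin delete shadows, and a high alert when both occur on the same host within ten minutes. Shadow deletion on its own stays medium because backup jobs do it legitimately; the correlation is what separates the ransomware from the backup job. Thresholds, field names and the sample hosts are assumptions.

```python
from collections import defaultdict, deque

EXTENSION = ".angryduck"        # matched case-insensitively, as on Windows volumes
RENAME_THRESHOLD = 20           # *.angryduck creations by one process ...
RENAME_WINDOW_S = 60            # ... within this many seconds
CORRELATION_WINDOW_S = 600      # mass rename + shadow deletion on one host within this window


def is_shadow_deletion(event):
    """ProcessCreate of vssadmin.exe whose command line deletes shadow copies."""
    if event["event"] != "ProcessCreate":
        return False
    cmd = " ".join(event.get("cmdline", "").lower().split())
    return event["image"].lower().endswith("vssadmin.exe") and "delete shadows" in cmd


def evaluate(events, threshold=RENAME_THRESHOLD, window=RENAME_WINDOW_S):
    """Return a list of alert dicts. Events must be ordered by 'ts' (seconds)."""
    alerts = []
    recent = defaultdict(deque)   # (host, pid) -> timestamps of recent *.angryduck creations
    fired = set()                 # (host, pid) pairs that already raised mass-rename
    rename_ts, shadow_ts, correlated = {}, {}, set()
    for ev in events:
        host = ev["host"]
        if ev["event"] == "FileCreate" and ev["target"].lower().endswith(EXTENSION):
            key = (host, ev["pid"])
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop creations outside the sliding window
                q.popleft()
            if len(q) >= threshold and key not in fired:
                fired.add(key)
                rename_ts[host] = ev["ts"]
                alerts.append({"rule": "mass-rename", "host": host, "pid": ev["pid"],
                               "image": ev["image"], "ts": ev["ts"], "severity": "medium"})
        elif is_shadow_deletion(ev):
            shadow_ts[host] = ev["ts"]
            alerts.append({"rule": "shadow-copy-deletion", "host": host, "pid": ev["pid"],
                           "image": ev["image"], "ts": ev["ts"], "severity": "medium"})
        # Escalate once both behaviours have been seen on the same host close together.
        if (host in rename_ts and host in shadow_ts and host not in correlated
                and abs(rename_ts[host] - shadow_ts[host]) <= CORRELATION_WINDOW_S):
            correlated.add(host)
            alerts.append({"rule": "ransomware-correlated", "host": host, "ts": ev["ts"],
                           "severity": "high"})
    return alerts


def sample_events():
    """Constructed telemetry: one infected host, one backup job, one benign false-positive candidate."""
    events = []
    for i in range(25):   # ws01: 25 files renamed in 25 s by one process ...
        events.append({"ts": 100 + i, "host": "ws01", "event": "FileCreate", "pid": 4242,
                       "image": "C:\\Windows\\angryduck.exe",
                       "target": f"D:\\finance\\report-{i}.angryduck"})
    events.append({"ts": 220, "host": "ws01", "event": "ProcessCreate", "pid": 4310,   # ... then shadows go
                   "image": "C:\\Windows\\System32\\vssadmin.exe",
                   "cmdline": "vssadmin.exe delete shadows /all /quiet"})
    events.append({"ts": 300, "host": "ws02", "event": "ProcessCreate", "pid": 800,    # backup job, no renames
                   "image": "C:\\Windows\\System32\\vssadmin.exe",
                   "cmdline": "vssadmin Delete Shadows /For=C: /Oldest"})
    for i in range(3):    # ws03: three files with the extension, far below threshold
        events.append({"ts": 400 + i, "host": "ws03", "event": "FileCreate", "pid": 9001,
                       "image": "C:\\Program Files\\Tool\\tool.exe",
                       "target": f"C:\\Users\\a\\Documents\\x{i}.ANGRYDUCK"})
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for alert in evaluate(sample_events()):
        print(alert["severity"].upper(), alert["rule"], alert["host"], "t=%s" % alert["ts"])
```

Note that the mass-rename alert fires at the 20th creation (t=119 in the sample), well before the shadow deletion at t=220; that gap is the window in which VSS snapshots can still be pulled if the alert is acted on.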

2. Removal (if incident already declared)

Step-by-step evidence-safe cleanup:

  1. Isolate immediately – disable all active NICs or pull cable; shut down infected VMs via host console.
  2. Capture volatile data – take a RAM dump and export system event logs before restarting, to preserve IOCs (DuckDropper’s mutex Global\QuackLock and its custom-named pipes).
  3. Boot to WinPE / a Linux live CD – so the infected OS does not start and encrypted volumes are not re-mounted.
  4. Delete malicious executables & persistence:
  • %SystemRoot%\Tasks\At1.job referencing C:\Windows\angryduck.exe
  • Scheduled task created in a domain context by GPO abuse → ntdsutil.exe
  • Service binary path = C:\ProgramData\Mozilla\Updater.exe (fake path).
  5. Remove the DuckDropper DLL from C:\Users\Public\Libraries\ and quarantine any file matching SHA-256 8659da9a3a08b3a9e5c4d3f….
  6. Full AV sweep – up-to-date engines (Defender, ESET, CrowdStrike) have 100% signature coverage for variants up to April 2024.
  7. Verify lateral movement is closed: check WMI traces (Event ID 5857) and registry run keys (HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run).
  8. Change all privileged passwords & key material (Kerberos TGT, AD computer account, VPN certs); run klist purge across the estate.

3. File Decryption & Recovery

  • Recovery Feasibility: Yes, partial.
  • Nov-2021 wave & older: A flaw in the ChaCha20 key/IV generation (the random nonce failed) allowed Bitdefender to release a free decryptor (bdangryduckdecrypter.exe).
  • Dec-2021 onward: The authors fixed the RNG and switched to AES-256-CTR with HKDF; no free decryptor exists.
  • Victims should still upload a sample encrypted file plus the ransom note (!!!!README_FOR_DECRYPT!!!!.txt) to NoMoreRansom to rule out other decryptable forks.

If no prior backups are available and the samples date from December 2021 or later:

  • Check for partial backups in Azure Snapshots, Windows Cloud Provider Sync (OneDrive/SharePoint), S3 versioning, Veeam dedupe store on separate network segment.

4. Other Critical Information

  • Ransom note characteristics:
    – Filename: !!!!README_FOR_DECRYPT!!!!.txt (same across builds)
    – Threat actor uses Protonmail address ([email protected]).
    – Payment demand is always 0.2 BTC regardless of company size, which indicates an affiliate-pool scheme.

  • Speed & stealth:
    – The encryption routine is single-threaded, so it progresses slowly; if the ransomware is caught early, relatively few files are touched and NAS/SAN restore finishes faster.
    – Volume Shadow Copies are deleted only after the list of all target paths has been built, so the deletion is slightly delayed; this gives a narrow window for VSS-based snapshot recovery if an alert fires (Defender ASR rule BlockProcessCreationsFromOfficeCommunications triggered at minute +3).

  • Notable real-world impact:
    – On 17 April 2021 it took the CityX municipal court offline for 5 days after an admin reused a credential that appeared in a credential dump.
    – The variant tagged “Red” hit a regional media company; incident response showed that the DuckDropper secondary payload ran outside business hours, causing extra weekend downtime.

Stay patched, segmented, and monitored.