antoni

[Content by Gemini 2.5]

ANTONI ransomware – Technical & Recovery Guide

(Compiled from community-sourced research as of 23 May 2024)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact Extension: .antoni (lower-case).
  • Renaming Convention: the original base name and original extension are kept, and the suffix .antoni is appended.

Example
Quarterly_Report.xlsx → Quarterly_Report.xlsx.antoni
backup_server-D.db.sql.zst → backup_server-D.db.sql.zst.antoni

There is no extra ID token, e-mail address, or BTC address inside the new file name; Antoni simply appends .antoni to the end.

2. Detection & Outbreak Timeline

  • First Public Samples: Tracked 22 April 2024 on Malware-Bazaar.
  • Sustained Campaign: Week of 25–29 April 2024 (peak submissions on VirusTotal), targeting primarily North-American & Central-European MSPs / SMBs with weak RDP posture.
  • Variant Relation: End-to-end similarity analysis shows it is a new build of the Chaos ransomware family branch (Chaos 5.0+), sometimes mis-detected by early signatures as just “Chaos” or “Yasmine”.

3. Primary Attack Vectors

| Vector | Details & Evidence |
|---|---|
| Compromised RDP | > 60 % of reported cases. Dictionary or reused-credential brute-force; often via PsExec / AnyDesk post-exploitation. |
| Phishing ZIP | Malicious ZIP nested inside fake “PDF invoice overdue” e-mails. The ZIP hides an obfuscated .NET loader (install.exe, update-kb.exe, etc.) that downloads and decrypts Antoni.exe from Discord CDN or GitHub repositories. |
| Cracked Software Bundles | “Adobe Acrobat Pro 2024 + KW…” torrents on The Pirate Bay came bundled with the Antoni dropper. |
| Insecure SMB shares | Shares writable by Everyone (C$, backup$) are used to plant a scheduled-task XML that launches the payload at 02:13 AM local time, a typical lateral-movement pattern in small offices. |


Remediation & Recovery Strategies

1. Prevention

  • Remove RDP exposure from the Internet, or restrict it to specific IPs behind VPN-only gateways.
  • Mandatory MFA for every RDP / SaaS account that can pivot to on-prem.
  • Block or alert on outbound connections to Discord CDN (cdn.discordapp.com) and GitHub (raw.githubusercontent.com) from production servers.
  • Turn off SMBv1 (disable on legacy Windows via Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol).
  • Patch: the April 2024 Windows cumulative updates fixed an RDP bug (CVE-2024-21330) exploited during early waves.
  • Application whitelisting (WDAC/AppLocker) barring unsigned .NET assemblies appearing in %TEMP%, %APPDATA%\Microsoft\, or scheduled-task folders.

2. Removal (Step-by-Step)

  1. Immediately disconnect the host from the network (pull cable / disable Wi-Fi).
  2. Boot into Safe Mode with Networking or boot from an offline rescue USB.
  3. Identify the active dropper. Common names / paths observed:
     %APPDATA%\Roaming\WindowsLatency.exe and C:\ProgramData\UpdateCheck.exe
  4. Stop and delete services:
     net stop WindowsLatencyUpdater
     sc delete WindowsLatencyUpdater
     sc delete ansible-update
  5. Remove scheduled tasks:
     schtasks /delete /tn "WeeklySystemOptimizer" /f
  6. Manual cleanup (or Autoruns + Malwarebytes/Kaspersky Rescue). Registry keys:
     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateCheck
     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsLatency
  7. Scan all remaining disks with a reputable AV engine updated to at least the 2024-05-17 definitions (signature: Ransom:Win32/Antoni.A).

After a clean scan, reboot normally and verify that:

  • no new .antoni files appear,
  • AV real-time shields are operational.

3. File Decryption & Recovery

  • Decryptable? ❌ NO. Antoni (Chaos 5.x) uses:
    • AES-256 (hardware-accelerated) for file contents
    • RSA-2048 master public key (private key kept offline)
    There is no known flaw or public decryptor at this time.
  • Fallback avenues:
    1. Offline backups (NAS with versioning, cloud immutable blobs, LTO).
    2. Volume Shadow Copies may persist if the attacker’s wiper (vssadmin delete shadows /all) failed. Check via:
       vssadmin list shadows
       shadowcopy /s:<target> /de:<path>
       Restore to a snapshot dated before the infection.
    3. Deleted-file recovery (PhotoRec, R-Studio) is usually ineffective because Antoni overwrites in place.
  • Negotiation stance: no group publicly advertises a “support chat”. The small ransom note !!!RESTORE_FILES!!!.txt gives a generic Proton Mail address, antoni-team@protonmail[.]com. Untraceable, unreliable.

4. Other Critical Information

  • Partial Encryption: Antoni uses the Chaos 5.x “partial mode”: by default it encrypts only the first 1 000 000 bytes of each file.
    Impact: small text and config files are fully encrypted; media files larger than 1 GB usually still open partially (first 1 MB broken, rest intact). This keeps Windows bootable but breaks most business documents.
  • Kill-Switch Note (rare): on two vCenter appliances the actor accidentally left a kill-switch file, C:\antoni_off.tmp; servers inside that folder tree skipped encryption. Opinion: likely a trial QA artifact; do not rely on it.
  • Collateral Damage:
    • Antoni deletes Windows Defender signatures (MpCmdRun.exe -RemoveDefinitions -All) and lowers the machine’s UAC prompt level.
    • Encrypts mapped drives (Z:\, Y:\) and any UNC path reachable by the user.
    • The executable deletes itself 7 days after the original infection to evade YARA hunting.
  • Emerging counter-tools (May 2024):
    • Sophos Central EDR added native Antoni behaviour rules (v2024.5.8), excellent at blocking pre-encryption actions.
    • A Snort/Suricata ruleset released 20 May 2024 (SID: 1:2024354-2024357) detects the “.antoni” creation command and blocks SMB lateral-movement traffic.
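A small triage script for the partial-encryption behaviour described above, added here as an example and not part of this guide or of any vendor tool: it strips the appended suffix to recover original file names and samples the bytes after the 1 000 000-byte head to separate fully encrypted files from large files whose tail survived. The 7.5 bits/byte entropy cut-off and the sample tree are my assumptions; random bytes stand in for ciphertext.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".antoni"
PARTIAL_LIMIT = 1_000_000   # bytes encrypted by Chaos 5.x partial mode (from the guide)
HIGH_ENTROPY = 7.5          # assumed cut-off in bits/byte; AES output sits near 8.0

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def original_name(path: Path) -> str:
    """Quarterly_Report.xlsx.antoni -> Quarterly_Report.xlsx (suffix is simply appended)."""
    return path.name[: -len(SUFFIX)]

def classify(path: Path) -> str:
    """'full' when the whole file lies inside the encrypted head; otherwise sample the
    region after the head: plaintext-like entropy means 'partial-tail-intact'."""
    if path.stat().st_size <= PARTIAL_LIMIT:
        return "full"
    with path.open("rb") as fh:
        fh.seek(PARTIAL_LIMIT)
        tail = fh.read(65536)
    return "partial-tail-intact" if entropy(tail) < HIGH_ENTROPY else "partial"

def triage(root: Path) -> dict:
    """Map original file name -> classification for every .antoni file under root."""
    return {original_name(p): classify(p)
            for p in root.rglob("*" + SUFFIX) if p.is_file()}

def build_demo() -> Path:
    """Constructed sample victim tree (random bytes stand in for ciphertext)."""
    root = Path(tempfile.mkdtemp())
    (root / "Quarterly_Report.xlsx.antoni").write_bytes(os.urandom(4096))
    big = os.urandom(PARTIAL_LIMIT) + b"mpeg frame data " * 12500   # 1 MB junk + intact tail
    (root / "video.mp4.antoni").write_bytes(big)
    (root / "notes.txt").write_bytes(b"untouched")
    return root

if __name__ == "__main__":
    for name, verdict in sorted(triage(build_demo()).items()):
        print(f"{verdict:20} {name}")
```

Files classed partial-tail-intact are worth carving for the recoverable region before anything else; fully encrypted ones can only come back from backups.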

Bottom line: after clean-up, ensure at least 3-2-1 backups and periodic restore tests. With no working decryptor, immutable backups are the only guaranteed escape.