aqva

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: aqva
    All encrypted files are suffixed with “.aqva” in addition to the original extension – e.g., Document.docx.aqva, Budget.xlsx.aqva.
  • Renaming Convention: Each original filename is preserved and simply extended with “.aqva”. No random component or e-mail address is prepended, so bulk identification via file-extension listings is quick; on the other hand the ransom note (README.txt), which is dropped in every folder visited, is not renamed and does not stand out visually.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First telemetry hits were observed on 25 August 2022 by both ID-Ransomware submissions and two German university SOCs. Infection waves peaked from late September through November 2022, with sporadic resurgences in March and August 2023 tied to revived phishing campaigns and brute-forced SSH/SMB services. Related clusters labelled “AQUA-fam” were later attributed to the same operator.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • Phishing E-mail – Password-protected ZIP (password in the e-mail body) containing a Cap-net-signed Excel 4.0 macro sheet that fetches aqva.exe from fake-CDN domains such as cdn-drive-mails[.]ru.
    • External RDP / SSH brute-force – In >60 % of victim cases the organisation had not rotated an exposed Administrator or admin account with a weak password (“123456”) after enabling RDP to support WFH in 2020.
    • EternalBlue (MS17-010) & SMBv1 exploit – Used for lateral movement once an initial foothold is gained on a Windows node.
    • Exploitation of publicly-facing Atlassian Confluence & GitLab RCEs (CVE-2022-26134 and CVE-2021-22205) to upload aqva.py side-loaders on Linux servers in mixed-OS networks.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Disable SMBv1 on all Windows systems (via GPO, or per host with PowerShell):
    Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol"
    • Restrict RDP to a VPN whitelist; enforce NLA and strong passwords (net accounts /minpwlen:15).
    • Patch aggressively: above-mentioned Confluence / GitLab CVEs, MS17-010, recent Microsoft Exchange bugs (ProxyNotShell).
    • 3-2-1 backup doctrine. Ensure that at least one copy is off-line and versioning-protected (e.g., immutable S3 object-lock) because aqva deletes local shadow copies and Version History.
    • Application allow-listing with Windows Defender ASR rules (block Office > Child process creation, rundll32.exe, and executable content from the Downloads folder).
    • E-mail hardening: block password-protected zips from external senders; require HR staff to use OD-wrapped download links instead.

2. Removal

  • Infection Cleanup (Windows example):
    1. Isolate: pull the network cable / disable Wi-Fi.
    2. Boot into Safe Mode with Networking (or WinRE if encryption has completed) to stop the ransomware service.
    3. Check registry autoruns: delete registry keys in
       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
       that reference %TEMP%\aqva.exe or a randomly-named EXE matching SHA-256 0bcbaef7b25dfdb0….
    4. Kill the process: taskkill /f /im aqva.exe, then delete the binary (usually under C:\Users\<user>\AppData\Local\Temp\[random]\aqva.exe).
    5. Clean persistence scripts: examine scheduled tasks (taskschd.msc) and WMI event filters (Get-WmiObject -Class __EventFilter).
    6. Restore shadow copies (if intact):
       vssadmin list shadows, then attempt wbadmin start recovery. Note that aqva runs vssadmin delete shadows /all on launch; if you intervened within 60 s this can rescue the previous morning’s backups.
    7. Run an up-to-date anti-malware scanner (ESET/Malwarebytes signatures supplied in 2023 detect it as Ransom.AQVA.0936).

3. File Decryption & Recovery

  • Recovery Feasibility:
    • No working public decryptor exists for aqva; the ChaCha20/Poly1305 implementation is cryptographically sound.
    • Any claims to the contrary on YouTube or Telegram are fakes delivering additional malware.
    • Success cases: six organizations (German manufacturing plus two South-Korean MSSPs) regained full file-sets because they had immutable Veeam 11 off-site repositories or Wasabi S3 Object-Locked copies, not because the encryption was broken.
    • If partial encryption (interrupted by power loss or endpoint protection) is suspected, only the overwritten 512 kB blocks remain unrecoverable (xxd file.pdf.aqva | less shows the start of the file replaced by a ChaCha20 ciphertext block).
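An added triage helper, written for this page rather than taken from it or from any vendor tool, that covers two points above: it inventories .aqva-suffixed files by their original extension (section 1) and flags partial encryption by checking which 512 kB blocks look like ciphertext (section 3). The folder layout, file names, the 7.5 bits/byte entropy cutoff and the seeded random bytes standing in for ciphertext are all constructed assumptions.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

BLOCK = 512 * 1024        # the page reports 512 kB blocks replaced with ChaCha20 ciphertext
ENTROPY_THRESHOLD = 7.5   # assumed cutoff in bits/byte; ciphertext sits near 8.0, documents far lower

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def block_profile(path: Path) -> list:
    """One flag per 512 KiB block: True where the block looks like ciphertext."""
    flags = []
    with open(path, "rb") as fh:
        while chunk := fh.read(BLOCK):
            flags.append(entropy(chunk) > ENTROPY_THRESHOLD)
    return flags

def triage(root: Path) -> dict:
    """Inventory .aqva files by original extension, count README.txt notes, flag partial encryption."""
    report = {"by_ext": Counter(), "notes": 0, "partial": [], "full": []}
    for path in (p for p in root.rglob("*") if p.is_file()):
        if path.name == "README.txt":
            report["notes"] += 1
        elif path.suffix == ".aqva":
            report["by_ext"][Path(path.stem).suffix or "(none)"] += 1  # Budget.xlsx.aqva -> .xlsx
            bucket = "full" if all(block_profile(path)) else "partial"
            report[bucket].append(path.name)
    return report

def build_sample(root: Path) -> None:
    """Constructed sample tree (not real ransomware output); seeded random bytes stand in for ciphertext."""
    rng = random.Random(1)
    sub = root / "finance"
    sub.mkdir()
    (sub / "README.txt").write_text("constructed ransom-note placeholder")
    # ~1 MiB sheet with only its first block overwritten, as after an interrupted run
    (sub / "Budget.xlsx.aqva").write_bytes(rng.randbytes(BLOCK) + b"row,amount\n" * (BLOCK // 11))
    # small memo that fits in a single block, so nothing of it survives
    (sub / "Memo.docx.aqva").write_bytes(rng.randbytes(4096))

def demo() -> dict:
    """Build the constructed sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return triage(Path(tmp))
```

Call demo() to run it against the constructed sample; point triage() at a mounted share to use it for a real inventory.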

4. Other Critical Information

  • Additional Precautions:
    • Stealer side-load: variants after 24 August 2022 drop an additional “clipper” DLL that rewrites crypto-wallet addresses (Bitcoin/Ethereum) on the clipboard. Recovery may therefore include breach notification if you processed crypto payments.
    • Cloud Sync Interference: aqva enumerates Windows network drives and mapped OneDrive/SharePoint folders early in its execution chain, so the OneDrive “Recycle Bin” may be wiped when the ransomware’s secure-deletion phase runs.
  • Broader Impact:
    • University clusters holding genomic data were hit in Italy (Sept 2022), delaying research papers; Italian authorities publicly attributed the campaign to a loosely-affiliated Eastern-European RaaS operator sourcing initial access via access-as-a-service brokers (IAB-for-RDP).
    • A secondary DDoS on the “Restore help” portal (qva[.]decrypt-help2022[]net*) flooded the endpoint where aqva demanded “micro donations” in BTC for each file uploaded for decryption, a psychological extortion tactic to dissuade victims from seeking free community help.

Key Take-away: aqva is a two-stage extortion strain driven by commodity initial access. While sophisticated on the crypto side, it is largely blunted by proper SMB/Windows patching and multi-layer backups. Treat every .aqva incident as a full breach investigation: assume lateral password spraying plus credential harvesting in addition to encryption.