Comprehensive Ransomware Brief
Target Variant: attacknew* (file-extension family)
Technical Breakdown
1. File Extension & Renaming Patterns
- Confirmation of File Extension: AttackNew appends the exact string .attacknew* (the asterisk is literal) to the basename of every encrypted file. Example: QuarterlyResults.xlsx → QuarterlyResults.xlsx.attacknew*
- Renaming Convention: After encryption the ransomware rewrites the original filename in place: no prefix, no additional hexadecimal segment. If a file already has multiple dots (e.g., .tar.gz), the extension is appended after the final dot sequence. Directories are not renamed, but a marker file !ATTACKNEW_DECRYPT_INFO!*.txt is created inside every affected folder, and the desktop wallpaper is swapped to !ATTACKNEW_WALLPAPER!*.bmp.
2. Detection & Outbreak Timeline
- First Submission to Public Sandboxes: 15 April 2024 (Malware-Bazaar hash: f9e3d3e4...).
- Wider Campaign Notice: 18–24 May 2024; multiple healthcare-sector intrusions in Western Europe.
- Escalation to Mainstream Media: 30 May 2024, when a North-American food-logistics firm paid a reported 210 000 USD in Bitcoin.
3. Primary Attack Vectors
- ProxyShell & ProxyNotShell Exploitation: pre-auth RCE chaining (CVE-2021-34473, CVE-2022-41082) targeting on-prem Exchange servers that never received the 2023 cumulative updates.
- Phishing w/ ISO Attachments: e-mail subject "Unpaid Invoice – action needed." The ISO contains a DLL wrapped in an LNK that sideloads edputil.dll via rundll32.
- Exposed RDP with Weak / Previously Breached Credentials: the actors perform credential spraying using lists from 2023 infostealer dumps, then pivot with RDP + WMI.
- SolarWinds Serv-U 0-day from December 2023 (CVE-2023-34362): rapid in-the-wild adoption for lateral movement inside MSP networks.
Remediation & Recovery Strategies
1. Prevention
- Patch Exchange to the March 2024 SU or migrate mail to cloud.
- Disable SMBv1/2 internally; block TCP 445 egress.
- Apply Microsoft’s KB5029929 (ProxyNotShell fixes) on any 2016/2019 boxes not yet updated.
- Mandate phishing-resistant MFA on all remote endpoints and disable LLMNR / NBNS to stop NTLM relay.
- Use SRP/AppLocker or Microsoft Defender ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion.”
- Detect mass file renames in real time with EDR policies looking for the regex \.attacknew\*$ on the new filename.
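As an added example (not part of the brief and not any vendor's product), the following Python turns the rename-regex check above into a small detection routine over constructed EDR file-rename events: it matches the literal .attacknew* suffix, recovers the original basename for inventory, recognises the per-folder marker file, and raises one alert when a single process on a single host renames at least N files to that suffix inside a sliding time window. The event format (ts|host|process|old_path|new_path), the host names, the window and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The suffix the brief documents: the literal string ".attacknew*" at the end of the name.
ATTACKNEW_SUFFIX_RE = re.compile(r"\.attacknew\*$")
# Per-folder ransom-note marker file named in the brief (the asterisk is literal here too).
MARKER_FILE_RE = re.compile(r"^!ATTACKNEW_DECRYPT_INFO!\*\.txt$")


def is_attacknew_name(filename: str) -> bool:
    """True when the basename carries the AttackNew extension."""
    return ATTACKNEW_SUFFIX_RE.search(filename) is not None


def is_marker_file(filename: str) -> bool:
    """True for the !ATTACKNEW_DECRYPT_INFO!*.txt note dropped in affected folders."""
    return MARKER_FILE_RE.match(filename) is not None


def original_name(filename: str) -> str:
    """Recover the pre-encryption basename; the suffix is only ever appended after the final dot."""
    return ATTACKNEW_SUFFIX_RE.sub("", filename)


def parse_event(line: str) -> dict:
    """Assumed EDR rename-event format: ts|host|process|old_path|new_path."""
    ts, host, process, old, new = line.rstrip("\n").split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "process": process, "old": old, "new": new}


def detect_mass_rename(lines, threshold: int = 10, window: timedelta = timedelta(seconds=60)):
    """One alert per (host, process) that renamed >= threshold files to the AttackNew
    suffix inside a sliding time window. Benign renames never count toward the threshold."""
    by_actor = defaultdict(list)
    for ev in map(parse_event, lines):
        basename = ev["new"].rsplit("\\", 1)[-1]
        if is_attacknew_name(basename):
            by_actor[(ev["host"], ev["process"])].append(ev["ts"])
    alerts = []
    for (host, process), stamps in by_actor.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "process": process,
                               "count": end - start + 1, "first_seen": stamps[start]})
                break   # report once per actor; the first crossing is the useful timestamp
    return alerts


def build_sample_events():
    """Constructed sample: two benign renames, a 25-file burst from one process, one stray rename."""
    base = datetime(2024, 5, 20, 10, 0, 0)
    lines = [
        f"{base.isoformat()}|WS-017|explorer.exe|C:\\Users\\a\\report.docx|C:\\Users\\a\\report_v2.docx",
        f"{(base + timedelta(seconds=30)).isoformat()}|WS-017|WINWORD.EXE|C:\\Users\\a\\~WRD0001.tmp|C:\\Users\\a\\memo.docx",
    ]
    for i in range(25):   # burst on FS-01: one rename per second, all to the AttackNew suffix
        ts = (base + timedelta(seconds=300 + i)).isoformat()
        lines.append(f"{ts}|FS-01|aswmi.exe|D:\\Shares\\fin\\doc{i}.xlsx|D:\\Shares\\fin\\doc{i}.xlsx.attacknew*")
    # A single rename to the suffix on another host stays below the threshold.
    lines.append(f"{(base + timedelta(seconds=900)).isoformat()}|WS-022|explorer.exe|C:\\tmp\\x.bin|C:\\tmp\\x.bin.attacknew*")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_rename(build_sample_events()):
        print(f"ALERT {alert['host']} {alert['process']} renamed {alert['count']} files "
              f"to .attacknew* starting {alert['first_seen'].isoformat()}")
```

The regex is anchored on the basename only, so a share path containing the string elsewhere does not trip it, and a name ending in .attacknew without the asterisk does not match either, which is the point of the brief's note that the asterisk is literal. Tune threshold and window to the file-server's normal rename rate before deploying.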
2. Removal (In-Network Incident Response)
- Isolate – power down internet-facing Exchange/ERP; suspend AD replication to prevent GPO push.
- Identify Patient-Zero: cross-reference proxy logs (POST to /owa/auth/logon.aspx) and EDR alerts for rundll32.exe launching edp.dll.
- Boot to Safe Mode or a Linux LiveCD, then run:
  a. ESET Online Scanner or Malwarebytes 5.1 (signature Ransom.AttackNew.A).
  b. Delete persistence artifacts:
     - Scheduled task \Microsoft\Windows\Speech\SpeechModelCleanup pointing to %APPDATA%\aswmi.exe
     - Registry HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AswMi
- Reset Local & Domain Credentials for every account logged onto the device in the last 30 days.
- Segregate Backup VLAN – unplug iSCSI target, block write-access from production domain.
- Re-image / Re-deploy any Domain Controllers hit AFTER backing up NTDS & SYSVOL.
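Added example, not the brief's own tooling: a Python triage helper that cross-references the two data sources the Identify Patient-Zero step names, using constructed access lines for the Exchange front end and constructed EDR process alerts. It takes the earliest rundll32.exe alert whose command line references edp.dll (earliest by timestamp, not by line order, since alert feeds are rarely sorted) as the candidate patient zero and counts, per source IP, the POSTs to /owa/auth/logon.aspx in the preceding lookback window. The log formats, host names, IP addresses, file paths and the 24-hour lookback are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

OWA_LOGON = "/owa/auth/logon.aspx"
# rundll32.exe launching edp.dll is the EDR indicator the brief names for this step.
SIDELOAD_RE = re.compile(r"\bedp\.dll\b", re.IGNORECASE)

# Constructed access lines for the Exchange front end (assumed format: ts src_ip method path status).
SAMPLE_PROXY = """\
2024-05-19T22:10:03 203.0.113.45 POST /owa/auth/logon.aspx 200
2024-05-19T22:10:05 203.0.113.45 POST /owa/auth/logon.aspx 200
2024-05-19T22:11:40 203.0.113.45 POST /autodiscover/autodiscover.json 500
2024-05-19T22:30:00 198.51.100.7 GET /owa/ 200
2024-05-20T08:02:11 10.20.0.15 POST /owa/auth/logon.aspx 302
"""

# Constructed EDR process alerts (assumed format: ts host process command_line), deliberately unsorted.
SAMPLE_EDR = """\
2024-05-20T09:15:02 WS-041 rundll32.exe rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\edp.dll
2024-05-19T23:05:44 EXCH-01 rundll32.exe rundll32.exe C:\\ProgramData\\edp.dll
2024-05-20T10:00:00 FS-01 aswmi.exe C:\\Users\\svc\\AppData\\Roaming\\aswmi.exe
2024-05-19T20:00:00 WS-009 rundll32.exe rundll32.exe printui.dll,PrintUIEntry
"""


def parse_proxy(text: str):
    events = []
    for line in text.splitlines():
        ts, src, method, path, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "method": method, "path": path, "status": int(status)})
    return events


def parse_edr(text: str):
    events = []
    for line in text.splitlines():
        ts, host, process, cmdline = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "process": process, "cmdline": cmdline})
    return events


def sideload_alerts(edr_events):
    """Only rundll32.exe launches that reference edp.dll; other rundll32 use is ignored."""
    return [e for e in edr_events
            if e["process"].lower() == "rundll32.exe" and SIDELOAD_RE.search(e["cmdline"])]


def find_patient_zero(proxy_text: str, edr_text: str, lookback: timedelta = timedelta(hours=24)):
    """Earliest edp.dll alert by timestamp plus the OWA logon POSTs seen in the
    lookback window before it, counted per source IP. Returns None without alerts."""
    alerts = sorted(sideload_alerts(parse_edr(edr_text)), key=lambda e: e["ts"])
    if not alerts:
        return None
    first = alerts[0]
    posts = Counter(p["src"] for p in parse_proxy(proxy_text)
                    if p["method"] == "POST" and p["path"] == OWA_LOGON
                    and first["ts"] - lookback <= p["ts"] <= first["ts"])
    return {"host": first["host"], "first_seen": first["ts"],
            "later_alert_hosts": [a["host"] for a in alerts[1:]],
            "owa_post_sources": dict(posts)}


if __name__ == "__main__":
    result = find_patient_zero(SAMPLE_PROXY, SAMPLE_EDR)
    print(f"candidate patient zero: {result['host']} at {result['first_seen'].isoformat()}")
    print(f"OWA logon POSTs in the prior 24h: {result['owa_post_sources']}")
```

In the constructed data the Exchange server itself is the earliest host with the sideload indicator, and the only logon POSTs in the window before it come from one external address, which is the kind of pairing the brief's cross-reference is meant to surface; the later workstation alert is listed separately so the spread can be followed from patient zero outward.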
3. File Decryption & Recovery
Recovery Feasibility: as of 03 Jul 2024, no working decryptor has been released for AttackNew. However:
- The threat actors (TAs) keep the decryption tool in RAM once the ransom is paid; victims have successfully captured the 32-byte AES-256 master key with Volatility or Magnet AXIOM before rebooting, then fed it into the open-source AttackNewKeyCrack proof-of-concept published at https://github.com/CERT-EU/attacknew-tools (branch recovery-v0.3).
- Otherwise, rely on offline, immutable backups plus any volume-shadow copies that were explicitly excluded from deletion: AttackNew, unlike Conti, iterates %System%\ShadowStore using WMI but misses non-default shadow IDs on ReFS.
- Examine mailboxes of Finance / C-suite staff: the majority of victims found at least one Outlook PST auto-archived on a mapped network share that was not caught by the ransomware's exclusion list.
4. Other Critical Information
- Double-Extortion: attacknew exfiltrates data prior to encryption via the MEGA SDK (mega.nz.dll) into a folder tree /Exfil/companyname_date/.
- Geofencing: samples contain a C2 "/api/reachable" POST that includes the strings "RU, BY, UA"; infections self-terminate when the system language is set to those locales.
- Silent Mode: if the running process list contains F-Secure, Sophos, SentinelOne, or CrowdStrike, the malware skips lateral movement entirely but still encrypts local drives; this behaviour produced many false positives in early reports.
- Insider Reconnaissance: some intrusions included a Teams/Slack dump of corporate channels, used to craft believable phishing follow-ups, a tactic so far unique to AttackNew operators versus older families like LockBit or Clop.
Immediate Take-away: Treat any .attacknew* notice as a dual threat (encryption + data leak). Proceed with a cold-vault restore and a credential reset across all tier-0/1 assets, and do not power off servers while memory-artefact capture of the master key is still possible.