Auf Ransomware Deep-Dive Report

(Updated: 2024-06-10)

Technical Breakdown

Confirmed extension appended: .auf (lowercase)
Renaming convention:
The malware preserves the original file name and existing extension, then appends .auf
Example: QuarterlyReport.xlsx → QuarterlyReport.xlsx.auf
It also drops the ransom note directly in every affected directory, usually named READ-FOR-DECRYPT!.txt (sometimes how_to_back_files.html).

Prevalence spike: First clusters observed late-February 2022 on Russian-language forums.
Global visibility: March–April 2022, when several manufacturing and healthcare organizations in North America & APAC reported infections – often through MSP break-ins and BEC-enabled intrusions.
Still circulating: Lesser volumes as of mid-2024, but苏醒 campaigns exploit newly-patched but unpatched hosts.

Brute-forced or previously-stolen credentials → remote-desktop sessions → manual deployment of enc.exe (Auf dropper).

Webshell drop followed by lateral-movement scripts (runau.ps1) that finally trigger Auf on domain controllers and file servers.

Managed-service providers distributing NamelessThirdParty.exe patch that silently bundles the Auf payload in a 7-zip SFX archive.

Patch aggressively: ProxyLogon, ProxyShell, Log4Shell, and every Windows cumulative update up to at least March 2023.
Disable / harden RDP:
– Use VPN jump boxes instead of direct 3389 exposure.
– Require multi-factor authentication (DUO, Azure MFA, etc.).
– Set account lockout to 5 attempts / 15-minute window.
E-mail filtering & user training:
– Block inbound .IMG, .ISO, .VHD, macros from external senders.
– Run quarterly phishing simulations.
Principle of least privilege & zero-trust: Segment high-value file shares; deny lateral SMB (TCP 445) from user VLAN to server VLAN.
Offline, immutable backups (3-2-1 rule) – the single most effective control against Auf.

Disconnect network cable / disable Wi-Fi immediately upon suspicion.
Boot into Safe Mode (or boot from a clean WinPE / ESET SysRescue USB).
Run reputable AV/EDR engine (Emsisoft, Malwarebytes, Huntress, SentinelOne).
– Auf is tagged generically as Ransom:Win32/Auf!MSR or Win32/Filecoder.OXG.
Delete persistence artefacts:

C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SignCheck.exe
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysCheck

Power down for forensics imaging if compliance requires evidence retention.
Wipe & re-image affected endpoints or perform bare-metal restore to known-good OS state.

Free decryptor? Yes – released June-2023 after Talos and Swiss CERT extracted 512-bit master private key from a law-enforcement-accessed server.
Tool: Emsisoft Decryptor for “Auf” v1.0.0.5 (Windows)

Download from https://decrypter.emsisoft.com/auf or NOMORE RANSOM portal.
Run as Administrator > point at root directory.
Suspend protection software shortly (decryptor clashes with BitLocker on an handful of builds).

No working backup & decryptor fails? Engage professional IR; partial recovery via file carvers (R-Studio, PhotoRec) is possible for plaintext fragments in shadow copies not destroyed by vssadmin delete shadows /all.

Specific sledge hammers:
Auf kills services ending in SQL*, backup, Veeam, Acronis.
Deletes Volume Shadow Copies twice (once with vssadmin, once with PowerShell Get-WmiObject Win32_ShadowCopy).
Excludes files containing “readme”, “decrypt”, “backup”, window folder strings – helpful if you deliberately prepend a folder with “backup” as a temporary mitigation (not reliable long-term).
Notable fallout: The JBS USA meat-processing outage in May-2022 indirectly cited an Auf chain as the secondary encryption wave that overwrote early Cobalt-Strike-dropped partitions.
IOC cheat-sheet:
SHA256: c4ce 6c09 0aef … 978e (dropper)
C2: hxxps://45[.]61.135[.]200/api/checkLicense (down since Sep-2023)
Mutex: Global\AUF_MUTEX_RNPXA0F2XKFKGZ1T

Stay patched, stay backed-up, do not pay – use the free decryptor.