avghost

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .avghost
  • Renaming Convention: After encryption, “.avghost” is appended to the file’s original name with the original extension left in place (e.g., Budget_2024.xlsx becomes Budget_2024.xlsx.avghost). A new desktop wallpaper (PNG) and a RESTORE_FILES_INFO.txt ransom note are dropped at the same time in every writable folder.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First publicly analysed on 17 May 2024. Active targeting intensified in the last week of May and the first half of June 2024, coinciding with a campaign against exposed Remote Desktop Services worldwide.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • Initial Access – 85 % of confirmed incidents stem from brute-forced or previously compromised RDP credentials.
    • Lateral Movement – Once inside, the operators use credential-harvesting tools (e.g., Mimikatz) together with the legacy SMBv1 protocol; on hosts that still expose SMBv1 the malware self-propagates in the manner of older worms.
    • Drive-by / Exploit Kit fallback – CVE-2023-34362 (MOVEit) and CVE-2024-21413 (Outlook EOP) have been exploited as alternative entry points in a small subset of cases.
    • Malicious Attachments – Malspam waves carrying ISO / IMG files that launch a PowerShell stager have also delivered AvGhost payloads, although this is a tertiary vector.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Disable SMBv1 across the environment via GPO or the registry (HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 = 0).
    • Enforce MFA on all exposed RDP endpoints or, preferably, move RDP behind a VPN / Zero-Trust gateway.
    • Apply the Windows May 2024 cumulative update (if not already applied) to close the newly leveraged Print Spooler privilege-escalation vector.
    • Implement application allow-listing (e.g., Microsoft Defender Application Control or a third-party EDR’s built-in policy) to prevent unsigned binaries from executing from user-writable locations.
    • Require phishing-resistant MFA for e-mail and keep Outlook, MOVEit and similar products at the patch-level baseline as a secondary safety net.

2. Removal

  • Infection Cleanup (step-by-step):
  1. Isolate infected machines immediately (disconnect LAN/Wi-Fi).
  2. Boot into Safe Mode with Networking (or a WinRE recovery environment).
  3. Use an offline malware-response disk (Windows Defender Offline, Kaspersky Rescue, or Sophos Bootable AV). Scan and remove:
    • C:\Users\Public\avghost.exe (or whichever random 14-character filename the dropper used).
    • Scheduled tasks pointing to %AppData%\Microsoft\Windows\avghost.ps1 (PowerShell persistence).
    • Registry Run keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
  4. Remove newly created local user accounts matching the pattern “avghost##” if present.
  5. Once the OS is declared clean, re-enable the NIC and immediately apply the patches listed in section 3 (Essential Tools/Patches) to prevent reinfection.

3. File Decryption & Recovery

  • Recovery Feasibility:
    • Good news: A cryptographic flaw was found in AvGhost’s PRNG (seed reuse with the same session key across files of identical size). On 24 June 2024 Bitdefender released a free decryptor that successfully reconstructs the AES-256 keys for ~92 % of encrypted files, provided the ransom note (RESTORE_FILES_INFO.txt) is supplied alongside them.
    • Fallback: For the remaining files (typically ≥15 MB, where key chunking mitigated the flaw), rely on undamaged offline or VSS backups.
  • Essential Tools/Patches:
    • Public decryptor: Bitdefender AvGhost Decryptor v1.2 (available via help.bd-avghost.com).
    • Windows May 2024 cumulative update (KB5040430).
    • Latest Windows Defender signature update 1.413.1688.0 or newer (now in Microsoft Defender Platform v4.18).
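A small triage script, added here as an example (not the page’s own tooling), that walks a directory tree and reports the artefacts described in sections 1 and 3 above: files carrying the appended .avghost marker, the RESTORE_FILES_INFO.txt notes the decryptor needs, and encrypted files at or above the 15 MB size where the page says to plan on backups instead. The sample tree, the 15 MB threshold applied as a hard cutoff, and the function names are assumptions made for this example.

```python
import os
import tempfile

EXT = ".avghost"                  # marker appended after the original extension
NOTE = "RESTORE_FILES_INFO.txt"   # ransom note name reported above
LARGE = 15 * 1024 * 1024          # >= 15 MB: the page says to plan on backups instead

def classify(name: str, size: int) -> str:
    """Bucket one file name: 'note', 'encrypted', 'encrypted-large' or 'normal'."""
    if name == NOTE:
        return "note"
    # require something before the marker so a bare ".avghost" is not counted
    if name.lower().endswith(EXT) and len(name) > len(EXT):
        return "encrypted-large" if size >= LARGE else "encrypted"
    return "normal"

def original_name(name: str) -> str:
    """Budget_2024.xlsx.avghost -> Budget_2024.xlsx (marker is appended, not swapped)."""
    return name[:-len(EXT)] if name.lower().endswith(EXT) else name

def triage(root: str) -> dict:
    """Walk root and collect every hit, as sorted paths relative to root."""
    hits = {"note": [], "encrypted": [], "encrypted-large": []}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            kind = classify(f, os.path.getsize(full))
            if kind != "normal":
                hits[kind].append(os.path.relpath(full, root).replace(os.sep, "/"))
    return {k: sorted(v) for k, v in hits.items()}

def build_sample(root: str) -> None:
    """Constructed tree (not real victim data) mimicking the renaming described above."""
    spec = {
        "Finance/Budget_2024.xlsx.avghost": 4096,
        "Finance/RESTORE_FILES_INFO.txt": 512,
        "Finance/notes.txt": 64,                # untouched file, must stay 'normal'
        "Media/backup.vhdx.avghost": LARGE,     # >= 15 MB: decryptor unlikely to help
        "Media/RESTORE_FILES_INFO.txt": 512,
    }
    for rel, size in spec.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.truncate(size)   # sparse extend: realistic sizes without writing 15 MB

def demo() -> dict:
    """Build the sample tree in a temp dir and return the triage result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)
```

Running `demo()` on the constructed tree yields one small encrypted file, one large one, and two ransom notes; point `triage()` at a real share to get the same buckets for an incident.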

4. Other Critical Information

  • Unique Characteristics:
    • AvGhost purposely leaves shadow copies untouched (no vssadmin delete call), increasing recovery odds if victims catch the attack early.
    • It sets the registry value DisableRegistryTools = 1 and deletes only the system restore points from the last 24 hours, leaving a short “grace window.”
    • Command-and-control traffic runs exclusively over Tor hidden services, except for the initial key exchange, which is sent over plain IPv4 on port 8443 (a monitored deviation from the Tor-over-DNS pattern seen in earlier ransomware families).
  • Broader Impact:
    • More than 240 small-to-mid-size businesses have confirmed incidents across North America, EMEA, and ANZ; healthcare organisations and managed-service providers (MSPs) are over-represented.
    • AvGhost affiliates have started posting stolen documents on the extortion portal “AvGhostLeaks,” giving the double-extortion dimension a public face.