beer

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    The ransomware appends .beer at the end of every encrypted file (after the final dot and the original extension), e.g. Invoice_03_2021.pdf.beer.

  • Renaming Convention:
    – File names are preserved; only the extension string is added.
    – When encryption is executed in “double-extension” mode the ransom note is created as README_RESTORE_FILES.decrypt and dropped in every affected folder.
    – No additional prefix or suffix (such as a victim ID or timestamp) is added to the file name, unlike many other families.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    – The first samples were captured in May–June 2021 by multiple telemetry engines (VirusTotal upload 2021-06-12).
    – The largest waves of infection (public reports and underground counters) peaked during July–October 2021 and declined by the end of 2021 after decryption keys were released by law enforcement.

3. Primary Attack Vectors

| Vector | Details (beer) |
|---|---|
| Phishing e-mails | Lures impersonating trucking/shipping invoices (theme “complete the load/unload”) with ISO or ZIP attachments harbouring a .NET loader. |
| Exploitation of RDP | Classic brute-force on port 3389 → manual deployment after Cobalt-Strike or RDPWrap lateral movement. |
| Arbitrary-code-execution in web apps | Early samples contained an IIS web-shell loader (ASPX) that called beer.exe with SYSTEM privileges. |
| Known-vulnerability abuse | Observed exploitation of ProxyLogon (Exchange) and CVE-2020-0796 (SMBGhost) for initial foothold. Once privileged, the operator terminates VSS and activates beer in interactive mode. |


Remediation & Recovery Strategies:

1. Prevention

| Control | Implementation Guide |
|---|---|
| E-mail gateways | Block the ISO/ZIP → EXE chain at the attachment-policy level. |
| RDP hardening | Block TCP 3389 at the perimeter or enforce VPN + MFA. Enable NLA and disable local administrator log-in via GPO. |
| Secure baseline | Patch Exchange (ProxyLogon), SMBv1 and CVE-2020-0796/SMBGhost; enable Microsoft Defender ASR rules targeting Office and executable execution. |
| Application allow-listing | Configure Windows Defender Application Control / AppLocker to stop *.beer.exe or unknown Assembly.LoadFrom .NET binaries. |
| Regular offline backups | Ensure a 3-2-1 scheme with immutable/cloud snapshots (sufficient for full recovery without paying the ransom in every .beer incident). |

2. Removal

  1. Isolate the infected system from the LAN (disable the switch port or enable a host-firewall block-all rule).
  2. Boot from a WinPE USB and disconnect all network drives.
  3. Use Malwarebytes 4.x or Kaspersky Rescue Disk to scan and quarantine. Persistence artefacts to look for:
     – Registry persistence:
       HKCU\Software\Microsoft\Windows\CurrentVersion\Run
       Value: "BeerRestore" = %AppData%\Beer\beerservice.exe
     – Scheduled task:
       TaskName: "SecurityHealthServiceUpdate" → %APPDATA%\beerupdate.exe
  4. After the scanner has cleaned the host, manually delete the directories below if still present:
     • %APPDATA%\Beer\
     • %LOCALAPPDATA%\Temp\__beer*.tmp (decrypt-dropper artefacts)
  5. Restore the Windows Shadow Copy storage if it was killed: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10% (this recreates the storage area).
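The renaming pattern from section 1 and the persistence artefacts from the removal steps above can be checked mechanically on an exported file listing. The script below is an added example, not part of the original profile or of any vendor tool; it assumes the file paths, Run-key values and scheduled-task actions have already been exported into Python lists and dicts, and all sample data in it is constructed.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample inventory (not from a real incident): a file listing,
# the HKCU Run values and the scheduled-task actions exported from a host.
SAMPLE_PATHS = [
    r"C:\Users\anna\Documents\Invoice_03_2021.pdf.beer",
    r"C:\Users\anna\Documents\README_RESTORE_FILES.decrypt",
    r"C:\Users\anna\Documents\notes.txt",
    r"C:\Shares\finance\q2.xlsx.beer",
    r"C:\Windows\beer.bmp",
    r"C:\Users\anna\AppData\Roaming\Beer\beerservice.exe",
    r"C:\Users\anna\AppData\Local\Temp\__beer1a2b.tmp",
]
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Program Files\OneDrive\OneDrive.exe",
    "BeerRestore": r"C:\Users\anna\AppData\Roaming\Beer\beerservice.exe",
}
SAMPLE_TASKS = {"SecurityHealthServiceUpdate": r"C:\Users\anna\AppData\Roaming\beerupdate.exe"}

# .beer is appended after the original extension, so the original name is recoverable.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+\.[^.\\]+)\.beer$", re.IGNORECASE)
NOTE_NAME = "readme_restore_files.decrypt"
ARTEFACT_RES = [  # wallpaper, dropper directory and temp artefacts named on the page
    re.compile(r"\\beer\.bmp$", re.IGNORECASE),
    re.compile(r"\\AppData\\Roaming\\Beer\\", re.IGNORECASE),
    re.compile(r"\\Temp\\__beer[^\\]*\.tmp$", re.IGNORECASE),
]


def triage(paths, run_values, tasks):
    """Classify a file listing and persistence entries against the .beer IoCs."""
    encrypted, notes, artefacts = [], set(), []
    per_folder = defaultdict(int)
    for p in paths:
        folder, name = ntpath.split(p)
        m = ENCRYPTED_RE.match(name)
        if m:  # (encrypted path, name it should regain after decryption)
            encrypted.append((p, ntpath.join(folder, m.group("orig"))))
            per_folder[folder] += 1
        elif name.lower() == NOTE_NAME:
            notes.add(folder)
        elif any(r.search(p) for r in ARTEFACT_RES):
            artefacts.append(p)
    # Flag Run values / tasks whose name or target contains the family marker.
    persistence = [f"Run\\{k} -> {v}" for k, v in run_values.items() if "beer" in (k + v).lower()]
    persistence += [f"Task\\{k} -> {v}" for k, v in tasks.items() if "beer" in (k + v).lower()]
    return {
        "encrypted": encrypted,
        "affected_folders": dict(per_folder),
        "folders_without_note": sorted(f for f in per_folder if f not in notes),
        "artefacts": artefacts,
        "persistence": persistence,
    }
```

A folder that holds encrypted files but no README_RESTORE_FILES.decrypt is worth a second look, since the page states the note is dropped in every affected folder.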

3. File Decryption & Recovery

  • Recovery Feasibility:  ✅ DECRYPTABLE
    – Decryption keys and GUI tool were released after Europol takedown (Sept 2021).
    – Offline validation: the 128-bit AES key is derived from a per-victim RSA key; the public part is static in all samples, so the same private key unlocks all .beer victims.

  • Essential Tools/Patches:
  | Tool Name | Link / Hash | Notes |
  |---|---|---|
  | Emsisoft Decryptor 1.0.0.3 | SHA-256 bd1c15a…9f9e (mirror at decrypt.emsisoft.com/beer) | Drag-and-drop README_RESTORE_FILES.decrypt into the tool; works offline. |
  | Windows patches | KB5004442 (fixes LNK 0-day) and Exchange KB5000871 (ProxyLogon) | Apply immediately post-cleanup. |

  • Alternative via Previous-File-Shadow:
    If VSS was not purged, run vssadmin list shadows /for=C: and restore …\invoices\pdf from a shadow copy dated before the encryption to recover a clean copy.

4. Other Critical Information

  • Unique Characteristics:
    – Uses .NET Reactor VM obfuscation but leaves the AES master key in plaintext inside a byte-array resource.
    – Kills >90 services by name (starting with SQL, Veeam, Acronis, ShadowProtect) and deletes Sophos, ESET, Windows Defender drivers via sc delete, making prompt removal critical.
    – Drops a ransom wallpaper: %SystemRoot%\beer.bmp (background references “Beer Money Inc” with a BTC address). An easy IoC.

  • Broader Impact:
    – Caused major downtime in 5 mid-European logistics companies in August 2021, as the phishing theme resonated with transport staff.
    – Paved the way for the law-enforcement operation “Task Force Barley”, which dismantled the backend panel in September 2021, a successful crackdown on a small but highly targeted group.