brick

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .brick
  • Renaming Convention: Files are appended with .brick; e.g., Annual_Financials.xlsx becomes Annual_Financials.xlsx.brick. The ransom note is dropped as Restore_My_Files.txt in every encrypted folder.
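The two indicators in this section (the appended .brick suffix and the Restore_My_Files.txt note) are what a responder sweeps a share for first. The following triage helper is an added example, not code from the original page; the file paths in SAMPLE_PATHS are constructed for the demonstration.

```python
import os
from collections import defaultdict

# Indicators taken from the profile above.
ENCRYPTED_SUFFIX = ".brick"
RANSOM_NOTE = "Restore_My_Files.txt"


def original_name(path):
    """Return the pre-encryption name for a .brick file, or None if the suffix is absent."""
    if path.lower().endswith(ENCRYPTED_SUFFIX):
        return path[: -len(ENCRYPTED_SUFFIX)]
    return None


def triage_paths(paths):
    """Classify file paths into encrypted files and ransom notes, summarised per folder."""
    encrypted, notes = [], []
    per_folder = defaultdict(lambda: {"encrypted": 0, "note": False})
    for p in paths:
        folder, base = os.path.dirname(p), os.path.basename(p)
        if base == RANSOM_NOTE:
            notes.append(p)
            per_folder[folder]["note"] = True
        elif original_name(p) is not None:
            encrypted.append(p)
            per_folder[folder]["encrypted"] += 1
    # Folders without a hit are intentionally absent from the summary.
    return {"encrypted": encrypted, "notes": notes, "folders": dict(per_folder)}


def walk_and_triage(root):
    """Walk a real directory tree (e.g. a restored share) and triage every file in it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage_paths(paths)


# Constructed sample: two encrypted files and a note in Finance, a note-only HR folder,
# and an untouched Public folder.
SAMPLE_PATHS = [
    "/srv/share/Finance/Annual_Financials.xlsx.brick",
    "/srv/share/Finance/Restore_My_Files.txt",
    "/srv/share/Finance/Q3_Report.docx.brick",
    "/srv/share/HR/handbook.pdf",
    "/srv/share/HR/Restore_My_Files.txt",
    "/srv/share/Public/readme.txt",
]

if __name__ == "__main__":
    for folder, hit in triage_paths(SAMPLE_PATHS)["folders"].items():
        print(f"{folder}: {hit['encrypted']} encrypted file(s), note present: {hit['note']}")
```

A folder that carries the note but no .brick files (HR in the sample) is worth a second look, since it may hold files the malware skipped or overwrote rather than renamed.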

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First sightings on 30 September 2022; a sharp spike in infections occurred through October–November 2022, mainly in Western Europe and North America.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • Phishing e-mails impersonating invoices, HR memos, or DHL/UPS notifications (ISO, IMG, or password-protected ZIP attachments).
    • Exploitation of the newly patched CVE-2022-27925 and CVE-2022-37042 (Zimbra Collaboration RCE).
    • Remote Desktop Protocol (RDP) brute-force, followed by lateral SMB spread once credentials are cracked.
    • Software vulnerabilities: a single Cobalt Strike beacon often drops the payload after exploiting the above CVEs.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Patch Zimbra Collaboration immediately (Sep 2022 patch bundle fixes the two CVEs).
    • Disable SMBv1 everywhere; enforce Network Level Authentication on RDP.
    • Implement phishing-resistant MFA (TOTP or hardware tokens).
    • Deploy EDR capable of detecting Cobalt Strike TTPs and LSASS credential dumps.
    • Regular offline, immutable backups (3-2-1 model).
    • Pre-stage GPOs or MDE ASR rules to block child-process execution from Office macros and ISO attachments.

2. Removal

  • Infection Cleanup (agent-driven, repeatable process):
  1. Isolate the affected host (pull network cable / disable Wi-Fi).
  2. Boot into Safe Mode with Networking (for persistent service removal).
  3. Scan with updated endpoint AV/EDR (Windows Defender 1.381+, Bitdefender, CrowdStrike, SentinelOne all have Brick signatures).
  4. Delete scheduled tasks / services named Br or BrickUpdate located in C:\ProgramData\Brick\ and HKLM\SYSTEM\CurrentControlSet\Services\.
  5. Erase registry persistence keys:
    HKCU\Software\BrickLocker
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BrickUpdater
  6. Reboot normally, perform a second full scan to confirm eradication.

3. File Decryption & Recovery

  • Recovery Feasibility: There is no free decryptor. Brick is based on the Chaos 4.x builder with ChaCha20 + RSA-2048.

  • Official decryptor? No.

  • Reconstruction options:
    • Restore from offline / immutable backups.
    • If backups are unavailable and Shadow Copies were not deleted (vssadmin delete shadows /all was not used), use ShadowExplorer, or vssadmin list shadows followed by wbadmin start recovery.
    • Leverage file-carving tools (PhotoRec) for specific document types if partial recovery is acceptable.
    • DO NOT pay; the threat actor's e-mail server was seized (Dutch NHTCU Nov-2022 operation) and payment guarantees are void.

  • Essential Tools/Patches:
    • Zimbra Collaboration Patch 9.0.0 P26 (or 8.8.15 P35) – fixes CVE-2022-27925/37042.
    • MS17-010 (EternalBlue) SMB patches (still relevant for lateral movement).
    • Defender signature update 1.381.1648.0 or newer (detects Win32/Filecoder.Brick).
    • Microsoft April 2023 cumulative patch (included RDP hardening).
    • Recovery: ShadowExplorer 0.9 / Veeam Windows Agent (free) for VSS restoration.

4. Other Critical Information

  • Additional Precautions:
    Brick deliberately overwrites 0–1 MB of larger files (>2 MB) to render partial recovery impossible; many backups or archive-type files become fully corrupted if <2 % of bytes are altered. It also clears the recycle bin and deletes *.vhdx, *.vmdk, *.tib, and *.bkf images to complicate recovery.

  • Broader Impact:
    • Brick has been observed chaining with IcedID & Bumblebee malware families in multi-stage campaigns, leading to data exfiltration and double-extortion.
    • Notable 2022 attack on a Belgian city municipality encrypted >250 endpoints via the Zimbra vector; downtime duration: 6 weeks.


Quick-reference Infographic Link: https://www.cyber-lab.io/assets/BrickRansomware.pdf
Hash Repository: https://github.com/StopBrick/IoCs/blob/main/brick_sha256.txt

Stay patched and stay backed up—this variant has no silver bullet.