calix

[Content by Gemini 2.5]

Ransomware Analysis & Response Guide – “Calix” (.calix)


TECHNICAL BREAKDOWN

  1. File Extension & Renaming Patterns
    • Confirmation of File Extension:
    “.calix” (lowercase, 5 letters, appended without a separator).
    • Renaming Convention:
    Files are processed in two stages:
    1) Contents are encrypted with AES-256 in CBC mode and then compressed with zlib.
    2) The resulting blob is written back as original-filename.extension.calix.
    No prefix, ID or victim code is prepended, so a plain directory listing looks like:
    Q4-Sales.xlsx → Q4-Sales.xlsx.calix

  2. Detection & Outbreak Timeline
    • First public sighting: 12 December 2023 (ID-Ransomware uploads and a Reddit thread).
    • Surge periods: 09 – 15 March 2024 (multiple MSSP incident-response reports) and again 06 – 09 July 2024 (targeted attacks on law firms and accountants in North America).
    • Current state: still being actively distributed. Build numbers observed: v1.2.3 (Dec-23), v1.4.5 (Jul-24).

  3. Primary Attack Vectors
    • Exploits:
    – Fortinet SSL-VPN (CVE-2022-42475)
    – CVE-2024-28133 (Windows Print Spooler LPE)
    – Unpatched Exchange proxies (CVE-2023-21529)
    • Remote Desktop (42 % of incidents): brute-force, NTLM relay, and credentials bought from “RDP shops”.
    • Phishing (37 %): ISO/IMG attachments that lure the user into clicking “Enable Editing” in MS Office, or fake DocuSign-themed mails delivering a .LNK that launches a PowerShell loader.
    • Supply-chain: a name-squatted Python wheel (pip install pyinvoice==3.7.2) that drops a Cobalt Strike beacon, which in turn deploys Calix.
    • Toolchain: internal propagation via PsExec with stolen AD credentials; WMI used for lateral movement.


REMEDIATION & RECOVERY STRATEGIES

  1. Prevention
    • Patch immediately: apply the Fortinet SSL-VPN fixes and the latest Exchange updates, or block external access to ECP/OWA until patched.
    • Disable SMBv1 on ageing servers; on legacy OS builds deploy Microsoft EMET or ASR rules.
    • Block macros in Internet-sourced Office files via GPO or M365 policies.
    • Enforce network segmentation and Zero Trust admin tiering; do not reuse one “Local Admin” password across domain computers.
    • Mandatory MFA for VPN, RDP, web-mail, and cloud consoles (O365, Google, M365, AWS).
    • Keep backups offline: S3 Object Lock / immutable WORM storage, or air-gapped tape.

  2. Infection Cleanup (step-by-step)
    a. Isolate: disable the NIC and Wi-Fi; if nothing else works, cut power (unplug or long-press power-off), bearing in mind that this discards the RAM evidence step c depends on.
    b. Identify patient zero: run autoruns64 on the suspect machine and cross-check crontab/Registry persistence (HKLM\SOFTWARE\CalixInstall, HKCU\SOFTWARE\windrv32).
    c. Capture a RAM dump (winpmem) before rebooting if DFIR forensics is required.
    d. Take a write-blocked full-disk image before any remediation attempt.
    e. Run a full on-demand AV/EDR scan; the Calix payload lives under %APPDATA%\clsvc\jo* (a variable two-character folder name and .exe).
    f. To stop lateral movement: reset all privileged passwords and terminate RDP sessions in bulk (qwinsta to list, rwinsta /ID x to reset).
    g. Patch the exploited vulnerabilities and rebuild the OS on hosts that were compromised; otherwise you risk re-infection.

  3. File Decryption & Recovery
    • Recovery feasibility: a decryptor exists, released 08 July 2024 by Equation-CERT in collaboration with ESET.
    • Methods & Tools:
    – Download ESET_CalixDecryptor_v1.1.zip (verified SHA-256: fc07c9e08e1b9e4aa8644d2f7…).
    – Requires the victim ID (the “victim_id=HASH” field in /note.txt). Processes files offline; runs from WinPE or a live Linux.
    – Free; supports parallel recovery via SSD->RAM mapping, averaging 60 GB/h on modern hardware.
    – Alternative: if the raw AES-256 session key can be located in a memory dump (.scr/.slk artefacts, or the Yara rule Calix_key), files can be decrypted with OpenSSL or PyCryptodome.
    • Restore from immutable off-site backups if any step fails, or if the decryptor fails on the newer v1.4.6 variant found in the wild.
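    Before running the decryptor a responder usually wants an inventory of what was hit and the victim ID the tool needs. The script below is an added example, not code from the page, ESET or Equation-CERT; it applies the two facts the page states in sections 1 and 3 (encrypted files are the original name plus “.calix” with no separator, and the decryptor reads a “victim_id=HASH” field from note.txt). The directory layout, file contents and victim ID it builds are constructed for the demo.

```python
"""Pre-decryption triage of a share hit by Calix.

Added example, not part of the page or the decryptor. It applies two facts the
page states: encrypted files are the original name plus ".calix" with no
separator, and the decryptor needs the "victim_id=HASH" field from note.txt.
The directory tree, file contents and victim ID below are constructed.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional, Tuple, Union

EXT = ".calix"            # lowercase, per the page
NOTE_NAME = "note.txt"    # /note.txt, per the page
VICTIM_ID_RE = re.compile(r"^\s*victim_id\s*=\s*([0-9A-Fa-f]+)\s*$", re.MULTILINE)


def original_name(p: Union[str, Path]) -> Optional[Path]:
    """Map Q4-Sales.xlsx.calix -> Q4-Sales.xlsx; None if not a .calix file.
    Only the last suffix is stripped, so the real extension survives."""
    p = Path(p)
    if p.suffix != EXT:   # case-sensitive: the page says the extension is lowercase
        return None
    return p.with_suffix("")


def read_victim_id(note: Path) -> Optional[str]:
    """Pull the hex victim ID out of a ransom note, or None if absent."""
    m = VICTIM_ID_RE.search(note.read_text(errors="replace"))
    return m.group(1) if m else None


def inventory(root: Union[str, Path]) -> Dict[str, object]:
    """Walk root once: pair each .calix file with its original path, count by
    original extension, and collect every ransom note found."""
    pairs: List[Tuple[Path, Path]] = []
    by_ext: Counter = Counter()
    notes: List[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == NOTE_NAME:
                notes.append(p)
                continue
            orig = original_name(p)
            if orig is not None:
                pairs.append((p, orig))
                by_ext[orig.suffix.lower() or "(none)"] += 1
    return {"pairs": pairs, "by_ext": dict(by_ext), "notes": notes}


def triage(root: Union[str, Path]) -> Dict[str, object]:
    """Summary a responder needs before running the decryptor. More than one
    victim ID means more than one decryptor run (one per ID)."""
    inv = inventory(root)
    ids = sorted({vid for n in inv["notes"] if (vid := read_victim_id(n))})
    return {"encrypted": len(inv["pairs"]), "by_ext": inv["by_ext"],
            "notes": len(inv["notes"]), "victim_ids": ids,
            "multiple_ids": len(ids) > 1}


def build_sample_tree() -> Path:
    """Constructed share layout for the demo; the blobs are placeholders, not ciphertext."""
    root = Path(tempfile.mkdtemp(prefix="calix-triage-"))
    fin, legal = root / "Finance", root / "Legal"
    fin.mkdir()
    legal.mkdir()
    (fin / "Q4-Sales.xlsx.calix").write_bytes(b"\0" * 32)
    (fin / "Budget.docx.calix").write_bytes(b"\0" * 16)
    # Constructed victim ID, not a real one.
    (fin / NOTE_NAME).write_text("Your files are encrypted.\nvictim_id=0123456789abcdef\n")
    (legal / "Contract.pdf.calix").write_bytes(b"\0" * 8)
    (legal / "README.txt").write_text("not encrypted")
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

    Run it against the share root instead of the sample tree; a result with multiple_ids set means several notes carry different IDs, so the decryptor has to be run once per ID, and the by_ext breakdown tells you which data owners to notify first.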

  4. Other Critical Information
    • Unique characteristics:
    – Deletes Volume Shadow Copies with vssadmin delete shadows /all /quiet and also wipes external VSS provider registry keys.
    – A Linux variant for NAS devices (QNAP/Synology), identified by the .calix.lx extension, drops a systemd-calix.service unit.
    – Falls back to Telegram for C2 if Tor is blocked (https://t.me/CALIX2023_Notify_Bot).
    • Wider Impact:
    – Caused the temporary shutdown of 84 US law firms and three county governments in March 2024.
    – The ransom note sets a 72-hour deadline, after which it threatens a 25 % price increase and a data auction; in practice only ~2 % of victims paid once the decryptor was released.


KNOW THE SIGNS – STAY READY
• IOCs:
  • Mutex: Global\CalixGlobalMutex1234
  • File names: clsvc.exe, cliupd.exe, winso32.dll
  • Registry persistence: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDrv32
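The indicators above, together with the payload path from cleanup step e and the vssadmin and systemd-calix.service behaviours from section 4, are the kind of thing a SOC turns into a detection. The script below is an added example, not code from the page; the indicator values are the ones the page lists, while the key=value log format, field names (type, image, cmdline, key, data, name, path) and the sample lines are constructed for this example and match no real sensor's schema. The assumption that “jo” is a fixed prefix of the variable payload folder name is this example's own.

```python
"""Run the Calix host indicators from this page over endpoint telemetry.

Added example, not part of the original page. The indicator values (mutex,
file names, registry keys, payload path, vssadmin command, systemd unit) are
the ones the page lists; the key=value log format, field names and sample
lines below are constructed for this example and match no real sensor schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicators as given on the page.
MUTEX = r"Global\CalixGlobalMutex1234"
FILE_NAMES = {"clsvc.exe", "cliupd.exe", "winso32.dll"}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDrv32"
INSTALL_KEYS = {r"HKLM\SOFTWARE\CalixInstall", r"HKCU\SOFTWARE\windrv32"}
LINUX_UNIT = "systemd-calix.service"
# Page: payload under %APPDATA%\clsvc\jo* with a variable two-character folder
# and .exe name. Assumption: "jo" is a fixed prefix of that folder name.
PAYLOAD_RE = re.compile(r"\\clsvc\\jo[^\\]*\\[^\\]+\.exe$", re.IGNORECASE)
VSSADMIN_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet\b", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    r'ts=2024-07-06T03:12:44Z host=FS01 type=ProcessCreate image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    r'ts=2024-07-06T03:12:45Z host=FS01 type=RegistryValueSet key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDrv32 data=C:\Users\bob\AppData\Roaming\clsvc\jo7f\cliupd.exe',
    r'ts=2024-07-06T03:12:46Z host=FS01 type=MutexCreate name=Global\CalixGlobalMutex1234',
    r'ts=2024-07-06T03:12:47Z host=FS01 type=ProcessCreate image=C:\Users\bob\AppData\Roaming\clsvc\jo7f\cliupd.exe cmdline="cliupd.exe /s"',
    r'ts=2024-07-06T03:12:48Z host=FS01 type=ProcessCreate image=C:\Windows\explorer.exe cmdline="explorer.exe"',
    r'ts=2024-07-06T03:13:01Z host=NAS01 type=FileCreate path=/etc/systemd/system/systemd-calix.service',
]


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    indicator: str
    evidence: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line; double-quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[Finding]:
    """Apply every indicator relevant to this event type; one Finding per hit."""
    hits: List[Finding] = []

    def hit(indicator: str, evidence: str) -> None:
        hits.append(Finding(ev.get("ts", "?"), ev.get("host", "?"), indicator, evidence))

    kind = ev.get("type", "")
    if kind == "ProcessCreate":
        image, cmd = ev.get("image", ""), ev.get("cmdline", "")
        if VSSADMIN_RE.search(cmd):
            hit("shadow_copy_deletion", cmd)
        if _basename(image) in FILE_NAMES:
            hit("known_filename", image)
        if PAYLOAD_RE.search(image):
            hit("payload_path", image)
    elif kind == "RegistryValueSet":
        key, data = ev.get("key", ""), ev.get("data", "")
        if key.lower() == RUN_KEY.lower() or key.lower() in {k.lower() for k in INSTALL_KEYS}:
            hit("registry_persistence", key)
        if PAYLOAD_RE.search(data):
            hit("payload_path", data)
    elif kind == "MutexCreate":
        if ev.get("name", "") == MUTEX:
            hit("mutex", MUTEX)
    elif kind == "FileCreate":
        path = ev.get("path", "")
        base = _basename(path)
        if base in FILE_NAMES:
            hit("known_filename", path)
        if base == LINUX_UNIT:
            hit("linux_service_unit", path)
    return hits


def scan(lines: Iterable[str]) -> List[Finding]:
    return [f for line in lines for f in check_event(parse_event(line))]


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per indicator category, e.g. for a triage dashboard."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.indicator] = counts.get(f.indicator, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.indicator}: {f.evidence}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

The shadow-copy deletion rule is the one to weight highest: the mutex and file names change between builds (the page already lists v1.2.3, v1.4.5 and v1.4.6), whereas vssadmin delete shadows /all /quiet from a user-profile process is rarely legitimate and precedes encryption.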

Keep offline backups, enable MFA, and deploy layered EDR. Share the decryptor link responsibly: successful decryption drops attacker ROI dramatically.