ccps
Technical Breakdown:
1. File Extension & Renaming Patterns
- Confirmation of File Extension: The ransomware appends the suffix “.ccps” (all lower-case, no spaces or dashes) to every encrypted file.
- Renaming Convention: The extension is appended directly after the original extension, e.g., report.docx becomes report.docx.ccps. No ransom-tagged prefix (such as an email address or victim ID) is inserted; this minimalist change is one of its key identifiers.
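The renaming rule above is simple enough to turn into triage code: strip the appended suffix to recover the original name, count which file types were hit, and spot the ransom note (named _readme.txt later in this profile). The script below is an added example, not code from the original page or from any vendor tool; the directory paths and file names it contains are constructed sample data.

```python
import os
from collections import Counter

# Marker strings taken from the profile: the appended extension and the ransom note name.
CCPS_SUFFIX = ".ccps"
RANSOM_NOTE = "_readme.txt"

# Constructed sample paths for a stand-alone run (not real victim data).
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/report.docx.ccps",
    "C:/Users/alice/Documents/_readme.txt",
    "C:/Users/alice/Pictures/holiday.jpg.ccps",
    "C:/Users/alice/Pictures/thumbs.db",
    "C:/Users/alice/Desktop/budget.xlsx.ccps",
    "C:/Users/alice/Desktop/notes.txt",
]


def classify_paths(paths):
    """Sort paths into encrypted files, ransom notes and untouched files.

    Returns {"encrypted": [(encrypted_path, original_path), ...],
             "notes": [path, ...], "clean": [path, ...]}.
    The match is case-sensitive because the suffix is always lower-case;
    a name that is nothing but ".ccps" is not treated as an encrypted file.
    """
    result = {"encrypted": [], "notes": [], "clean": []}
    for path in paths:
        name = os.path.basename(path)
        if name.endswith(CCPS_SUFFIX) and len(name) > len(CCPS_SUFFIX):
            # The suffix is appended verbatim, so stripping it yields the original name.
            result["encrypted"].append((path, path[: -len(CCPS_SUFFIX)]))
        elif name == RANSOM_NOTE:
            result["notes"].append(path)
        else:
            result["clean"].append(path)
    return result


def original_extension_histogram(encrypted_pairs):
    """Count the original extensions that were encrypted, e.g. {".docx": 1}."""
    counts = Counter()
    for _encrypted, original in encrypted_pairs:
        ext = os.path.splitext(original)[1].lower() or "(none)"
        counts[ext] += 1
    return dict(counts)


def scan_tree(root):
    """Walk a real directory and classify every file found under it."""
    paths = [os.path.join(dirpath, f)
             for dirpath, _dirs, files in os.walk(root) for f in files]
    return classify_paths(paths)


if __name__ == "__main__":
    triage = classify_paths(SAMPLE_PATHS)
    print(f"{len(triage['encrypted'])} encrypted file(s), {len(triage['notes'])} ransom note(s)")
    for encrypted, original in triage["encrypted"]:
        print(f"  {encrypted} -> original name {os.path.basename(original)}")
    print("extensions hit:", original_extension_histogram(triage["encrypted"]))
```

Run it as-is to see the constructed sample classified, or call scan_tree() on a mounted image of an affected volume; the histogram is a quick way to tell whether only user documents were hit or system directories were touched as well.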
2. Detection & Outbreak Timeline
- Approximate Start Date/Period: Broad circulation of .ccps infections was first reported in April 2023. The spike coincided with a wider Djvu/STOP-family campaign pushing the “_ccps” nomenclature variant to victim pools via fake cracks and keygens delivered through malicious torrents.
3. Primary Attack Vectors
- Propagation Mechanisms:
  - Malicious Torrents & “Crack” Bundles: The overwhelming majority of infections start when users download and launch counterfeit software installers (e.g., Adobe cracks, game trainers) from torrent portals.
  - Drive-by Malvertising: Secondary distribution leverages malvertising chains that redirect victims to exploit kits, which then drop the .ccps loader.
  - Previously Compromised Hosts: Once inside, the ransomware scans for accessible SMB shares and attempts lateral movement via brute-force RDP, but it does NOT exploit EternalBlue or SMBv1 vulnerabilities; its propagation relies on credential reuse or prior malware footholds.
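Because the lateral-movement step described above relies on guessing RDP credentials rather than an exploit, it leaves a plain signature in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source, sometimes followed by a success (event 4624). The detector below is an added example written for this profile, not the page's own code or any product's logic; the event tuples are constructed sample data and the event IDs and logon type are the standard Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs and the RDP logon type (standard Windows values).
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_RDP = 10  # RemoteInteractive

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, account).
SAMPLE_EVENTS = [
    ("2023-04-12T09:00:01", 4625, 10, "10.0.0.23", "admin"),
    ("2023-04-12T09:00:03", 4625, 10, "10.0.0.23", "administrator"),
    ("2023-04-12T09:00:05", 4625, 10, "10.0.0.23", "backup"),
    ("2023-04-12T09:00:07", 4625, 10, "10.0.0.23", "alice"),
    ("2023-04-12T09:00:09", 4625, 10, "10.0.0.23", "bob"),
    ("2023-04-12T09:00:12", 4624, 10, "10.0.0.23", "bob"),    # success right after the burst
    ("2023-04-12T09:05:00", 4625, 10, "10.0.0.40", "alice"),  # one mistyped password
    ("2023-04-12T09:30:00", 4625, 2, "10.0.0.23", "alice"),   # console logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed RDP logons inside any sliding window.

    Returns {source_ip: (max_failures_in_window, success_after_burst)}. The second
    value is True when the same IP later achieved a successful RDP logon, which is
    the case that matters most for incident response (credentials were guessed).
    """
    by_ip = defaultdict(list)
    for ts, event_id, logon_type, ip, _account in events:
        if logon_type != LOGON_TYPE_RDP:
            continue
        by_ip[ip].append((datetime.fromisoformat(ts), event_id))

    window = timedelta(seconds=window_seconds)
    hits = {}
    for ip, items in by_ip.items():
        items.sort()
        failures = [t for t, e in items if e == EVENT_LOGON_FAILED]
        successes = [t for t, e in items if e == EVENT_LOGON_SUCCESS]
        # Two-pointer sweep: widest run of failures that fits inside the window.
        best, start = 0, 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            success_after = any(s > failures[-1] for s in successes)
            hits[ip] = (best, success_after)
    return hits


if __name__ == "__main__":
    for ip, (count, success) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        verdict = "and then logged in successfully" if success else "without a success"
        print(f"{ip}: {count} failed RDP logons within 60s {verdict}")
```

The sweep is linear in the number of failures per source, so it scales to exported logs; tune threshold and window to the environment, and treat a hit with success_after set as a credential compromise to reset, not just a noisy host.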
1. Prevention
- Block pirated software and cracking tools through application whitelisting and web filtering (malware domains, specific torrent tracker IPs).
- Upgrade to fully-patched Windows 10/11 and immediately move end-of-life Windows 7/8 systems offline.
- Disable scripted downloaders (PowerShell, mshta, cscript, wscript) for standard users; enforce Microsoft Defender ASR rules.
- Backups: Maintain offline (immutable) backups plus at least one cloud copy with object-lock to prevent destruction or encryption.
2. Removal
- Disconnect from any network shares and the internet.
- Boot into Safe Mode with Networking.
- Run reputable AV/EDR engines (Windows Defender Offline, Malwarebytes, or HitmanPro) to quarantine and remove the payload.
- Clean rogue scheduled tasks (schtasks /query /fo list | findstr ccps) & startup registry keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
- Reset all local passwords and scan for secondary toolkits (RedLine, Vidar) that were often dropped alongside the ransomware to extract credentials.
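The persistence-cleanup step above filters scheduled tasks with findstr on the default list output, which only exposes the task name; adding /v to schtasks includes the "Task To Run" field, so a task with an innocuous name that points at a ccps-related binary is caught as well. The script below parses that verbose output and the HKCU Run key into records and flags both kinds of entry. It is an added example, not code from the page or from any tool it names; the schtasks output and Run-key values are constructed samples, and the "SystemUpdater"/"SysHelper" names and the loader path are invented for the demonstration.

```python
import re
import sys

MARKER = "ccps"  # the string the profile's findstr filter looks for

# Constructed, abridged sample of `schtasks /query /fo list /v` output (two tasks).
SAMPLE_SCHTASKS_OUTPUT = """\
Folder: \\
HostName:                             WORKSTATION01
TaskName:                             \\Microsoft\\Windows\\Defrag\\ScheduledDefrag
Status:                               Ready
Logon Mode:                           Interactive/Background
Task To Run:                          %windir%\\system32\\defrag.exe -c -h -o -$

HostName:                             WORKSTATION01
TaskName:                             \\SystemUpdater
Status:                               Ready
Logon Mode:                           Interactive only
Task To Run:                          C:\\Users\\alice\\AppData\\Local\\tmp\\ccps_loader.exe
"""

# Constructed sample of HKCU\...\Run values as {value_name: command}.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "SysHelper": r"C:\Users\alice\AppData\Local\tmp\ccps_loader.exe --Task",
}


def parse_schtasks_list(text):
    """Turn `schtasks /query /fo list` output into a list of {field: value} records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                record[key.strip()] = value.strip()
        if "TaskName" in record:
            records.append(record)
    return records


def suspicious_tasks(records, marker=MARKER):
    """Return records whose name or command line mentions the marker (case-insensitive)."""
    m = marker.lower()
    return [r for r in records
            if m in r.get("TaskName", "").lower() or m in r.get("Task To Run", "").lower()]


def suspicious_run_values(values, marker=MARKER):
    """Return {name: command} for Run-key entries whose command mentions the marker."""
    m = marker.lower()
    return {name: cmd for name, cmd in values.items() if m in cmd.lower()}


def read_hkcu_run():
    """Read the live HKCU Run key on Windows; returns {} elsewhere so the script still runs."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    try:
        i = 0
        while True:
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = str(data)
            i += 1
    except OSError:  # raised when no more values remain
        pass
    finally:
        winreg.CloseKey(key)
    return values


if __name__ == "__main__":
    for task in suspicious_tasks(parse_schtasks_list(SAMPLE_SCHTASKS_OUTPUT)):
        print("task:", task["TaskName"], "->", task.get("Task To Run"))
    for name, cmd in suspicious_run_values({**SAMPLE_RUN_VALUES, **read_hkcu_run()}).items():
        print("run key:", name, "->", cmd)
```

On a live host, feed the real output of schtasks /query /fo list /v into parse_schtasks_list() and merge read_hkcu_run() with the sample as the main block does; anything flagged should be exported (schtasks /xml, reg export) for the incident record before it is deleted.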
3. File Decryption & Recovery
- Recovery Feasibility: Yes, for a subset of victims. The .ccps strain is tied to Djvu/STOP-family servers. If encryption used an offline key (because the C2 was unreachable), the Emsisoft Djvu Decryptor can perform free decryption once the corresponding key is recovered. If an online key was used, decryption is currently impossible without the private key held by the criminals.
- Essential Tools/Patches:
  - Emsisoft Decryptor for STOP/Djvu (latest version): run it before paying and supply the _readme.txt ransom note or a sample file pair.
  - Windows Security Baselines (MS Security Compliance Toolkit): closes scripting and credential-dump holes.
  - KB5034441 / KB5029331 cumulative Win11/Win10 updates that reinforce ASLR & PowerShell logging.
- Additional Precautions:
  - No network-worm capability: Unlike NotPetya or Ryuk, .ccps does not spread by code injection into system processes; its main damage is at the file rather than the system level. Therefore, simple endpoint isolation prevents further encryption.
  - Data-exfiltration claims are rare: So far there is no conclusive evidence that .ccps operators leak data, a distinction from modern double-extortion gangs.
- Broader Impact:
  - The wave exposed the persistent risk posed by cracked-software ecosystems. Dozens of open-source and indie software vendors reported downstream reputational damage as attackers co-opted their installers. The .ccps campaign served as a catalyst for several national CERTs to issue joint advisories warning against counterfeit download sites.