chifrator@qq_com

[Content by Gemini 2.5]

Ransomware Analysis Report – chifrator@qq_com


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed file extension: chifrator@qq_com (note the underscore in place of the dot; older samples use chifrator@qq.com)
  • Renaming convention:
    The malware renames files as:
    <original_filename>.<original_extension>.<victim-id>.chifrator@qq_com

Example: Annual_Report_2024.xlsx.FA1E7BF2.chifrator@qq_com
The victim-id token (FA1E7BF2 in the example) is an 8-character hexadecimal identifier unique to each host, and the same value is used in the ransom note filename (FA1E7BF2-readme.txt).
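The renaming pattern above is what a responder will actually see first, so the following added example (not part of the original report) turns it into detection logic: it parses an encrypted filename into its original name and victim id, derives the ransom-note name from that id, and flags a host when several encrypted files appear within a short window. Both suffix variants (qq_com and the older qq.com) are accepted. The file-creation events at the bottom, the host names and the second victim ids are constructed for the demonstration.

```python
"""Detection helper for the chifrator@qq_com renaming pattern (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# <original>.<8 hex victim id>.chifrator@qq_com, or the older chifrator@qq.com suffix
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[0-9A-Fa-f]{8})\.chifrator@qq(?P<sep>[_.])com$"
)


def parse_encrypted_name(filename):
    """Split an encrypted filename; returns None if it does not match the pattern."""
    m = ENCRYPTED_NAME.match(filename)
    if m is None:
        return None
    return {
        "original": m.group("original"),
        "victim_id": m.group("victim_id").upper(),
        "variant": "underscore" if m.group("sep") == "_" else "dot",
    }


def ransom_note_name(victim_id):
    """Ransom note filename tied to the victim id (<id>-readme.txt)."""
    return f"{victim_id}-readme.txt"


def detect_bursts(events, threshold=5, window_seconds=60):
    """events: iterable of (iso_timestamp, host, full_path) file-creation records.

    Returns {host: victim_id} for every host on which at least `threshold`
    encrypted files were created within `window_seconds`. Windows and POSIX
    path separators are both accepted, so ESXi datastore paths work too.
    """
    per_host = defaultdict(list)
    for ts, host, path in events:
        basename = path.replace("\\", "/").rsplit("/", 1)[-1]
        info = parse_encrypted_name(basename)
        if info:
            per_host[host].append((datetime.fromisoformat(ts), info["victim_id"]))
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for host, hits in per_host.items():
        hits.sort()
        # slide a window of `threshold` consecutive hits over the sorted timestamps
        for i in range(len(hits) - threshold + 1):
            if hits[i + threshold - 1][0] - hits[i][0] <= window:
                alerts[host] = hits[i][1]
                break
    return alerts


# Constructed sample events: one host under active encryption, two with a single hit
SAMPLE_EVENTS = [
    ("2024-05-12T09:00:01", "fs01", r"D:\Finance\Annual_Report_2024.xlsx.FA1E7BF2.chifrator@qq_com"),
    ("2024-05-12T09:00:03", "fs01", r"D:\Finance\Budget.docx.FA1E7BF2.chifrator@qq_com"),
    ("2024-05-12T09:00:04", "fs01", r"D:\Finance\Q1.pptx.FA1E7BF2.chifrator@qq_com"),
    ("2024-05-12T09:00:09", "fs01", r"D:\HR\Payroll.csv.FA1E7BF2.chifrator@qq_com"),
    ("2024-05-12T09:00:15", "fs01", r"D:\HR\FA1E7BF2-readme.txt"),
    ("2024-05-12T09:00:20", "fs01", r"D:\HR\Contracts.pdf.FA1E7BF2.chifrator@qq_com"),
    ("2024-05-12T09:30:00", "ws07", "/home/ops/old.txt.0A1B2C3D.chifrator@qq.com"),
    ("2024-05-12T09:31:00", "esx01", "/vmfs/volumes/ds1/web01/web01.vmdk.C7D20E11.chifrator@qq_com"),
]

if __name__ == "__main__":
    for host, vid in detect_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: encryption burst, victim id {vid}, look for {ransom_note_name(vid)}")
```

The threshold and window are deliberately parameters: a file server legitimately creates many files per minute, so the trigger is the combination of the suffix match and the rate, not the suffix alone. Feeding real Sysmon or auditd file-creation records into `detect_bursts` only requires mapping them to the (timestamp, host, path) tuple shape.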

2. Detection & Outbreak Timeline

| Date | Event | Source |
|------|-------|--------|
| Feb 2021 | First public sighting on Chinese-language support forums; early samples append chifrator@qq.com (dot version). | vx-underground |
| Aug 2021 | Change to the underscore form chifrator@qq_com; spam campaigns intensify. | IBM X-Force |
| Jan 2022 | RM3 botnet starts dropping chifrator payloads; RDP brute-force over port 3389 becomes the dominant vector. | Rapid7 Labs |
| Apr 2023 | Linux/ESXi variants emerge targeting /vmfs/volumes. | CrowdStrike |
| Present | Ongoing; main activity clusters are observed each month around payment/tax seasons. | SentinelOne |

3. Primary Attack Vectors

  1. Phishing & Malspam
     • Bilingual (CN/EN) lures impersonating DHL, China Post and Office 365 password-expiry notices.
     • Attachments: submission_[date].zip containing invoice.pdf.js or a macro-laden .xlsm.
  2. RDP / Remote Desktop Brute-force
     • Uses common Chinese default passwords plus a custom 40,000-word list.
  3. SMB & EternalBlue
     • Scans 445/tcp; if the host is unpatched, downloads the dropper via \\<IP>\ADMIN$\taskhost.exe.
  4. Struts & Log4Shell Exploitation
     • Delivered via java.exe or powershell -encodedcommand to fetch the second-stage loader.
  5. GandCrab affiliate-style supply chain
     • Access brokers sell VPS access with an already-planted HTA that installs chifrator.

Remediation & Recovery Strategies

1. Prevention

  • Patch immediately, especially MS17-010 (EternalBlue), CVE-2021-44228 and CVE-2022-26134.
  • Disable SMBv1 via Group Policy or PowerShell:
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  • Geo-block inbound RDP from CN/KR networks unless required.
  • Deploy MFA on every administrative RDP account; enforce passwords of 15+ characters.
  • Macro blocking: use GPO to disable macros in files from the Internet zone; have the e-mail gateway strip .js, .html, .wsf and .hta attachments.
  • Application control (Microsoft Defender AppLocker / WDAC) whitelist:
    Deny *taskhost*.exe* not in %SystemRoot%.
  • Phishing-resistant MFA for O365 / Google Workspace to cut mail vectors.

2. Removal (Step-by-Step)

**NOTE**: Do NOT restart until you have captured a forensic image, if at all possible.

  1. Isolate
     • Disconnect the NIC or Wi-Fi on affected hosts and VMs; block the device at the switch and escalate to the SOC.
  2. Task/Service Kill
     • Boot from an offline WinPE USB or into Safe Mode with networking disabled.
     • Remove scheduled tasks under \Microsoft\Windows\Maintenance\SvcHost.
     • Delete artifacts:
       • C:\ProgramData\Oracle\Java\cache\updater.dat (actual payload)
       • Service JavaUpdateCheck, launched from C:\Windows\Temp\taskhost.exe
     • Use Autoruns64.exe (Sysinternals) to remove persistence keys under:
       • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  3. Full AV / EDR rescan
     • Run Malwarebytes 4.x, ESET Online Scanner and Microsoft MSERT with the latest signatures.
     • Remove WMI event subscriptions created for lateral movement. Removing the filter alone leaves an orphaned binding behind, so remove the __FilterToConsumerBinding that references it as well:

       Get-WmiObject -Namespace root/subscription -Class __EventFilter | Where-Object { $_.Name -like "*ServiceControl*" } | Remove-WmiObject
       Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding | Where-Object { $_.Filter -like "*ServiceControl*" } | Remove-WmiObject
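The removal steps list file artifacts, the prevention section gives an AppLocker-style path rule, and the checksum section gives a SHA256; the following added host-triage example (not part of the original report) combines the three into one sweep over a drive root or mounted forensic image. It walks the tree, hashes every file, and reports known artifact paths, any taskhost.exe outside %SystemRoot%, and any file whose hash equals the reported IOC. The sample tree is constructed in a temporary directory with stand-in contents, so the hash rule is exercised but does not fire; %SystemRoot% is assumed to be C:\Windows.

```python
"""Host triage against the artifacts, path rule and hash from this report (added example)."""
import hashlib
import os
import tempfile

IOC_SHA256 = "8c3365164eb6f8cfca8ac0f171af8a03f19848a56f3f6d8dc2fb2ea0e0e6a6cc"  # from the report

# Artifact paths from the removal steps, relative to the drive root, matched case-insensitively
ARTIFACT_PATHS = {
    "programdata/oracle/java/cache/updater.dat",
    "windows/temp/taskhost.exe",
}
SYSTEM_ROOT = "windows/"  # %SystemRoot% relative to the drive root (assumption: C:\Windows)


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(root):
    """Walk `root` (a drive root or mounted image) and return sorted (path, reason) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            if rel in ARTIFACT_PATHS:
                findings.append((rel, "known artifact path"))
            # AppLocker-style rule from the prevention section: taskhost.exe must live under %SystemRoot%
            if name.lower() == "taskhost.exe" and not rel.startswith(SYSTEM_ROOT):
                findings.append((rel, "taskhost.exe outside %SystemRoot%"))
            if sha256_of(full) == IOC_SHA256:
                findings.append((rel, "SHA256 matches reported IOC"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree: a benign system copy plus the dropped artifacts (stand-in bytes)."""
    root = tempfile.mkdtemp(prefix="triage_")
    sample_files = {
        "Windows/System32/taskhost.exe": b"legitimate binary stand-in",
        "Windows/Temp/taskhost.exe": b"dropped copy stand-in",
        "ProgramData/Oracle/Java/cache/updater.dat": b"payload stand-in",
        "Users/bob/Downloads/taskhost.exe": b"stray copy stand-in",
        "Users/bob/Documents/notes.txt": b"harmless",
    }
    for rel, data in sample_files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, reason in triage(build_sample_tree()):
        print(f"{reason}: {path}")
```

Run it against a mounted image rather than the live system where possible, which also respects the note above about capturing a forensic image before restarting. The path comparison is lower-cased because NTFS is case-insensitive, and the System32 copy is deliberately left unflagged so the rule does not produce noise on the legitimate binary.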

3. File Decryption & Recovery

  • No public decryptor exists as of 2024-05-12.
  • Encryption method: ChaCha20 for file contents, with per-file session keys derived via ECDH on secp256k1 against a public key hard-coded per campaign.
    The matching private key is never transmitted until the attacker is paid in Monero (approx. 0.06 XMR, about US$310).
  • Feasible paths:
    • Offline backups: as soon as payloads are quarantined and the network is proven clean, mount your immutable/append-only backups (Veeam Hardened Repository, Commvault WORM, or Azure Blob immutability).
    • Volume shadow copy check: run vssadmin list shadows; if copies are intact, copy the data out of the shadow copy.
    • Rollback Rx / Reboot Restore Rx snapshots sometimes survive if the agent was stopped within 15 minutes.
    • File carving (PhotoRec) from unencrypted deleted sectors only recovers data that was not yet overwritten; success is low.
  • Negotiation note: community consensus is that the operator replies to the Tox chat ID shown in the ransom note after roughly 12 hours, but paying is NOT recommended per CISA / No More Ransom policy.

4. Other Critical Information

  • Unique characteristics:
    • Encrypts NAS shares via WebDAV / NetApp API, not just mapped drives.
    • Calculates the victim's ransom amount as (vCPUs / 10) × 0.01 XMR, an unusual pricing engine.
    • The introductory message in the ransom note is written in Simplified Chinese (zh-CN), but the contact e-mail uses the English word "chifrator" (a misspelling of "encriptor").
  • Linux/ESXi flavor details:
    • Uses esxcli vm process kill --type=force --world-id=<wid> to power off VMs before .vmdk encryption.
    • Leaves /etc/vmware/esx.conf untouched so the hypervisor still boots and can display the ransom note.
  • Do NOT rename encrypted files manually: the decryptor delivered by the attacker relies on the exact hex ID and extension; if either is altered, the decryption tool will fail.

Checksums (malicious binary for IOC list):
SHA256 8c3365164eb6f8cfca8ac0f171af8a03f19848a56f3f6d8dc2fb2ea0e0e6a6cc
MITRE ATT&CK TTPs identified: T1083 (File Discovery), T1497.001 (Virtualization/Sandbox Evasion), T1572 (Protocol Tunneling via port 443).