china

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: china
    The ransomware appends the literal string “.china” as the new final extension, e.g., Document.xlsx.china.

  • Renaming Convention:
    – It preserves the original filename and any pre-existing extension, only appending “.china” once.
    – No random 4-6 character ID in filename (unlike Conti).
    – No email or onion address between the original filename and the new extension (unlike Phobos).
    – Drives/sub-folders are traversed alphabetically; the ransom note (README.txt) is dropped in every folder that contains encrypted data.
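As an added example (not part of the original write-up), a small Python triage helper that applies the renaming convention above to a directory tree: it flags files carrying the single appended “.china” extension, rejects names with the Phobos-style contact address the text rules out, and reports folders that hold renamed files but lack the README.txt note. The sample file layout is constructed; the function and folder names are hypothetical.

```python
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".china"
NOTE_NAME = "README.txt"

def matches_china_rename(name: str) -> bool:
    """Return True if `name` follows the convention described in the text:
    original filename (own extension kept) + ".china", appended exactly once,
    with no e-mail / .onion contact segment inserted before it."""
    if not name.endswith(RANSOM_EXT):
        return False
    original = name[: -len(RANSOM_EXT)]
    if not original or original.endswith(RANSOM_EXT):
        return False  # empty original name, or ".china" appended twice
    if "@" in original or ".onion" in original.lower():
        return False  # Phobos-style address between name and extension
    return True

def triage_tree(root: str) -> dict:
    """Walk `root`; for each folder holding renamed files, list them and record
    whether the ransom note is present (the text says it is dropped in every
    folder that contains encrypted data, so a missing note is worth a look)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = sorted(f for f in files if matches_china_rename(f))
        if hits:
            report[dirpath] = {"encrypted": hits, "note_present": NOTE_NAME in files}
    return report

def demo() -> dict:
    """Build a constructed sample tree (hypothetical names, not victim data),
    triage it and return the report keyed by folder name relative to root."""
    root = tempfile.mkdtemp(prefix="china_triage_")
    layout = {
        "finance": ["Budget.xlsx.china", "Q3.docx.china", NOTE_NAME],
        "hr": ["policy.pdf"],               # untouched folder: not reported
        "legal": ["contract.docx.china"],   # renamed file but no note: flagged
    }
    for folder, names in layout.items():
        d = Path(root, folder)
        d.mkdir()
        for n in names:
            (d / n).write_bytes(b"sample")
    return {os.path.relpath(k, root): v for k, v in triage_tree(root).items()}
```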

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    Public emergence: late-September 2022 (earliest VT submissions with “.china” extension).
    Peak propagation window: Q4 2022–Q1 2023.
    Surge event: Exploitation of CVE-2022-40684 (Fortinet auth bypass) in Oct-2022 pushed global detection count from “< 10” to “> 700” submissions per week.

3. Primary Attack Vectors

| Vector | Typical Use | Exploited Vulnerability / TTP |
|--------|-------------|-------------------------------|
| RDP / RDP-over-TOR | Initial foothold, lateral movement | Brute-force or previously stolen credentials |
| Fortinet edge devices | Edge-to-LAN pivot | CVE-2022-40684 (zero-day at release time) |
| ProxyJump & VPN over SSH | Persist VPN tunnels after breach | Weak SSH key sets / reused keys |
| Spear-phishing | Drop malware loader | Weaponized ISO/IMG attachments with embedded HTML smuggling |
| Malicious ads & fake software installers (notably cracked releases of Adobe CC and AutoCAD) | Drive-by downloads | Rogue NSIS/PowerShell dropper fetching secondary payload |
| Living-off-the-land (LOLbins) for lateral tooling | WMI, PowerShell, certutil | No external binaries required after initial dropper |


Remediation & Recovery Strategies:

1. Prevention

| Layer | Action | Rationale |
|-------|--------|-----------|
| Network Segmentation | Isolate jump hosts (RDP gateways), FortiGate and VPN concentrators from end-user VLANs | Breaks lateral movement |
| OS-Level | Enable host-based firewall (block TCP 3389 egress from servers under SLA); disable NetBIOS and SMBv1 everywhere | Shrinks exploitable surface |
| Authentication | Enforce Azure/NPS RADIUS MFA for any RDP tier; retire password-only VPN accounts | Kills brute-force and reused-credential attacks |
| Patching Cycle | Emergency patch window < 24 hrs for Fortinet CVE-2022-40684; weekly for Win/SMB CVEs (EternalBlue group) | Removes the highest-leverage exploit chain |
| Offline Backups | 3-2-1 rule (3 copies, 2 media, 1 offline). Test restore monthly; encrypt backups with a separate key that is never available to the production domain | Defeats encryption + deletes |
| Email / Web Filters | Block ISO/IMG attachment types; restrict PowerShell & cmd.exe spawning from Office | Tackles default phishing payloads |

2. Removal

  1. Disconnect affected machines from the network instantly (pull Ethernet / disable Wi-Fi).
  2. Preserve evidence: create a sector-by-sector image or export Windows event logs before any cleanup (needed for IOC hashes and the insurance claim).
  3. Boot into Safe Mode with Networking.
  4. Manual removal via Windows Defender Offline (winver 1.369.x and newer):
     • Run MpCmdRun.exe -Scan -ScanType 3 -File ${malware_path}
  5. Registry & file persistence clean-up:
     • Delete run keys referencing C:\Users\Public\svchst.exe and C:\Windows\System32\xmrig-china.exe (dormant coin-miner module).
  6. Network indicators removal:
     • Flush DNS and clear any proxy settings introduced by the malware (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings).

3. File Decryption & Recovery

  • Recovery Feasibility:
    – No freely available decryptor as of June 2024: the payload uses secure AES-256 + RSA-2048 hybrid encryption; private keys are generated per campaign and stored on the C2 over Tor.
    – No known method to regenerate keys (seed math not flawed like Crysis).
  • Recommended Tools / Workflows:
    – File recovery via Volume Shadow Copy: run vssadmin list shadows, then mount shadow snapshots to copy unencrypted versions (mklink /d C:\tempmount \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\).
    – If the ransomware cleared VSS, try third-party undelete tools (R-Studio, DMDE) on the HDD image: China ransomware first renames files and then deletes, so unallocated sectors may still contain original blocks.
    – Patch & Harden (see Prevention) is the only reliable counter-measure; keep encrypted data intact in case a future leak dataset yields private keys.

4. Other Critical Information

  • Unique Traits:
    Double extortion pattern: exfiltrates sensitive data to teamTNT-post.ch[.]onion before encryption; victims are threatened with a leak if the ransom is not paid within 72 h.
    Embedded Monero miner persisting post-encryption: even if the ransom is paid, the miner keeps running unless specifically removed. CPU usage spikes ~ 4 h after OS reboot if the mining network is reachable.
    Domain controller activity: automatically adds a new local backdoor admin (“chinaTool_$n”) – always remove it from AD and reset KRBTGT.

  • Broader Impact / Headlines:
    Manufacturing sector in APAC reported the heaviest losses (Taiwan automotive supplier, Nov-2022, $78 M downtime).
    GitHub Issue #13341 – open-source contributors forked a Python loader-sniffer that identifies China-family traffic signatures; already integrated into Suricata (sig ID: 2036647).
    Wake-up call on Fortinet appliances – CVE-2022-40684 led to an 80 % spike in ransomware incidents on edge devices in 2022 (Joint CISA-JNCSC report, Jan-2023).


Bottom line:
.china is a human-operated ransomware strain that exploits high-value perimeter vulnerabilities (Fortinet, RDP) and employs a hybrid extortion model. Because decryption is currently impossible, swift isolation, offline backups, and disciplined patching and removal (especially removing the embedded coin-miner and cleaning up credentials) are the only ways to regain 100 % operational capacity.