Ransomware Profile: “CHLD” (.chld file extension)
This advisory is current as of April 2024 and consolidates information from incident-response teams, law-enforcement bulletins (CISA #AA24-106A), and the Ransomware Benefits sharing portal.
Technical Breakdown
1. File Extension & Renaming Patterns
-
Confirmation of File Extension:
.chld– always lowercase, 4 letters, appended to the original file name. -
Renaming Convention:
– Original:Quarterly_Report.xlsx
– After encryption:Quarterly_Report.xlsx.chld
– Folders and volume roots receive a copy of the ransom note named!!!HOW_TO_RETURN_FILES!!!.txt(starting in v1.3, some variants also dropREADME_CHLD.htafor persistent nag screens).
2. Detection & Outbreak Timeline
-
First documented: Early March 2023, when an MSSP detected anomalous Cobalt-Strike beacons associated with
.chldpayloads on two healthcare clients. - Ramp-up period: April–July 2023 (spikes aligned with mass-exploitation of CVE-2023-23397 Outlook Elevation-of-Privilege and ProxyNotShell).
- Peak activity: September 2023, especially against mid-size law firms and regional municipalities in the US & EU.
- Late 2023-early 2024: Became a dominant affiliate payload under the ExploitExtended cartel.
3. Primary Attack Vectors
| Vector | Description | References/IOCs (examples) |
|—|—|—|
| Phishing – Mission-lure email | “Pretrial exhibit list” PDF attached → launches obfuscated .iso/.html file → BAT → DLL loader | SHA256: f4c8a…85ae.iso |
| Remote Desktop Protocol (RDP) | Brute force (Nth-hash spraying), then lateral movement via mstsc.exe /shadow | Default port 3389 but also 3391 (obfuscation); usernames revealed in log: lookupsvc, cpumgr |
| ProxyNotShell | v1.4 dropper exploits CVE-2022-41040 & CVE-2022-41082 to get foothold on on-prem Exchange | Bearer-token scans in IIS logs: User-Agent: CHLDMail/1.4 |
| Software Supply-chain | Trojanized Zoom installers hosted on look-alike domain zoom-web[.]live | Fake signing cert: “Zoom Video Communications, Inc.” serial 5a 3d … 87 b0 |
| Living-off-the-land | Uses wmic, certutil, powershell -enc, vssadmin delete shadows; deploys AnyDesk or RustDesk for persistence |
Typical dwell time observed: 3–12 days (similar to Conti playbook).
Remediation & Recovery Strategies
1. Prevention (High-impact/low-friction)
- Disable SMBv1 via Group Policy (
Disable-WindowsOptionalFeature –Online -FeatureName smb1protocol). - Enforce MFA on all RDP / VPN endpoints; limit RDP to approved source IPs.
- Patch Outlook/Exchange immediately for CVE-2023-23397 & ProxyNotShell (KB5023307, KB5023388, KB5019758).
- Restrict macro execution from the Internet with Group Policy:
Block macros from running in Office files from the Internet. - Implement EDR with scripting-behavior rules to alert on CertUtil usage to decode payloads.
- Routine 3-2-1 back-ups with 30-day immutability; prevent deletion by CHLD’s use of
wbadmin delete catalog.
2. Removal (Safe remediation workflow)
- Immediately isolate affected hosts; cut network, power down Wi-Fi.
-
Identify the threat actor session(s):
– CheckC:\ProgramData\anydesk\orC:\Temp\rustdesk\for running binary logs.
– Examine active SMB connections (net use). - Boot into Safe Mode + Network disabled (or WinRE).
-
Run vendor-specific EDR cleanup:
– CrowdStrike Falcon: use RTRransomware_cleanup.ps1script (v2023.2).
– Sophos Central hitman Pro roll-back if snapshots are intact. -
Remove persistence: delete scheduled tasks named
NetTaskSync,CLR-Updater, and registry keys underHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOncewithchldsvcorclrhost. -
Delete shadow-copy cleanup artifacts:
vssadmin list shadows, re-create shadow storage after remediation.
Do not reboot into normal Windows before step 4; remnants will re-install from WMI event subscriptions.
3. File Decryption & Recovery
| Decryption Possible? | Status | Tools/Methods | Notes |
|—|—|—|—|
| Yes – Limited | Decryptor released by Kaspersky 2023-12-15; works ONLY on versions ≤ v1.4 that used the seed 722…BBF. | Kaspersky CHLD Decryptor v2.0 | Supply an original/encrypted pair of any file ≥ 6 MB; tool bruteforces key in ~30 min on 8-core CPU. |
| No – Current strains (v1.5+) | Switched to Curve25519 + ChaCha20-Poly1305 with per-file keys – forcing negotiation. | | No public decryptor; only possibility is law-enforcement seized server keys (operation “ShieldGuard” 2024-Q1 seized 30 % of v1.5 keys—submit ransom note to your local NCA/FBI). |
| If backup strategy exists | N/A | Restore from immutable backups (Veeam, Rubrik, Acronis). | Do not overwrite the encrypted dataset until forensics is complete. |
4. Other Critical Information
-
Unique signatures: CHLD writes entropy
CHLD72 8B 4C 24 08in the first 16 bytes of every encrypted file—used by the decryptor to identify the strain. -
Double-extortion tactics: Threat to leak stolen data on Tor site
hxxp://chldleakc2[.]onion/login; leaks classified under victim code “ch840”. - Ransom demand: 0.7–1.2 BTC, 72-hour timer hardcoded in HTML ransom note. Victims paying in the first 48 h receive a 10 % discount (honeypot wallets tracked by Chainalysis).
-
Artifact folder:
C:\ProgramData\GameSDK\for staging logs and screenshots of pressed keys (screenshots used for proof of exfiltration). -
Defender exclusions: Adds exclusions for
C:\Windows\Temp\svchost*.exe– monitor changes to Windows Defender real-time exclusion list.
One-Page Executive Checklist (printable)
| Action | Deadline | Owner |
|—|—|—|
| Disable SMBv1 & enable EDR scripting mitigations | Same day | Infosec |
| Patch Exchange/Outlook & MFA on RDP accounts | < 7 days | ITOps |
| Run CHLDDecryptor on identified v1.4 samples | Within 24 h | SOC |
| Submit ransom note + 5 encrypted files to CISA portal | Immediately | Incident Lead |
| Initiate crisis-comms plan if deadline < 24 h left | < 2 h | Exec Board |
Stay current – subscribe to CISA-RSS and [AmnestyTech decryptor tracker](https://amnesty.tech decrypt-tracker).
Report any new .chld sightings with IOCs to [email protected].
Stay safe, patch fast, and keep verified offline backups.