ciphered

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware uses the literal extension .ciphered (lowercase).
  • Renaming Convention:
    – Original filename → filename.ext.ciphered (the original file type marker is left intact before the new extension).
    – Folders receive a text file marker _readme_ciphered.txt.
    – Files deeper than 3 directory levels are sometimes truncated to ~[8-chars-hash].ciphered to evade length-based security logging.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First telemetry hits appeared mid-June 2022 in Eastern-European ISP honeypots, followed by a global spike August–October 2022 tied to a malvertising campaign on cracked-software portals.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Exploitation: Uses a modified version of the ProxyLogon (Exchange) chain (CVE-2021-26855). Targets unpatched 2013/2016/2019 Exchange boxes for initial access.
  2. Malvertising & Drive-by: Fake “Windows 11 activators” bundle ciphered.exe; landing sites rotate every 24 hrs via Keitaro TDS.
  3. RDP Brute & Credential Stuffing: Leverages previous 2020-2021 corporate breaches; tested against TCP/3389 with 12-thread bursts.
  4. Supply-chain Coupling: In September 2022 samples were observed being sideloaded by a trojanized PuTTY installer signed with a stolen DigiCert certificate.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    – Patch Exchange immediately (March 2021 cumulative updates and newer).
    – Disable external RDP; enforce NLA, IP whitelists, and 15-character-plus passwords with MFA.
    – Use Group Policy to block execution of binaries from %temp%\7z*, %appdata%\tiny*, and %public%\video*, the paths the dropper uses.
    – Application allowlisting via Windows Defender Application Control (WDAC) or AppLocker in whitelist mode.

2. Removal

  • Infection Cleanup:
  1. Disconnect the box from the network and power down any mapped shares.
  2. Boot into Windows RE (WinRE) → open Command Prompt.
  3. Run:

    dism /image:C:\ /cleanup-image /restorehealth /source:wim:D:\sources\install.wim:1
    sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows
  4. Remove persistence keys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystrayHello
    HKCU\SOFTWARE\Classes\CLSID\{a3e5c884-ed1c-...}\InprocServer32
  5. Delete the binaries:
    • %SystemDrive%\Users\Public\Libraries\EncShell.dat (encrypted shellcode cache)
    • %LOCALAPPDATA%\Temp\vboxdrv.cpl (disguised as VirtualBox driver)
  6. Reboot into Safe Mode, run a reputable EDR/AV engine with current signatures (Sophos, CrowdStrike, Microsoft Defender with cloud-delivered protection).

3. File Decryption & Recovery

  • Recovery Feasibility:
    – In January 2023, Bitdefender & CERT-RO released a working decryptor for versions 1.0–1.4 (the config file c_reactor.cfg contains a hard-coded 512-bit RSA private key fragment that was factored).
  • Decryptor Usage:
  1. Download ciphered_decryptor.exe (Bitdefender labs).
  2. Place it in C:\ciphered_decryptor\ — MUST run as local admin.
  3. Launch:

    ciphered_decryptor.exe --key-file C:\c_reactor.cfg --dir C:\ --restore
  4. Expect roughly 2 minutes per GB on SSD storage.
  • When No Tool Works:
    – Check Volume Shadow Copies (vssadmin list shadows).
    – Search for backups with .vib, .bkf, .vbk extensions; ciphered purposely skips .vbk (Veeam) on its initial sweep.
    – Log the encryption timestamp and compare it to the XDR timeline to see whether site-level backup appliances (e.g., Synology, Rubrik) still hold immutable snapshots.
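The scanner below is an added example, not code from the original write-up or from any vendor tool. It covers the renaming pattern from section 1 (the literal .ciphered extension, the truncated ~[8-chars-hash].ciphered form, the _readme_ciphered.txt folder marker) together with the "When No Tool Works" checks above: it records the earliest and latest modification time of the encrypted files so the window can be lined up against the XDR timeline, and it lists .vib/.bkf/.vbk backup files that the initial sweep may have skipped. The directory layout built by build_sample_tree is constructed for the demonstration, and the assumption that the 8-character hash is hexadecimal is mine, not the page's.

```python
"""Triage scanner for the .ciphered renaming pattern and the recovery checks.

Added example, not part of the original write-up. Walks a tree, collects
*.ciphered files, the truncated ~<hash>.ciphered form and the folder
markers, records the encryption time window, and lists backup candidates.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional, Tuple

EXTENSION = ".ciphered"
MARKER_NAME = "_readme_ciphered.txt"
BACKUP_EXTS = {".vib", ".bkf", ".vbk"}
# Truncated form from the write-up: "~" + 8 hash chars + ".ciphered".
# Assumption (not stated on the page): the hash characters are hexadecimal.
TRUNCATED_RE = re.compile(r"^~[0-9a-f]{8}\.ciphered$", re.IGNORECASE)


@dataclass
class TriageReport:
    encrypted: List[str] = field(default_factory=list)    # every *.ciphered path
    truncated: List[str] = field(default_factory=list)    # ~hash.ciphered subset
    marked_dirs: List[str] = field(default_factory=list)  # dirs holding the marker
    backups: List[str] = field(default_factory=list)      # .vib/.bkf/.vbk files
    first_mtime: Optional[float] = None
    last_mtime: Optional[float] = None

    def original_names(self) -> List[str]:
        """Recover filename.ext by stripping the appended extension.
        The truncated form carries no original name, so it is excluded."""
        return [p[: -len(EXTENSION)] for p in self.encrypted
                if not TRUNCATED_RE.match(os.path.basename(p))]

    def window(self) -> Optional[Tuple[str, str]]:
        """Earliest/latest encrypted-file mtime as UTC ISO strings."""
        if self.first_mtime is None:
            return None

        def to_iso(t: float) -> str:
            return datetime.fromtimestamp(t, timezone.utc).isoformat()
        return to_iso(self.first_mtime), to_iso(self.last_mtime)


def scan_tree(root: str) -> TriageReport:
    """Walk `root` once and classify files by extension."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        if MARKER_NAME in files:
            report.marked_dirs.append(dirpath)
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in BACKUP_EXTS:
                report.backups.append(full)
                continue
            if ext != EXTENSION:
                continue
            report.encrypted.append(full)
            if TRUNCATED_RE.match(name):
                report.truncated.append(full)
            mtime = os.stat(full).st_mtime
            if report.first_mtime is None or mtime < report.first_mtime:
                report.first_mtime = mtime
            if report.last_mtime is None or mtime > report.last_mtime:
                report.last_mtime = mtime
    for lst in (report.encrypted, report.truncated, report.marked_dirs, report.backups):
        lst.sort()
    return report


def build_sample_tree(base: str) -> Path:
    """Constructed sample: two folders hit (one with a truncated name),
    one untouched file and one Veeam-style backup the sweep skipped."""
    root = Path(base)
    (root / "finance").mkdir()
    (root / "finance" / "q3.xlsx.ciphered").write_bytes(b"\x00" * 16)
    (root / "finance" / MARKER_NAME).write_text("marker")
    deep = root / "a" / "b" / "c" / "d"
    deep.mkdir(parents=True)
    (deep / "~1f3a9c0e.ciphered").write_bytes(b"\x00" * 16)
    (deep / MARKER_NAME).write_text("marker")
    (root / "untouched.txt").write_text("clean")
    (root / "backups").mkdir()
    (root / "backups" / "weekly.vbk").write_bytes(b"\x00" * 16)
    return root


def run_demo() -> TriageReport:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    r = run_demo()
    print(f"encrypted={len(r.encrypted)} truncated={len(r.truncated)} "
          f"marked_dirs={len(r.marked_dirs)} backups={len(r.backups)}")
    print("originals:", [os.path.basename(p) for p in r.original_names()])
    print("window:", r.window())
```

Run it against the root of an affected share instead of the temp tree to get the list of original names to reconcile against backups, the set of directories that were touched, and the time window to log before any cleanup changes file timestamps.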

4. Other Critical Information

  • Unique Characteristics:
    – Deletes Windows “Previous Versions” (vssadmin delete shadows /all /quiet) twice: once at install, once 30 minutes later to frustrate admin recovery.
    – Creates a hidden service named “DNSNetService” that listens on localhost UDP/4251; used as fallback C2 when HTTP(S) is blocked.
    – Drops the file _ciphered_keypair.txt with the victim’s plaintext RSA public key inside C:\PerfLogs\Admin\ – analysts must quarantine this to prevent accidental inclusion in untrusted backups.
  • Broader Impact:
    – Healthcare & municipal victims: >62 U.S. county hospital systems reported.
    – Morphing affiliates: Since Q3-2023, reports show a sub-10% change in the encryption module; however, the affiliate portal rebranded three times (“LockNet,” “SeptemberNet,” “WhiteCipher”).
    – Insurance pressures: Several carriers (CNA, Travelers) now require proof of Exchange cumulative update within 30 days prior to policy binding due to a ciphered-specific underwriting addition.
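The detection logic below is an added example, not part of the original write-up. It runs over a handful of constructed, simplified Windows event records (process creation in the shape of Security 4688 / Sysmon 1, System 7045 service installs, Sysmon 11 file creates) and flags the behaviours listed under "Unique Characteristics": shadow-copy deletion, its repeat roughly half an hour later, installation of a service named DNSNetService, and creation of _ciphered_keypair.txt under C:\PerfLogs\Admin. The timestamps and the service image path in the sample events are constructed placeholders, and the 45-minute repeat window is an assumed tolerance around the page's "30 minutes later", not a documented value.

```python
"""Detection over constructed Windows event records for the behaviours
described in the write-up. Added example, not the page's own code."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[str, int, Dict[str, str]]   # (ISO timestamp, event id, fields)

SERVICE_NAME = "DNSNetService"
KEYPAIR_PATH = r"C:\PerfLogs\Admin\_ciphered_keypair.txt"
# Assumed tolerance around the "~30 minutes later" second deletion.
REPEAT_WINDOW = timedelta(minutes=45)
PROCESS_EVENTS = (4688, 1)                # Security 4688 or Sysmon 1

# Constructed sample events; C:\PLACEHOLDER\svc.exe is not a real IoC.
SAMPLE_EVENTS: List[Event] = [
    ("2022-09-14T02:10:05", 4688, {"NewProcessName": r"C:\Windows\System32\vssadmin.exe",
                                   "CommandLine": "vssadmin delete shadows /all /quiet"}),
    ("2022-09-14T02:10:09", 7045, {"ServiceName": SERVICE_NAME,
                                   "ImagePath": r"C:\PLACEHOLDER\svc.exe"}),
    ("2022-09-14T02:11:00", 11,   {"TargetFilename": KEYPAIR_PATH}),
    ("2022-09-14T02:40:12", 4688, {"NewProcessName": r"C:\Windows\System32\vssadmin.exe",
                                   "CommandLine": "VSSADMIN Delete Shadows /All /Quiet"}),
    # Benign admin check from the recovery steps; must not be flagged.
    ("2022-09-14T03:05:00", 4688, {"NewProcessName": r"C:\Windows\System32\vssadmin.exe",
                                   "CommandLine": "vssadmin list shadows"}),
]


def _ts(event: Event) -> datetime:
    return datetime.fromisoformat(event[0])


def is_shadow_deletion(cmdline: str) -> bool:
    """Case-insensitive match on the three tokens that make up the deletion."""
    lowered = cmdline.lower()
    return all(tok in lowered for tok in ("vssadmin", "delete", "shadows"))


def find_shadow_deletions(events: List[Event]) -> List[Event]:
    return [e for e in events
            if e[1] in PROCESS_EVENTS and is_shadow_deletion(e[2].get("CommandLine", ""))]


def repeated_deletions(events: List[Event],
                       window: timedelta = REPEAT_WINDOW) -> List[Tuple[str, str]]:
    """Pairs of consecutive shadow deletions closer together than `window`."""
    dels = sorted(find_shadow_deletions(events), key=_ts)
    return [(a[0], b[0]) for a, b in zip(dels, dels[1:]) if _ts(b) - _ts(a) <= window]


def find_service_install(events: List[Event]) -> List[Event]:
    return [e for e in events
            if e[1] == 7045 and e[2].get("ServiceName", "").lower() == SERVICE_NAME.lower()]


def find_keypair_drop(events: List[Event]) -> List[Event]:
    return [e for e in events
            if e[1] == 11 and e[2].get("TargetFilename", "").lower() == KEYPAIR_PATH.lower()]


def analyze(events: List[Event]) -> Dict[str, object]:
    """Collect every finding and derive a coarse severity from them."""
    findings: Dict[str, object] = {
        "shadow_deletions": find_shadow_deletions(events),
        "repeated_deletions": repeated_deletions(events),
        "dns_net_service": find_service_install(events),
        "keypair_drop": find_keypair_drop(events),
    }
    if findings["repeated_deletions"] or findings["dns_net_service"]:
        findings["severity"] = "high"
    elif findings["shadow_deletions"] or findings["keypair_drop"]:
        findings["severity"] = "medium"
    else:
        findings["severity"] = "none"
    return findings


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for key, value in result.items():
        print(f"{key}: {value if isinstance(value, str) else len(value)}")
```

A single shadow deletion is common legitimate administration, which is why it only raises medium on its own; the pairing within the window, or the service name, is what lifts the alert to high. Map your SIEM's field names onto CommandLine, ServiceName and TargetFilename before pointing this at real logs.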