colony*

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: This strain appends .colony96, .colony*, or similar, where * is an incrementing number (e.g., .colony96, .colony97).
  • Renaming Convention:
    Original file ➜ Photo.jpg.colony96
    Every directory containing at least one encrypted file also receives a ransom note: README.recover-instructions.txt.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First observed in large numbers in late May 2024; a sharp spike on 14 June 2024 when attackers leveraged the OpenFire SQL-injection RCE (CVE-2023-32315) to mass-deploy payloads.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • Exploitation of public-facing services (OpenFire, ManageEngine ADSelfService, and Atlassian Confluence – CVE-2023-22515).
    • Malspam/phishing with .ISO and OneNote attachments that drop a stager, which calls PowerShell to download the final payload.
    • RDP brute-force followed by PsExec to push the binary across the subnet.
    • The lateral-movement script uses WMIC + NTDSUTIL to disable AV prior to encryption.
    • The payload deletes volume shadow copies (vssadmin delete shadows /all /quiet) and clears Windows event logs (wevtutil cl) to hinder forensics.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    1. Patch immediately: OpenFire ≥ 4.7.5, Confluence ≥ 8.6.0, ADSelfService ≥ 6.4 (build 6113).
    2. Block inbound TCP/5222, 7777, 9090 (OpenFire defaults) for non-LAN IPs.
    3. Harden RDP:
       • Require NLA + MFA,
       • Enforce Group Policy: Deny logons for the built-in Administrator.
    4. Configure AppLocker or WDAC to block unsigned executables in %TEMP% (where the ransomware is usually unpacked).
    5. Maintain offline + immutable backups following the “3-2-1-1-0” rule.

2. Removal (Step-by-Step)

  1. Isolate the host (pull the network cable / disable the VM NIC).
  2. Identify the PID and parent process: tasklist /fi "imagename eq colony*" ➜ terminate any processes that match.
  3. Create a YARA rule:
     rule colony_ransomware {
         strings:
             $a = ".colony9" ascii
             $b = "README.recover-instructions.txt" wide
         condition:
             // PE (MZ) header plus either the extension or the ransom-note name
             uint16(0) == 0x5A4D and (any of them)
     }
     Use Kape/EZ Tools or Velociraptor to quarantine executables that match.
  4. Nuke persistence:
     • Remove registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with values named colony-*.
     • Search scheduled tasks (schtasks /query /fo LIST | findstr colony).
  5. Reboot into Safe Mode with Networking and run a complete scan with a reputable AV (e.g., Windows Defender, ESET Online Scanner, Sophos Scan & Clean).
  6. Re-image or reset the PC if the ransom note indicates system-wide encryption – do NOT decrypt on the same OS partition, to avoid re-encryption.

3. File Decryption & Recovery

  • Recovery Feasibility: Currently NOT decryptable for free; variants seen thus far use Curve25519 + ChaCha20 after offline key generation.
  • Check for universal decryptor: Occasionally the NoMoreRansom Project or TrendMicro publishes master keys—visit https://www.nomoreransom.org/en/scanner.html weekly and upload an encrypted file + ransom note for verification.
  • Essential Tools/Patches for remediation:
    • AV tools with bypass cleanup: TrendMicro Ransomware File Decryptor, Emsisoft EDR, Bitdefender Anti-Ransomware.
    • Log extraction: Windows Prefetch, Windows Timeline (esentutl.exe), and Sysmon logs to reconstruct the infection timeline.
    • OpenFire patch: openfire-4.7.5-1.x86_64.rpm or openfire-4.7.5-1.x86_64.deb (depending on distro) from the OFFICIAL upstream Apache Ignite repo.

4. Other Critical Information

  • Additional Characteristics:
    • Deletes itself once encryption is complete, leaving only the ransom note—evasion against sandbox replay.
    • Ships with a kill_servers.ps1 script that halts 42 enterprise services (Exchange, SQL, Veeam) before encryption to speed up the process and reduce the chance of corrupt backups.
    • Uses Discord or Matrix bot tokens to exfiltrate file listings, plus a public pastebin to drop victim lists. Check your egress logs for unusual POSTs to discordapp.com/api/webhooks/.
  • Broader Impact:
    • Launched against >1,200 SMBs globally in Q2 2024; double-extortion (stolen-data leak site at hxxp://73fku6i2eyd2i3hhp.......onion) adds regulatory pressure under GDPR/CCPA.
    • Kill-switch: Researchers observed that the binary checks for a hard-coded “.ololo” folder in C:\Windows\System32; creating that folder aborts encryption after 30 seconds (but attackers patched this vector on 19 June 2024).
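The egress check suggested above (unusual POSTs to discordapp.com/api/webhooks/ and pastebin drops), as an added example that is not part of the original page: it parses constructed proxy log lines in a "client method url status bytes" layout (an assumed format; adapt the regex to your proxy), flags only POSTs to those endpoints, and totals the bytes uploaded per client so the noisiest host can be isolated first. The pastebin.com hostname is an assumption, since the text only says "public pastebin".

```python
import re
from typing import Dict, List, Optional

# Exfil channels described in the text: Discord webhook POSTs plus pastebin uploads
# (pastebin.com is an assumed hostname; the page only says "public pastebin").
EXFIL_PATTERNS = {
    "discord_webhook": re.compile(r"^https?://(?:[\w-]+\.)*discordapp\.com/api/webhooks/", re.I),
    "pastebin_upload": re.compile(r"^https?://(?:www\.)?pastebin\.com/api/", re.I),
}

# Constructed sample egress/proxy log lines: "client method url status bytes_sent".
SAMPLE_LOGS = """\
10.0.0.12 GET https://example.com/index.html 200 5120
10.0.0.12 POST https://discordapp.com/api/webhooks/1234/abcd 204 18000
10.0.0.31 POST https://pastebin.com/api/api_post.php 200 900
10.0.0.9 GET https://discordapp.com/api/v9/gateway 200 300
10.0.0.31 POST https://updates.example.internal/upload 200 700
malformed line
"""

LINE_RE = re.compile(r"^(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})\s+(\d+)$")


def parse_line(line: str) -> Optional[Dict]:
    """Return a record for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, url, status, sent = m.groups()
    return {"client": client, "method": method, "url": url,
            "status": int(status), "bytes": int(sent)}


def find_exfil_posts(log_text: str) -> List[Dict]:
    """Flag POSTs to the exfil endpoints. GETs to the same hosts are ignored:
    the described behaviour is uploading file listings, not ordinary browsing."""
    hits: List[Dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        for name, pattern in EXFIL_PATTERNS.items():
            if pattern.match(rec["url"]):
                hits.append({**rec, "reason": name})
                break
    return hits


def bytes_per_client(hits: List[Dict]) -> Dict[str, int]:
    """Sum uploaded bytes per client so the noisiest host can be isolated first."""
    totals: Dict[str, int] = {}
    for h in hits:
        totals[h["client"]] = totals.get(h["client"], 0) + h["bytes"]
    return totals


if __name__ == "__main__":
    for h in find_exfil_posts(SAMPLE_LOGS):
        print(f'{h["client"]} {h["reason"]} {h["url"]} ({h["bytes"]} bytes)')
```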