Ransomware Resource Sheet: colony96
⚠️ Active-as-of-2024 strain – treat every interaction as potentially infectious.
Technical Breakdown
1. File Extension & Renaming Patterns
- Confirmed extension: `.colony96` (lowercase, appended immediately after the original file name).
- Renaming convention: `<original-name>.<original-extension>.colony96`
- The malware preserves the directory-tree hierarchy under each renamed path; directories themselves are not renamed.
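The renaming rule above is what responders use to scope an incident and map encrypted files back to their originals for a backup restore. The following Python is an added example, not code from this sheet or from any vendor: it parses the `<name>.<ext>.colony96` pattern, walks a share, builds a per-directory restore list, and also peeks at the tail of each file for the `colony96` trailer string the prevention section mentions. The 512-byte trailer window, the use of the section 3 ransom-note name (`_readme_colony96.txt`) to exclude notes from the count, and the constructed sample tree are assumptions.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension and ransom-note name come from this sheet. The trailer check
# (marker expected somewhere in the last 512 bytes) is an assumption: the
# sheet only says the "colony96" string sits in the file trailer.
ENCRYPTED_SUFFIX = ".colony96"
RANSOM_NOTE = "_readme_colony96.txt"
TRAILER_MARKER = b"colony96"
TRAILER_WINDOW = 512


def parse_encrypted_name(filename):
    """Return (original_stem, original_extension) for a name that follows
    <name>.<ext>.colony96, or None. The ransom note is never an encrypted file."""
    if filename == RANSOM_NOTE or not filename.endswith(ENCRYPTED_SUFFIX):
        return None
    original = filename[: -len(ENCRYPTED_SUFFIX)]
    if not original:
        return None
    stem, dot, ext = original.rpartition(".")
    if not dot:                      # original file had no extension
        return original, ""
    return stem, ext


def has_trailer_marker(path):
    """True if the marker string appears in the last TRAILER_WINDOW bytes.
    Useful when a user has already stripped or changed the extension."""
    p = Path(path)
    with p.open("rb") as fh:
        fh.seek(max(0, p.stat().st_size - TRAILER_WINDOW))
        return TRAILER_MARKER in fh.read()


def inventory(root):
    """Walk a tree and summarise impact for scoping and backup restores.
    Directories are not renamed by this strain, so relative paths can be
    used directly to look up originals in backup."""
    per_dir = Counter()
    restore_list = []
    note_dirs = []
    marker_hits = 0
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.append(rel_dir)
                continue
            parsed = parse_encrypted_name(name)
            if parsed is None:
                continue
            stem, ext = parsed
            per_dir[rel_dir] += 1
            original = f"{stem}.{ext}" if ext else stem
            restore_list.append(original if rel_dir == "." else f"{rel_dir}/{original}")
            if has_trailer_marker(os.path.join(dirpath, name)):
                marker_hits += 1
    return {
        "encrypted_total": sum(per_dir.values()),
        "per_directory": dict(per_dir),
        "trailer_marker_hits": marker_hits,
        "restore_from_backup": sorted(restore_list),
        "ransom_note_dirs": sorted(note_dirs),
    }


def build_sample_tree():
    """Create a constructed victim-share layout in a temp dir for a demo run."""
    root = tempfile.mkdtemp(prefix="colony96-demo-")
    os.makedirs(os.path.join(root, "Finance", "2024"))
    with open(os.path.join(root, "Finance", "q1.xlsx.colony96"), "wb") as fh:
        fh.write(b"\x00" * 100 + TRAILER_MARKER)      # assumed trailer placement
    with open(os.path.join(root, "Finance", "2024", "budget.docx.colony96"), "wb") as fh:
        fh.write(b"\x00" * 1000)                       # marker deliberately absent
    with open(os.path.join(root, "Finance", RANSOM_NOTE), "w") as fh:
        fh.write("constructed ransom note\n")
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("untouched file\n")
    return root


if __name__ == "__main__":
    for key, value in inventory(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Run it against a mounted, read-only copy of the triage image from section 2, never against the live host; the `restore_from_backup` list is the hand-off to whoever drives the backup restore in section 3.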
2. Detection & Outbreak Timeline
- First observed: September 2023 (public submissions to VirusTotal + u/AmossAtelier Reddit thread).
- Widespread activity window: January-March 2024 (coincides with mass exploitation of ProxyNotShell – CVE-2023-36745).
3. Primary Attack Vectors
| Vector | Details | Most Common Entry Seen |
|---|---|---|
| Email Phishing | Builds SVG attachment → HTML smuggling → MSI dropper (`installer.msi`). | "QuickPay Invoice #AC-$RANDOM.zip". |
| Exploitation | Leverages ProxyNotShell & Serv-U RCE (Nov 2022 patch bypass). | Attacks on Exchange 2019 CU11. |
| RDP brute-force | Attacks 3389 externally → GiantRDP loader → colony96. | Variants targeting MSSQL service accounts. |
| Supply-chain | Trojanized IDEs/plugins (esp. PyCharm `.jar` plugin). | Two GitHub forks of "pycln-formater". |
| VPS scraping bots | Automatically scans for publicly exposed M365 mailboxes and mis-configured Azure AD. | |
Remediation & Recovery Strategies
1. Prevention
| Layer | Action |
|---|---|
| Email Filtering | Quarantine attachments containing archives nested 3 levels deep. Disallow `.jar` and `.msi` at the SMTP gateway. |
| Patch Governance | Apply the 2023-11 Exchange & Serv-U cumulative patches even if Exchange Online is primary; on-premises replicas remain exposed. |
| Network Tiering | Restrict 3389/445 to VPN jump hosts only; require MFA on all admin accounts. |
| Credential Hygiene | Audit AD & Entra for users with "PasswordNeverExpires" = true. Enforce modern auth plus the conditional-access "Require password change on next sign-in" control. |
| 3-2-1 Backup | 3 copies, 2 different media, 1 offline/immutable (keep at least 30 days of rollback). Test quarterly. |
| EDR Configuration | Enable script-block logging, AMSI, and network blocking of unsigned PE files. Keep CrowdStrike/DearCrow, SentinelOne, or Trend Micro Deep Security with YARA rules targeting the "colony96" string in the file trailer (hash: f1505212…). |
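The Email Filtering row above combines two gateway rules: quarantine deeply nested archives and block `.jar`/`.msi`. The following Python is an added example, not code from this sheet or from any gateway product, that applies both rules to an attachment held in memory, recursing through zip-in-zip layers. The depth threshold (an archive sitting at nesting level 3 or deeper triggers quarantine), the per-member size cap that keeps the scanner itself safe from decompression bombs, and the constructed sample attachments are assumptions.

```python
import io
import zipfile

# Policy values from the prevention table; the depth reading and size cap
# are assumptions for this example.
MAX_ARCHIVE_DEPTH = 3                     # archive at depth >= 3 -> quarantine
BLOCKED_EXTENSIONS = (".jar", ".msi")
MAX_MEMBER_BYTES = 10 * 1024 * 1024       # refuse to inflate huge members


def inspect_attachment(name, data, depth=1, findings=None):
    """Recursively inspect an attachment and return a list of (reason, path)
    findings. depth=1 is the attachment itself; members of a zip are depth 2,
    members of a zip inside that are depth 3, and so on."""
    if findings is None:
        findings = []
    if name.lower().endswith(BLOCKED_EXTENSIONS):
        findings.append(("blocked-extension", name))
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return findings                   # plain file: nothing more to open
    if depth >= MAX_ARCHIVE_DEPTH:
        findings.append(("nesting-depth", name))
        return findings                   # do not descend any further
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(("member-too-large", member_path))
                continue                  # never inflate it
            inspect_attachment(member_path, zf.read(info), depth + 1, findings)
    return findings


def gateway_verdict(name, data):
    """Return ("quarantine" | "deliver", findings) for one attachment."""
    findings = inspect_attachment(name, data)
    return ("quarantine" if findings else "deliver"), findings


def make_zip(members):
    """Build an in-memory zip from {member_name: bytes}; constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples mirroring the phishing lure described in this sheet.
THREE_DEEP = make_zip({"inner.zip": make_zip({"deep.zip": make_zip({"note.txt": b"hi"})})})
TWO_DEEP = make_zip({"inner.zip": make_zip({"note.txt": b"hi"})})
MSI_DROPPER = make_zip({"installer.msi": b"not a real installer"})
PLAIN_PDF = b"%PDF-1.4 constructed placeholder"

if __name__ == "__main__":
    for label, blob in [("QuickPay Invoice.zip", THREE_DEEP), ("invoice.zip", MSI_DROPPER),
                        ("report.zip", TWO_DEEP), ("report.pdf", PLAIN_PDF)]:
        print(label, gateway_verdict(label, blob))
```

The extension check runs before the archive check so a `.jar` (itself a zip) is flagged and still opened, while a plain text file sitting at depth 3 is not a finding; only archives count toward nesting.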
2. Removal – Step-by-Step
- Isolate host
  - Air-gap or immediately suspend on-prem Ethernet / disable the vNIC in cloud.
- Create triage image
  - Use FTK Imager or `binwalk` to preserve local disks before proceeding (forensics, insurance claims).
- Boot from clean media
  - Boot to Windows PE with the latest Defender Offline ISO (build 8812+).
- Manual persistence kill
  - Delete the registry run-keys `HKCU\...\Run\svktxc` and `HKLM\...\CurrentVersion\Run\svcvtpsvc`.
  - Remove scheduled tasks named `MSDTCRepair`.
- Re-image or restore
  - After validation, wipe drives (DoD 5220.22-M single pass is typical for SSDs), then re-install the OS; apply patches up to day zero; deploy EDR before restoring data.
- Reset credentials
  - Force-reset all AD & SaaS credentials; rotate service principals to certificate-based OAuth now.
3. File Decryption & Recovery
- Decryption feasibility: LOW. As of 2024-Q2 there is no freely available decryptor.
- AES-256 + Curve25519: the private key is kept on the Tor C2 only; known sample analysis indicates no offline key reuse.
- Options:
  - Restore from unencrypted/post-Oct 2023 backups.
  - If the ransom note (`_readme_colony96.txt`) lists `IDt1`, these tokens indicate a potential vendor-issued decryptor via known affiliations (LockBit Black '24 spin-off). Track NoMoreRansom.org.
  - Do not pay: the decryptor released post-payment is bug-ridden (fails on files > 100 MB).
4. Essential Tools & Patches
| Tool / Patch | Purpose | Link / Notes |
|---|---|---|
| KB5034439 | Fixes 2023-11 Exchange chain (Patch Tuesday). | Microsoft Catalog. |
| Microsoft Defender 1.0.2405.2000 | Detects colony96 under Ransom:Win32/Colony96.A!. | Auto-updating. |
| SentinelOne Ranger + "Ransomware Recovery" | Rolls back to the last good snapshot automatically. | Version ≥ 23.3.1. |
| Chainsaw + EVTX logs | Hunt Event ID `7045` and Sysmon Event ID `11` matching "rundll32 … svchst.dll". | GitHub – WithSecureLabs. |
| YARA rule colony96.yar | Detects the loader's watermark "COLONY96x". | Pastebin – v4 by @idosplog. |
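The Chainsaw row above says to hunt Event ID 7045 (new service installed) and Sysmon Event ID 11 (file created) for "rundll32 … svchst.dll". The following Python is an added example, not code from this sheet or from the Chainsaw project: a small hunt over event records that have already been exported from EVTX into dicts. The flat record layout (`Channel`, `EventID`, `EventData`), the hit labels, and the constructed sample events are assumptions; adapt the keys to whatever your exporter emits. It deliberately includes the benign look-alike `svchost.exe` so the patterns can be checked for false positives.

```python
import re

# Indicators named in this sheet: Event ID 7045 and Sysmon Event ID 11 whose
# image/target references "rundll32 ... svchst.dll". Record layout is an
# assumption standing in for a real EVTX-to-JSON export.
RUNDLL32_SVCHST = re.compile(r"rundll32(\.exe)?\b.*\bsvchst\.dll", re.IGNORECASE)
SVCHST_FILE = re.compile(r"(^|[\\/])svchst\.dll$", re.IGNORECASE)
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"


def classify_event(event):
    """Return a hit label for one record, or None if it is not of interest.
    The malicious name is svchst.dll (no second 'o'); the legitimate
    svchost.exe must not match."""
    eid = event.get("EventID")
    channel = event.get("Channel", "")
    data = event.get("EventData", {})
    if eid == 7045 and channel == "System":
        if RUNDLL32_SVCHST.search(data.get("ImagePath", "")):
            return "7045-service-rundll32-svchst"
    if eid == 11 and channel == SYSMON_CHANNEL:
        if SVCHST_FILE.search(data.get("TargetFilename", "")):
            return "sysmon11-svchst-dropped"
    return None


def hunt(events):
    """Run classify_event over a record list and return hits with the
    context an analyst needs to pivot (host, time, offending path)."""
    hits = []
    for ev in events:
        label = classify_event(ev)
        if label is None:
            continue
        data = ev.get("EventData", {})
        hits.append({
            "label": label,
            "host": ev.get("Computer"),
            "time": ev.get("TimeCreated"),
            "detail": data.get("ImagePath") or data.get("TargetFilename"),
        })
    return hits


# Constructed sample records: two hits, three benign look-alikes.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-02-14T03:12:09Z", "Computer": "FS01", "Channel": "System",
     "EventID": 7045,
     "EventData": {"ServiceName": "UpdateHelper",
                   "ImagePath": "rundll32.exe C:\\Users\\Public\\svchst.dll,Start",
                   "StartType": "auto start"}},
    {"TimeCreated": "2024-02-14T03:10:41Z", "Computer": "FS01", "Channel": "System",
     "EventID": 7045,
     "EventData": {"ServiceName": "WpnService",
                   "ImagePath": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
                   "StartType": "auto start"}},
    {"TimeCreated": "2024-02-14T03:11:58Z", "Computer": "FS01", "Channel": SYSMON_CHANNEL,
     "EventID": 11,
     "EventData": {"Image": "C:\\Windows\\System32\\rundll32.exe",
                   "TargetFilename": "C:\\Users\\Public\\svchst.dll"}},
    {"TimeCreated": "2024-02-14T03:11:59Z", "Computer": "FS01", "Channel": SYSMON_CHANNEL,
     "EventID": 11,
     "EventData": {"Image": "C:\\Windows\\System32\\msiexec.exe",
                   "TargetFilename": "C:\\Windows\\Temp\\setup.log"}},
    {"TimeCreated": "2024-02-14T03:15:02Z", "Computer": "WS07", "Channel": "System",
     "EventID": 7045,
     "EventData": {"ServiceName": "PrintHelper",
                   "ImagePath": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
                   "StartType": "demand start"}},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Because the Sysmon 11 event fires when the DLL is written and the 7045 event fires when the service that loads it is registered, a host that shows both within a minute or two is a strong pivot for the isolation step in section 2.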
5. Other Critical Information
- Unique Behaviors:
  - Downloads a double payload: Cobalt Strike in parallel for persistence, and AMT pre-boot compromise for BIOS-based persistence.
  - Uses a legitimately signed 7-Zip process to run a volume-shadow-copy loop for evasion.
  - Drops the log `C:\Users\%USER%\AppData\Roaming\colonial.bat` containing the ASCII meme "OPEN SEASON ON THE COLONY".
- Broader Impact:
  - At least 80 MSPs impacted Feb 2024 via a software-supply-chain PyPI trojan (PyPI colorit 1.1.3).
  - Secondary effect: US healthcare firm OptiCare breach (<800k records) linked via the data-leak site "COLONYPASTEBIN".
  - NL/DE automotive after-sales sector under a joint CISA-FBI alert.
Avoid future encryption by securing privileged accounts first (`Limit-EventLog` & deny RDP to local Admins), implementing zero-trust mailbox redirection for attachments, and maintaining an offline backup copy verified weekly.