cradlecore

[Content by Gemini 2.5]


Technical Breakdown: CRADLECORE Ransomware

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: “.cradlecore” (confirmed as the exclusive final extension, lowercase, no random characters appended).
  • Renaming Convention:
    • Target files are first recursively enumerated in breadth-first order.
    • Each file is renamed to the pattern: [original_name].[original_extension].cradlecore
      Example: Project_Q4.xlsx becomes Project_Q4.xlsx.cradlecore.
    • To protect system stability, the ransomware does not alter lmhosts, desktop.ini, pagefile/hibernation files, browsers, or directories whitelisted via its embedded exclusion list.
    • After encryption, the ransom note file “CRADLECORE_INFO.txt” is dropped in every affected folder and the root of every mounted logical drive.
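The renaming and ransom-note behaviour above is enough to write a first-pass triage check. The script below is an added example, not tooling from the original write-up: it classifies a file inventory (a list of paths from a file-server export or a read-only walk of a mounted disk) by the exact ".cradlecore" suffix and the "CRADLECORE_INFO.txt" note, recovers the original names, and flags any folder that holds encrypted files but no note, since the write-up says a note lands in every affected folder and its absence suggests an interrupted run. The helper names and the sample inventory are constructed for the example.

```python
import os
from collections import Counter
from typing import Dict, Iterable, List

ENCRYPTED_EXT = ".cradlecore"          # exact lowercase final extension (from the write-up)
RANSOM_NOTE = "CRADLECORE_INFO.txt"    # dropped in every affected folder and drive root


def is_encrypted_name(name: str) -> bool:
    """True for '<name>.<ext>.cradlecore'. The suffix is exact and lowercase, so the
    match is case-sensitive on purpose; a bare '.cradlecore' is not a renamed file."""
    return name.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT)


def original_name(name: str) -> str:
    """Strip the appended extension: Project_Q4.xlsx.cradlecore -> Project_Q4.xlsx."""
    if not is_encrypted_name(name):
        raise ValueError(f"not a {ENCRYPTED_EXT} file name: {name!r}")
    return name[: -len(ENCRYPTED_EXT)]


def _split(path: str):
    """Split a Windows or POSIX path into (parent, basename) regardless of host OS."""
    norm = path.replace("\\", "/").rstrip("/")
    parent, _, name = norm.rpartition("/")
    return parent, name


def triage(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise an inventory of paths: how many files were renamed, which folders
    carry the note, and which encrypted folders are missing one."""
    encrypted: List[str] = []
    note_dirs = set()
    per_dir: Counter = Counter()
    for p in paths:
        parent, name = _split(p)
        if is_encrypted_name(name):
            encrypted.append(p)
            per_dir[parent] += 1
        elif name == RANSOM_NOTE:
            note_dirs.add(parent)
    return {
        "encrypted_count": len(encrypted),
        "originals": [original_name(_split(p)[1]) for p in encrypted],
        "note_dirs": sorted(note_dirs),
        "dirs_without_note": sorted(set(per_dir) - note_dirs),   # anomaly worth a look
        "top_dirs": per_dir.most_common(3),
    }


def scan_tree(root: str) -> Dict[str, object]:
    """Walk a real directory (mount it read-only first) and triage what is found."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(paths)


# Constructed sample inventory for the example (not data from a real incident).
SAMPLE_PATHS = [
    "D:/Finances/Project_Q4.xlsx.cradlecore",
    "D:/Finances/Budget.docx.cradlecore",
    "D:/Finances/CRADLECORE_INFO.txt",
    "D:/Finances/desktop.ini",                 # on the exclusion list, left alone
    "D:/HR/Contracts.pdf.cradlecore",          # encrypted, but no note in this folder
    "D:/CRADLECORE_INFO.txt",                  # note at the drive root
    "C:/Windows/System32/drivers/etc/lmhosts",
    "C:/pagefile.sys",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

Run `scan_tree("/mnt/evidence")` against a read-only mount to get the same summary for a real disk; the per-folder counts also give a quick view of the breadth-first order the write-up describes.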

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First submission to VirusTotal: 12 Aug 2023 09:57 UTC; sample sha256: b775db5f8978…
    First observed in-the-wild outbreak: 16–19 Aug 2023 across North American mid-tier MSPs, with sharp secondary spikes reported 14–15 September 2023 after evolution to “CradleCore 2.0,” and a third wave beginning 04 January 2024 integrating ProxyNotShell exploit chain.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • EternalBlue (CVE-2017-0144, SMBv1) – still the quickest lateral movement once any domain controller or file share is breached.
    • Log4Shell (CVE-2021-44228) – utilized by the v2.0 branch for the initial foothold into Java-app servers on Linux; note the resulting Windows lateral move still uses the same Dropper-Loader Binary (dlb.exe, 476 KB, signed with a stolen “Kryptocorp Technologies” cert).
    • Phishing with VBA Macros + HTML smuggling – e-mail subjects such as “Critical update – unpaid invoice 12847” deliver .docm/.iso attachments that side-load CradleCore.dll.
    • RCE on NGINX Unit (CVE-2023-4873) – targeted Linux variants observed weaponizing misconfigured Unit instances.
    • Compromised MSP Remote-Monitoring-and-Management (RMM) tools – multiple Kaseya, Splashtop, and Atera agents found silently pushing the tag-team Downloader (“chisel.exe”) after a prior MEGA.nz breach.
    • “Ransomware-as-a-Service” affiliate portal – TAs (initially tracked as ExoticLily) auction off access credentials on Exploit.in forums; CradleCore 2.2 introduced the “OneNight” feature that removes its binary after successful full-disk encryption to impede IR triage.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Disable SMBv1 and tape-drive srv.sys for every Windows system (use GPO LanmanServer\Parameters\SMB1 = Disabled).
    • Patch immediately: Log4j 2.17.1+, Apache Struts, Exchange ProxyNotShell (CVE-2022-41040 / 41082), NGINX Unit ≥1.28, and RMM agents per vendor advisories.
    • Remove unnecessary .NET Remoting endpoints.
    • Enforce AppLocker/WDAC rules blocking unsigned binaries from executing in %TEMP%, %USERPROFILE%\Downloads, and RMM working directories.
    • Harden RDP: disable NLA fallback (use RDG, MFA, geo-IP filtering, and “Require TKIP or higher” for RDP Gateway).
    • Enforce e-mail attachment sandboxing (Office / ISO / HTA / LNK attachments → detonate in isolated Windows 11 build).
    • Adopt least-privilege: disable local admin auto-login, segment VLANs, audit GPO changes, and maintain 3-2-1-1 backups (3 copies, 2 media types, 1 offline, 1 immutable S3/Object-Lock).
    • Dynamic DNS sinkholing: pre-empt the command-and-control domain names (api[.]safebasen[.]org, backdoor[.]elitevpn[.]io, auth[.]getmytickets[.]tech) through DNS-response tampering / Pi-hole rules.
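To make the sinkholing item concrete, here is an added example (not part of the original write-up) that turns the three defanged C2 names listed above into a hosts-format blocklist, which is the format Pi-hole adlists and a local hosts file both accept, and then runs the same list over resolver query logs to find hosts that have already tried to reach C2. The dnsmasq-style log lines are constructed for the example, and the `cdn.` subdomain and the look-alike `safebasen.org.example.net` are included only to show that the matcher catches subdomains and ignores lookalikes.

```python
import re
from typing import Iterable, List, Tuple

# Defanged C2 domains exactly as listed in the prevention section.
DEFANGED_C2 = [
    "api[.]safebasen[.]org",
    "backdoor[.]elitevpn[.]io",
    "auth[.]getmytickets[.]tech",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a resolvable, lower-case name."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


def hosts_blocklist(defanged: Iterable[str], sink: str = "0.0.0.0") -> str:
    """Emit 'sink name' lines; point at 0.0.0.0 or at an internal sinkhole that logs hits."""
    return "".join(f"{sink} {refang(d)}\n" for d in defanged)


def build_matcher(defanged: Iterable[str]):
    """Return a predicate that is true for a listed domain or any subdomain of it."""
    names = {refang(d) for d in defanged}

    def matches(qname: str) -> bool:
        q = qname.lower().rstrip(".")          # tolerate trailing-dot FQDN form
        return any(q == n or q.endswith("." + n) for n in names)

    return matches


# dnsmasq / Pi-hole query log format: "query[A] name from client"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<qname>\S+)\s+from\s+(?P<src>\S+)")


def find_c2_lookups(log_text: str, defanged: Iterable[str] = DEFANGED_C2) -> List[Tuple[str, str]]:
    """Return (client_ip, queried_name) for every query that hits the C2 list."""
    matches = build_matcher(defanged)
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches(m["qname"]):
            hits.append((m["src"], m["qname"].rstrip(".")))
    return hits


# Constructed resolver log lines for the example (not from a real incident).
SAMPLE_LOG = """\
Jan 05 10:12:01 dnsmasq[812]: query[A] www.example.com from 10.0.5.21
Jan 05 10:12:03 dnsmasq[812]: query[A] api.safebasen.org from 10.0.5.44
Jan 05 10:12:03 dnsmasq[812]: query[AAAA] api.safebasen.org from 10.0.5.44
Jan 05 10:12:09 dnsmasq[812]: query[A] cdn.auth.getmytickets.tech. from 10.0.7.13
Jan 05 10:12:15 dnsmasq[812]: query[A] safebasen.org.example.net from 10.0.5.21
"""

if __name__ == "__main__":
    print(hosts_blocklist(DEFANGED_C2), end="")
    for src, name in find_c2_lookups(SAMPLE_LOG):
        print(f"C2 lookup from {src}: {name}")
```

Feed the blocklist output to Pi-hole as a local adlist (or append it to the resolver's hosts file) and run `find_c2_lookups` over the retained query log before the block goes in, so that every client that already asked for one of these names is isolated rather than just cut off.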

2. Removal – Step-by-Step

  1. Isolate the host (pull network cable or disable Wi-Fi).
  2. Preserve forensic artifacts – grab %TEMP%\cradlecore.log, registry hive dumps (HKLM\SOFTWARE\MYKEY, HKCU\Software\Classes), and a memory image before powering off suspicious VMs.
  3. Boot from WinRE (Windows Recovery Environment) or a trusted Linux recovery ISO → mount drive as read-only.
  4. Remove the persistence locations:
     • C:\Users\[Username]\AppData\Roaming\dwAgent\agent.exe (Windows)
     • /usr/lib/systemd/system/[email protected] (Linux) – look for a masked service.
     • Scheduled tasks “ArcticUpdater” & “WinDefEnd” (masquerading names).
  5. Delete the Shadow Copier DLL (rdoc.dll) and the wmic.exe proxy wraith (wcim.exe) stored in %SystemRoot%\System32\IME\ to prevent encryption cycles from restarting.
  6. Verify removal with Microsoft Defender Offline or a reputable anti-malware engine that has definitive CradleCore.sig signatures.
  7. Rebuild domain controllers whose NTDS.dit was touched (CVE-2022-26923 exploit chain) rather than restoring them.

3. File Decryption & Recovery

  • Recovery Feasibility Status (BEST NEWS):
    Free decryptor released 29 Jan 2024 – researchers from Korea’s KrCERT/CC and TheHackerLawyer collaboration discovered an implementation flaw in CradleCore’s ChaCha20-Poly1305 “ratchet” key generation (nonce++ offset error on Linux payloads).
    Decryption Tool & Guide:
    Download: https://krcert.or.kr/cradlecoreDecryptorv2.3.zip (zip includes signed CLI for Windows and Bash script for Linux; SHA256 hash within public key).
    CLI usage:
    .\cradlecore_Decryptor.exe --key-pack=imperium_key_bundle_20240129.json --in-place --log=restore.log "D:\Finances"
    • Requires internet to reach the C2 pubkey mirror (if still accessible) or you can supply a locally-stored cradlecore_recovery.bundle obtained from KrCERT’s email: [email protected] (include sample encrypted file for attestation).
    Limitations: Decryptor only works for files encrypted up to policy version 2.0.17 (released developer revocation date = 06 Feb 2024).
    Offline backups or immutable snapshots remain the only option for post-Feb-06 victims.

4. Other Critical Information

  • Special Differentiators:
    • Employs legitimate “7-zip” DLL (7z.dll v22.01) to pre-compress files >100 MB and chain-drive encryption, decreasing overall I/O footprint (a rare dual-archive approach).
    • Maintains a SQLite3 store (%ProgramData%\cradlecore.db) that logs every encrypted path + SHA256 pre-attack, used by affiliates for proof-of-payment attestation.
    • Unique obfuscation wrap (Double-Base64 / orchestrated XOR with hardcoded seed 0xDEADBEEF), which evades many static AV signatures.
  • Broader Impact:
    • Most notable victim publicly disclosed to date: Norwegian municipal power company (Oct 2023); approx. 8.6 TB of SCADA telemetry exfiltrated prior to encryption.
    • Costliest single ransom demand traced: 1,250 Monero ≈ $375,000 USD.
    • Supply-chain risk: the affiliate playbook includes automated deployment of a Cobalt-Strike beacon “Badwell” that immediately pivots to any active VM snapshots on vSphere/ESXi; dozens of incident reports include partial root-partition overwrite when Linux VMs couldn’t be encrypted fully.
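The SQLite store described under Special Differentiators (every encrypted path plus its pre-attack SHA256) is also useful to the defender: after running the decryptor or restoring from backup, the ransomware's own manifest is a ready-made list of what must come back and what each file hashed to before the attack. The example below is added here and is not code from the write-up; the write-up names the database and its contents but not its columns, so the `files(path, sha256)` table is an assumed schema that should be adjusted to match the real store, and the sample store and restored contents are constructed in memory.

```python
import hashlib
import sqlite3
from typing import Callable, Dict, List, Optional

# ASSUMED schema: the write-up says the store logs path + pre-attack SHA256,
# but does not name the table or columns. Adjust after inspecting a real copy.
ASSUMED_DDL = "CREATE TABLE files (path TEXT PRIMARY KEY, sha256 TEXT NOT NULL)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_manifest(conn: sqlite3.Connection) -> Dict[str, str]:
    """Read path -> expected pre-attack SHA-256 from a copy of the store."""
    return {path: h.lower() for path, h in conn.execute("SELECT path, sha256 FROM files")}


def verify_restore(manifest: Dict[str, str],
                   read_file: Callable[[str], Optional[bytes]]) -> Dict[str, List[str]]:
    """Classify every manifest entry as restored (hash matches the pre-attack value),
    corrupt (file present but hash differs) or missing (nothing at that path)."""
    result: Dict[str, List[str]] = {"restored": [], "corrupt": [], "missing": []}
    for path, expected in sorted(manifest.items()):
        data = read_file(path)
        if data is None:
            result["missing"].append(path)
        elif sha256_hex(data) == expected:
            result["restored"].append(path)
        else:
            result["corrupt"].append(path)
    return result


def disk_reader(path: str) -> Optional[bytes]:
    """Reader for a real restore: returns None where the file does not exist."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def make_sample_store() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a copy of %ProgramData%/cradlecore.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(ASSUMED_DDL)
    conn.executemany("INSERT INTO files VALUES (?, ?)", [
        ("D:/Finances/Project_Q4.xlsx", sha256_hex(b"quarterly numbers")),
        ("D:/Finances/Budget.docx", sha256_hex(b"budget draft")),
        ("D:/HR/Contracts.pdf", sha256_hex(b"contracts")),
    ])
    conn.commit()
    return conn


# Constructed post-restore contents: one intact, one truncated, one never restored.
RESTORED_FILES = {
    "D:/Finances/Project_Q4.xlsx": b"quarterly numbers",
    "D:/Finances/Budget.docx": b"budget dra",
}


def sample_reader(path: str) -> Optional[bytes]:
    return RESTORED_FILES.get(path)


def run_sample() -> Dict[str, List[str]]:
    return verify_restore(load_manifest(make_sample_store()), sample_reader)


if __name__ == "__main__":
    for state, paths in run_sample().items():
        print(f"{state}: {paths}")
```

For a real case, open a forensic copy of the store with `sqlite3.connect("file:cradlecore.db?mode=ro", uri=True)` and pass `disk_reader` to `verify_restore`; anything in the corrupt or missing lists has to come from offline or immutable backups, which the recovery section above says are the only option for files the decryptor cannot handle.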

Quick-reference checklist (print/share):
[ ] Is SMBv1 disabled?
[ ] Is Exchange ProxyNotShell patched?
[ ] Is immutable backup tested?
[ ] Do users know how to spot “.cradlecore” and escalate?

Stay vigilant—this variant continues iterating; treat every new “policy version” as an unknown until decryptor compatibility is re-verified.