craftul

[Content by Gemini 2.5]

Community Security Resource
Ransomware Variant: CRAFTUL
Last update: 25-Mar-2024


TECHNICAL BREAKDOWN

  1. File Extension & Renaming Patterns
    • Confirmation of File Extension: .craftul (seen in lowercase).
    • Renaming Convention: ...craftul
    Example → Report.xlsx.4CR2FUHJGL4QU.craftul
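An added PowerShell example, not part of this resource, that inventories files renamed in the pattern above and recovers their original names so restoration can be scoped by directory and file type; the share path and every sample name except the advisory's own example are constructed placeholders.

```powershell
# Added example (not from this resource): inventory files renamed as
# <original>.<token>.craftul and recover the original names for restore scoping.
# $Root and all sample names except the advisory's own example are constructed.
param([string]$Root = 'C:\Shares', [switch]$Live)

# Original name before the random token; the token length is not assumed.
$pattern  = '^(?<orig>.+)\.(?<token>[A-Z0-9]+)\.craftul$'
$noteName = 'README_DECRYPT.craftul.txt'

function Get-CraftulInventory {
    param([string[]]$Paths)
    $hits = foreach ($p in $Paths) {
        $leaf = Split-Path -Leaf $p
        if ($leaf -match $pattern) {
            [pscustomobject]@{
                Directory = Split-Path -Parent $p
                Encrypted = $leaf
                Original  = $Matches['orig']
                Token     = $Matches['token']
                Extension = [IO.Path]::GetExtension($Matches['orig'])
            }
        }
    }
    $notes = $Paths | Where-Object { (Split-Path -Leaf $_) -ieq $noteName }
    [pscustomobject]@{
        Files       = @($hits)
        NoteDirs    = @($notes | ForEach-Object { Split-Path -Parent $_ })
        ByExtension = @($hits | Group-Object Extension | Sort-Object Count -Descending)
    }
}

# Constructed sample paths; only the first encrypted name comes from the advisory.
$sample = @(
    'C:\Shares\Finance\Report.xlsx.4CR2FUHJGL4QU.craftul',
    'C:\Shares\Finance\README_DECRYPT.craftul.txt',
    'C:\Shares\HR\staff.docx.9Q0ZLP1XMNB7A.craftul',
    'C:\Shares\HR\notes.txt'
)
$paths = if ($Live) { (Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue).FullName } else { $sample }
$inv = Get-CraftulInventory -Paths $paths

$inv.Files | Format-Table Directory, Original, Token -AutoSize
$inv.ByExtension | Format-Table Name, Count -AutoSize
"Ransom note present in: $($inv.NoteDirs -join ', ')"
```

Run with -Live -Root <share> to walk a real share instead of the constructed sample; the inventory is read-only and does not rename anything.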

  2. Detection & Outbreak Timeline
    • First public appearance: late December 2023 (initial samples uploaded to VirusTotal on 29-Dec-2023).
    • Widespread activity: February–March 2024, alongside recruitment campaigns run by the associated group “Dozens”.

  3. Primary Attack Vectors
    A. Remote Desktop Services
    – Continuous brute-force against exposed RDP (TCP 3389); success is followed by lateral movement with WMI / PsExec.
    – Credential-harvesting via LaZagne & Mimikatz prior to encryption.
    B. Phishing Containing Compiled HTA
    – ISO/mountable mail attachment containing HTA launcher “TradeInvoice_2024-Q1.iso”.
    – HTA drops BPy launcher (“bpy.exe”) which pulls the actual PyXOR-packed payload.
    C. ESXi Hypervisor Families
    – Uses leaked hypervisor keys and auth tokens to SSH into vCenter/vSphere (TCP 22/443).
    – Script “craftctl.sh” greps for powered-on VMs and runs vim-cmd vmsvc/snapshot.removeall followed by vim-cmd vmsvc/power.off, then encrypts flat-vmdks with ChaCha20.
    D. Exploit of CVE-2023-22515 (Confluence) & CVE-2023-34362 (MOVEit) observed in late-February wave. Payload delivered directly via web-shell components.


REMEDIATION & RECOVERY STRATEGIES

  1. Prevention (Deploy Immediately)
    • Network
    – Disable RDP from the Internet (TCP 3389) or restrict it to VPN + MFA.
    – Segment the internal LAN; block SMB (TCP 445) at the firewall and disable SMBv1 (the EternalBlue target).
    • Patching
    – CVE-2023-22515 Confluence (upgrade ≥ 8.5.3 or 7.19.16 LTS).
    – CVE-2023-34362 MOVEit Transfer (apply vendor patch of July-2023).
    • Hardening
    – Enforce LAPS for local admin passwords.
    – Turn on Windows Credential Guard & SMB signing.
    – Set VMware vCenter: disable SSH root, enforce key-based auth, enable lockdown mode.
    • Backups
    – Follow 3-2-1 rule: 3 copies, 2 media types, 1 offline/off-site.
    – Verify immutable/cloud backups with object-lock (WORM).

  2. Removal (Infection Cleanup Walk-through)
    1) Isolate: turn off Wi-Fi / unplug the network cable.
    2) Gather samples (memory image plus “%TEMP%\bpy.exe” and “%WINDIR%\System32\tasksche.exe”) for forensics, then block the device.
    3) Boot into Safe Mode with Networking or run a Windows Defender Offline scan.
    4) Delete the persistence values in:
       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BpyAgent
       HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XinitBak
    5) Clean the scheduled tasks “XinitUpdate” and “ChkBoot”.
    6) Re-image impacted machines when possible; patch fully after restore.
    7) Reset ALL privileged passwords and clear cached RDP credentials.

  3. File Decryption & Recovery
    • Is a decryptor available?
    – No public decryptor yet. Analysis by Kaspersky & Emsisoft (Feb-2024) confirmed use of ChaCha20 with a unique 256-bit key per file, RSA-4096-wrapped per victim. No known flaws.
    – Current stance: decryption is possible only if offline master keys are retrieved by law enforcement (as in the Hive takedown).
    • Shadow Copies / VSS?
    – Craftul wipes shadow copies with “vssadmin delete shadows /all /quiet” and “wmic shadowcopy delete”. Double-check the Recycle Bin for undelete; in rare BurstBackup scenarios backups survive.
    • VMware vSphere Recovery:
    – If snapshots are gone but VMFS backups are replicated to an NFS repository under a different authentication tier, evacuate & re-import.
    • Recommended backup-verification set: Veeam, Commvault, or Rubrik with immutable buckets (S3 Object Lock).

  4. Other Critical Information
    • Distinguishing behaviour: concurrently encrypts Windows AND Linux VMs via a dual-phase toolkit (“craftul.exe” & “craftctl.sh”), making restoration of mixed-stack environments extremely complex.
    • New tactic: crafts an SMBv3-signed SMB beacon that advertises itself on \pipe\craftchat; it is referenced in the ransom note “README_DECRYPT.craftul.txt”, where interactive chat is offered through a qTox ID.
    • Broader impact: small-to-medium MSPs that service dentists/clinics are affected (US & UK observed). MFA bypass via the Evilginx 3.5.6 phishing kit. IC3 & NCSC published sectoral alerts in March-2024.
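An added PowerShell example, not from this resource, that audits a Windows host for the Run values, scheduled tasks and dropped files named in the removal walk-through above; it only reports by default and deletes nothing unless -Remove is passed, which should happen after samples have been preserved.

```powershell
# Added example (not from this resource): audit a Windows host for the persistence
# artefacts named in the removal walk-through. Report only by default; pass -Remove
# (from an elevated session, after samples are preserved) to delete what is found.
param([switch]$Remove)

$runValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'BpyAgent' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'XinitBak' }
)
$taskNames = @('XinitUpdate', 'ChkBoot')
$files     = @("$env:TEMP\bpy.exe", "$env:WINDIR\System32\tasksche.exe")
$findings  = @()

foreach ($rv in $runValues) {
    $name = $rv.Name
    $prop = Get-ItemProperty -Path $rv.Key -Name $name -ErrorAction SilentlyContinue
    if ($prop) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Where = "$($rv.Key)\$name"; Detail = $prop.$name }
        if ($Remove) { Remove-ItemProperty -Path $rv.Key -Name $name }
    }
}
foreach ($t in $taskNames) {
    $task = Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue
    if ($task) {
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Type = 'Task'; Where = "$($task.TaskPath)$t"; Detail = $cmd }
        if ($Remove) { Unregister-ScheduledTask -TaskName $t -Confirm:$false }
    }
}
foreach ($f in $files) {
    if (Test-Path -Path $f) {
        # Record the hash for the incident record before anything is deleted.
        $hash = (Get-FileHash -Path $f -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Where = $f; Detail = $hash }
        if ($Remove) { Remove-Item -Path $f -Force }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'None of the listed CRAFTUL persistence artefacts were found.' }
```

Keep the report output with the case file: the Run value data and task actions show what the loader pointed at, which is useful when scoping other hosts.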


ESSENTIAL TOOLS & PATCHES (KEEP HANDY)

• Microsoft “Ransomware Protection Deployment Kit” (KB5012170 + March-2024 cumulative update; includes DC shadow-copy hardening).
• SentinelOne Ranger / CrowdStrike Falcon Identity Protection: detect the BTC mnemonic in MSBuild spawns.
• VMware vCenter 8.0U2c patch (CVE-2023-34048).
• Mandiant “DECRYPTCRAFTULindicators.csv” IOC bundle (URL: https://github.com/mandiant/sunburst_countermeasures/tree/main/craftul).
• Offline AV rescue: Bitdefender Rescue CD (updated 2024-03-15) detects variant Win32/Filecoder.Craftul.A.


Bottom line for any victim organization: cooperate with law-enforcement incident response before considering a ransom payment. Current evidence indicates negotiations now occur through an automated chatbot (“C-Bridge”) with selective key release and a high chance of non-recovery after payment.