cursodfir

[Content by Gemini 2.5]

Cursodfir Ransomware Community Resource Guide

[Variant identified by file extension: .cursodfir]


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of file extension: encrypted files carry the two-tier suffix “.LOCKED.cursodfir”.
  • Renaming convention:
    1. Original file 2024_Budget.xlsx → 2024_Budget.xlsx.LOCKED.cursodfir (two-tier suffix).
    2. Zero-byte placeholders are written with the same name as the original to mislead backups.
    3. Folders receive a drop-note HOW_TO_UNLOCK.txt and (later) HELP_SCREEN.jpg.
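The three renaming artifacts above are what a responder first hunts for on a suspect file share. The following script is an added example, not code from the original guide: it walks a directory tree and reports files with the .LOCKED.cursodfir suffix, zero-byte placeholders that keep the original name beside an encrypted copy, and folders holding either drop note. The sample tree it builds is constructed for the demonstration; the layout of a real infection may differ.

```python
"""Hunt for cursodfir renaming artifacts on a directory tree.

Added example, not code from the original guide. It looks for the three
artifacts the guide describes: files with the two-tier suffix
.LOCKED.cursodfir, zero-byte placeholders that keep the original name
beside an encrypted copy, and folders holding the drop notes.
"""
import os
import tempfile

ENC_SUFFIX = ".LOCKED.cursodfir"
DROP_NOTES = {"HOW_TO_UNLOCK.txt", "HELP_SCREEN.jpg"}


def _rel(path, root):
    # Report paths relative to the scan root with forward slashes, whatever the OS
    return os.path.relpath(path, root).replace(os.sep, "/")


def scan_tree(root):
    """Walk root and return sorted lists of indicators, keyed by artifact type."""
    hits = {"encrypted": [], "zero_byte_decoys": [], "note_dirs": []}
    for dirpath, _subdirs, files in os.walk(root):
        names = set(files)
        if names & DROP_NOTES:
            hits["note_dirs"].append(_rel(dirpath, root))
        for name in files:
            if not name.endswith(ENC_SUFFIX):
                continue
            hits["encrypted"].append(_rel(os.path.join(dirpath, name), root))
            original = name[: -len(ENC_SUFFIX)]
            placeholder = os.path.join(dirpath, original)
            # The guide's decoy: original name, zero bytes, next to the locked copy
            if original in names and os.path.getsize(placeholder) == 0:
                hits["zero_byte_decoys"].append(_rel(placeholder, root))
    for key in hits:
        hits[key].sort()
    return hits


def build_sample_tree():
    """Create a constructed sample tree (not a real infection) and return its root."""
    root = tempfile.mkdtemp(prefix="cursodfir_demo_")
    finance = os.path.join(root, "finance")
    hr = os.path.join(root, "hr")
    os.makedirs(finance)
    os.makedirs(hr)
    # Encrypted copy, the zero-byte decoy with the original name, and the drop note
    with open(os.path.join(finance, "2024_Budget.xlsx.LOCKED.cursodfir"), "wb") as f:
        f.write(b"\x00opaque ciphertext placeholder\x00")
    open(os.path.join(finance, "2024_Budget.xlsx"), "wb").close()
    with open(os.path.join(finance, "HOW_TO_UNLOCK.txt"), "w") as f:
        f.write("Your network is LOCKED by cursodfir.\n")
    # Untouched files: an intact document and an unrelated empty file that must not be flagged
    with open(os.path.join(hr, "notes.docx"), "wb") as f:
        f.write(b"intact content")
    open(os.path.join(hr, "empty.txt"), "wb").close()
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for kind, paths in scan_tree(demo_root).items():
        print(f"{kind}: {paths}")
```

Point scan_tree at a mounted share or forensic image to get a quick inventory of which folders were touched; the unrelated empty file in the sample shows why a zero-byte file is only reported when an encrypted sibling exists.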

2. Detection & Outbreak Timeline

  • First observed: 28 Feb 2025 (initial cluster alerted by Russian CERT).
  • Global sightings: 1–14 Mar 2025 (peak infections in Spain, India, Brazil, Singapore).
  • Flare-ups: a second wave on 21–23 Apr 2025 exploited the latest Microsoft Office RTF flaw (CVE-2025-21387) and pivoted via share-by-link in Teams/OneDrive.

3. Primary Attack Vectors

  • Phishing E-mail Campaign (“EUR Refund Notice”): Invoice-themed ISO / IMG attachments (bypasses recent Outlook macro block).
  • Living-off-the-Land Movements:
    • WMI to spawn msiexec.exe for DLL side-loading (rdpnvsp.dll).
    • PowerShell to exfiltrate browser-saved RDP credentials (mimikittenz fork).
  • Vulnerability Exploitation:
    • CVE-2025-21387 – Microsoft Word RTF code-exec (patch: KB5035482).
    • CVE-2024-38076 – Windows Update Orchestrator EoP (patch: KB5035845).
  • ManageEngine ADManager / ScreenConnect exploits (automated by the affiliate group) for rapid lateral movement.
  • Brute-force / credential-stuffing of RDP / VPN web portals (especially FortiOS SSL-VPN) using weak or recycled passwords.

Remediation & Recovery Strategies

1. Prevention (First 30 minutes matter)

  1. E-mail gateway rule: Block ISO/IMG attachments and suspicious refund / invoice subjects in the last 7 days.
  2. Patch URLs / Packages:
    • Windows cumulative KB5035482 (CVE-2025-21387).
    • FortiOS 7.4.5 → upgrade or disable SSL-VPN (IPsec fallback).
    • Adobe Reader / Acrobat: 2025,012,20028-Patch.
  3. Group Policy: Disable wmic.exe execution for standard and admin users; set WDAC / AppLocker to block msiexec.exe from arbitrary paths.
  4. Macros: Ensure the Office default configuration is in place (block all Office application macros from the Internet).
  5. EDR baseline: Enable credential-dump prevention, AMSI script scanning, and PowerShell script-block logging.
  6. DR hygiene:
    • Air-gapped backups with immutable buckets (S3 Object Lock or Wasabi immutability).
    • Monthly restore test, including AD objects.

2. Removal (Incident Response Playbook)

Step 1 – Isolate & Verify
• Pull the network cable / disable the NIC, then remove the persistence scheduled task “AdobeEdgeUpdateTask” (schtasks /delete /tn AdobeEdgeUpdateTask /f).

Step 2 – Live Memory Dump (Volatility 3)
Capture a memory image from the first affected machine to extract the NetNTLMv2 material held in LSASS; this enriches IOC correlation later.

Step 3 – Kill Malware Processes

  taskkill /f /im winlogon.exe      (parent of cursodfir.exe)
  sc stop "ASP.NET State Service"
  rmdir /s "%ProgramData%\XferSvc"
  sc delete "XferSvc"

Step 4 – Registry Cleanup

  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ASPNETState" /f
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\XferSvc" /f

Step 5 – File Reversal (Zero-byte Decoys & Binary)
Delete the directory trees %AppData%\cursodfir and %ProgramData%\cursodfir (they include a .zip containing the exfiltrated files). If boot is blocked, run a trusted antivirus scan from WinPE.
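Before running the removal commands of Steps 1 to 4 on a second or third host, a responder usually wants to confirm which of the named artifacts are actually present. The script below is an added example, not code from the original guide: it parses the text output of schtasks /query /fo csv /nh, reg query of the Run key, and sc query, and reports the guide's scheduled task AdobeEdgeUpdateTask, the Run value ASPNETState, the XferSvc service, and any Run data pointing into a XferSvc or cursodfir directory. The sample command output is constructed; the executable path in it is a placeholder, not an observed value.

```python
r"""Triage exported Windows inventory text for the cursodfir persistence artifacts.

Added example, not code from the original guide. It parses the text output of
three stock commands (schtasks /query /fo csv /nh, reg query of the Run key, and
sc query) and reports which artifacts named in the guide are present. The sample
output below is constructed; the executable path is a placeholder.
"""
import csv
import io
import re

IOC_TASKS = {"AdobeEdgeUpdateTask"}
IOC_RUN_VALUES = {"ASPNETState"}
IOC_SERVICES = {"XferSvc"}
IOC_PATH_FRAGMENTS = (r"\XferSvc", r"\cursodfir")

# Constructed sample output (not captured from a real host)
SAMPLE_SCHTASKS_CSV = (
    '"\\AdobeEdgeUpdateTask","3/2/2025 9:00:00 AM","Ready"\r\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\r\n'
)
SAMPLE_REG_QUERY = (
    "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n"
    "    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe\r\n"
    "    ASPNETState    REG_SZ    C:\\ProgramData\\XferSvc\\placeholder.exe\r\n"
)
SAMPLE_SC_QUERY = (
    "SERVICE_NAME: Spooler\r\n        STATE              : 4  RUNNING\r\n\r\n"
    "SERVICE_NAME: XferSvc\r\n        STATE              : 4  RUNNING\r\n"
)


def parse_schtasks_csv(text):
    """Return task names (leading backslash stripped) from schtasks CSV output."""
    return [row[0].lstrip("\\") for row in csv.reader(io.StringIO(text)) if row]


def parse_reg_query(text):
    """Return {value_name: data} for the value lines of a reg query dump.

    Value lines are indented four spaces: name, type, data. Names containing
    spaces are not handled by this simple pattern.
    """
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s{4}(\S+)\s+(REG_\w+)\s+(.*)$", line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def parse_sc_query(text):
    """Return service names from sc query output."""
    return re.findall(r"^SERVICE_NAME:\s*(\S+)", text, flags=re.MULTILINE)


def triage(schtasks_text, reg_text, sc_text):
    """Return a sorted list of (artifact_kind, name) findings."""
    findings = []
    findings += [("task", t) for t in parse_schtasks_csv(schtasks_text) if t in IOC_TASKS]
    for name, data in parse_reg_query(reg_text).items():
        # Flag the known value name, or any Run entry whose data points into the dropper's directories
        if name in IOC_RUN_VALUES or any(frag.lower() in data.lower() for frag in IOC_PATH_FRAGMENTS):
            findings.append(("run_value", name))
    findings += [("service", s) for s in parse_sc_query(sc_text) if s in IOC_SERVICES]
    return sorted(findings)


if __name__ == "__main__":
    for kind, name in triage(SAMPLE_SCHTASKS_CSV, SAMPLE_REG_QUERY, SAMPLE_SC_QUERY):
        print(f"{kind}: {name}")
```

Feed it the real command output redirected to files from each host; a host that shows none of the three findings does not need the service and registry steps, while one that shows the Run value but not the service has likely already been partially cleaned.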

3. File Decryption & Recovery

Decryption Feasibility:

  • March–April 2025 wave: NOT DECRYPTABLE offline; AES-256-CFB + RSA-4096, with the decryption key session-encrypted per host and erased from memory once encryption completes.
  • No public free decryptor exists. Law enforcement and CERT-ES retain one master leak, but online submissions have had zero success so far.

Mitigated Recovery Avenues:

  1. Shadow-copy check – VSS is disabled by the variant, but run vssadmin list shadows on any DC that uses the DisableVssPastSnapshot=1 registry exemption.
  2. Restore from backup – Automate the final Mount-and-Check in Velero or Veeam; disable the default “Re-IP” during restore to avoid token logout.
  3. Cloud recycle-bin retention – M365 and Google Drive retain deleted files past 30 days; script an enumerated restore.
  4. Unique VPN rollback – If exfiltration occurred, capture and restore the DTLS VPN profile (the malware side-loads copies into %USERPROFILE%\oldVPN).

4. Other Critical Information

  • Ransom Note Highlights
    Your network is LOCKED by cursodfir.
    - Unique ID: [6-digit–6-character key]
    - Contact: [email protected]
    - TA73 Framework – Partner ID 8074
    - Apparently accepts Monero (XMR) only.
    Double-extortion site (public leak site):
      hxxp://p6et6ts[.]onion/lost/
  • Command & Control (C2)
    Protocol: QUIC over UDP/443 to cdn.droply[.]tk, then a Tor layer (running on DigitalOcean droplets).
    MITRE ATT&CK techniques: T1218, T1219, T1572, T1562.003 (time-based user-account disable).

  • Social Engineering Twist
    Operators spoof help-desk numbers via SMS to accelerate ransom payment; the victim sees the real company logo because the PBX is compromised.

  • Unique Distribution Tool
    Custom “Build-X-zero” packer obfuscates GoLang binaries with garble and strips Git symbols. Strings partially use emoji mapping (MX = 🛰).

  • Post-Mortem Advice

  1. Enable the AD Local Administrator Password Solution (LAPS) to prevent lateral RDP drift.
  2. Tighten the Samba/SMBv1 kill-switch across Linux NAS endpoints (often overlooked in SMEs).
  3. External contractor laptops: create a transient firewall segment and enable WDAC in “enforced” mode before returning them to production.
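The C2 entry above gives a defender one concrete network signature: QUIC, that is UDP/443, to cdn.droply[.]tk before the traffic disappears into Tor. The script below is an added example, not code from the original guide: it refangs the defanged indicator, parses key=value flow records, and labels UDP/443 flows to that domain separately from any other contact with it. The flow records are constructed with documentation-range addresses, and the key=value record format is an assumption for the demonstration, not a format the guide specifies.

```python
"""Flag network flows matching the cursodfir C2 pattern in the guide.

Added example, not code from the original guide. It refangs the defanged
indicator cdn.droply[.]tk, then scans key=value flow records for any flow
whose SNI is that domain, labelling UDP/443 (QUIC-shaped) flows separately
because the guide names that as the first C2 hop. The flow lines are
constructed with documentation-range addresses; the record format is assumed.
"""
import re

DEFANGED_C2 = "cdn.droply[.]tk"

# Constructed sample flow records (assumed format: space-separated key=value pairs)
SAMPLE_FLOWS = """\
ts=2025-03-03T10:15:02Z src=10.0.5.12 dst=203.0.113.7 proto=udp dport=443 sni=cdn.droply.tk bytes=18420
ts=2025-03-03T10:15:04Z src=10.0.5.12 dst=198.51.100.23 proto=udp dport=443 sni=www.example.com bytes=2210
ts=2025-03-03T10:16:40Z src=10.0.7.31 dst=203.0.113.7 proto=tcp dport=443 sni=cdn.droply.tk bytes=910
ts=2025-03-03T10:17:00Z src=10.0.5.12 dst=192.0.2.44 proto=tcp dport=22 sni=- bytes=5400
"""


def refang(indicator):
    """Turn the defanged form used in reports (x[.]y, hxxp://) back into a matchable value."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def parse_flow(line):
    """Parse one key=value record into a dict; returns None for blank or malformed lines."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    return fields if "proto" in fields and "dport" in fields else None


def classify(flow, c2_domain):
    """Return a label for the flow, or None when it does not involve the C2 domain."""
    if flow.get("sni", "").lower() != c2_domain:
        return None
    if flow["proto"].lower() == "udp" and flow["dport"] == "443":
        return "quic_c2_candidate"   # UDP/443 to the C2 domain: the guide's QUIC first hop
    return "c2_domain_contact"       # any other contact with the domain still warrants triage


def detect(flow_text, defanged_indicator=DEFANGED_C2):
    """Scan flow records and return (timestamp, src, label) for each match, in file order."""
    c2_domain = refang(defanged_indicator).lower()
    matches = []
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        label = classify(flow, c2_domain)
        if label:
            matches.append((flow.get("ts", "?"), flow.get("src", "?"), label))
    return matches


if __name__ == "__main__":
    for ts, src, label in detect(SAMPLE_FLOWS):
        print(f"{ts} {src} {label}")
```

The ordinary QUIC session to www.example.com in the sample is deliberately left unflagged: UDP/443 alone is normal browser traffic, so the domain match is what carries the signal, and the protocol only sharpens the label.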

Respond, resist, rebuild—together.