damage

[Content by Gemini 2.5]

Ransomware Resource: .damage


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: All files encrypted by this strain are appended with the exact suffix “.damage” (lowercase, dot-prefixed, never appended twice even on re-infection).
  • Renaming Convention:
    originals → <original_name>.<random-8-char_hex>.damage
    Example: Quarterly_Presentation.pptx → Quarterly_Presentation.7a4f2B3D.damage
    Nothing is prepended; no additional markers are written into the filename itself.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First publicly reported samples date to mid-September 2020 on BleepingComputer and ID-Ransomware. A sharp spike in submissions was observed 10 – 20 Oct 2020, suggesting a large mal-spam wave. Minor iterative builds still circulate today (mostly targeting small-to-medium businesses via exposed RDP).

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. Malicious e-mail attachments (macro-laced Office files or “ZIP → JS → EXE” chains).
    2. Exploitation of exposed Remote Desktop Services: publicly open RDP, brute-forced credentials, then lateral movement with PsExec / WMI.
    3. EternalBlue (MS17-010) on older Windows 7/2008 systems.
    4. Weak web applications / server-based supply-chain MSI drops (notably fake TeamViewer updates and pirated software bundles).
    5. Double extortion: once inside, the group exfiltrates data to a C2 (domain fast-flux list below) and threatens publication on leak sites if the ransom is not paid.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Patch MS17-010 as well as CVE-2020-1472 (Zerologon) on DCs.
    • Disable SMBv1 universally (Set-SmbServerConfiguration -EnableSMB1Protocol $false).
    • Use MFA for every remote-access pathway (VPN, RDP Gateway, etc.).
    • Segment networks so critical file shares cannot be reached from user workstations via direct SMB.
    • Aggressive mail filtering—block .js, .vbs, .hta, and macro docs from external senders.
    • Daily offline / immutable backups with GFS retention and periodic restore-verification drills.
    • Deploy reputable EDR with behavioral rules tuned to *.damage creation events and SMB lateral movement.

2. Removal (Infection Cleanup)

  1. Disconnect the host from the network (both wired and Wi-Fi) to contain spread.
  2. Power off unencrypted VSS disks immediately; this preserves the automatic Windows Shadow Copies if they have not yet been purged.
  3. Boot a clean OS (WinPE / Linux live USB) and remove the dropped binaries:
     • %AppData%\Roaming\Microsoft\DmgSync.exe
     • %Temp%\update[random].bat (used to delete VSS via vssadmin.exe, WMI).
  4. Clean the Registry Run key that adds persistence:
     HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BackgroundUpload
  5. Run a reputable AV/EDR scan to verify deletion and quarantine residual droppers.
  6. Re-enable networking only after every known patient-zero device is triaged.

3. File Decryption & Recovery

  • Recovery Feasibility: No free decryptor exists as of the last public audit (Apr 2024). The AES-256 key is generated per machine, RSA-2048-encrypted, and stored only on the attackers’ side.
  • Restoration: Re-image the host, then restore files from offline backups, choosing copies taken before the encryption timestamp visible in the *.damage files’ properties.
  • Essential Tools / Patches:
    • Microsoft Windows roll-up patches (September 2020 Cyclic or later).
    • ShadowExplorer, ProDiscover, or Kroll KD-Decrypt (limited internal tool) can restore files only IF Windows VSS still contains snapshots.
    • RDP/SSH hardening scripts from the CIS Benchmark for Windows or CIS Level-1 Linux.

4. Other Critical Information

  • Unique Characteristics:
    • “damage” does not modify NTFS permissions, so the volume remains browsable; this speeds up listing when assessing the scope of encryption.
    • Drops a ransom note “_readme.txt” in every encrypted directory, alongside the Tor v3 OD site (domain 4yq6qtrcn62px<...>.onion).
    • The payment timer self-terminates 96 h after execution if payment is not received, yet files remain encrypted.
  • Broader Impact:
    • Supply-chain cases were documented in which an MSP (managed-service-provider) compromise led to simultaneous encryption of 40 client domains.
    • Leaked-data publication site “DDoS Damage Leaks” hosted on I2P + Tor, leading to regulatory fines (GDPR, HIPAA).
    • Consortium analysis indicates almost 38 % of observed victims opted to pay (average demand 0.05 – 0.08 BTC ≈ $2 800 USD in early 2021), but fewer than 35 % received functional decryptors, reinforcing the non-payment stance adhered to by law enforcement.

Rapid-action check-list for incident responders
1) Immediately invalidate domain credentials for every account compromised on patient zero.
2) Check Volume Shadow Copies (vssadmin list shadows); if untouched, take a snapshot before the destructive processes recur.
3) Feed the “*.damage” file count and locations into a SIEM alert every 60 min; an anomalous spike indicates a new wave.
4) Provide an organization-wide awareness memo highlighting the real campaign-delivery e-mail subject lines “Monthly Package,” “AutoCad Remote Update,” etc. observed in the wild.
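Added example (not part of the original resource) tying the renaming convention in section 1, the pre-encryption restore point in section 3, and check-list item 3 together: it classifies a constructed share listing against the `<original_name>.<8-hex>.damage` pattern, counts encrypted files per directory, records the earliest encryption mtime, and applies a simple spike rule for the 60-minute SIEM poll. The sample paths, timestamps, and the spike threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Rename convention from the write-up: <original_name>.<random-8-char_hex>.damage,
# exact lowercase suffix, never doubled. The token is accepted in either letter case
# because the write-up's own example ("7a4f2B3D") mixes case (assumption).
DAMAGE_RE = re.compile(r"^(?P<original>.+)\.(?P<token>[0-9A-Fa-f]{8})\.damage$")

# Constructed sample listing of (UNC path, mtime in UTC) standing in for a share walk.
SAMPLE_LISTING = [
    (r"\\fs01\finance\Quarterly_Presentation.pptx.7a4f2B3D.damage", "2020-10-12T02:14:09Z"),
    (r"\\fs01\finance\Budget.xlsx.0c91ee4a.damage", "2020-10-12T02:14:11Z"),
    (r"\\fs01\finance\_readme.txt", "2020-10-12T02:14:12Z"),
    (r"\\fs01\hr\Handbook.docx", "2020-09-01T09:00:00Z"),
    (r"\\fs01\hr\old.damage", "2019-03-03T10:00:00Z"),                       # no hex token
    (r"\\fs01\hr\Pay.xlsx.1234abcd.damage.damage", "2020-10-12T02:30:00Z"),  # doubled suffix
]


def parse_damage_name(path):
    """Return (original_name, token) when the basename follows the strain's rename
    convention, else None. A doubled '.damage' cannot match because the 8-hex token
    must sit directly before a single suffix."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = DAMAGE_RE.match(base)
    return (m.group("original"), m.group("token")) if m else None


def triage_listing(listing):
    """Per-directory count of encrypted files, the earliest encryption mtime (any backup
    used for restoration must predate it), and '.damage' names that break the pattern."""
    per_dir, earliest, anomalies = Counter(), None, []
    for path, mtime in listing:
        if parse_damage_name(path) is None:
            if path.lower().endswith(".damage"):
                anomalies.append(path)  # suffix present but not this strain's convention
            continue
        per_dir[path.rsplit("\\", 1)[0]] += 1
        ts = datetime.strptime(mtime, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        earliest = ts if earliest is None or ts < earliest else earliest
    return per_dir, earliest, anomalies


def new_wave(previous_total, current_total, min_growth=10):
    """Spike rule for the 60-minute SIEM poll: True when the *.damage count grew by at
    least min_growth files since the previous poll (threshold is an assumption)."""
    return current_total - previous_total >= min_growth
```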

Stay patched, stay backed-up, and never pay.