dcom

[Content by Gemini 2.5]

Ransomware Community Resource
Variant: “.dcom”


Technical Breakdown

1. File Extension & Renaming Patterns

  • Extension in Use: “.dcom” – the literal lowercase string appended to every encrypted file.
  • Renaming Convention: Original file-name + “.id-<8-char Victim-ID>.[].dcom”
  • Example: Invoice_AUG2024.pdf → Invoice_AUG2024.pdf.id-A3B7C2D1.[[email protected]].dcom
  • Exactly one secondary dot is preserved (File.ext.dcom); the extension is written in all lowercase on every OS.
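The renaming convention above is easy to turn into a triage check for a file share or a mounted disk. The following is an added example, not code from the original page: a parser for the `<name>.id-<victim-id>.[<contact>].dcom` pattern and a listing summariser that separates renamed files from untouched ones and counts distinct victim IDs (more than one ID on a single share suggests several infected hosts wrote to it). The assumptions are that the 8-character victim ID is hexadecimal (the page's example is A3B7C2D1) and that the bracketed contact field, which the page elides, can contain anything except `]`; the sample listing and the placeholder address in it are constructed.

```python
import re
from typing import NamedTuple, Optional

# Renaming convention from the page:
#   <original name>.id-<8 hex chars>.[<contact address>].dcom
# Assumption: the victim ID is hexadecimal; the contact field is matched loosely
# because the page does not show its exact contents.
DCOM_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]*)\]"
    r"\.dcom$"
)


class DcomName(NamedTuple):
    original: str
    victim_id: str
    contact: str


def parse_dcom_name(name: str) -> Optional[DcomName]:
    """Return the parsed fields if `name` follows the .dcom convention, else None.

    The match is case-sensitive on purpose: the page states the extension is
    always lowercase, so '.DCOM' is treated as not renamed by this family."""
    m = DCOM_NAME_RE.match(name)
    if not m:
        return None
    return DcomName(m.group("original"), m.group("victim_id"), m.group("contact"))


def triage_listing(names):
    """Summarise a directory listing into renamed files, untouched files and
    the set of victim IDs seen."""
    encrypted = {}
    untouched = []
    for n in names:
        parsed = parse_dcom_name(n)
        if parsed:
            encrypted[n] = parsed
        else:
            untouched.append(n)
    victim_ids = sorted({p.victim_id for p in encrypted.values()})
    return {"encrypted": encrypted, "untouched": untouched, "victim_ids": victim_ids}


# Constructed sample listing (placeholder contact address, not real victim data).
SAMPLE_LISTING = [
    "Invoice_AUG2024.pdf.id-A3B7C2D1.[contact@example.invalid].dcom",
    "Q3.budget.xlsx.id-A3B7C2D1.[contact@example.invalid].dcom",
    "notes.txt.id-F00DBEEF.[contact@example.invalid].dcom",
    "!readme.txt",
    "photo.jpg.DCOM",
    "report.docx",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    for name, fields in result["encrypted"].items():
        print(f"{name} -> original={fields.original!r} victim_id={fields.victim_id}")
    print("victim IDs seen:", result["victim_ids"])
    print("not renamed:", result["untouched"])
```

The non-greedy `original` group keeps names that themselves contain dots (`Q3.budget.xlsx`) intact, since the `.id-` marker, not the first dot, delimits the suffix.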

2. Detection & Outbreak Timeline

  • First Public Sighting / Widespread Distribution: Early July-2023. MongoDB & Elasticsearch honeypots first recorded the specific ransomware notes (“!readme.txt”) on 06-Jul-2023; peak infection waves occurred October-2023 through March-2024.

3. Primary Attack Vectors

  1. Phishing + ISO chain: ZIP → ISO → .LNK → .NET stager. Subject lines “New DHL_Scan” or “W2-2023-Updates”.
  2. Exploitation of:
     • Fortinet SSL-VPN (CVE-2018-13379, CVE-2020-12812, CVE-2021-40684), leading to reverse-tunnel access.
     • Windows DCOM + RMI components (no CVE; relies on cleartext NTLM + RPC on 135/596) after credential stuffing.
     • Jenkins “script console” (CVE-2024-23897) to drop “javains.exe”, which unpacks the dcom loader.
  3. RDP brute-force / compromised MSP tools (ScreenConnect, AnyDesk) → Cobalt Strike sleep-then-dcom.

Remediation & Recovery Strategies

1. Prevention

  • Patch immediately: Fortinet firmware >= 7.2.8 (or latest respin), Jenkins >= 2.451, Windows March-2024 cumulative update.
  • Require MFA on ALL VPN & RDP endpoints; force NLA+RDG-CAPS off untrusted WAN blocks.
  • Disable SMBv1/NTLMv1; deploy SRP/AppLocker rules to block executables from “%TEMP%\7z*%”, “C:\Users\Public\Libraries”, “C:\ProgramData\Oracle\Java*”.
  • SEG or native O365 quarantine: .ISO, .IMG, .VHD(x), .HTA attachments with “invoice” or “scan” keywords.
  • Restrict DCOM/RPC traffic at perimeter: allow 135 only to authorized management stations, segment VLANs, enforce Windows Firewall inbound rules.
  • Mandatory email-delivered macro & LNK file blocking via GPO.

2. Removal – Clean Rebuild Process

  1. Isolate: Pull network cable / disable Wi-Fi. Confirm no lateral movement via ARP watch or external storage re-mount.
  2. Boot verifier: Boot from known-clean WinPE / Linux paranoid rescue ISO. Mount infected disks read-only.
  3. Delete artifacts:
     • %ProgramData%\svcmgr.exe
     • %LOCALAPPDATA%\tx6.dll
     • Registry Run keys → HKCU\Software\Classes\ms-settings\shell\open\command
     • ScheduledTask: “AdobeCOMUpdater” -> rundll32 tx6.dll,EntryPoint
  4. Wipe & reinstall: Nuke OS partition; retain encrypted user data for future decryption attempt.
  5. Patch baseline before restore. Re-enable AV/EDR with EnableNetworkProtection=1.
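Before deleting anything in step 3 it is worth confirming which of the listed artifacts are actually present on the read-only mount from step 2. The following is an added example, not part of the original page: a read-only checker that looks for the two dropped files and for the scheduled task, plus a small constructed volume layout to exercise it. Assumptions: the volume is mounted with its Windows directory layout intact (`ProgramData`, `Users\<profile>\AppData\Local`, `Windows\System32\Tasks`), the task is stored as the usual UTF-16 task XML under that Tasks folder, and the profile name `alice` in the sample is made up. The HKCU Run-key entry lives inside a user's `NTUSER.DAT` hive, which this script does not parse; it only lists the hive files an analyst would open in a hive viewer.

```python
import re
import tempfile
from pathlib import Path

# Artifacts from the removal step, as paths relative to the mounted volume.
# Assumption: standard Windows layout; every profile under Users is checked.
FILE_ARTIFACTS = [
    "ProgramData/svcmgr.exe",             # %ProgramData%\svcmgr.exe
    "Users/*/AppData/Local/tx6.dll",      # %LOCALAPPDATA%\tx6.dll
]
# Scheduled tasks are stored as XML files under Windows\System32\Tasks.
TASK_DIR = "Windows/System32/Tasks"
TASK_NAME = "AdobeCOMUpdater"
TASK_CMD_RE = re.compile(r"rundll32.*tx6\.dll", re.IGNORECASE)


def _read_task_xml(path: Path) -> str:
    """Task XML is normally UTF-16 with a BOM; fall back to UTF-8 otherwise."""
    data = path.read_bytes()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="ignore")
    return data.decode("utf-8", errors="ignore")


def find_artifacts(mount_root):
    """Return the artifact paths (relative, POSIX-style) that exist under mount_root.
    Only reads are performed, so the mount can stay read-only."""
    root = Path(mount_root)
    found = []
    for pattern in FILE_ARTIFACTS:
        found.extend(p.relative_to(root).as_posix() for p in root.glob(pattern) if p.is_file())
    task = root / TASK_DIR / TASK_NAME
    if task.is_file() and TASK_CMD_RE.search(_read_task_xml(task)):
        found.append(task.relative_to(root).as_posix())
    return sorted(found)


def list_user_hives(mount_root):
    """Hives to open manually for the HKCU\\...\\ms-settings\\shell\\open\\command key."""
    root = Path(mount_root)
    return sorted(p.relative_to(root).as_posix() for p in root.glob("Users/*/NTUSER.DAT"))


def build_sample_volume(base):
    """Construct a fake volume (sample data, not a real image) to exercise the checker."""
    base = Path(base)
    (base / "ProgramData").mkdir(parents=True, exist_ok=True)
    (base / "ProgramData" / "svcmgr.exe").write_bytes(b"MZ sample")
    local = base / "Users" / "alice" / "AppData" / "Local"      # 'alice' is made up
    local.mkdir(parents=True, exist_ok=True)
    (local / "tx6.dll").write_bytes(b"MZ sample")
    (base / "Users" / "alice" / "NTUSER.DAT").write_bytes(b"regf sample")
    tasks = base / TASK_DIR
    tasks.mkdir(parents=True, exist_ok=True)
    xml = ('<?xml version="1.0" encoding="UTF-16"?><Task><Actions><Exec>'
           '<Command>rundll32.exe</Command><Arguments>tx6.dll,EntryPoint</Arguments>'
           '</Exec></Actions></Task>')
    (tasks / TASK_NAME).write_text(xml, encoding="utf-16")   # UTF-16 with BOM, like Windows


def run_demo(populated=True):
    """Run the checker against a temporary sample volume (empty when populated=False)."""
    with tempfile.TemporaryDirectory() as tmp:
        if populated:
            build_sample_volume(tmp)
        return find_artifacts(tmp), list_user_hives(tmp)


if __name__ == "__main__":
    artifacts, hives = run_demo()
    print("artifacts present:", artifacts)
    print("user hives to inspect for the Run key:", hives)
```

Run it against a real mount as `find_artifacts("/mnt/infected")`; an empty result for a machine that showed the ransom note means the artifacts differ from the page's list, not that the host is clean.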

3. File Decryption & Recovery

  • Can Files Be Decrypted?
    No decryption without paying ransom. Dcom encryption is Curve25519-ransom-AES256 (stream mode), keys discarded locally.
  • Free Decryptor / Checker:
    Use DcomDec-Integrity-Utility (Kaspersky NoMoreRansom project) to verify if your variant is covered—currently NOT. It only flags whether encrypted blobs match known cipher signatures.
  • Don’t yet wipe backups: Cloud immutable backups (Azure Blob soft-delete ≥ 30 days, or AWS S3 ObjectLock FAIL-GUID 16 continue-on-error) remain the only reliable path.
  • Shadow Volume strategy: Dcom deletes shadow copies via “vssadmin delete shadows /all /quiet”. If backup
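The shadow-copy deletion named above is one of the few loud, early signals in this kind of intrusion, and it can be caught in process-creation telemetry before encryption finishes. The following is an added example, not from the original page: a small detector run over constructed process-creation events (the field names `host`, `user`, `image`, `cmdline`, `parent` are an assumed shape loosely modelled on Sysmon Event ID 1 / Security 4688, not a vendor schema). It goes beyond the page's single `vssadmin` command by also matching the `wmic shadowcopy delete`, `vssadmin resize shadowstorage` and `Win32_ShadowCopy` forms that serve the same purpose. Each alert carries the parent image, because a parent such as `rundll32.exe` or an Office application is what separates this from an administrator's routine VSS maintenance.

```python
import json
import re

# Command-line forms that delete or starve Volume Shadow Copies. The first is the
# one the page names; the others are common equivalents (a generalisation).
SHADOW_DELETE_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("Win32_ShadowCopy via PowerShell/WMI",
     re.compile(r"win32_shadowcopy", re.I)),
]


def classify_command(cmdline: str):
    """Return the name of the first rule the command line matches, or None."""
    for name, rx in SHADOW_DELETE_RULES:
        if rx.search(cmdline):
            return name
    return None


def load_events(ndjson: str):
    """Parse newline-delimited JSON process-creation events (assumed field shape)."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def detect(events):
    """One alert per event whose command line matches a rule; the parent image is
    kept because it is the main triage context for the analyst."""
    alerts = []
    for ev in events:
        rule = classify_command(ev.get("cmdline", ""))
        if rule:
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "rule": rule,
                "parent": ev.get("parent", ""),
                "cmdline": ev["cmdline"],
            })
    return alerts


# Constructed sample events (hostnames, users and paths are made up).
SAMPLE_LOG = r"""
{"host": "WS-0142", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet", "parent": "C:\\Windows\\System32\\rundll32.exe"}
{"host": "WS-0142", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows", "parent": "C:\\Windows\\System32\\cmd.exe"}
{"host": "SRV-FS01", "user": "CORP\\svc-backup", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic shadowcopy delete", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"host": "SRV-FS01", "user": "CORP\\svc-backup", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\"", "parent": "C:\\Windows\\explorer.exe"}
{"host": "WS-0142", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe !readme.txt", "parent": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for a in detect(load_events(SAMPLE_LOG)):
        print(f"[{a['rule']}] {a['host']} {a['user']} parent={a['parent']} :: {a['cmdline']}")
```

In production the same rules map onto a SIEM query over the command-line field; the value of keeping them here is that the parent-process context is preserved per alert rather than collapsed into a count.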