ded

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

Confirmation of File Extension

This ransomware consistently appends “.ded” as a second extension after the original file’s extension.
Typical end state: filename.ext.ded

Renaming Convention

  • Both the file name and its extension are preserved; only .ded is appended.
  • The marker is case-insensitive on NTFS but is always observed lower-case in the wild.
  • Directory traversal is strictly alphabetical and depth-first: files in deeply nested shares can finish encrypting long before top-level ones.
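The renaming convention above gives incident responders a cheap way to scope an outbreak: walk a share, pick out every name that ends in the marker as a second extension, and tabulate what the originals were. The following scanner is an added example written for this page (it is not code from the profile or from any vendor); the marker constant, the depth bookkeeping and the constructed sample tree in demo() are this example's own choices.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Marker the profile above reports as the appended second extension.
RANSOM_MARKER = ".ded"


def is_renamed_by_ransomware(filename: str, marker: str = RANSOM_MARKER) -> bool:
    """True when `marker` was appended as a *second* extension (filename.ext.ded).

    The comparison is case-insensitive because NTFS is; the original name and
    extension are preserved, so whatever precedes the marker must itself still
    carry an extension. A bare "orphan.ded" therefore does not match.
    """
    if not filename.lower().endswith(marker.lower()):
        return False
    original = filename[: -len(marker)]
    return Path(original).suffix != ""


def original_name(filename: str, marker: str = RANSOM_MARKER) -> str:
    """Recover the pre-encryption name: the profile states only the marker was added."""
    if is_renamed_by_ransomware(filename, marker):
        return filename[: -len(marker)]
    return filename


def scan_tree(root: str, marker: str = RANSOM_MARKER) -> dict:
    """Walk `root` and collect every file the ransomware renamed.

    Returns the list of hits (path + original name), a histogram of the
    original extensions (which data types were hit) and the deepest directory
    level touched. Depth matters because the profile notes encryption runs
    depth-first, so deep shares can be fully encrypted while the top level
    still looks clean.
    """
    root_path = Path(root)
    hits, by_ext, max_depth = [], Counter(), 0
    for dirpath, _dirs, files in os.walk(root):
        depth = len(Path(dirpath).relative_to(root_path).parts)
        for fname in files:
            if not is_renamed_by_ransomware(fname, marker):
                continue
            orig = original_name(fname, marker)
            hits.append({"path": str(Path(dirpath) / fname), "original": orig})
            by_ext[Path(orig).suffix.lower()] += 1
            max_depth = max(max_depth, depth)
    return {"hits": hits, "by_extension": dict(by_ext), "max_depth": max_depth}


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and scan it (sample data, not real evidence)."""
    base = Path(tempfile.mkdtemp(prefix="ded-scan-"))
    (base / "deep" / "er").mkdir(parents=True)
    for name in ("report.docx.ded", "notes.TXT.DED", "clean.pdf", "orphan.ded"):
        (base / name).write_text("x")
    (base / "deep" / "er" / "db.sqlite.ded").write_text("x")
    return scan_tree(str(base))


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['hits'])} encrypted files, deepest level {result['max_depth']}")
    for ext, count in sorted(result["by_extension"].items()):
        print(f"  {ext or '(none)'}: {count}")
```

Point scan_tree() at a mounted, read-only copy of an affected share rather than the live host; the histogram tells you which data classes need restoring first, and max_depth, read against the depth-first note above, hints at how far the run progressed before it was stopped.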

2. Detection & Outbreak Timeline

  • First public appearance: Mid-January 2023 (early samples observed 11 Jan 2023 on hybrid-analysis sandboxes).
  • First notable campaign: 24–31 Jan 2023 – a wave targeting German mid-sized manufacturers via fraudulent ISO attachments.
  • Surge: Mid-Apr 2023 onward when the operator switched to IcedID → Cobalt Strike → Ded living-off-the-land kill-chain.

3. Primary Attack Vectors

| Vector | Technique Observed | Notes |
|---|---|---|
| Phishing | LNK ISOs with hidden .wsf or OneNote embedded attachments dropping IcedID, which fetches Ded. | Macros are not required; the LNK targets %windir%\System32\wscript.exe directly. |
| RDP brute-force / Initial Access Brokers | Credential stuffing through proxy-rotated SOCKS5 exit nodes (RU origin), followed by privilege escalation via PrintNightmare or Zerologon. | Tools: NLBrute, RDPWrap forks, Evil-WinRM. |
| Vulnerable public-facing applications | Fortinet CVE-2022-42475 (heap-based buffer overflow); ManageEngine ADSelfService CVE-2021-40539. | Exploit chains fully automated, from Shodan scraping to Cobalt Strike stager drop. |
| Living-off-the-land | Uses wmic.exe process call create with regsvr32 /s /i shell.dll to sideload the Ded payload (update.dll). | The DLL’s export #1 is encrypted in .rsrc; the file-encryption back-end is AES-NI accelerated. |
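The phishing and living-off-the-land rows describe process chains that ordinary process-creation telemetry (Sysmon event 1 or EDR equivalents) captures. The rule set below is an added example for this page, not vendor detection content: the DED-1xx rule names, the simplified ProcessEvent field shape, the sample events and the explorer.exe parent condition in the first rule are all this example's own assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Simplified process-creation record (Sysmon event 1 / EDR-style fields)."""
    host: str
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


def _exe(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Rule names (DED-1xx) are constructed for this example, not vendor signatures.
RULES = {
    # Phishing row: an LNK that targets wscript.exe directly against a .wsf.
    # The explorer.exe parent reflects a user opening the lure from a mounted
    # ISO; that parent condition is an assumption of this example.
    "DED-101 wscript.exe running a .wsf from an explorer-launched lure": lambda e: (
        _exe(e.image) == "wscript.exe"
        and re.search(r"\.wsf\b", e.command_line, re.I) is not None
        and _exe(e.parent_image) == "explorer.exe"
    ),
    # Living-off-the-land row: wmic.exe process call create ... regsvr32 /s /i <dll>
    "DED-102 wmic process-call-create spawning silent regsvr32": lambda e: (
        _exe(e.image) == "wmic.exe"
        and re.search(r"process\s+call\s+create", e.command_line, re.I) is not None
        and re.search(r"regsvr32(\.exe)?\s+/s\s+/i\b", e.command_line, re.I) is not None
    ),
    # Sideload of the payload DLL from a user-writable location (the removal
    # section lists %ProgramData% and %AppData% drop paths).
    "DED-103 regsvr32/rundll32 loading a DLL from ProgramData or AppData": lambda e: (
        _exe(e.image) in {"regsvr32.exe", "rundll32.exe"}
        and re.search(r"\\(programdata|appdata)\\[^\s\"]+\.dll\b", e.command_line, re.I) is not None
    ),
}


def evaluate(events):
    """Run every rule over every event; return (rule, host, command_line) per match."""
    alerts = []
    for event in events:
        for rule_name, predicate in RULES.items():
            if predicate(event):
                alerts.append((rule_name, event.host, event.command_line))
    return alerts


# Constructed sample telemetry; hostnames and paths are made up for the example.
SAMPLE_EVENTS = [
    ProcessEvent("WS-0042", r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "E:\Invoice_2023-01.wsf"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("WS-0042", r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic process call create "regsvr32 /s /i C:\ProgramData\shell.dll"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS-0042", r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32 /s /i C:\ProgramData\shell.dll",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    # Benign look-alikes that must stay quiet:
    ProcessEvent("WS-0007", r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32 /s C:\Windows\System32\vbscript.dll",
                 r"C:\Windows\System32\msiexec.exe"),
    ProcessEvent("WS-0007", r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"',
                 r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for rule, host, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{host}] {rule}\n    {cmd}")
```

The three rules fire in sequence on the same host in the sample, which is the pattern worth alerting on as a chain: a script host from a lure, then wmic launching regsvr32, then regsvr32 loading a DLL from ProgramData. Tune DED-103 against your own software inventory before enabling it in block mode, since some legitimate installers register DLLs from AppData.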


Remediation & Recovery Strategies:

1. Prevention

  • Patch immediately: FortiOS ≥ 7.0.10 & 7.2.4 / ADSelfService ≥ 6114 / Windows Print Spooler KB5005652.
  • Disable SMBv1 domain-wide via GPO (requires a reboot; SMBv1 is not the initial access vector here, but disabling it limits lateral SMB movement).
  • Enforce RDP NLA plus source-network ACLs; enforce an account lockout policy (lock after 5 failed attempts).
  • Run EDR in “block-and-isolate” mode; detection aliases: Win64/Ded.A, Ransom:DED256.
  • Application control via WDAC or AppLocker: allow-list winlogon, explorer, lsass only.
  • Phishing-resistant MFA for VPN/Outlook-Web-Access.

2. Removal (step-by-step isolation on Windows endpoints)

  1. Power off network adapters (air-gap) to stop the encryption threads from communicating with C2.
  2. Boot from WinPE or a Linux live USB → mount the disk read-only → copy $MFT & $LogFile to an external SSD for forensics.
  3. Kill malicious processes (update.exe, and any rundll32.exe instance loading a DLL not signed by Microsoft).
  4. Delete persistence:
     • schtasks /delete /tn "\Microsoft\Windows\UpdateOrchestrator\UpdateModel" (spoofed, look-alike task path)
     • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run → “UpdateCheck”
     • Service RDPUpdater pointing to C:\ProgramData\SM1621d6\tope.dll
  5. Quarantine/delete dropped binaries (%ProgramData%, %AppData%\Roaming\Microsoft\Windows.SRC).
  6. Reboot into Safe Mode → run MSERT (offline Defender rescue), followed by ESET SysRescue Live.
  7. Run a full offline scan again, then re-join the domain once confirmed clean.

3. File Decryption & Recovery

No public decryptor currently exists: ded encrypts each file with ChaCha20-Poly1305 under a per-file 32-byte key that is wrapped with an RSA-4096 master public key.
Kaspersky, Bitdefender, and KISA checked in August 2023; the private keys have not leaked.
Options:

  • Offline backups (3-2-1 rule): restore from an immutable Veeam backup repository.
  • Volume Shadow Copy salvage: some strains run vssadmin delete shadows, but incomplete runs leave sparse .xml snapshots; use ShadowExplorer, or vssadmin list shadows followed by mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\.
  • Volume repair: if MFT record recycling was incomplete, ReclaiMe or UFS Explorer can salvage orphaned files.

4. Other Critical Information

  • Ransom note: HOW_TO_BACK_FILES.html + !!!READ_RASOW!!!!!.txt in every folder; the Bitcoin address rotates every 36 hrs (duckdns dynamic sub-domains).
  • Exfiltration angle: uses rclone copyto .\Users\ . --dry-run=false to Mega.nz, then posts the amount of data plus a screenshot in “Mommy.txt”. Victims failing to pay within 3 days had sample data leaked to the clearnet site dedleak[.]com.
  • Unique IOCs:
     • Mutex: Global\dedMUTEX_1337_(<hostnameHash>)
     • C2 channels: fallback DGA domains seeded by the date, with algorithmic sub-domains such as tmg3zfu7d9mn3036.ded-bit[.]net.
  • Broader Notable Impact: the April 2023 incident at KatDekon electronics (Hannover) led to a 2-week production line halt and a €5.1 M social loss, directly attributed to infection by this variant. A subsequent warning by the German BSI flagged the Fortinet exploitation wave as the most disruptive of 2023.
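The persistence artifacts in the removal section and the IOCs listed just above are the kind of values a responder greps for in a collected artifact dump (mutex listings, scheduled-task exports, Run keys, service tables, DNS logs). The triage script below is an added example for this page, not a tool from the profile: the indicator constants are transcribed from the text, while the (source, value) record format, the DGA entropy heuristic and threshold, the hostnames, the hash value inside the mutex and the Run value data are all constructed for the example.

```python
import math
import re

# Indicators transcribed from the removal and IOC lists above. Everything in
# SAMPLE_RECORDS that is not one of these constants is constructed sample data.
IOC_MUTEX = re.compile(r"^Global\\dedMUTEX_1337_\(.+\)$")
IOC_TASK_PATH = r"\Microsoft\Windows\UpdateOrchestrator\UpdateModel"
IOC_RUN_VALUE = "UpdateCheck"
IOC_SERVICE_NAME = "RDPUpdater"
IOC_SERVICE_DLL = r"C:\ProgramData\SM1621d6\tope.dll"
IOC_RANSOM_NOTES = {"how_to_back_files.html", "!!!read_rasow!!!!!.txt"}
IOC_C2_DOMAIN = "ded-bit.net"


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; DGA labels sit well above dictionary words."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(label: str) -> bool:
    """Heuristic (an assumption of this example, not from the profile): a long
    label mixing letters and digits with high entropy, like the sample sub-domain."""
    return (
        len(label) >= 12
        and any(ch.isalpha() for ch in label)
        and any(ch.isdigit() for ch in label)
        and shannon_entropy(label) >= 3.5
    )


def classify(source: str, value: str):
    """Map one collected artifact to the IOC rule it matches, or None."""
    v = value.strip()
    if source == "mutex" and IOC_MUTEX.match(v):
        return "mutex"
    if source == "task" and v.lower() == IOC_TASK_PATH.lower():
        return "scheduled-task"
    if source == "run" and v.split("=", 1)[0].strip().lower() == IOC_RUN_VALUE.lower():
        return "run-key"
    if source == "service":
        name, _, binpath = v.partition(" ")
        if name.lower() == IOC_SERVICE_NAME.lower() or binpath.strip().lower() == IOC_SERVICE_DLL.lower():
            return "service"
    if source == "file" and v.rsplit("\\", 1)[-1].lower() in IOC_RANSOM_NOTES:
        return "ransom-note"
    if source == "dns":
        host = v.lower().rstrip(".")
        if host == IOC_C2_DOMAIN or host.endswith("." + IOC_C2_DOMAIN):
            return "c2-domain"
        if looks_like_dga(host.split(".")[0]):
            return "dga-like-label"
    return None


def triage(records):
    """records: iterable of (source, value). Returns one dict per matched artifact."""
    hits = []
    for source, value in records:
        rule = classify(source, value)
        if rule:
            hits.append({"source": source, "value": value, "rule": rule})
    return hits


# Constructed artifact dump, shaped like a collection script's export.
SAMPLE_RECORDS = [
    ("mutex", r"Global\dedMUTEX_1337_(9f3a1c)"),          # hash value is a placeholder
    ("mutex", r"Global\SomeVendorUpdaterMutex"),
    ("task", r"\Microsoft\Windows\UpdateOrchestrator\UpdateModel"),
    ("task", r"\Microsoft\Windows\Defrag\ScheduledDefrag"),
    ("run", r'UpdateCheck="C:\ProgramData\example-placeholder.exe"'),  # value data constructed
    ("run", r"OneDrive=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("service", r"RDPUpdater C:\ProgramData\SM1621d6\tope.dll"),
    ("service", r"Spooler C:\Windows\System32\spoolsv.exe"),
    ("file", r"D:\Shares\Finance\HOW_TO_BACK_FILES.html"),
    ("file", r"D:\Shares\Finance\Q2-budget.xlsx.ded"),
    ("dns", "tmg3zfu7d9mn3036.ded-bit.net"),
    ("dns", "k2x9qaz7vb4m1p0s.example.org"),
    ("dns", "updates.example.com"),
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(f"{hit['rule']:16} {hit['source']:8} {hit['value']}")
```

The exact-match rules are the ones to trust for scoping which hosts were touched; the dga-like-label heuristic is only a lead for reviewing DNS logs once the date-seeded fallback domains come into play, and it will flag some legitimate machine-generated labels (CDN and telemetry hostnames), so treat its hits as review items rather than confirmed infections.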

Stay vigilant: rotate credentials post-incident, audit AD Tier 0, and review backup write-immutability to outlast the next ded wave.