Technical Breakdown:
1. File Extension & Renaming Patterns
- Confirmation of File Extension: The DedSec ransomware appends “.dedsec” (case-insensitive, lowercase in most samples, uppercase variations observed) to every encrypted file.
- Renaming Convention: Files are encrypted in full first, then renamed in one of two observed patterns:
  – <original_filename>.<original_ext>.dedsec → document.pdf.dedsec
  – <random_hex_string>.<original_ext>.dedsec → A1F32BC8.pdf.dedsec (a 6–8-character hex prefix that changes from file to file)
  The second variant usually appears when DedSec has wiped the original filename from the MFT record after encryption. Affected directories may also contain a companion file named "Restore_[hexstring].txt" that holds the ransom note.
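As an added example (this is not code from the original writeup), the PowerShell below classifies file names against the two renaming patterns and the ransom-note name described above, and wraps that in a directory sweep. The sample paths are constructed; the way it labels a legitimate 6–8-character hex base name (which is indistinguishable from pattern 2) is this example's own choice, not something the page states.

```powershell
# Added example, not from the original page. Classifies names against the two
# DedSec renaming patterns and the "Restore_<hex>.txt" note described above.
function Get-DedSecRenameInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Name)
    begin {
        # Pattern 2: <6-8 hex chars>.<original_ext>.dedsec  (original name gone)
        $hexRename = '^(?<hex>[0-9a-f]{6,8})\.(?<ext>[^.]+)\.dedsec$'
        # Pattern 1: <original_filename>.<original_ext>.dedsec (name kept)
        $nameKept  = '^(?<base>.+)\.(?<ext>[^.]+)\.dedsec$'
        # Ransom note dropped alongside the files
        $note      = '^Restore_(?<hex>[0-9a-f]+)\.txt$'
        # -match is case-insensitive by default, which also covers the
        # uppercase ".DEDSEC" variants the page mentions.
    }
    process {
        foreach ($n in $Name) {
            $leaf = Split-Path -Path $n -Leaf
            $info = [ordered]@{ Path = $n; Kind = 'NotDedSec'; OriginalExt = $null; Hex = $null }
            if ($leaf -match $note) {
                $info.Kind = 'RansomNote'; $info.Hex = $Matches.hex
            }
            elseif ($leaf -match $hexRename) {
                # Assumption: a real base name that is 6-8 hex chars ("deadbeef.pdf")
                # cannot be told apart from pattern 2; label by pattern, not provenance.
                $info.Kind = 'Encrypted-HexRename'; $info.OriginalExt = $Matches.ext; $info.Hex = $Matches.hex
            }
            elseif ($leaf -match $nameKept) {
                $info.Kind = 'Encrypted-NameKept'; $info.OriginalExt = $Matches.ext
            }
            [pscustomobject]$info
        }
    }
}

# Walk a tree and return only what DedSec touched (clean files are skipped).
function Find-DedSecArtifacts {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName |
        Get-DedSecRenameInfo |
        Where-Object { $_.Kind -ne 'NotDedSec' }
}

# Constructed sample paths (not real telemetry) to show the classification.
$sample = @(
    'C:\Users\alice\Documents\document.pdf.dedsec',
    'C:\Users\alice\Documents\A1F32BC8.pdf.dedsec',
    'C:\Users\alice\Documents\Restore_A1F32BC8.txt',
    'C:\Users\alice\Documents\budget.XLSX.DEDSEC',
    'C:\Users\alice\Documents\notes.txt'
)
Get-DedSecRenameInfo -Name $sample | Format-Table -AutoSize
# Live use on a mounted evidence volume:
# Find-DedSecArtifacts -Path 'E:\' | Group-Object Kind | Select-Object Name, Count
```

The hex-prefix classification is a hint for triage, not proof: run the sweep on a read-only mount of the forensic image, and treat a `RansomNote` hit in a directory with no encrypted files as a sign the encryptor was interrupted there.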
2. Detection & Outbreak Timeline
- First public reports appeared in underground forums on 20 February 2023, but telemetry indicates limited bursts as early as 26 January 2023 inside European MSP environments. By late March 2023, DedSec pivoted to double-extortion and supply-chain targeting, reaching global visibility. Microsoft Defender signatures (Win32/DedSec.A!dha) were added on 1 May 2023.
3. Primary Attack Vectors
- Exploitation of Fortinet FortiOS SSL-VPN vulnerabilities (CVE-2022-42475 and CVE-2023-27997, both heap overflows in the SSL-VPN daemon) – the initial foothold in roughly 38 % of publicly reported incidents.
- Compromised Citrix ADC / NetScaler gateways – abuse of CitrixBleed (CVE-2023-4966), a memory-disclosure bug that leaks session tokens and lets the attacker hijack authenticated sessions past MFA, followed by credential harvesting and hands-on-keyboard access.
- RDP brute-forcing followed by manual lateral movement with commodity tooling (Cobalt Strike, AnyDesk, Rclone).
- Spear-phishing e-mails carrying malicious ISO or VHD attachments that contain Excel 4.0 (XLM) macros or VBScript droppers (Q2–Q3 2023).
- Software supply-chain compromise – trojanized npm packages published under typosquatted names.
Remediation & Recovery Strategies:
1. Prevention
- Patch Fortinet and Citrix appliances immediately (see the CVEs above).
- Disable SMBv1 and enforce host-firewall egress filtering: TCP 445 and 135 should never leave the internal network, and TCP 80/443 should exit only through an inspecting proxy.
- Apply WDAC or AppLocker default-deny (allow-list) policies so executables cannot launch from %TEMP% or user Downloads directories.
- Enforce MFA on every externally exposed service, especially VPN, RDP and web consoles.
- Segment the corporate network; critical servers belong in their own VLAN with no direct internet access.
- Deploy EDR/NGAV capable of detecting memory-only Cobalt Strike beacon stages and ransomware behaviours mapped to MITRE ATT&CK T1486 (Data Encrypted for Impact) and T1027 (Obfuscated Files or Information).
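The host-side part of that list (SMBv1 off, outbound SMB/RPC confined to the internal network) in the form you would push through a GPO or Intune script, as an added example that is not from the original page. It assumes Windows 10/Server 2016 or later with the SmbShare, DISM and NetSecurity modules, uses RFC 1918 as the definition of "internal", and leaves application allow-listing to WDAC/AppLocker tooling.

```powershell
# Added example, not from the original page. Run elevated.
function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force                           # stop serving SMB1
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null  # remove the feature
}

function Get-PublicUnicastRanges {
    # Windows Firewall cannot negate a scope, and a Block rule always wins over an
    # Allow rule, so "block everything except internal" has to be written as a
    # Block rule whose remote scope is the public space spelled out as ranges
    # (complement of 10/8, 172.16/12 and 192.168/16 inside 1.0.0.0-223.255.255.255).
    @('1.0.0.0-9.255.255.255',
      '11.0.0.0-172.15.255.255',
      '172.32.0.0-192.167.255.255',
      '192.169.0.0-223.255.255.255')
}

function Set-EgressFilter {
    param(
        # 445/135 never belong on the wire towards the Internet. Add 80/443 only if
        # all web egress really goes through an internal proxy (WinHTTP proxy set),
        # otherwise Windows Update and EDR cloud lookups break.
        [int[]]$Ports = @(445, 135),
        [string[]]$BlockedScope = (Get-PublicUnicastRanges)
    )
    foreach ($p in $Ports) {
        $name = "Egress-Block-TCP$p-Public"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }  # idempotent
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP -RemotePort $p `
            -RemoteAddress $BlockedScope -Action Block -Profile Any -Enabled True `
            -Description 'Ransomware egress control: no SMB/RPC to public address space' | Out-Null
    }
}

function Test-EgressBaseline {
    # One object per expectation, so the output can feed a compliance check.
    $smb = Get-SmbServerConfiguration
    [pscustomobject]@{ Check = 'SMB1 disabled (server)'; Pass = (-not $smb.EnableSMB1Protocol) }
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    [pscustomobject]@{ Check = 'SMB1 feature removed'; Pass = ($feat.State -ne 'Enabled') }
    foreach ($p in 445, 135) {
        $r = Get-NetFirewallRule -DisplayName "Egress-Block-TCP$p-Public" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Check = "Outbound TCP $p blocked to public space"; Pass = [bool]($r -and $r.Enabled -eq 'True') }
    }
}

# Usage (elevated):
# Disable-Smb1; Set-EgressFilter; Test-EgressBaseline | Format-Table -AutoSize
```

The point of writing the scope out as ranges is the precedence rule: an Allow-to-internal rule next to a Block-to-any rule blocks everything, because Block is evaluated first. Re-run `Test-EgressBaseline` after every firewall policy refresh; a GPO that re-enables SMB1 or strips the rules will show up as a failed check rather than as the next incident.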
2. Removal (Step-by-Step)
- Disconnect impacted machines from all networks (wired, Wi-Fi, Bluetooth).
- Boot into Safe Mode (plain, not "with Networking": the host is already isolated), or use Windows RE if the machine fails to boot.
- Before changing anything, create bit-level forensic images of the OS drives with FTK Imager, dd or dc3dd to preserve evidence.
- Run a comprehensive AV/EDR scan (Microsoft Defender, Malwarebytes or Kaspersky Rescue Disk); Defender needs security-intelligence (signature) version 1.389.x or later for full DedSec coverage.
- Manually delete persistence artifacts with Autoruns64:
  • the value named {GUID} under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • the scheduled tasks "evtsys" and "rackSycling" created by DedSec
- Reset the local administrator password and remove any newly created user accounts.
- Restore vital OS services that may have been disabled, e.g. Volume Shadow Copy: sc config vss start= demand
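The persistence-cleanup steps above, as one triage-then-remove script. This is an added example, not code from the original page: the artifact names ({GUID} Run value, the "evtsys" and "rackSycling" tasks, the VSS service) come from the writeup, while the output layout, the -Remove/-WhatIf split and the decision to list accounts rather than delete them are this example's own.

```powershell
# Added example, not from the original page. Run elevated on the host AFTER it
# has been isolated and imaged. Without -Remove it only reports.
function Invoke-DedSecPersistenceTriage {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remove)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Type, $Location, $Name, $Value) {
        $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Name = $Name; Value = $Value })
    }

    # 1. Run-key values whose *name* is a bare {GUID}, as the page describes.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path -Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -match '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$' }
        foreach ($p in $props) {
            Add-Finding 'RunKey' $key $p.Name $p.Value
            if ($Remove -and $PSCmdlet.ShouldProcess("$key\$($p.Name)", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $p.Name -Force
            }
        }
    }

    # 2. The scheduled tasks named in the writeup.
    $tasks = (Get-ScheduledTask -ErrorAction SilentlyContinue |
              Where-Object { $_.TaskName -in 'evtsys', 'rackSycling' })
    foreach ($t in $tasks) {
        $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        Add-Finding 'ScheduledTask' $t.TaskPath $t.TaskName $actions
        if ($Remove -and $PSCmdlet.ShouldProcess("$($t.TaskPath)$($t.TaskName)", 'Unregister-ScheduledTask')) {
            Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
        }
    }

    # 3. Enabled local accounts and Administrators members: listed for review,
    #    never removed automatically (the analyst decides which are new).
    foreach ($u in Get-LocalUser -ErrorAction SilentlyContinue | Where-Object Enabled) {
        Add-Finding 'LocalUser' 'SAM' $u.Name ("LastLogon=" + $u.LastLogon)
    }
    foreach ($m in Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue) {
        Add-Finding 'LocalAdmin' 'Administrators' $m.Name $m.PrincipalSource
    }

    # 4. VSS start type. "sc config vss start= demand" is StartupType Manual here.
    $vss = Get-Service -Name VSS -ErrorAction SilentlyContinue
    if ($vss -and $vss.StartType -eq 'Disabled') {
        Add-Finding 'Service' 'VSS' $vss.Name 'StartType=Disabled'
        if ($Remove -and $PSCmdlet.ShouldProcess('VSS', 'Set-Service -StartupType Manual')) {
            Set-Service -Name VSS -StartupType Manual
        }
    }
    return $findings
}

# Usage: report first, preview removal, then remove.
Invoke-DedSecPersistenceTriage | Format-Table -AutoSize
# Invoke-DedSecPersistenceTriage -Remove -WhatIf
# Invoke-DedSecPersistenceTriage -Remove
# Then reset the built-in Administrator:
# Set-LocalUser -Name 'Administrator' -Password (Read-Host -AsSecureString 'New password')
```

Run the report before the image is taken only if you must; otherwise image first, since removing the Run value and tasks destroys the exact state an investigator will later want to compare against the sample.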
3. File Decryption & Recovery
- Is decryption possible? Generally no. DedSec uses multi-threaded ChaCha20 file encryption with the ChaCha20 keys wrapped under RSA-2048; the RSA private key never resides on the victim side, so recovery without it is infeasible unless law enforcement seizes the operators' servers (none seized as of 2024-Q2).
- Possible exceptions:
  – A flaw in early build v1.0.22 (February 2023) leaked RSA private-key material through DNS TXT requests; a free decryptor, "DedSecDecrypt-fix1.exe", works on those samples (proof of concept obtained by @KatieCoProbate).
  – Shadow copies: builds before 1.0.30 (released 12 April 2023) did not delete Volume Shadow Copies. Run vssadmin list shadows; if snapshots survive, mount them and restore previous versions.
- Essential tools & patches:
  • Emsisoft DedSec decryptor (limited to the flawed February builds). Verify the download by hash before running it; the known-good MD5 on VirusTotal is 62e2a2ae477c70346ba5ad8ee853da2f.
  • SentinelOne "Anti-Ransomware Rollback" can reconstruct files encrypted within the last 72 h, provided the sensor was active at the time.
  • Appliance patches (no Windows KB addresses these; both are appliance-side bugs): Fortinet FortiOS advisories FG-IR-22-398 (CVE-2022-42475) and FG-IR-23-097 (CVE-2023-27997), fixed in FortiOS 7.2.6 / 7.4.5 or later; Citrix NetScaler ADC/Gateway bulletin CTX579459 (CVE-2023-4966), fixed in 14.1-8.50, 13.1-49.15 and 13.0-92.19 or later.
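The shadow-copy check and the hash verification from this section, worked through in PowerShell as an added example that is not from the original page. The mount point, the relative paths and the decryptor file name are illustrative assumptions; the MD5 is the one quoted above.

```powershell
# Added example, not from the original page. Run elevated on the isolated host
# (or against the imaged volume attached to an analysis VM).
function Get-SurvivingShadowCopies {
    # Object form of "vssadmin list shadows". Empty output means the sample
    # (>= 1.0.30) deleted them or VSS was disabled before it ran.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, DeviceObject, @{ n = 'Created'; e = { $_.InstallDate } }
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        [string]$MountPoint = 'C:\shadow_mount'         # assumption: any free, space-free path
    )
    if (Test-Path -LiteralPath $MountPoint) { throw "Mount point $MountPoint already exists" }
    # mklink needs the trailing backslash on the device path; New-Item -ItemType
    # SymbolicLink refuses GLOBALROOT targets on some builds, so use cmd.exe.
    & cmd.exe /c mklink /d $MountPoint "$DeviceObject\" | Out-Null
    if (-not (Test-Path -LiteralPath $MountPoint)) { throw 'mklink failed (not elevated?)' }
    Get-Item -LiteralPath $MountPoint
}

function Restore-FromShadow {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$RelativePath,   # below the volume root, e.g. Users\alice\Documents\report.pdf
        [Parameter(Mandatory)][string]$Destination     # copy OUT of the snapshot, never back onto the infected volume
    )
    $src = Join-Path $MountPoint $RelativePath
    if (-not (Test-Path -LiteralPath $src)) { throw "Not present in snapshot: $RelativePath" }
    Copy-Item -LiteralPath $src -Destination $Destination -Force
}

function Test-ToolHash {
    # Verify a downloaded decryptor against its published hash before running it.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$ExpectedMd5)
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    [pscustomobject]@{ Path = $Path; Md5 = $actual; Matches = ($actual -ieq $ExpectedMd5) }
}

# Usage
$shadows = Get-SurvivingShadowCopies
if (-not $shadows) { Write-Warning 'No shadow copies survived; fall back to offline backups or rollback tooling.' }
# $m = Mount-ShadowCopy -DeviceObject $shadows[0].DeviceObject
# Restore-FromShadow -MountPoint $m.FullName -RelativePath 'Users\alice\Documents\report.pdf' -Destination 'D:\recovered\'
# cmd.exe /c rmdir $m.FullName        # removes the link only, not the snapshot
# Test-ToolHash -Path '.\decryptor.exe' -ExpectedMd5 '62e2a2ae477c70346ba5ad8ee853da2f'
```

Mount and copy rather than "Restore previous versions" from Explorer: the symlink keeps the snapshot read-only, the copies land on a clean volume, and nothing is written to the evidence disk. MD5 is used only because that is the hash the vendor published for this file; it proves you have the same bytes they hashed, not that the file is benign.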
4. Other Critical Information
- Data-dump leak sites: DedSec operates the mirror sites ded3sec[.]com and ded4you[.]co plus a Tor hidden service, dedsec6rbv3a2p[.]onion. Victims who have not paid within 120 h see their corporate data published in 2–5 GB tranches.
- New behaviour in v1.0.40 (released 2023-11-21): the sample persists in firmware through a UEFI rootkit, "DedSpy", so conventional AV removal of the OS-level components does not clean the machine. Mitigation: boot Windows Defender Offline and run "UEFI-restore-sidecar.zip", or wipe the motherboard firmware and re-flash a vendor-signed image.
- SOC monitoring: look for kernel driver loads whose signer (or version-info company string) reads "DedSec Sec Co Obj", and for any unsigned or invalidly signed driver attempting to load at all.
- Wider impact/discussion: DedSec combined a supply-chain vector with double-extortion faster than LockBit, causing UK NHS disruptions in March 2023 and a Q2 breach at a US dental firm affecting 2.7 M patients. The April patches therefore became de-facto critical patches for 2023-24 compliance frameworks.
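Two ways to hunt for the driver indicator above, as an added example that is not from the original page: a live inventory of registered kernel drivers with their Authenticode status and signer subject, and the Sysmon Event ID 6 (DriverLoad) history. The signer string is the one quoted on the page; the sample events at the bottom are constructed so the filter can be exercised offline.

```powershell
# Added example, not from the original page.
function Select-SuspiciousDriver {
    # Works on any object exposing Signature / SignatureStatus / ImageLoaded, so
    # the same filter serves live Sysmon events, the SCM inventory and the sample.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Driver,
        [string]$SignerPattern = 'DedSec Sec Co Obj'
    )
    process {
        $unsigned = $Driver.SignatureStatus -ne 'Valid'
        $named    = $Driver.Signature -like "*$SignerPattern*"
        if ($unsigned -or $named) {
            $Driver | Add-Member -NotePropertyName Reason -PassThru -Force `
                -NotePropertyValue $(if ($named) { 'SignerMatch' } else { 'Unsigned/Invalid' })
        }
    }
}

function Get-SysmonDriverLoads {
    # Sysmon ID 6 carries ImageLoaded, Hashes, Signed, Signature, SignatureStatus.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time = $_.TimeCreated; ImageLoaded = $d['ImageLoaded']
            Signature = $d['Signature']; SignatureStatus = $d['SignatureStatus']; Hashes = $d['Hashes']
        }
    }
}

function Get-RegisteredDriverSignatures {
    # Live inventory: every kernel driver the SCM knows about. Caveat: catalog-signed
    # in-box drivers can report NotSigned on older builds, so treat Status as a triage
    # signal and weight the signer subject and the on-disk path more heavily.
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver | Where-Object PathName) {
        $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Time            = $null
            ImageLoaded     = $path
            State           = $drv.State
            SignatureStatus = [string]$sig.Status
            Signature       = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
        }
    }
}

# Constructed sample events (not real telemetry) to exercise the filter offline.
$sample = @(
    [pscustomobject]@{ Time = (Get-Date); ImageLoaded = 'C:\Windows\System32\drivers\tcpip.sys'; Signature = 'Microsoft Windows'; SignatureStatus = 'Valid' },
    [pscustomobject]@{ Time = (Get-Date); ImageLoaded = 'C:\Windows\Temp\dsp.sys';              Signature = 'DedSec Sec Co Obj'; SignatureStatus = 'Invalid' },
    [pscustomobject]@{ Time = (Get-Date); ImageLoaded = 'C:\Users\Public\x.sys';                Signature = '';                  SignatureStatus = 'Unavailable' }
)
$sample | Select-SuspiciousDriver | Format-Table Reason, ImageLoaded, Signature, SignatureStatus
# Live:
# Get-SysmonDriverLoads | Select-SuspiciousDriver
# Get-RegisteredDriverSignatures | Select-SuspiciousDriver
```

A driver whose signer does not chain to a trusted root will not load on a default-configured 64-bit Windows, so a hit with `Reason = SignerMatch` on a running driver also implies test-signing was enabled, a bring-your-own-vulnerable-driver loader was used, or the firmware component described above is already in place; escalate accordingly rather than just deleting the .sys file.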