deeep

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .deeep
  • Renaming Convention: Files are renamed in the pattern
    original_name.ext.id-XXXXXXXX.[[email protected]].deeep
    where XXXXXXXX is an 8-digit host identifier. Folders receive a text file named info.hta that auto-launches via the Windows HTML registry handler every time the folder is opened.

2. Detection & Outbreak Timeline

  • Initial Appearance: The #STOP/#Djvu fork that appends .deeep surfaced in December 2021 campaigns concentrated on software-piracy sites (keygens, warez) before pivoting to malvertising and fake browser updates. Outbreak spikes occurred around:
      • 26-28 Dec 2021
      • 05-09 Jan 2022
      • resurgence mid-July 2022 via cracked “MS Office 2021” torrents

3. Primary Attack Vectors

  • Top Infection Vectors (in order of prevalence):
      1. Cracked software bundles (keygens/auto-activators): KMSAuto-minimal.exe, Adobe-All-Gen.exe, VPSKEY.dll loaders.
      2. Fake update sites pushing browser-update pop-ups (“Chrome_Release.exe”, “Firefox-patch.js”).
      3. SmokeLoader & QakBot follow-up stages dropping the final .deeep payload.
      4. RDP brute-forcing (secondary) – observed on mis-patched Windows 7/2008 R2 systems.
      5. Exploit kits (occasional): RIG-E using IE 0-days (CVE-2021-40444) and later leveraging Follina (CVE-2022-30190) in decoy Microsoft Office documents.
  • Privilege Escalation: Elevates to SYSTEM via JuicyPotato or the cmstp.exe bypass. If executed on a domain controller, it exfiltrates the NTDS.dit shadow copy using vssadmin.

Remediation & Recovery Strategies:

1. Prevention

  1. Block cracks/pirated software at the edge – maintain strict web filtering for TLDs .ru, .su, .biz hosting warez.
  2. Disable script host for HTA files:
    reg add "HKLM\SOFTWARE\Classes\htafile\shell\open\command" /ve /t REG_SZ /d "\"%SystemRoot%\System32\Notepad.exe\" \"%1\"" /f
    (breaks the info.hta auto-launch).
  3. Patch/Disable SMBv1, enable Credential Guard, force NTLM-Hashed passwords ≥15 characters.
  4. Application Whitelisting using Windows Defender Exploit Guard (WDAC) – block unsigned EXEs/DLLs from %USERPROFILE%\Downloads.
  5. Deploy EDR with Memory Protection (Djvu family static rules).

2. Removal

# 1) Isolate host (power off Wi-Fi / unplug NIC)
# 2) Boot to a Windows PE or Safe-Mode-with-Networking
# 3) Run Autoruns → untick the malicious scheduled task "Time Trigger Task"
# 4) Live-kill the running instance (PowerShell). Win32_Process exposes ProcessId, not Id,
#    so stop by -Id instead of piping the CIM object straight into Stop-Process:
Get-CimInstance Win32_Process |
  Where-Object { $_.CommandLine -match 'rand1_.*\.exe|syshelper_.*\.exe' } |
  ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
# 5) Remove persistence (paths as observed; -ErrorAction keeps the script going if one is already gone):
Remove-Item "C:\ProgramData\SystemIF\updatewin.exe","C:\Users\Public\runme.exe" -Force -ErrorAction SilentlyContinue
# 6) Clean the Run-key entry:
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SysHelper" /f

3. File Decryption & Recovery

  • Decryption Feasibility:
      • Offline IDs (begin with t1) → can be decrypted for free with the Emsisoft Stop Djvu Decryptor (v1.3.1.0 or newer).
      • Online IDs (begin with t2) → the symmetric AES key is unique per victim – no free decryptor unless the Project-Validus leaks release their private RSA-1024 key in future.
      • Cloud Shadow Copies: Run vssadmin list shadows. If the copies were not purged, mount a shadow copy (diskshadow or 3rd-party tools) to recover earlier versions.
      • Volume-replication services (OneDrive/SharePoint) – this ransomware does not currently nuke cloud versioning; restore via Microsoft 365 retention policies (90 days by default).
  • Essential Tools:
      • Emsisoft Decryptor https://decryptor.emsisoft.com/stop-djvu
      • Bitdefender Ransomware Recognition Tool (beta rules for .deeep)
      • Latest KB5010342 (OS build 19044.1526) or higher on Windows 10/11 to close CVE-2022-30190.
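A triage helper for the renaming pattern in section 1 and the offline/online ID split above, run against a read-only mount of the affected volume. This is an added example, not code from the original write-up or from any vendor tool; it assumes the 8-character id may contain letters, uses a constructed placeholder email, and builds its own constructed sample tree.

```python
import os
import re
import tempfile

# Rename pattern from the write-up: original_name.ext.id-XXXXXXXX.[email].deeep
# The id is described as 8-digit; because offline ids are said to begin with
# "t1", letters are accepted here as well (assumption, not from the write-up).
DEEEP_RE = re.compile(r"^(?P<orig>.+)\.id-(?P<id>[A-Za-z0-9]{8,})\.\[(?P<email>[^\]]+)\]\.deeep$")

def parse_deeep_name(name):
    # Returns (original_name, host_id, email) or None when the name does not match.
    m = DEEEP_RE.match(name)
    return (m.group("orig"), m.group("id"), m.group("email")) if m else None

def classify_id(host_id):
    # Offline/online split exactly as the write-up states it (t1 = offline, t2 = online).
    return "offline" if host_id.startswith("t1") else "online" if host_id.startswith("t2") else "unknown"

def triage_tree(root):
    # Walk a read-only mount: count renamed files per id, flag info.hta drops and
    # the 0-byte remnants that replace originals once they are encrypted.
    report = {"ids": {}, "notes": [], "placeholders": []}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if f.lower() == "info.hta":
                report["notes"].append(path)
            elif (parsed := parse_deeep_name(f)):
                report["ids"][parsed[1]] = report["ids"].get(parsed[1], 0) + 1
            elif os.path.getsize(path) == 0:
                report["placeholders"].append(path)
    return report

def build_sample_tree():
    # Constructed sample tree for a dry run; nothing here is a real capture.
    root = tempfile.mkdtemp(prefix="deeep_triage_")
    os.mkdir(os.path.join(root, "docs"))
    samples = {
        "budget.xlsx.id-t1AbCdEf.[mail@example.invalid].deeep": b"x" * 16,
        "docs/notes.txt.id-t1AbCdEf.[mail@example.invalid].deeep": b"y" * 16,
        "docs/photo.jpg.id-t2ZyXwVu.[mail@example.invalid].deeep": b"z" * 16,
        "docs/info.hta": b"<html></html>",
        "docs/notes.txt": b"",                  # 0-byte remnant of the deleted original
        "readme.md": b"small file left untouched",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Calling triage_tree(build_sample_tree()) yields two ids (one per the t1 prefix, one per the t2 prefix), one note file and one 0-byte placeholder; pass classify_id() each id to decide which files are candidates for the Emsisoft decryptor.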

4. Other Critical Information

  • Unique Traits:
      • Files < 150 KB are skipped; small templated documents will survive unencrypted.
      • Performs double-extortion but does not leak data publicly. It encrypts, then deletes the original files, leaving 0-byte placeholders so that file carving cannot recover them.
      • Leaves IoCs in the Windows Event Log under Event ID 4722 (user account created) with names like _r1z_ (underscore-zero sequence).
  • Broader Impact:
      • .deeep campaigns have aligned with the Djvu Rebranding Spree (#2019-onwards); they rapidly re-skin to avoid YARA/AV detection while re-using Stop-Djvu infrastructure.
      • Sectors repeatedly hit: hobbyists/gamers downloading cracks, small MSPs patching RDP late, and Ukraine-based NGOs receiving “patch translations” lures.

Maintain immutable offline backups (WORM tape or S3 Object Lock) because new offline IDs are still surfacing monthly, and Emsisoft’s decryptor only covers pre-collected key leaks.