defender

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The defender ransomware appends the literal extension .defender to every encrypted file, e.g., Budget2024.xlsx.defender.
  • Renaming Convention: In addition to the double extension, the malware places the infection ID and the attacker’s TOR-payment address before the final .defender, producing names such as:
    Q8X9K3Y2_ContactUs_3fa4u7l4.onion.defender
    where Q8X9K3Y2 is a unique victim ID derived from the host’s volume serial number.
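A small PowerShell helper, added here as an example and not code from the original write-up, that recognises both forms of the naming convention above and sweeps a directory tree for them. It assumes the ID-bearing form is `<VictimID>_<OriginalName>_<onionhost>.onion.defender` and the plain form is `<OriginalName>.<ext>.defender`, as the two examples suggest; the function names are my own.

```powershell
# Added example (not from the original write-up): parse the .defender naming
# convention and sweep a tree for matching files. Assumed layout of the
# ID-bearing form: <VictimID>_<OriginalName>_<onionhost>.onion.defender
function ConvertFrom-DefenderName {
    param([Parameter(Mandatory)][string]$Name)
    # ID-bearing form must be tested first: the plain pattern below also matches it.
    # -cmatch keeps the character classes case-sensitive (-match would not).
    if ($Name -cmatch '^(?<id>[A-Z0-9]+)_(?<orig>.+)_(?<onion>[a-z2-7]+)\.onion\.defender$') {
        return [pscustomobject]@{
            Name      = $Name
            Form      = 'IdOnion'
            VictimId  = $Matches.id
            Original  = $Matches.orig
            OnionHost = $Matches.onion + '.onion'
        }
    }
    # Plain double-extension form, e.g. Budget2024.xlsx.defender
    if ($Name -cmatch '^(?<orig>.+\.[^.]+)\.defender$') {
        return [pscustomobject]@{
            Name      = $Name
            Form      = 'Plain'
            VictimId  = $null
            Original  = $Matches.orig
            OnionHost = $null
        }
    }
    return $null   # not a .defender-encrypted name
}

function Find-DefenderFiles {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Filter '*.defender' -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-DefenderName -Name $_.Name } |
        Where-Object { $_ }
}

# Constructed sample names: both forms from the text plus a non-match.
$samples = 'Budget2024.xlsx.defender',
           'Q8X9K3Y2_ContactUs_3fa4u7l4.onion.defender',
           'notes.txt'
$samples | ForEach-Object { ConvertFrom-DefenderName -Name $_ } | Format-Table -AutoSize

# Sweep a profile tree; the victim ID is per host, so more than one distinct
# value under a single share usually means several infected hosts wrote to it.
# Find-DefenderFiles -Root 'C:\Users' | Group-Object VictimId | Select-Object Name, Count
```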

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Defender was first observed in the wild the week of 18 March 2024 and saw a sharp spike in mid-April 2024. The campaign has remained highly active through May 2024.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    – Cobalt-Strike loader via phishing: PDF or ISO email attachments drop a first-stage VBScript that downloads a Cobalt-Strike beacon.
    – XLL (Excel add-in) abuse: Malicious invoice.xll attachments invoke Excel with the /autorun switch, executing embedded shellcode.
    – Compromised VPN/Exchange servers: Instances have been traced to organizations running unpatched Microsoft Exchange (ProxyNotShell) or Ivanti Connect Secure appliances.
    – Living-off-the-land toolset: Once inside, Windows-native utilities (WMI, PsExec) are used to move laterally and push the ransomware binary (windef.exe) to other hosts.
    – Local admin account reuse: Lateral movement is often achieved via previously harvested local Domain-Admin credentials stored in LSASS.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    – Apply the March 2024 Exchange cumulative update + ProxyNotShell KB5022842 patches immediately.
    – Disable Excel XLL, XLM, and external-content execution through Group Policy → Excel Options → Trust Center.
    – Block macro-laden documents or ISO attachments from external mail-flow.
    – Restrict RDP and SMBv1 to named administrative accounts only; disable LLMNR and NBT-NS via the hardening scripts provided by Microsoft.
    – Deploy EDR capable of detecting Cobalt-Strike TTPs (LSASS memory access, Service Control Manager abuse, WMI command line executions).
    – Enable tamper protection and cloud-delivered protection in Microsoft Defender for Endpoint (the ransomware's name is itself a masquerade: it reuses the "Defender" string to disguise its binaries).
    – Enforce application control (AppLocker, WDAC) to block unsigned binaries in %TEMP% and %APPDATA%.

2. Removal

  • Infection Cleanup (Step-by-step):
    1. Isolate the host: Shut down the network adapter or assign the NIC to an isolated VLAN.
    2. Collect logs: Copy C:\Windows\System32\winevt\Logs and the ransomware binary for forensics (hash before upload).
    3. Boot into Safe Mode with Networking: Defender's kernel driver (DefCore.sys) is not loaded here.
    4. Scan with Windows Defender Offline and an on-demand scanner such as Kaspersky Rescue Disk.
    5. Delete persistence: Check Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), the Scheduled Task \Microsoft\Windows\SoftwareProtectionPlatform-Upd, and WMI Event Subscriptions.
    6. Review the registry for PendingFileRenameOperations: Remove entries pointing to .defender executables.
    7. Review Sysmon logs: Validate that no lateral Cobalt-Strike beacons are left before restoring connectivity.
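A read-only triage script for steps 5 and 6, added here as an example and not part of the original write-up. It assumes PowerShell 5.1 or later on the affected host, uses the Run key and task name quoted above, and treats windef.exe, .defender and DefCore.sys (the names this write-up gives) as indicator strings; it reports hits and deletes nothing, so each hit is still reviewed by hand before removal.

```powershell
# Added example, not part of the original write-up: read-only triage of the
# persistence locations named in steps 5 and 6. Indicator strings are the
# names the write-up gives; function names and the HKLM check are my own.
$indicators = 'windef\.exe', '\.defender', 'DefCore\.sys'

function Test-Indicator([string]$Text) {
    foreach ($pattern in $indicators) { if ($Text -match $pattern) { return $true } }
    return $false
}

function Get-DefenderPersistence {
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($Source, $Name, $Value) {
        $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
    }

    # Step 5: Run keys (HKCU as quoted in the text, plus HKLM in case an admin token was used).
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and (Test-Indicator $p.Value)) { Add-Hit $key $p.Name $p.Value }
        }
    }

    # Step 5: the task name quoted in the text, or any task whose action runs an indicator.
    foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $cmd = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
        if (($task.TaskPath + $task.TaskName) -like '*SoftwareProtectionPlatform-Upd*' -or (Test-Indicator $cmd)) {
            Add-Hit 'ScheduledTask' ($task.TaskPath + $task.TaskName) $cmd
        }
    }

    # Step 5: WMI event subscriptions that end in a command-line consumer.
    foreach ($c in @(Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)) {
        if (Test-Indicator $c.CommandLineTemplate) { Add-Hit 'WMI' $c.Name $c.CommandLineTemplate }
    }

    # Step 6: PendingFileRenameOperations entries that point at .defender executables.
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    foreach ($entry in @($sm.PendingFileRenameOperations)) {
        if (Test-Indicator $entry) { Add-Hit 'PendingFileRenameOperations' 'entry' $entry }
    }
    return $hits
}

Get-DefenderPersistence | Format-Table -AutoSize
```

Run it from the Safe Mode session of step 3 and again after the cleanup; an empty result on the second pass is the condition for moving on to step 7.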

3. File Decryption & Recovery

  • Recovery Feasibility: As of May 2024 there is no public decryptor; the ransomware encrypts each file with ChaCha20 and wraps the per-file keys with RSA-4096, both keys generated on the attacker side. Recovery is only possible through:
    – Offline backups validated before infection.
    – Shadow copies untouched by the new vssadmin delete shadows variant (rare cases observed).
    – Not recommended: professional negotiation; victims who paid in April reported 20–30 % decryption failures.
  • Essential Tools/Patches:
    – CISA decryption support discussion IDs 2024-0404 (submit sample hashes for a potential future tool).
    – Exchange urgent out-of-band patches MS04-2024 and Ivanti Connect Secure 9.1 R1.1.
    – Lazagne and Mimikatz clean-up utilities to reset any harvested local credentials.
    – Veeam SureBackup Verification or Zerto Journal-mining to ensure no hidden windef.exe remains before restore.

4. Other Critical Information

  • Additional Precautions:
    – Defender ransomware specifically monitors bcdedit.exe and wbadmin delete catalog; any attempts to edit boot config or catalog are intercepted and the malware escalates to MBR wiping on next reboot.
    – It drops a false “Hardware-Acceleration Service” in %APPDATA%\Microsoft\Service\, masquerading as a renderer for Edge.
    – A network-wide kill-switch event is triggered if > 10 % of endpoints already have DefCore.sys locked; leaving at least one “survivor” DC untreated can silently re-seed the worm via GPO updates.
  • Broader Impact:
    – Healthcare and legal services have been the most heavily hit. Three North-American hospital chains disclosed > 100 TB of PHI lost.
    – The malware’s TOR backend communicates via Dogecoin testnet, making early takedown difficult (traffic looks like wallet testing traffic).
    – Supply-chain effect: During May 2024 the same affiliates released the “Garden” variant (.gardenc) targeting managed-service-provider networks, indicating a highly modular ecosystem comparable to LockBit 3.0.

Stay vigilant, patch earlier, and test restore procedures frequently—the best defense against defender (the ransomware, not the endpoint product) is a rehearsed, offline backup workflow that defeats on-host encryption before the binary ever sees daylight.