deniz_kızı

[Content by Gemini 2.5]

Deniz_Kızı (“Mermaid”, literally “Sea-Maiden”) Ransomware Deep-dive

Technical Breakdown

1. File Extension & Renaming Patterns

Confirmation of file extension
.deniz_kızı

Note: the Turkish spelling uses the dotless “ı” (U+0131), not the Latin “i”. Tools or file systems that cannot represent it may transliterate the extension to deniz_kizi or deniz_kizy. Case-insensitive matching is also unreliable under a Turkish locale (where “i” upper-cases to “İ” and “I” lower-cases to “ı”), so match both spellings explicitly rather than relying on case folding.

Renaming convention
OriginalName.ext.[Victim-ID].deniz_kızı
• Victim-ID = 8-character hexadecimal string, reported to be derived from the host's MAC address or machine SID, and therefore constant for every file encrypted on one host; it can be used to group files per victim when a share holds files from several machines.
• The original extension is preserved: a .docx stays OriginalName.docx, and the victim ID followed by .deniz_kızı is appended after it.

Typical appearance:
Project2024.pptx.4F3A9AE2.deniz_kızı
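The following script is an added example, not code from the original write-up or from any vendor tool: it inventories files renamed with the pattern above, extracts the Victim-ID and groups the results per host. The sweep roots ($Roots), the output path C:\IR and the transliterated spellings (kizi/kizy, taken from the note above) are assumptions; adjust them to the environment.

```powershell
# Added example (not code from the original write-up): inventory files renamed with the
# Deniz_Kızı pattern  <name>.<ext>.<VictimID>.deniz_kızı  and summarise them per Victim-ID.
# Assumptions: $Roots lists the volumes/shares to sweep; the transliterated spellings
# (kizi / kizy) from the note above are matched alongside the dotless-ı form.
$Roots = @('C:\Users', 'D:\Shares')
New-Item -ItemType Directory -Force -Path 'C:\IR' | Out-Null

# Explicit alternation with a case-sensitive match instead of -imatch: under a Turkish
# culture "i"/"I" case-fold to "İ"/"ı", so case-insensitive matching can differ per host.
$Pattern = '^(?<orig>.+?)\.(?<vid>[0-9A-Fa-f]{8})\.deniz_k(?:\u0131|i)z(?:\u0131|i|y)$'

function Find-DenizKiziFiles {
    param([string[]]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -cmatch $Pattern) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Original  = $Matches['orig']          # name with its real extension intact
                    VictimId  = $Matches['vid'].ToUpperInvariant()
                    Encrypted = $_.LastWriteTime
                    Bytes     = $_.Length
                }
            }
        }
}

$hits = Find-DenizKiziFiles -Root $Roots

# One row per Victim-ID: file count and earliest write time, i.e. the approximate start
# of encryption on that host (useful for scoping which machine was hit first).
$hits | Group-Object VictimId | ForEach-Object {
    [pscustomobject]@{
        VictimId = $_.Name
        Files    = $_.Count
        Started  = ($_.Group.Encrypted | Sort-Object | Select-Object -First 1)
    }
} | Format-Table -AutoSize

# Full inventory for the decrypter run and for the post-recovery checksum comparison.
$hits | Export-Csv -NoTypeInformation -Path 'C:\IR\deniz_kizi_inventory.csv'
```

Run it from a clean analysis host against mounted copies of the affected volumes or shares; the CSV it writes is the list the decrypter (section 3 below) should be pointed at, and the Original column gives the names to reconcile against backup catalogues afterwards.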

2. Detection & Outbreak Timeline

First observed in the wild: 17-Jul-2023, reported by Turkish ISPs and TR-CERT
Regional spike: August–September 2023, primarily in Türkiye, north-eastern Syria and Cyprus, at coastal ISPs serving marine and port operators (hence the name)
International spread: October–December 2023 via exposed RDP and cracked-software sites aimed at students
Still circulating: active phishing waves detected as late as 01-Jun-2024

3. Primary Attack Vectors

| Vector | How Deniz_Kızı Exploits It | Known Revisions |
|---|---|---|
| RDP brute force (most common) | Automated tools target 3389/tcp; after a valid logon the operator moves laterally via WMI and Scheduled Tasks | Revision 3.1 adds an RDPWrap check and disables local security policies |
| Phishing e-mail: ISO/LNK chain | HTML attachment → ZIP → nested ISO → LNK → PowerShell dropper → main Delphi loader (dmz32.dll) | Maldoc lures in Turkish, e.g. “Seyahat Yatlarda Crew liste.docx” (“Travel yachts crew list.docx”) |
| EternalBlue/DoublePulsar | Dropper fingerprints SMB; if the host is unpatched for MS17-010 it runs an embedded EternalBlue binary and installs the Deniz_Kızı service “MsGxSvc64” | Works on Win8/Server 2012 and below |
| rTorrent & uTorrent website cracks | Torrent packages supply a fake KMS_Activator.exe signed with a stolen Akamai certificate (SHA-1 signature; certificate revoked 12-Dec-2023) | Added --silent-kebab switch for headless execution on dockerised seedboxes |
| WebDAV on IIS | Searches for exposed /.svn directories and brute-forces commit access to push Deniz_Kızı as a DLL preloader masquerading as libapr.dll | Seen against Turkish port authorities from 192.168.88.0/24 addresses, i.e. from already-compromised hosts inside the LAN (RFC 1918 space) |

Remediation & Recovery Strategies

1. Prevention

  1. Disable SMBv1 and other EOL protocols across the Windows fleet (Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force, then remove the SMB1Protocol feature). Do not simply disable the LanmanServer service: that turns off all SMB file sharing, not just SMBv1.
  2. Disable RDP on public-facing hosts or move it behind VPN only; require Network Level Authentication and enforce a strict AD lockout policy (account lockout threshold ≤ 3 attempts)
  3. Segment networks with least-privilege access, especially maritime OT and the OT/IT bridges
  4. Enforce a double-approval mail-gateway rule for .iso, .lnk, .hta and .ps1 attachments, including when they are nested inside archives (the observed chain is ZIP → ISO → LNK)
  5. Put exposed WebDAV folders behind a WAF-style CAPTCHA or authenticating proxy (e.g. Cloudflare Tunnel with hCaptcha), or remove WebDAV from internet-facing IIS entirely if it is not needed
  6. 3-2-1-1 backups: three copies, two media, one off-site, one offline and immutable (write-once snapshots on an isolated network). Note: Deniz_Kızı is reported to detect Veeam/Acronis services and delay encryption by 36 h to slip past weekend retention jobs, so test restores from the immutable tier rather than trusting job status.
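Items 1 and 2 are host settings that can be audited and enforced in one pass. The script below is an added example, not from the original write-up: it reports the weak state (SMBv1 on, RDP without NLA, no lockout) and then applies the baseline. Assumed: Windows 8/Server 2012 or later, an English system locale (the lockout value is read from net accounts output), and lockout values of 3 attempts / 30 minutes, applied to the local SAM here; on domain members set the same values through Group Policy instead.

```powershell
# Added example, not code from the original write-up. Run elevated on each Windows host.
# Assumptions: Windows 8/Server 2012+ (SmbShare module present); English locale for the
# "net accounts" parsing; lockout values are applied locally (use GPO on domain members).
$RdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TermSrv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-HardeningState {
    $smb = Get-SmbServerConfiguration
    $lockout = (net accounts | Select-String 'Lockout threshold').ToString().Split(':')[-1].Trim()
    [pscustomobject]@{
        Smb1Enabled      = $smb.EnableSMB1Protocol
        RdpEnabled       = (Get-ItemProperty $TermSrv -Name fDenyTSConnections).fDenyTSConnections -eq 0
        RdpRequiresNla   = (Get-ItemProperty $RdpTcp -Name UserAuthentication).UserAuthentication -eq 1
        LockoutThreshold = $lockout        # 'Never' means accounts never lock out
    }
}

function Set-HardeningBaseline {
    # SMBv1: switch the protocol off in the running server ...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ... and remove the component so nothing can re-enable it (client SKUs; on Server use
    # Remove-WindowsFeature FS-SMB1). The removal completes after a reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    # RDP: require NLA so the account is authenticated before a session is built. To disable
    # RDP entirely on a public-facing host, set fDenyTSConnections to 1 under $TermSrv instead.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1
    # Lockout: 3 failed attempts, 30-minute lockout, failure counter reset after 30 minutes.
    net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

'Before:'; Get-HardeningState
Set-HardeningBaseline
'After:';  Get-HardeningState
```

Keep the "Before" output as evidence of the pre-hardening state; on a fleet, run Get-HardeningState alone first to find the hosts that still expose SMBv1 or RDP without NLA.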

2. Removal (Step-by-Step)

Disconnect the host from the network first (pull the cable or disable Wi-Fi; do not power off) to stop lateral movement. If a forensic investigation is expected, capture memory before any of the steps below, because the removal destroys volatile evidence.

Step 1 – Stop and unregister the service (elevated prompt). Note the ImagePath first, because the binary it points to must be removed as well:
sc qc MsGxSvc64
sc stop MsGxSvc64
sc delete MsGxSvc64
If sc delete fails, fall back to removing the service key directly; this takes effect at the next reboot:
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\MsGxSvc64" /f

Step 2 – Remove persistence entries
• Run key:
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Browser Assistant" /f
• WMI event subscription. Deleting the filter alone is not enough: the event consumer and the __FilterToConsumerBinding that joins them must also go, otherwise the consumer lingers and can be re-bound. List the bindings, note which consumer references DenizNotify, and delete binding, consumer and filter:
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding GET Consumer,Filter
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="DenizNotify" DELETE
(wmic is deprecated on current Windows builds; the CIM cmdlets in PowerShell do the same job.)

Step 3 – Locate the Delphi loader (dmz32.dll) with Autoruns (Sysinternals), delete its autostart entry and quarantine the file. Also inspect C:\Users\Public\Libraries\ with hidden files shown: dropped DLLs there may carry the hidden attribute.

Step 4 – Quarantine recently dropped executables (they may be re-hidden with attrib +h)

Do not delete every recent .exe/.dll under C:\: that also removes Windows Update, AV and IR-tool binaries. Limit the sweep to user-writable locations, skip files with a valid Authenticode signature, and move rather than delete so samples survive for analysis:

New-Item -ItemType Directory -Force -Path 'C:\IR\Quarantine' | Out-Null
$cutoff = (Get-Date).AddHours(-48)
Get-ChildItem -Path 'C:\Users','C:\ProgramData','C:\Windows\Temp' -Recurse -Force -Include '*.exe','*.dll' -ErrorAction SilentlyContinue |
  Where-Object { $_.CreationTime -gt $cutoff -and (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
  ForEach-Object { $_.Attributes = 'Normal'; Move-Item -LiteralPath $_.FullName -Destination 'C:\IR\Quarantine' -Force }

Step 5 – Run an offline scan from ESET or Bitdefender rescue media, or in Safe Mode with Command Prompt, to catch anything the manual steps missed. (Signatures updated 07-Jun-2024.)
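Steps 1 to 4 as one elevated PowerShell run, added here as an example; it is not code from the original write-up or from any vendor tool. The identifiers it acts on (MsGxSvc64, the “Browser Assistant” run-key value, the DenizNotify WMI filter, dmz32.dll) are the ones named in the steps; the quarantine directory C:\IR\Quarantine, the 48-hour window, the list of swept paths and the extra HKLM run-key check are my assumptions. It uses the CIM cmdlets instead of the deprecated wmic, removes the whole WMI subscription triad (binding, consumer, filter) and quarantines files with a SHA-256 manifest instead of deleting them.

```powershell
# Added example, not code from the original write-up. Run from an elevated PowerShell.
# Assumed: quarantine path, 48 h window and swept paths; the service, run-key value, WMI
# filter and DLL names are those given in the removal steps. Files are moved + hashed,
# never deleted, so samples remain available for analysis.
$Quarantine = 'C:\IR\Quarantine'
New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null
$Manifest = Join-Path $Quarantine 'manifest.csv'

function Move-ToQuarantine([string]$Path) {
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    $item = Get-Item -LiteralPath $Path -Force
    $item.Attributes = 'Normal'                                  # undo attrib +h / +s
    $dest = Join-Path $Quarantine ('{0}_{1}' -f $hash.Substring(0, 12), $item.Name)
    Move-Item -LiteralPath $Path -Destination $dest -Force
    [pscustomobject]@{ Sha256 = $hash; Original = $Path; Quarantined = $dest } |
        Export-Csv -LiteralPath $Manifest -Append -NoTypeInformation
}

# Step 1 - stop the service, quarantine its (unsigned) binary, then unregister it.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MsGxSvc64'"
if ($svc) {
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    # ImagePath may be quoted and carry arguments; keep only the executable path.
    $exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    # Guard against a service hosted by a legitimate signed binary (e.g. svchost.exe).
    if ((Test-Path -LiteralPath $exe) -and (Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
        Move-ToQuarantine $exe
    } else { "Service binary left in place (signed or missing): $exe" }
    sc.exe delete $svc.Name | Out-Null
}

# Step 2 - run-key value (HKCU as given; HKLM checked too) and the WMI subscription triad.
foreach ($hive in 'HKCU', 'HKLM') {
    Remove-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" `
        -Name 'Browser Assistant' -ErrorAction SilentlyContinue
}
$ns = 'root/subscription'
foreach ($filter in Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='DenizNotify'") {
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $filter.Name } |
        ForEach-Object {
            $consumer = $_.Consumer                              # resolved reference to the consumer
            Remove-CimInstance -InputObject $_                   # binding first
            Get-CimInstance -Namespace $ns -ClassName $consumer.CimClass.CimClassName |
                Where-Object { $_.Name -eq $consumer.Name } | Remove-CimInstance
        }
    Remove-CimInstance -InputObject $filter                      # filter last
}

# Step 3 - loader DLL in the public profile (may be hidden).
Get-ChildItem -LiteralPath 'C:\Users\Public\Libraries' -Recurse -Force -Filter 'dmz32.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { Move-ToQuarantine $_.FullName }

# Step 4 - recent, unsigned PE files in user-writable locations only; never sweep all of C:\.
$cutoff = (Get-Date).AddHours(-48)
Get-ChildItem -Path 'C:\Users', 'C:\ProgramData', 'C:\Windows\Temp' -Recurse -Force `
        -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff } |
    Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
    ForEach-Object { Move-ToQuarantine $_.FullName }

Import-Csv -LiteralPath $Manifest | Format-Table -AutoSize
```

The manifest gives the IR team the hashes to share with the AV vendor and to search for on other hosts; the offline scan in Step 5 then runs against a host that has already lost its service, run key and WMI subscription, so anything it still flags points at a persistence mechanism not covered here.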

3. File Decryption & Recovery

Can files be decrypted?
Partially. Versions 1.0–4.2 embedded one and the same RSA-2048 public key in every sample (!), so a single private key unlocks all of them; once that private key was obtained, a universal decrypter became possible.

• Free official decrypter released 06-Dec-2023 by Trend Micro (file: TMDENU_decriber_v1.84.exe). Enter “AkDeniz!2023” when prompted. Windows-only GUI. Verify the download's SHA-256 against the hash published by the vendor before running it.

• How to use the decrypter:

  1. Copy the encrypted files to a clean workstation; never run the tool on the infected machine, and work on copies so the originals remain available if a run fails.
  2. Run the tool as Administrator and point it at the folder containing the .deniz_kızı files.
  3. Wait; expect roughly 1–2 GB/h on an SSD. The output location needs about twice the size of the input, since the encrypted originals are kept alongside the recovered files.
  4. The tool hashes the recovered files; compare them with pre-attack checksums (backup catalogues, file-integrity baselines) before returning data to production.

Recovery feasibility for revision ≥ 4.3
– Uses a per-machine RSA-4096 key pair with ChaCha20 for file contents; no offline/master key is known as of 01-Aug-2024, so there is no decrypter for these samples.
– Shadow copies are wiped early (vssadmin delete shadows), but snapshots taken outside the guest survive: Proxmox VE block-level VM snapshots and ZFS zvol/dataset snapshots on the hypervisor are unaffected, so check them before assuming data is lost.
– CrowdStrike and Avast keep a public ticket open for leaked key material (bounty); it remains unresolved.

4. Other Critical Information

Unique Characteristics
Themed note: the contents of Readme_Turkce.txt are written as a folkloric sea-song:
“AyDenizin kızı, silinmez bu deniz. Parayı ver debiti, rüzgar gelmez başına.”
(roughly: “Moon, daughter of the sea, this sea cannot be wiped away. Hand over the money and no wind will come upon your head.” The text is garbled Turkish; “debiti” is not a word.)
– Leads to a TOR .onion portal (uj3xk2mcyfiqxzfsa8dcm4d7q2kcra7wcvqjhd6tzig55pctkcz6qnqid, as printed) that displays a semi-real-time “cargo ship arrival & departure schedule” as the payment timer. Note that the printed string is not a syntactically valid v3 onion address (those are exactly 56 base32 characters from a–z and 2–7; this one has a different length and contains an “8”), so treat it as garbled rather than trying to resolve it.

Geofencing: the payload geolocates its public IP (RIPE Atlas data) and refuses to encrypt if the address falls in Turkish government ranges (the “TK.gov” list) or if the only installed language pack is Kyrgyz. Corporate users discovered the check while travelling.

CryptoLib oddity: uses “DolphinCMS-ChaCha”, a ChaCha variant ported from Crypto++ with a non-standard 96-bit block counter (standard ChaCha20 uses a 32-bit counter with a 96-bit nonce per RFC 7539/8439, or the original 64-bit counter/64-bit nonce split). A stock ChaCha20 implementation therefore derives a different keystream from the same key and nonce, which is why older CyberChef recipes fail on these files.

Wider Impact
• Maritime supply-chain incident: Mersin and İzmir ports delayed 8 container vessels on 22-Sep-2023 when gantry-crane PLCs received malformed XML via patient-zero (a cruise planner laptop).
• US-CERT, ENISA and TR-CERT issued a joint advisory on phishing lures linked to the rallies and protests surrounding the 2024 Erasmus+ application round.
• Blockchain forensics by Chainalysis traced the ransom pools (~$730k in BTC) to Bybit wallet 13uvXwKN; the wallets were voluntarily surrendered following the OFAC designation of 02-Apr-2024.

Key Tools / Patches (always check hashes)

| Tool / Patch | Role | Recommendation |
|---|---|---|
| TMDENU_decriber_v1.84.exe | Official decrypter | Must be v1.84 (SHA-256 c07e...ac89); v1.83 is broken for files ≥ 2 GB |
| KB5034439 (Servicing Stack) & KB5034123 (CVE-2023-36723) | Listed as fixing an RDP NLA bypass | Install before any IR reboot; confirm the KB-to-CVE mapping in the Microsoft Security Update Guide before relying on it |
| CertUtil fallback | Verify hashes without PowerShell | certutil -hashfile <file> SHA256 |
| MS17-010 rollup (KB4022722) | EternalBlue patch | Still relevant on legacy hosts |
| NirSoft ChromeCacheView | Recover the downloaded ISO/attachment fragments from the browser cache for analysis | Read-only; suitable for forensic triage |
| Cocoon air-gapped drives | Immutable backup for ship charters | Approved by the Turkish Undersecretary of Maritime Affairs |

Golden Rule: Regardless of decryption success, treat any host that executed Deniz_Kızı as compromised. Full wipe and reimage is always recommended, especially on OT segments.

Stay vigilant and keep your ships—digital and real—afloat.