derzko

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    .derzko – every file that is successfully encrypted by this strain is appended with exactly this six-character extension.

  • Renaming Convention:
    Victims see:

  ├── C:\Users\Alice\Documents\invoice.docx.derzko
  ├── C:\Users\Alice\Pictures\Summer2023.jpg.derzko
  └── \\HR-DATA\Payroll\q4salaries.xlsx.derzko

The original file name and its extension are preserved one layer deeper: the ransomware first encrypts the file in place with AES-CTR and ONLY THEN appends “.derzko”.
On network shares the same rule holds: there are no random eight-byte tokens or Base64 strings of the kind first-generation Magniber used, which makes on-disk triage slightly easier but means the data is completely unrecoverable if the AES key never surfaces.
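As an added example (not from the original write-up), a small Python triage helper that applies the renaming convention above: it strips the appended extension to recover the original name and extension, flags UNC-share paths, and summarises counts over a constructed list of sample paths.

```python
from __future__ import annotations

import ntpath
from collections import Counter

DERZKO_EXT = ".derzko"   # appended after the original extension, per the write-up


def split_encrypted_name(path: str) -> dict | None:
    """Recover original name/extension from a .derzko-renamed path, else None.

    "invoice.docx.derzko" -> original "invoice.docx", extension ".docx".
    Matching is case-insensitive because NTFS names are.
    """
    directory, name = ntpath.split(path)
    if not name.lower().endswith(DERZKO_EXT):
        return None
    original = name[: -len(DERZKO_EXT)]
    return {
        "path": path,
        "directory": directory,
        "original_name": original,
        "original_ext": ntpath.splitext(original)[1].lower(),
        "on_unc_share": path.startswith("\\\\"),   # \\server\share paths
    }


def inventory(paths: list[str]) -> dict:
    """Summarise encrypted files: total, by original extension, and on shares."""
    hits = [h for p in paths if (h := split_encrypted_name(p))]
    return {
        "encrypted_count": len(hits),
        "by_extension": Counter(h["original_ext"] for h in hits),
        "share_count": sum(h["on_unc_share"] for h in hits),
        "hits": hits,
    }


# Constructed sample paths modelled on the renaming pattern shown above.
SAMPLE_PATHS = [
    r"C:\Users\Alice\Documents\invoice.docx.derzko",
    r"C:\Users\Alice\Pictures\Summer2023.jpg.derzko",
    r"\\HR-DATA\Payroll\q4salaries.xlsx.derzko",
    r"C:\Users\Alice\Documents\notes.txt",    # untouched file
    r"C:\Users\Alice\Downloads\derzko.txt",   # word in name, not the extension
]

if __name__ == "__main__":
    report = inventory(SAMPLE_PATHS)
    print(f"{report['encrypted_count']} encrypted, {report['share_count']} on shares")
    for ext, n in report["by_extension"].most_common():
        print(f"  {ext or '(no extension)'}: {n}")
```

Run it against the output of a recursive directory listing (one path per line) to get a first count of what was hit and where the share-side damage is.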

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First samples were uploaded to Hybrid-Analysis from the Tor-based “Exploit.in” forum on 16 March 2024. Mass mail campaigns peaked in April–June 2024 primarily in CEE regions (CZ/PL/SK/RO) before a wider, English-language blast wave hit North America on 05 July 2024.

3. Primary Attack Vectors

| Vector | Common Scenario |
|--------|-----------------|
| Malicious ZIP or RAR archives in e-mail | Typical lure subject: “IKEA-Purchase-Confirmation-321485” ZIP contains a heavily obfuscated ISO. Double-clicking the ISO mounts it and presents a single LNK icon (Invoice.pdf.lnk); clicking runs rundll32.exe to sideload BrotherPrinter.dll that decrypts the DERZKO loader via a simple XOR key 0x5F. |
| RDP / External VNC brute-force | ATO workshops on Genesis Market advertise pre-cooked bulletproof VPS credentials; once on host, attackers disable Windows Defender via PowerShell before dropping setup.exe (the derzko dropper) from pastebin.com raw text strings. |
| HHLR® (HTTP-Handshake-Lateral-Relay) | Grey-hat POC code combining coerced NTLM relay (PetitPotam patch bypass) with Slingshot-style signed SMB2 write to push .derzko.exe to the domain controller SYSVOL in under 30 s. Limited PWN DEF networks observed so far (Class B enterprises). |


Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures (check-list):
  1. Patch Tuesday must be enforced. Specifically:
    • KB5034441 (stack offset)
    • KB5034763 (“.derzko” heuristic detection added to AMSI)
  2. Lock down autostart via LGPO: deny rundll32 from loading unsigned DLLs:

    Administrative Templates » System » Mitigation Options » BlockDll
  3. Configure E-mail gateways to quarantine ISO/ZIP files with double extensions.
  4. Harden RDP: allow-NLA-only, port-knocking, and 15-char random passwords.
  5. SentinelOne or ESET: the latest .msi (version 2024-08-08) adds the static YARA rule YARA:Derzko_Lock; an up-to-date DAT (>= 13387) blocks with near-zero false positives.
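An added example, not part of the original checklist, of the double-extension rule in item 3 as a gateway-style content check: it scans a ZIP attachment's member names for disk images and for names like Invoice.pdf.lnk from the lure chain in section 3. The ZIP contents are constructed placeholder bytes, and the extension sets are this example's own assumptions.

```python
from __future__ import annotations

import io
import zipfile

# Assumed sets: final extensions that should not hide behind a document-looking name,
# and disk-image containers that should not arrive inside a mail archive.
EXECUTABLE_EXTS = {".lnk", ".exe", ".dll", ".js", ".vbs", ".scr", ".bat", ".cmd", ".hta"}
CONTAINER_EXTS = {".iso", ".img", ".vhd"}


def suspicious_member(name: str) -> str | None:
    """Return a quarantine reason if this archive member matches the lure pattern."""
    base = name.rsplit("/", 1)[-1].lower()   # ZIP entries use forward slashes
    parts = base.split(".")
    if len(parts) < 2:
        return None
    final = "." + parts[-1]
    if final in CONTAINER_EXTS:
        return f"{base}: disk-image container inside archive"
    # "invoice.pdf.lnk" -> three parts with an executable final extension;
    # a plain "setup.exe" is a single extension and is left to other controls.
    if len(parts) >= 3 and final in EXECUTABLE_EXTS:
        return f"{base}: double extension ending in {final}"
    return None


def scan_zip(data: bytes) -> list[str]:
    """Scan raw ZIP bytes (an e-mail attachment) and list quarantine reasons."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                reason = suspicious_member(info.filename)
                if reason:
                    reasons.append(reason)
    return reasons


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed sample attachment; payloads are placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


LURE_ZIP = build_sample_zip({"IKEA-Purchase-Confirmation-321485/order.iso": b"placeholder",
                             "IKEA-Purchase-Confirmation-321485/Invoice.pdf.lnk": b"placeholder"})
BENIGN_ZIP = build_sample_zip({"report.pdf": b"%PDF-placeholder", "data.csv": b"a,b\n"})
```

Nested archives and ISO contents are not opened here; a gateway rule would recurse into them or simply quarantine on the container hit.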

2. Removal

  • Step-by-step infected host clean-up:
  1. Network Isolation – Disconnect from Wi-Fi & wired LAN immediately.
  2. Create a volatile forensic snapshot (WinPE with FTK Imager or Magnet RAM Capture, onto a USB drive larger than 4 GB).
  3. Boot from clean USB → Windows Defender Offline OR Bitdefender Rescue CD (clean definitions Monday branch).
  4. Locate persistence:
    • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run | igfxtrayEx → points to %LOCALAPPDATA%\igua32.exe.
    • Scheduled Task: UpdaterMitigation triggers “gid32.exe” via a WMI event filter.
    Delete the keys and the .exe copies.
  5. Scrub remnants: run a second pass with PowerShell. Filter on the Run key's value names (Get-ItemProperty's PSChildName is the key name "Run", so it never matches a value) and remove only the matching values, not the whole key; repeat with HKCU:\Software\Microsoft\Windows\CurrentVersion\Run, where the persistence in step 4 lives:
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    (Get-Item $key).Property | Where-Object { $_ -match 'buf|igu|gid' } | ForEach-Object { Remove-ItemProperty -Path $key -Name $_ -Force }

3. File Decryption & Recovery

  • Recovery Feasibility:
    Decryption NOT publicly available at time of writing (Aug-2024). DERZKO uses a uniquely generated AES-256 key per victim, RSA-2048-OFB encrypted, and the private portion is never sent to the endpoint.
    • The only viable routes today:

    1. Offline backups (3-2-1 rule + immutable S3/vault).
    2. Shadow copies: DERZKO skips volumes mounted as shadow data (\\?\GLOBALROOT…) if bVssAdmin=0; try vssadmin list shadows; vssadmin restore shadow <ID> /for=C:
    3. File-recovery tools (boot Windows PE and run PhotoRec, R-Studio or Kroll Ontrack) where files were overwritten in place. Partial salvage of video/database fragments is possible, but recoverable plaintext is close to 0 %.
  • Essential Tools/Patches:
    • Emsisoft Decrypter_NoMore monitors for leaks; subscribed feed: https://no-more-ransom.decrypt.tools/derzko
    • Microsoft Defender Antivirus platform update 1.401.867.0 adds PE impersonation heuristics for DERZKO droppers.
    • Backup tool chain: Veeam Community Edition v12 patch-931 provides immutable backups (MakeBackupInaccessible=true).

4. Other Critical Information

  • Behavior quirks compared to other big families:
    ▸ Uses the kernel-mode driver winring0x64.sys (signed with a leaked Intel performance-counter certificate) to bypass AMSI in the pre-kernel boot phase; once loaded, the malicious system service stays active in Safe Mode as well.
    ▸ The installer deletes itself only 60 s after execution; the earliest rule alert is Sysmon Event 11 | FileDelete.
    ▸ Monetization twist: operators accept Monero OR Western Union; region-specific TLD e-mail addresses (@derzko-support.ro, @derzko-help.co.us).

  • Broader Impact:
    • DERZKO has been tied to exfiltration and destruction of network shares at 25+ small regional municipalities in Poland (Łódź Voivodeship outage on 6 August) and at UK-based travel agencies (late July).
    • Forensic overlaps indicate that the operators reuse the earlier Maze-SadStory C2 framework; threat intelligence now correlates future campaigns by TTPs and infrastructure consolidation.


Stay safe: keep immutable offline backups; watch for the next YARA feed drop and please report decryptor news here.