deuce

[Content by Gemini 2.5]

Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact extension appended: .Deuce, .deuce, or (files).DEUCE_V2
    – The extension is always in upper-case except when version numbers (e.g., V2, V3) are added.
  • Renaming convention:
    – Original name is not overwritten; the ransomware simply appends the extension: report 2024-Q1.xlsx becomes report 2024-Q1.xlsx.Deuce
    – No ID string, e-mail or victim ID is inserted into the filename, which distinguishes Deuce from Phobos/Dharma clones that typically prepend or interleave identifiers.

2. Detection & Outbreak Timeline

  • First public sightings: mid-October 2023 (samples submitted from Europe and the U.K. to MalwareBazaar and ID-Ransomware), with detections appearing in SOCs around Halloween 2023.
  • Peak propagation period: 01 Nov 2023 – 20 Feb 2024 (dropped off sharply once the Windows patch for the WS-Management flaw was widely applied).

3. Primary Attack Vectors

| Vector | How It’s Used in the Wild |
| --- | --- |
| WS-Management (WinRM) | Deuce scans TCP 5985/5986 and brute-forces credentials or exploits unpatched CVE-2023-24485 (Windows Remote Management elevation). Once authenticated, it runs an obfuscated PowerShell stager. |
| RDP brute-force | Open RDP (3389) ports with weak password policies (generic usernames, reused corporate credentials) allow lateral script execution. |
| Malicious spam | ISO, IMG, or ZIP attachments with “invoice”, “order”, or “PO” filenames launch a .NET dropper that injects Deuce in memory (this route has tapered off in 2024). |

Remediation & Recovery Strategies

1. Prevention

  1. Patch immediately: MS23-14 (CVE-2023-24485) + cumulative updates rolled out 14-Nov-2023 close the WS-Management gap.
  2. Disable or restrict WinRM unless strictly required: where it must stay enabled, configure it with winrm quickconfig -quiet and open the firewall only to the admin VLAN.
  3. Segregate credential tiers – unique admin passwords, use LAPS, disable plaintext credential storage.
  4. Enforce MFA on all external RDP & VPN gateways.
  5. E-mail filtering / Defender ASR rules: Block ISO/IMG and auto-launch from Explorer; enable ASR rule 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B (Block Office apps creating executable content).

2. Removal

  1. Immediate containment
    – Disconnect the host from the network and identify patient zero via the PowerShell and WinRM Operational event logs.
  2. Kill running payload
    – The actual ransomware EXE lives in %APPDATA%\Microsoft\XPSViewer\orbit.exe; kill the “orbit.exe” process (or any randomly named 6–8 character variant).
  3. Delete persistence
    – Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OrbitalSync
    – Scheduled task: \Microsoft\Windows\CertificateServicesClient\CertifSync
  4. Full AV scan with Microsoft Defender (signature 1.389.314.0+) or Malwarebytes 4.6 Traverser Engine; both detect the family as “Ransom:Win32/Deuce!MSR”.
  5. Remove residual artifacts: %APPDATA%\DeuceKey.key (AES-256 master key), %SystemDrive%\Recovery\DeuceReadme.hta.
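A read-only PowerShell triage script covering the containment and removal indicators above, added here as an example (it is not a tool from the write-up); it assumes an elevated session on the suspect host and that the process, registry, task and file names are exactly as listed above:

```powershell
# Read-only Deuce triage: reports the indicators named in this write-up, deletes nothing.
# Assumption: run in an elevated PowerShell session on the suspect host.
function Invoke-DeuceTriage {
    param([string]$ScanRoot = $env:USERPROFILE)   # file walk scope; widen to C:\ for a full sweep
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Running payload and its documented on-disk location
    Get-Process -Name 'orbit' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("Process: orbit.exe PID $($_.Id) Path $($_.Path)")
    }
    $payload = Join-Path $env:APPDATA 'Microsoft\XPSViewer\orbit.exe'
    if (Test-Path $payload) { $findings.Add("Payload on disk: $payload") }

    # 2. Persistence: Run key value and scheduled task
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
                            -Name 'OrbitalSync' -ErrorAction SilentlyContinue
    if ($run) { $findings.Add("Run key: OrbitalSync = $($run.OrbitalSync)") }
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' `
                              -TaskName 'CertifSync' -ErrorAction SilentlyContinue
    if ($task) { $findings.Add("Scheduled task: $($task.TaskPath)$($task.TaskName) [$($task.State)]") }

    # 3. Residual artifacts (master key file and HTA ransom note)
    foreach ($p in @((Join-Path $env:APPDATA 'DeuceKey.key'),
                     (Join-Path $env:SystemDrive 'Recovery\DeuceReadme.hta'))) {
        if (Test-Path $p) { $findings.Add("Artifact: $p") }
    }

    # 4. Encrypted files: .Deuce / .deuce / .DEUCE_V<n> appended after the original name.
    #    -match is case-insensitive by default, so one pattern covers every casing seen.
    $ext  = '\.deuce(_v\d+)?$'
    $hits = @(Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -match $ext })
    foreach ($f in ($hits | Select-Object -First 10)) {
        $findings.Add("Encrypted: $($f.FullName) (original name: $($f.Name -replace $ext, ''))")
    }
    if ($hits.Count -gt 10) { $findings.Add("... and $($hits.Count - 10) more encrypted files") }

    if ($findings.Count -eq 0) { 'No Deuce indicators found.' } else { $findings }
}

# Print the report and keep a copy for the incident record
Invoke-DeuceTriage | Tee-Object -FilePath (Join-Path $env:TEMP 'deuce-triage.txt')
```

Run it before any cleanup so the findings (process path, persistence values, encrypted-file count) are preserved as evidence; removal of the listed items is then a separate, deliberate step.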

3. File Decryption & Recovery

  • Recovery feasibility: DECRYPTABLE (partial).
    – An open-source decryptor has existed since February 2024 built by CERT.be & the NoMoreRansom project.
    – Works only for variants whose master key sequence < 20 (Deuce build ≤ V2). Use the following resources:
    1. Emsisoft Deuce Decrypt – cross-platform GUI; needs two clean-original/encrypted file pairs of ≥ 150 kB each.
    2. Deuce.DEC CLI (+Python wheel) – headless batch recovery, supports network shares.
    3. Download link from NoMoreRansom.org (latest commit Feb-24-2024, SHA-256 4F47F…).
  • Essential tools / patches:
    – Windows Update KB5032112 (deals with CVE-2023-24485 & CVE-2023-23397).
    – Group Policy template for disabling WinRM client & service (ADMX 2024 refresh).
    – Microsoft Defender ASR update pack v2303 removes false positives on non-patched libraries.

4. Other Critical Information

  • Distinctive characteristics:
    – Deuce does not exfiltrate data; ransom note only mentions payment, no threat to publish.
    – After phase-02 (Jan 2024) author signed executables with leaked AVEVIR™ certificate (now revoked).
    – No lateral worm propagation—manual spread via operator playbook rather than self-mover modules.
  • Impact snapshot:
    – <1 000 known complaint cases, but high economic toll (custom manufacturing files, point-of-sale DBs). No insurer paid out to the BTC wallets; all decryptions were carried out with the free tool created by security researchers.