deus

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files encrypted by the DeusCrypt / Deus family receive the fixed, five-character suffix “.deus”.
  • Renaming Convention:
    Example: Annual_Report_2023.docx → Annual_Report_2023.docx.deus
    Victims who already had a file tagged once by a prior variant (e.g., .djvu, .drweb, .lesli) will see a double or triple extension such as
    picture.jpg.djvu.deus or file.xlsx.lesli.djvu.deus.
    The attackers do not alter the original file name itself beyond appending .deus, which makes quick volume-wide identification via *.deus searches trivial.
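The renaming rule above makes a volume-wide inventory cheap: every encrypted file still carries its original name, with .deus (and any earlier variant tag) appended. The following script is an added example, not part of the original breakdown or any vendor tool. It walks a directory tree for *.deus files, peels off the chained tags (.djvu, .drweb, .lesli are the ones named above; any other tag set is an assumption you would adjust), recovers the original file name, and counts files per extension chain so an investigator can see at a glance whether the volume was hit by one or several sequential ransomware runs. The sample tree it builds in a temporary directory is constructed for the demo.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Suffix appended by the Deus family and the prior-variant tags named in the breakdown.
DEUS_SUFFIX = ".deus"
PRIOR_VARIANT_TAGS = {".djvu", ".drweb", ".lesli"}


def split_chain(name: str):
    """Split an encrypted filename into (original_name, [extension chain]).

    'file.xlsx.lesli.djvu.deus' -> ('file.xlsx', ['.lesli', '.djvu', '.deus'])
    A name without the .deus suffix is returned untouched with an empty chain.
    """
    if not name.lower().endswith(DEUS_SUFFIX):
        return name, []
    stem = name[:-len(DEUS_SUFFIX)]
    chain = [DEUS_SUFFIX]
    # Peel off prior-variant tags only; the real extension (.xlsx, .jpg) stays on the name.
    while True:
        root, ext = os.path.splitext(stem)
        if ext.lower() in PRIOR_VARIANT_TAGS and root:
            chain.insert(0, ext.lower())
            stem = root
        else:
            return stem, chain


def scan_tree(root):
    """Return one (path, original_name, chain) record per *.deus file under root."""
    hits = []
    for path in Path(root).rglob("*" + DEUS_SUFFIX):
        if path.is_file():
            original, chain = split_chain(path.name)
            hits.append((path, original, chain))
    return sorted(hits)


def chain_histogram(hits):
    """Count files per extension chain. More than one chain on a volume is the
    'double extension' artifact of sequential infections described above."""
    return Counter(tuple(chain) for _, _, chain in hits)


def demo():
    """Build a constructed sample tree in a temp dir and return the histogram as a dict."""
    sample_names = [
        "Annual_Report_2023.docx.deus",        # single .deus tag
        "photos/picture.jpg.djvu.deus",        # re-encrypted after a .djvu infection
        "finance/file.xlsx.lesli.djvu.deus",   # triple tag
        "notes/README.txt",                    # untouched file, must not be reported
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for rel in sample_names:
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed sample content")
        hits = scan_tree(tmp)
        for path, original, chain in hits:
            print(f"{path.relative_to(tmp)}  original={original}  chain={''.join(chain)}")
        return {"".join(k): v for k, v in chain_histogram(hits).items()}


if __name__ == "__main__":
    print(demo())
```

Point scan_tree at a mounted evidence image (read-only) rather than a live system; the original-name column is what you later match against backups or decryptor output.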

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    – First public submission of a .deus sample and ransom note occurred on 12 February 2018.
    – A moderate spike in infections was observed between February 2018 and April 2018 in Eastern-European countries (primarily Russia, Ukraine, and Belarus) before circulation tailed off by mid-year. No new active campaigns have been verified since late 2018.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Spear-phishing with macro-laden Microsoft Office attachments (“Invoice”, “Payment Confirmation”, etc.).
  2. Exploitation of compromised web servers hosting fake software cracks or free game launchers, bundling the payload as an embedded dropper.
  3. Brute-forced and poorly-secured RDP endpoints (standard TCP 3389) followed by manual payload push.
    The installer leverages WMI/PowerShell to download and run secondary payloads, after which Deus encrypts using an offline AES-256 + RSA-2048 routine and plants READ_IT.txt (ransom note). No propagation across SMB or EternalBlue is known.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    – Disable Office macros for all users unless digitally signed by a trusted CA.
    – Patch and close RDP to the public internet; enforce Network Level Authentication (NLA) and lockout policies.
    – Enable Application Control (Windows Defender ASR rules, AppLocker, or equivalent) to block unsigned executables and PowerShell launch from %TEMP%.
    – Enforce daily, offline, image-level backups with ≥30-day retention and perform regular restore drills.

2. Removal

  • Infection Cleanup (step-by-step):
  1. Isolate the host from the network (Wi-Fi off, Ethernet unplugged).
  2. Boot into Windows Safe Mode or a WinPE / ESET SysRescue USB.
  3. Run a reputable on-demand scanner: Microsoft Safety Scanner, Kaspersky Rescue Disk, or Malwarebytes 4.x+ with “Scan for rootkits” enabled.
  4. Delete all instances of the following:
    • %APPDATA%\{random 8-10 hex chars}.exe (main payload)
    • C:\Users\USERNAME\AppData\Local\Temp\install.exe, plus the *.bat and *.ps1 files dropped during the download chain
    • Associated RUN key in HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce or scheduled tasks named WinSystemUpdate.
  5. Reinstall the operating system (“Nuclear Option”): if doubt lingers or lateral movement is suspected, wipe the OS partition and re-image from verified clean backups.
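Step 4 lists the persistence artifacts to look for. The script below is an added example (not part of the original breakdown) that turns those indicators into a triage check over exported autorun data: a hex-named .exe under %APPDATA% (the “{random 8-10 hex chars}” pattern above), install.exe or *.bat/*.ps1 stagers under %TEMP%, and a scheduled task named WinSystemUpdate. The entries it inspects are constructed; in practice you would feed it RunOnce values and scheduled-task actions exported from the suspect host. The profile path used to expand %APPDATA% and %TEMP% placeholders is an assumption.

```python
import os
import re

# Indicators taken from the removal step above.
PAYLOAD_NAME_RE = re.compile(r"^[0-9a-f]{8,10}\.exe$", re.IGNORECASE)
STAGER_NAMES = {"install.exe"}
STAGER_EXTS = {".bat", ".ps1"}
RUNONCE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
TASK_NAME = "WinSystemUpdate"

# Assumed profile location used only to expand placeholders in exported values.
PLACEHOLDERS = {
    "%localappdata%": r"c:\users\victim\appdata\local",
    "%appdata%": r"c:\users\victim\appdata\roaming",
    "%temp%": r"c:\users\victim\appdata\local\temp",
}

# Quoted paths, or unquoted tokens that start with a drive letter or %VAR%.
PATH_RE = re.compile(r'"([^"]+)"|((?:%\w+%|[a-zA-Z]:)[^\s"]*)')


def candidate_paths(command):
    """Every path-looking token in a command line, including script arguments."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(command)]


def normalize(path):
    """Lower-case, backslash-normalise and expand the placeholders above."""
    p = path.replace("/", "\\").lower()
    for key, value in PLACEHOLDERS.items():
        p = p.replace(key, value)
    return p


def reasons_for(entry):
    """Return the list of indicators an autorun entry matches (empty means clean)."""
    reasons = []
    for raw in candidate_paths(entry["command"]):
        folder, _, filename = normalize(raw).rpartition("\\")
        ext = os.path.splitext(filename)[1]
        if folder.endswith("\\appdata\\roaming") and PAYLOAD_NAME_RE.match(filename):
            reasons.append("hex-named payload in %APPDATA%: " + raw)
        if folder.endswith("\\appdata\\local\\temp") and (
            filename in STAGER_NAMES or ext in STAGER_EXTS
        ):
            reasons.append("stager in %TEMP%: " + raw)
    if entry["source"] == "ScheduledTask" and entry["name"] == TASK_NAME:
        reasons.append("scheduled task named " + TASK_NAME)
    return reasons


def triage(entries):
    """Return (source, name, reasons) for every entry that matches at least one indicator."""
    flagged = []
    for entry in entries:
        reasons = reasons_for(entry)
        if reasons:
            flagged.append((entry["source"], entry["name"], reasons))
    return flagged


# Constructed sample export: three entries that should be flagged, two benign ones.
SAMPLE_ENTRIES = [
    {"source": RUNONCE_KEY, "name": "WinUpdate",
     "command": r'"%APPDATA%\a3f9c21e7b.exe"'},
    {"source": RUNONCE_KEY, "name": "Stage2",
     "command": r"powershell -ep bypass -f C:\Users\victim\AppData\Local\Temp\stage.ps1"},
    {"source": "ScheduledTask", "name": "WinSystemUpdate",
     "command": r"C:\Users\victim\AppData\Local\Temp\install.exe"},
    {"source": "ScheduledTask", "name": "OneDrive Standalone Update",
     "command": r"%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"source": RUNONCE_KEY, "name": "Installer cleanup",
     "command": r'"C:\Program Files\Vendor\cleanup.exe" /silent'},
]


if __name__ == "__main__":
    for source, name, reasons in triage(SAMPLE_ENTRIES):
        print(f"[{source}] {name}")
        for reason in reasons:
            print("   -", reason)
```

The check deliberately scans every path-like token, not just the first one, because the PowerShell stager path sits in an argument rather than in the executable position. A hit is a lead for the cleanup step, not proof on its own; confirm with file hashes and timestamps before deleting.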

3. File Decryption & Recovery

  • Recovery Feasibility:
    Decryptable offline variant. The RSA-2048 key used in early campaigns was drawn from a small pool of static offline keys. Kaspersky’s open-source RakhniDecryptor (v1.24.05+) and Emsisoft’s DeusDecrypter (v2.0.0.8) exploit this flaw.
    Process:
  1. Make an offline copy of the encrypted data before any attempts.
  2. Download the decryptor from the legitimate vendor page (SHA-256 verified).
  3. Launch with Administrator rights, point it to the root drive letter or a test folder, and allow it to search for intact READ_IT.txt (contains the victim ID) in every directory—this helps the tool link the correct RSA key.
  4. Decryptor creates .bak copies automatically; if 100 % success is achieved, tools offer batch cleanup.
    If your variant adopted a newer embedded key, tools may not find a match—in that case, turn to backups or data-recovery specialists.
  • Essential Tools / Patches:
    – Microsoft KB4056890 (Meltdown/Spectre microcode; indirectly blocked some signed-but-bad drivers used by early dropper campaigns).
    – Windows KB4074610 & KB4057239 (SMB server hardening) although not directly exploited by Deus.
    – Ensure native Windows Credential Guard is enabled on Enterprise editions (mitigates lateral movement via token theft).

4. Other Critical Information

  • Unique Characteristics:
    – Double-extension “disease vector”: prior infections with Troldesh (.djvu/.lesli) were re-encrypted by Deus, presenting investigators with forensic artifacts of sequential ransomware on the same volume.
    – Uses a bizarre BMP splash wallpaper (WindowsUpdate.jpg) at %PROGRAMDATA%\ featuring a hybrid Russian/Italian slogan “Non pagare niente è possibile!”, which caused it to be mis-classified in community spreadsheets under Italian-based scare campaigns even though the threat actors appear to be Russian-speaking.
  • Broader Impact:
    – While never reaching notoriety levels of WannaCry or Ryuk, DeusCrypt’s existence underscored the monetization of previously infected hosts and highlighted the practice of re-selling/leasing infrastructure, leading to a new class of “meta-ransomware” operators that triple-encrypt earlier victims.

Remain vigilant: archive incident samples for future IoC enrichment, and treat any still-running .deus endpoints as warning lights that broader compromise (RDP/weak brute-force) may be ongoing.