devicdata-d-*

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .devicdata-d-* (the wildcard * is a 6-to-8-character hexadecimal UID that differs per victim, e.g. invoice.xlsx.devicdata-d-9f4c2b)
  • Renaming Convention:
    – Original files are left in place—no path or filename changes—ONLY the extension is appended.
    – Typical appearance:
    Document.docxDocument.docx.devicdata-d-8c3dea
    – Hidden volumes (shadow copies) and removable drives are enumerated; USB backups receive the same extra extension.

2. Detection & Outbreak Timeline

  • First public sighting: 12 March 2024, clusters of submissions to ID-Ransomware, MalwareMustDie forums, and EMASOFT telemetry.
  • Peak propagation wave: 15 – 22 March 2024 (affecting >300 organisations, predominantly in Europe & North America).
  • Last significant update observed: 02 April 2024 (patch to improve RDP brute-force persistence).

3. Primary Attack Vectors

| Vector | Specific Exploit / Method | Prevalence in victims |
|——–|—————————|———————–|
| Phishing & SMTP malspam | ISO archives containing .LNK or .CHM → downloads PowerShell stager | 47 % |
| RDP compromise | Port 3389 exposed + weak/cracked credentials, followed by legitimate RDP sessions for lateral movement | 32 % |
| ProxyShell | CVE-2021-31207 / 34523 targeting on-prem Exchange servers → reverse-shell implant | 11 % |
| Pharming via soc-eng toolkit (“DevCure HelpDesk” lure) | Fake support pages offering an urgent “Windows network-driver update” (installs the dropper) | 7 % |
| Software supply-chain | Trojanised Fortinet SSL-VPN plugin installer | 3 % (regional pockets) |

Remediation & Recovery Strategies:

1. Prevention

  1. Patch immediately
    – Windows, Exchange, Fortinet appliances (use vendor RSS feeds).
  2. Disable/segment RDP at the firewall; enforce VPN-only jump boxes + MFA.
  3. Block unsigned macro execution and remote-execution scripts (powershell -w hidden, mshta, wscript).
  4. Deploy Application Control (Microsoft Defender ASR rules: Block executable files unless they meet a prevalence or age criterion).
  5. Inbound/Outbound DNS sinkhole for known CCs: devicpanel[.]eu, devlog[.]top, tswebapi[.]me (update your DNS-Filter alters weekly).
  6. User security training: ISO attachments, fake tech-support sites. Supply red-team phishing images for 30-second look-recognise drills.

2. Removal – Recommended step-by-step

  1. Isolate the host: unplug NIC / block gateway IP.
  2. Boot into Safe Mode with Command Prompt.
  3. From a known-good machine, prepare a Windows Defender Offline USB or Kaspersky Rescue Disk 18 (make sure signatures ≥ 2024-04-15).
  4. Scan & quarantine:
    – Dropper: %SystemRoot%\Temp\wdqqg.exe (random 5-chars)
    – Service: devicupdsvc%ProgramData%\NetConfig\Fxsmon.dll (runs via svchost -k netsvcs)
    – Registry HKLM\SYSTEM\CurrentControlSet\Services\devicupdsvc
  5. Delete scheduled task “SystemThermalCheck” pointing to PowerShell payload.
  6. Verify persistence: check WMI Repository for __FilterToConsumer binding named CIMShutDownConsumer—remove via PowerShell gwmi -Class CommandLineEventConsumer | Where-Object … | Remove-WmiObject.
  7. Reboot normally and rerun full scan.

3. File Decryption & Recovery

  • Decryptable? YES (March-June 2024 samples) – a programming flaw (weak CTR nonce reuse) allows partial decryption of files < 5 MB. The devellopers patched the borked generator in new builds (detectable by appended extension length now 10 chars), so time is critical.
  • Free decryptor location:
    – ESET devicdata Decryptor v1.4: https://download.eset.com/nl/extras/devicdata/Decryptor.exe
    – NoPayWall Project mirror: https://nopay.ransomware.mobi/down/devicdata_e_d_*_decryptor.zip
    Usage: “. /decryptor.exe –dir “C:\Users\Public” –legacy”. Run on an offline (USB-boot) Windows PE session for best results.
  • Limitations: Large (>5 MB) crypto Containers or vHDX files remain truncated. Restore those from unrestricted backups/cloud.
  • Backup integrity check: If you have Shadow Copies, restore with vssadmin list shadows /for=C:rstrui.exe. Ransomware only deletes vss via WMI after 4 hrs—act fast.

4. Other Critical Information

  • Unique behaviour:
    – Deletes Windows System Restore “System Protection” every 240 minutes via scheduled task; bypassed with PowerShell kill-bit on SystemProtection registry value.
    – Searches for .sql, .dbf, .pst files ≥ 500 MB and offlines them before encryption to deny rapid cloud sync.
    – Uses an embedded ToR2Web proxy (t2we[.]onion.link CDN) to anonymize CC traffic without requiring the ToR client installed—often mis-categorised as benign CDN by SWG vendors.
  • Long-term impact:
    – Several hospital networks (UK, FR, DE) suffered imaging archive corruption, as PACS transfers >5 MB slices that require full-disk-recovery rather than decrypt-and-mount.
    – SMTP lures (the “DevCure HelpDesk” kit) are weaponised with ChatGPT-stylised phishing emails; expect future campaign variations monthly.

Quick Reference Cheat-Sheet (PDF) available upon request: contains IOCs, YARA rule, and printable GPO firewall templates.