dewd

[Content by Gemini 2.5]


Technical Breakdown

1. File Extension & Renaming Patterns

Confirmation of File Extension: .dewd (lowercase, preceded by a 36-character victim ID that looks like a lower-hex Universally Unique Identifier, e.g. picture.jpg → picture.jpg.{305c1f45-b0d9-4e2b-b1b7-0f50df347456}.dewd).

Renaming Convention:

  • Drops a ransom note file, !_DECRYPT_FILES_!*.txt (or !_DECRYPT_FILES_!*.hta), with random capitalisation, into every directory.
  • Preserves the original filename (including its extension) ahead of the victim ID and the .dewd token, so the file type remains discoverable (important for selective restore).
  • No double encryption: the AES-256 key is encrypted once with the attackers’ RSA-2048 public key.
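
As an added example (not code from the original profile), the following Python script parses the renaming convention just described: it splits an encrypted filename into the original name and the victim ID, recognises the per-directory ransom note, and groups encrypted files by their original extension so a selective restore can be prioritised by file type. The directory tree it builds is constructed for the example (empty files carrying the described names, no malware); the case-insensitive match on the note name is an assumption made here.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Renaming pattern from the profile: <original name>.{<36-char lower-hex UUID>}.dewd
DEWD_RE = re.compile(
    r"^(?P<original>.+)\.\{(?P<victim_id>"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}\.dewd$"
)
# Ransom note dropped per directory: !_DECRYPT_FILES_!*.txt or *.hta.
# Case-insensitive matching is an assumption, since the capitalisation is reported as random.
NOTE_RE = re.compile(r"^!_DECRYPT_FILES_!.*\.(txt|hta)$", re.IGNORECASE)


def parse_dewd_name(filename: str):
    """Split an encrypted filename into (original_name, victim_id); None if it does not match."""
    m = DEWD_RE.match(filename)
    if not m:
        return None
    return m.group("original"), m.group("victim_id")


def is_ransom_note(filename: str) -> bool:
    """True if the filename looks like the per-directory ransom note."""
    return NOTE_RE.match(filename) is not None


def triage_tree(root):
    """Walk a directory tree and summarise the encryption footprint.

    Returns the distinct victim IDs seen, the encrypted files grouped by their
    original extension (what the file was before encryption, for selective
    restore), the directories that received a ransom note, and a total count.
    """
    root = Path(root)
    summary = {
        "victim_ids": set(),
        "by_extension": defaultdict(list),
        "note_dirs": set(),
        "encrypted_count": 0,
    }
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if is_ransom_note(path.name):
            summary["note_dirs"].add(path.parent.relative_to(root).as_posix())
            continue
        parsed = parse_dewd_name(path.name)
        if parsed is None:
            continue
        original, victim_id = parsed
        summary["victim_ids"].add(victim_id)
        ext = Path(original).suffix.lower() or "(none)"
        summary["by_extension"][ext].append(path.relative_to(root).as_posix())
        summary["encrypted_count"] += 1
    summary["by_extension"] = dict(summary["by_extension"])
    return summary


def build_sample_tree(base) -> Path:
    """Create a constructed sample tree: empty files with the described names, nothing else."""
    base = Path(base)
    vid = "305c1f45-b0d9-4e2b-b1b7-0f50df347456"  # victim ID quoted in the profile
    layout = {
        "docs": ["report.docx", "budget.xlsx", "!_DECRYPT_FILES_!.txt"],
        "docs/photos": ["picture.jpg", "!_Decrypt_Files_!_a1b2.hta"],
        "untouched": ["readme.md"],
    }
    for folder, names in layout.items():
        d = base / folder
        d.mkdir(parents=True, exist_ok=True)
        for name in names:
            if name.startswith("!_") or folder == "untouched":
                (d / name).touch()
            else:
                (d / f"{name}.{{{vid}}}.dewd").touch()
    return base


def demo():
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The grouping by original extension is what makes selective restore practical: Office documents and databases can be restored first from backup while bulk media waits. The victim-ID set is worth keeping in the incident record because it is also the value the recovery section says to check against Crypto Sheriff.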

2. Detection & Outbreak Timeline

  • First Public Sightings: early-to-mid May 2023.
  • Escalation: waves of bulletins in late July 2023, when Chilean healthcare organisations and US school districts published ISO-27035 incident logs.
  • Still Active: encrypted submissions carrying the .dewd marker continue to be uploaded to ID-Ransomware and VirusTotal on a weekly cadence (as of the last MIC upload, 09 May 2024).

3. Primary Attack Vectors

| Vector | Details & Evidence |
|---|---|
| Phishing “Audio Message” | Malicious ISO/IMG attachments that, when double-clicked, generate a hidden LNK file launching cmd /c start /b <random>.exe inside the image. |
| ProxyShell (CVE-2021-34473/34523) | Honeypots from May–Aug 2023 show w3wp.exe spawning PowerShell payloads that fetch px.exe (later seen writing the !_DECRYPT_FILES_! note). |
| RDP brute-forcing | Common in secondary distribution. Found in PTR artifacts with usernames such as Administrator and helpdesk, followed by a back-to-base binary drop. |
| Software installers | Bundled in “cracked” copies of Acrobat Pro and Windows activators (Trend Micro blog, 25 Aug 2023). |
| SQL Server & TeamCity (CVE-2023-XXXX) | Limited, but observed in East-Asian hosting environments chaining into xp_cmdshell to run an unsigned 64-bit stub that renames volumes to DEWD_DISK. |


Remediation & Recovery Strategies

1. Prevention

  • Disable the WebClient service and block loading of mounted ISO files via GPO ({b5f4c058-aa01-4d0f-98ca-8bd2fd9b3f01} Software Restriction Policies).
  • Patch the CVE-2021-34473/34483 “ProxyShell triad”; disable RDP from the Internet unless it is protected with MFA and NLA.
  • Harden the Exchange side (ExPS rules to block /autodiscover/autodiscover.json?@ URLs).
  • Enforce SRP/AppLocker for unsigned executables under %TEMP% & %APPDATA%.
  • Segment backups: immutable/cloud snapshots with versioning, plus a quarterly offline (tape) fallback.

2. Removal

  1. Isolate: pull the LAN cable / disable the NIC; segregate the infected VLAN immediately.
  2. Identify the running sample:
  • Via Event ID 4688, Event ID 7045 or Sysmon CreateRemoteThread lines of rundll32.exe or a randomly-named %Windir%\Temp\*.exe.
  3. Scan & purge:
  • Boot to Windows PE → run Microsoft Defender Offline (MpCmdRun.exe -SignatureUpdate → -Scan -ScanType 3) or commercial EDR scripts (Cortex XDR “Stop-Dewd.ps1”).
  4. Shadow storage restore: vssadmin list shadows; vssadmin delete shadows /all afterwards (if cleanup is needed); then repatch.
  5. Account hardening: force password changes; revoke cached RDP credentials (cmdkey /list → /delete:target=).
  6. Update engines & OS prior to re-joining the production network.
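
Building on the process-creation indicators in the "Identify the running sample" step and on the attack-vector table (w3wp.exe spawning PowerShell, the cmd /c start /b lure launch, xp_cmdshell children of sqlservr.exe), here is an added Python example, not tooling from the page or from any vendor, that runs a handful of parent/child heuristics over Event ID 4688-style process-creation records. The records are constructed key=value lines written for this example, and the rules are assumptions about what such telemetry would show; they are starting points to tune against your own baseline, not a finished detection set.

```python
import re
from pathlib import PureWindowsPath

# Constructed 4688-style process-creation records (key=value with quoted values).
# Invented for this example; none is real telemetry and no path is a real IoC.
SAMPLE_EVENTS = [
    'EventID=4688 NewProcessName="C:\\Windows\\System32\\svchost.exe" '
    'ParentProcessName="C:\\Windows\\System32\\services.exe" CommandLine="svchost.exe -k netsvcs"',
    'EventID=4688 NewProcessName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentProcessName="C:\\Windows\\System32\\inetsrv\\w3wp.exe" '
    'CommandLine="powershell.exe -NoProfile -WindowStyle Hidden"',
    'EventID=4688 NewProcessName="C:\\Windows\\Temp\\kq9x2v.exe" '
    'ParentProcessName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="kq9x2v.exe"',
    'EventID=4688 NewProcessName="C:\\Windows\\System32\\cmd.exe" '
    'ParentProcessName="C:\\Windows\\explorer.exe" CommandLine="cmd /c start /b d3ltb.exe"',
    'EventID=4688 NewProcessName="C:\\Windows\\System32\\rundll32.exe" '
    'ParentProcessName="C:\\Windows\\System32\\cmd.exe" CommandLine="rundll32.exe C:\\Users\\Public\\x.dll,Run"',
    'EventID=4688 NewProcessName="C:\\Windows\\System32\\cmd.exe" '
    'ParentProcessName="C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe" CommandLine="cmd.exe /c whoami"',
    'EventID=4688 NewProcessName="C:\\Windows\\System32\\notepad.exe" '
    'ParentProcessName="C:\\Windows\\explorer.exe" CommandLine="notepad.exe"',
]

# key="quoted value" or key=barevalue
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = SHELLS | {"wscript.exe", "cscript.exe", "mshta.exe"}


def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def _name(path: str) -> str:
    """Lower-cased basename of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _in_windows_temp(path: str) -> bool:
    """True for paths directly or indirectly under <drive>:\\Windows\\Temp."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) >= 4 and parts[1:3] == ["windows", "temp"]


def check_event(ev: dict) -> list:
    """Return the names of the heuristics an event triggers (empty list if clean)."""
    child = _name(ev.get("NewProcessName", ""))
    parent = _name(ev.get("ParentProcessName", ""))
    cmd = ev.get("CommandLine", "")
    hits = []
    if parent == "w3wp.exe" and child in SHELLS:
        hits.append("iis_worker_spawning_shell")       # ProxyShell post-exploitation pattern from the table
    if parent == "sqlservr.exe" and child in SHELLS:
        hits.append("sql_server_spawning_shell")       # xp_cmdshell chaining from the table
    if child.endswith(".exe") and _in_windows_temp(ev.get("NewProcessName", "")):
        hits.append("exe_launched_from_windows_temp")  # %Windir%\Temp\*.exe from the removal steps
    if child == "rundll32.exe" and parent in SCRIPT_HOSTS:
        hits.append("rundll32_from_script_host")       # heuristic: rundll32 is noisy, so only flag shell/script-host parents
    if re.search(r"\bstart\s+/b\b", cmd, re.IGNORECASE):
        hits.append("cmd_start_b_launch")              # cmd /c start /b <random>.exe lure pattern from the table
    return hits


def triage(lines) -> list:
    """Run every rule over a sequence of records; return one finding per (line, rule)."""
    findings = []
    for n, line in enumerate(lines, start=1):
        ev = parse_event(line)
        if ev.get("EventID") != "4688":
            continue
        for rule in check_event(ev):
            findings.append({"line": n, "rule": rule,
                             "process": ev.get("NewProcessName"),
                             "parent": ev.get("ParentProcessName")})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"line {f['line']}: {f['rule']}  {f['parent']} -> {f['process']}")
```

The parent/child pairs carry most of the signal: an IIS worker or a SQL Server engine should essentially never launch a shell, so those two rules can run at high confidence, while the rundll32 and %Windir%\Temp rules will need an allow-list of your own installers and management agents before they are quiet enough for alerting.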

3. File Decryption & Recovery

  • Decryption Status: not decryptable unless law enforcement releases the master RSA-2048 private key, which has not yet happened.
  • Available Tools & Methods:
  1. No free decryptor from Emsisoft, AVG, Kaspersky or Avast.
  2. Recuva → deep scan, or use TestDisk/PC-3000 to recover previous versions; effectiveness is 0–8 % depending on file-system usage after encryption.
  3. Backups: use immutable cloud storage (AWS S3 Object Lock, Azure Blob immutability) or offline tape if you maintained 3-2-1-1-zero.
  4. Negotiation: do not pay (track record of no decryption and of re-victimisation); treat the ransom demand as unverifiable.

Solid patching against ProxyShell and ProxyLogon, a robust backup regime, and admin segregation remain the only effective recovery path today.

4. Other Critical Information

  • Unique Characteristics: unlike most families, .dewd rarely sets a specific desktop wallpaper; users often believe “Windows update failed” until the ransom note is accidentally opened.
  • Genealogy: morphologically derived from Zeppelin (Delphi installer, same 1 024-byte DEWD marker in the trailer), but with changed key derivation and a different note language register.
  • Global Footprint: 86+ countries; the highest hit rate per 1 000 machines maps to Chile (#) > United States > Thailand > South Africa (C&C tracking by Censys).
  • Decryptor check: the victim ID (305c***) can be entered into nomoreransom.org’s Crypto Sheriff; if a free key is ever leaked, that page will update.

Stay vigilant, patch ruthlessly, test restores monthly, and never execute unexpected attachments!