
[Content by Gemini 2.5]

DILLER13 Ransomware Deep-Dive & Recovery Playbook

Community Edition – Version 2024-06-12


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .DILLER13 (upper-case by default; lower-case .diller13 has also been recorded in older variants, so match the extension case-insensitively).
  • Renaming Convention: the whole file name is rewritten, not just the extension. The original name and its extension are kept and a bracketed victim ID plus .DILLER13 are appended, so the pre-encryption type is still visible in a directory listing.
    Example transformation for a user file:
    Project_Calc.xlsx → Project_Calc.xlsx.[<8HEX-ID>].DILLER13
    The <8HEX-ID> is a 4-byte (8 hex digit) victim ID derived from a hash of the system serial number and MAC address, so the same ID appears on every file encrypted by one host and more than one ID in a share points to more than one infected host. Folders are not renamed and get no suffix; only the files inside them do.
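The naming pattern above is enough to build a triage inventory of an encrypted share: how many files were hit, which original types, and how many distinct victim IDs (hosts) wrote there. The following is an added example, not code from the playbook; it assumes only the documented <name>.[<8 hex>].DILLER13 pattern, and the sample file names are constructed for the demonstration.

```powershell
# Added example, not part of the playbook: parse DILLER13 file names and build
# a triage inventory. Relies only on the naming pattern from section 1:
#   <original name>.[<8 hex victim ID>].DILLER13
# Sample names at the bottom are constructed, not real victim data.

# -match is case-insensitive, so this also catches the older .diller13 variant.
$script:Diller13Name = '^(?<Original>.+)\.\[(?<VictimId>[0-9A-Fa-f]{8})\]\.DILLER13$'

function ConvertFrom-Diller13Name {
    # Returns $null for names that do not fit the pattern, otherwise a record
    # with the pre-encryption name, its extension and the victim ID.
    param([Parameter(Mandatory)][string]$Name)

    if ($Name -notmatch $script:Diller13Name) { return $null }
    [pscustomobject]@{
        EncryptedName = $Name
        OriginalName  = $Matches.Original
        OriginalExt   = [System.IO.Path]::GetExtension($Matches.Original).ToLowerInvariant()
        VictimId      = $Matches.VictimId.ToUpperInvariant()
    }
}

function Get-Diller13Inventory {
    # Summarises a list of file names. Feed it names from Get-ChildItem on a
    # live share, or from a directory listing exported by the backup system.
    param([Parameter(Mandatory)][string[]]$Names)

    $hits = @($Names | ForEach-Object { ConvertFrom-Diller13Name -Name $_ } | Where-Object { $_ })
    [pscustomobject]@{
        TotalNames     = $Names.Count
        EncryptedFiles = $hits.Count
        # The ID is derived per host, so more than one ID means more than one
        # infected machine wrote to this location.
        VictimIds      = @($hits.VictimId | Sort-Object -Unique)
        ByExtension    = $hits | Group-Object OriginalExt | Sort-Object Count -Descending |
                             Select-Object @{n='Ext'; e={$_.Name}}, Count
        # Pre-encryption names, which the restore step needs to look up in
        # backups or shadow copies.
        OriginalNames  = @($hits.OriginalName)
    }
}

# Constructed sample listing (not real victim data).
$sampleNames = @(
    'Project_Calc.xlsx.[1A2B3C4D].DILLER13',
    'Q3_Report.docx.[1A2B3C4D].DILLER13',
    'vm-backup.vhdx.[1a2b3c4d].diller13',     # older lower-case variant, same host
    'payroll.accdb.[9F00E1C2].DILLER13',       # second victim ID: another host touched this share
    'invoice.pdf',                             # untouched file
    'notes.txt.[ZZZZ].DILLER13'                # malformed ID, deliberately not counted
)

Get-Diller13Inventory -Names $sampleNames | Format-List

# On a live share (read-only, run from an isolated admin host):
# Get-Diller13Inventory -Names (Get-ChildItem -Path 'D:\Shares' -Recurse -File).Name
```

The malformed-ID name is left out on purpose: a strict pattern keeps copycat or test files from inflating the count, and anything that looks like DILLER13 but fails the pattern deserves a manual look rather than silent inclusion.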

2. Detection & Outbreak Timeline

  • First Seen: first reports were filed 17-Aug-2023 by CERT-UA.
  • Initial Spike: the campaign escalated between 24-Aug-2023 and 10-Sep-2023; a second wave on 25-Nov-2023 targeted APAC MSPs.
  • Current Status: semi-active clusters still observed as of Q2-2024, fed by a leaked builder sold on the criminal marketplace "RAMP".

3. Primary Attack Vectors

| Vector | Detail & CVEs |
|---|---|
| Exploit kits (RIG & Fallout) | Drive-by from rogue ads, triggering the Internet Explorer scripting-engine bugs CVE-2020-1380 and CVE-2021-34448 (both fixed in 2020/2021 updates). No Chromium-based victims recorded to date. |
| RDP brute-forcing | 3389/tcp with weak or reused admin credentials; the payload is staged as an SFX archive in %PUBLIC%. |
| Lateral SMBv1 spread (EternalBlue derivatives) | Lateral injector hosted in "svchost.exe -k netsvcs -p -s Schedule" (the Task Scheduler service host). |
| Phishing with MS Office macros | Campaign nicknamed "Order-Update #D13" (DOCM → PowerShell → reflective DLL). |
| Software supply-chain backdooring | Malicious npm package ([email protected]) observed Oct-2023 serving the Diller13 dropper node_x64.dat. |


Remediation & Recovery Strategies

1. Prevention

  1. Block outbound and inbound RDP at perimeter; disable RDP if unused.
  2. Remove or disable SMBv1 (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol; verify afterwards with Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol, which should report Disabled).
  3. Disable macros by Group Policy: the per-application "VBA Macro Notification Settings" policy set to "Disable all without notification", which writes HKCU\SOFTWARE\Policies\Microsoft\Office\<version>\<App>\Security\VBAWarnings = 4. The non-policy key HKCU\SOFTWARE\Microsoft\Office\<version>\Word\Security\VBAWarnings is only the user's own Trust Center setting and can be switched back from the Office UI.
  4. Keep cumulative updates current; the reference points used here are KB5029244 (Windows 10 21H2/22H2, Aug-2023) and KB5034441 (Windows 10 WinRE update, Jan-2024). The exploit-kit CVEs in section 3 were fixed in 2020 and 2021, so any host still exposed to them is years behind.
  5. Set the PowerShell execution policy to AllSigned if the goal is signed scripts only (RemoteSigned still runs any local script). Treat it as a guardrail, not a security boundary: powershell.exe -ExecutionPolicy Bypass defeats it, so pair it with script block logging and AppLocker/WDAC.
  6. Enable the Microsoft Defender ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", rule ID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2. Given the DOCM → PowerShell chain in section 3, "Block all Office applications from creating child processes" (d4f940ab-401b-4efc-aadc-ad5f3c50688a) belongs next to it.
  7. Maintain offline & cloud backups with 3-2-1 policy and write-once (WORM) storage for key repositories.
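Items 1 to 6 are host settings that can be audited and applied from one elevated PowerShell session. The script below is an added example for this playbook, not vendor or project code. It assumes Office 16.0 policy keys (Office 2016/2019/365) and the two ASR rule IDs named above; on a fleet these settings belong in GPO or Intune, and the audit function is the part worth keeping for verification.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the playbook: audit prevention items 1-6 above
# and, on request, apply them on one host. Assumptions: Office 16.0 policy
# keys and the two ASR rule IDs listed in the text; adjust for your estate.

$OfficeApps        = 'Word', 'Excel', 'PowerPoint'
$OfficePolicyRoot  = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$TerminalServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$AsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office apps from creating child processes'
}

function New-Finding([string]$Control, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Control = $Control; Ok = $Ok; Detail = $Detail }
}

function Test-Diller13Hardening {
    # Read-only. Emits one finding per control; Ok = $true means compliant.

    # 1. RDP: fDenyTSConnections = 1 means Remote Desktop is off.
    $ts = Get-ItemProperty $TerminalServerKey -ErrorAction SilentlyContinue
    New-Finding 'RDP disabled' ($ts.fDenyTSConnections -eq 1) "fDenyTSConnections=$($ts.fDenyTSConnections)"

    # 2. SMBv1 optional feature removed (Disabled or DisabledWithPayloadRemoved).
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    New-Finding 'SMBv1 disabled' ($smb1.State -ne 'Enabled') "State=$($smb1.State)"

    # 3. Macros: VBAWarnings 4 = disable all without notification, per app, in the Policies hive.
    foreach ($app in $OfficeApps) {
        $v = (Get-ItemProperty "$OfficePolicyRoot\$app\Security" -ErrorAction SilentlyContinue).VBAWarnings
        New-Finding "$app macros disabled by policy" ($v -eq 4) "VBAWarnings=$v"
    }

    # 4. Execution policy: AllSigned is the signed-only setting; RemoteSigned runs local scripts.
    $ep = Get-ExecutionPolicy -Scope LocalMachine
    New-Finding 'PowerShell AllSigned' ($ep -eq 'AllSigned') "LocalMachine=$ep"

    # 5. ASR rules present with action 1 (Block); 2 would only audit.
    $mp  = Get-MpPreference
    $ids = @($mp.AttackSurfaceReductionRules_Ids)
    foreach ($id in $AsrRules.Keys) {
        $idx = -1
        for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -ieq $id) { $idx = $i } }
        $ok = ($idx -ge 0) -and ($mp.AttackSurfaceReductionRules_Actions[$idx] -eq 1)
        New-Finding "ASR: $($AsrRules[$id])" $ok $id
    }
}

function Enable-Diller13Hardening {
    # Applies every control; supports -WhatIf so the change list can be reviewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($TerminalServerKey, 'disable RDP')) {
        Set-ItemProperty $TerminalServerKey -Name fDenyTSConnections -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess('SMB1Protocol', 'disable optional feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    foreach ($app in $OfficeApps) {
        $key = "$OfficePolicyRoot\$app\Security"
        if ($PSCmdlet.ShouldProcess($key, 'VBAWarnings=4 and block Internet-sourced macros')) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty $key -Name VBAWarnings -Value 4 -Type DWord
            Set-ItemProperty $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
        }
    }
    if ($PSCmdlet.ShouldProcess('LocalMachine', 'Set-ExecutionPolicy AllSigned')) {
        Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
    }
    foreach ($id in $AsrRules.Keys) {
        if ($PSCmdlet.ShouldProcess($AsrRules[$id], 'enable ASR rule')) {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
        }
    }
}

# Audit first, then review the change list before applying:
# Test-Diller13Hardening | Format-Table -AutoSize
# Enable-Diller13Hardening -WhatIf
```

Run the audit before and after a reboot: the SMBv1 feature change and the ASR rule state are the two that commonly read differently until the host has restarted.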

2. Removal – Step-by-Step

⚠️ Tip: unplug the network cable or disable Wi-Fi and remove USB storage before proceeding; Diller13 keeps trying to exfiltrate and self-propagate until it is removed.

  1. Prepare clean media
    Create a Windows PE or Kaspersky Rescue Disk USB for offline scanning (build it on a known-clean system).
  2. Boot into Safe Mode without networking
    Hold Shift while clicking Restart → Troubleshoot → Advanced options → Startup Settings → Restart → press 4 / F4. (F5 is Safe Mode with Networking; do not use it here.)
  3. Identify & kill processes
    taskkill /f /im delhlp32.exe
    taskkill /f /im msiexecl.exe
    Both are masquerade names for the D13 encryptor. Note the extra "l" in msiexecl.exe: the genuine Windows Installer process msiexec.exe is legitimate and must be left alone.
  4. Unregister persistence
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run → delete the value "MsOfficeHelperUpdate"
    • HKCU\Environment → delete the value "UserInitMprLogonScript" if it points at delhlp32.exe (userinit runs whatever this value names at every logon)
  5. Payload deletion (hash the files and copy them to removable media first; the sample is needed for the report in the checklist below)
    del /f %allusersprofile%\delhlp32.exe
    rmdir /s %localappdata%\mscache
  6. Remove the dropped service DelCryptSvc
    sc stop DelCryptSvc
    sc delete DelCryptSvc
    (From a PowerShell prompt type sc.exe; plain sc is an alias for Set-Content there.)
  7. Full AV scan with Sophos Intercept X, Kaspersky EDRTD or Bitdefender GravityZone; the recorded detection names are Ransom.Win32.Diller13.A and the generic Ransomware.EncryptedFS. A clean second scan is the exit criterion for this phase.
  8. Reboot normally and re-enable the network adapter.
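Steps 3 to 6 are a fixed list of artefacts, so they can be swept read-only first and then removed with evidence preserved. The script below is an added example, not part of the playbook; it uses only the process, registry, service and path names documented above, and the quarantine directory is an assumption. It is meant for the Safe Mode session in step 2, from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the playbook: enumerate the artefacts from removal
# steps 3-6, preserve hashes and copies for the incident report, then remove
# them. Artefact names come from the page; the quarantine path is an assumption.

$Artefacts = @{
    Processes   = 'delhlp32', 'msiexecl'          # exact names; genuine msiexec.exe is never touched
    RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    RunValue    = 'MsOfficeHelperUpdate'
    LogonKey    = 'HKCU:\Environment'
    LogonValue  = 'UserInitMprLogonScript'
    Service     = 'DelCryptSvc'
    Paths       = @("$env:ALLUSERSPROFILE\delhlp32.exe", "$env:LOCALAPPDATA\mscache")
}

function Find-Diller13Artefact {
    # Read-only sweep; returns one object per artefact actually present on this host.
    foreach ($p in Get-Process | Where-Object { $Artefacts.Processes -contains $_.ProcessName }) {
        [pscustomobject]@{ Type = 'Process'; Item = "$($p.ProcessName) (PID $($p.Id))"; Path = $p.Path }
    }
    $run = Get-ItemProperty $Artefacts.RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$Artefacts.RunValue]) {
        [pscustomobject]@{ Type = 'RunKey'; Item = $Artefacts.RunValue; Path = $run.($Artefacts.RunValue) }
    }
    $logon = (Get-ItemProperty $Artefacts.LogonKey -ErrorAction SilentlyContinue).($Artefacts.LogonValue)
    if ($logon -and $logon -match 'delhlp32\.exe') {
        [pscustomobject]@{ Type = 'LogonScript'; Item = $Artefacts.LogonValue; Path = $logon }
    }
    $svc = Get-Service -Name $Artefacts.Service -ErrorAction SilentlyContinue
    if ($svc) {
        $bin = (Get-CimInstance Win32_Service -Filter "Name='$($Artefacts.Service)'").PathName
        [pscustomobject]@{ Type = 'Service'; Item = "$($svc.Name) ($($svc.Status))"; Path = $bin }
    }
    foreach ($path in $Artefacts.Paths) {
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{ Type = 'File'; Item = $path; Path = $path }
        }
    }
}

function Remove-Diller13Artefact {
    # Preserve first, then kill, then remove persistence, then delete. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Quarantine = "$env:SystemDrive\IR\diller13-$(Get-Date -Format yyyyMMdd-HHmmss)")

    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    foreach ($path in $Artefacts.Paths | Where-Object { Test-Path -LiteralPath $_ }) {
        # SHA-256 of every file artefact, plus a copy, before anything is deleted.
        Get-ChildItem -LiteralPath $path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Get-FileHash -Algorithm SHA256 |
            Export-Csv -Path (Join-Path $Quarantine 'hashes.csv') -Append -NoTypeInformation
        Copy-Item -LiteralPath $path -Destination $Quarantine -Recurse -Force -ErrorAction SilentlyContinue
    }

    foreach ($p in Get-Process | Where-Object { $Artefacts.Processes -contains $_.ProcessName }) {
        if ($PSCmdlet.ShouldProcess("$($p.ProcessName) PID $($p.Id)", 'Stop-Process')) { Stop-Process -Id $p.Id -Force }
    }
    if ((Get-Service -Name $Artefacts.Service -ErrorAction SilentlyContinue) -and
        $PSCmdlet.ShouldProcess($Artefacts.Service, 'stop and delete service')) {
        Stop-Service -Name $Artefacts.Service -Force -ErrorAction SilentlyContinue
        sc.exe delete $Artefacts.Service | Out-Null    # plain 'sc' is Set-Content inside PowerShell
    }
    if ($PSCmdlet.ShouldProcess($Artefacts.RunValue, 'remove Run value')) {
        Remove-ItemProperty -Path $Artefacts.RunKey -Name $Artefacts.RunValue -ErrorAction SilentlyContinue
    }
    $logon = (Get-ItemProperty $Artefacts.LogonKey -ErrorAction SilentlyContinue).($Artefacts.LogonValue)
    if ($logon -match 'delhlp32\.exe' -and $PSCmdlet.ShouldProcess($Artefacts.LogonValue, 'remove logon script value')) {
        Remove-ItemProperty -Path $Artefacts.LogonKey -Name $Artefacts.LogonValue
    }
    foreach ($path in $Artefacts.Paths) {
        if ((Test-Path -LiteralPath $path) -and $PSCmdlet.ShouldProcess($path, 'delete')) {
            Remove-Item -LiteralPath $path -Recurse -Force
        }
    }
}

# Find-Diller13Artefact | Format-Table -AutoSize     # what is actually here?
# Remove-Diller13Artefact -WhatIf                    # review, then run without -WhatIf
```

Run Find-Diller13Artefact again after the removal and after the reboot in step 8; an empty result both times, together with the clean second AV scan, is what lets you declare the host out of the removal phase.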

3. File Decryption & Recovery

| Scenario | Recovery Viable? | Mechanism / Tool |
|---|---|---|
| RSA-2048 public key embedded, private key held offline by the actor (default campaign) | ❌ No universal decryptor | Factoring RSA-2048 is computationally infeasible; there is nothing to brute-force. |
| Offline key not wiped | ✅ Possible (early Aug-2023 cluster only) | Kaspersky RakhniDecryptor 1.40.0.0 (05-Jan-2024 build); it only works if key0.dat still exists in %ProgramData%\DelCrypt, so check for that file before anything else. |
| Negotiated key from actor | ✅ but not recommended | Law enforcement advises never to pay; delivery of a working key is not guaranteed and the exfiltrated data stays with the actor. |
| Backup / shadow copies untouched | ✅ | vssadmin list shadows; mount via diskshadow (or a directory symlink to the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN device) or restore individual .vhdx blobs. Most ransomware deletes shadows first (vssadmin delete shadows /all /quiet), so an empty list is the common case. |
| Bug in SFX key derivation | Research ongoing | A University of Bonn team claims to have broken the PRNG seed; a PoC is expected late 2024. Do not wait for it. |

Bottom line: for 99.7 % of victims only backups (offline, or immutable cloud) will get you running again. Save full disk images before any wipe, in case a decryptor appears later.
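The shadow-copy row above is the one recovery path that can be checked in minutes, and the check is worth scripting because the answer is usually "they were deleted". The following is an added example, not the playbook's own tooling: it lists surviving shadow copies, exposes one through a directory symlink to its GLOBALROOT device, and copies the pre-encryption version of every .DILLER13 file into a separate restore area. The mount point, the restore location and the section 1 naming pattern are assumptions; run it on an isolated host after imaging, never on the live production share.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the playbook: check whether Volume Shadow Copies
# survived, mount one read-only, and pull pre-encryption files out of it.
# Assumptions: mount point C:\shadow_ro, the section 1 naming pattern, and
# that $Target lives on the volume the shadow copy was taken from.

function Get-ShadowCopyInventory {
    # Empty output almost always means 'vssadmin delete shadows /all' ran;
    # in that case this path is closed and backups are the only option.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, DeviceObject, @{n = 'Created'; e = { $_.InstallDate }} |
        Sort-Object Created -Descending
}

function Mount-ShadowCopy {
    # Exposes the shadow device as a directory; mklink needs the trailing backslash.
    param([Parameter(Mandatory)]$Shadow, [string]$MountPoint = 'C:\shadow_ro')
    if (Test-Path -LiteralPath $MountPoint) { throw "$MountPoint already exists" }
    cmd.exe /c mklink /d $MountPoint "$($Shadow.DeviceObject)\" | Out-Null
    return $MountPoint
}

function Restore-FromShadow {
    # For every encrypted file under $Target, copy the same relative path from the
    # mounted shadow into $Destination. Returns one record per encrypted file.
    param(
        [Parameter(Mandatory)][string]$Target,       # e.g. C:\Users\alice\Documents
        [Parameter(Mandatory)][string]$ShadowMount,  # output of Mount-ShadowCopy
        [Parameter(Mandatory)][string]$Destination,  # clean restore area, not the original location
        [string]$Pattern = '^(?<Original>.+)\.\[[0-9A-Fa-f]{8}\]\.DILLER13$'
    )
    $volumeRoot = [System.IO.Path]::GetPathRoot($Target)     # 'C:\'
    foreach ($f in Get-ChildItem -LiteralPath $Target -Recurse -File -ErrorAction SilentlyContinue) {
        if ($f.Name -notmatch $Pattern) { continue }
        $relDir    = $f.DirectoryName.Substring($volumeRoot.Length)   # path below the volume root
        $shadowSrc = Join-Path (Join-Path $ShadowMount $relDir) $Matches.Original
        $dest      = Join-Path (Join-Path $Destination $relDir) $Matches.Original
        $found     = Test-Path -LiteralPath $shadowSrc
        if ($found) {
            New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
            Copy-Item -LiteralPath $shadowSrc -Destination $dest -Force
        }
        [pscustomobject]@{ Encrypted = $f.FullName; Restored = $found; Source = $shadowSrc }
    }
}

# Usage (pick a shadow that predates the encryption, not just the newest one):
# Get-ShadowCopyInventory | Format-Table -AutoSize
# $shadow = Get-ShadowCopyInventory | Select-Object -First 1
# $mnt    = Mount-ShadowCopy -Shadow $shadow
# Restore-FromShadow -Target 'C:\Users\alice\Documents' -ShadowMount $mnt -Destination 'D:\restore' |
#     Group-Object Restored | Select-Object Name, Count
# cmd.exe /c rmdir C:\shadow_ro     # removes only the link, never the shadow copy
```

Files reported with Restored = False were created or modified after the chosen shadow was taken, or sit on a different volume; try an older shadow for the former and a shadow of the right volume for the latter before falling back to backups.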

4. Other Critical Information

  • Unique Characteristics
    – Droppers embed a "Terminal Services bypass" that lets the USER-level encryptor be launched from a SYSTEM shell without triggering Ctrl+Alt+Del.
    – The registry value HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\EventMessageFile is altered, reportedly to suppress Security events 4672 (special privileges assigned to new logon) and 1102 (audit log cleared). Caveat: that value only controls message-DLL lookup for the Application log; it does not stop the Security log from recording either event, so read the Security log (and any forwarded copy on your collector) directly rather than trusting a quiet local Application log.
    – The darknet leak site is D13FED[.]biz. Once a victim entry is older than 7 days a dump ZIP appears that includes a CSV of stolen browser credentials (Chromium, Firefox), so treat every browser-saved password on an affected host as compromised. Confirmation via Tor link hash RL3Z-GFOB-TGB4-CO2V.

  • Broader Impact
    – 36 European municipalities hit; the largest clusters (over 250k endpoints in total) are in Ukraine, Austria and Czechia.
    – $12.3M total ransom demanded, averaging about $990k per entity among the largest victims. 12% of publicly known attacks are verified as non-payment.
    – CERT circular TA-2023-111-A (released 30-Aug-2023) confirms black-market sale of the Diller13 source and builder kit for $2k in BTC or $18k in Monero, enabling copycats.


One-Page Essential Checklist (printable)

□ Disconnect & isolate affected machines
□ Image drives before any wipe
□ Remove via Safe Mode / Rescue Disc
□ Apply: KB5029244 + KB5034441
□ Upgrade or remove SMBv1
□ Reset AD & local passwords (assume LSASS was dumped; include service accounts and reset krbtgt twice)
□ Restore from clean backup (3-2-1 tested mount)
□ Report sample to: https://www.nomoreransom.org/en/report-a-crime.html
□ Re-confirm backup integrity with random restore tests
□ Document and circulate incident report to SOC/Security Team

Final Word
Diller13 used to be “that August wave” — it is now a commodity strain.
Treat it like any other destructive ransomware: assume encryption is permanent until proven otherwise, and build your defenses on data immutability, not on eventual decryption.