dirk Ransomware – Technical Breakdown
1. File Extension & Renaming Patterns
• Confirmation of File Extension: After encryption, dirk appends the literal extension “.dirk” to every file it touches (e.g., Project-Q1.docx becomes Project-Q1.docx.dirk).
• Renaming Convention: The rest of the original file name is left intact (no length truncation, no inserted random bytes), so affected users can still identify which file is which after encryption.
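A small triage script built on the renaming pattern above, added here as an example and not part of the report: it walks a directory tree, lists files carrying the .dirk suffix, recovers each original name by stripping that suffix, and flags directories with a burst of renamed files. The sample files are constructed inline and the burst threshold is an assumed tuning value.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

DIRK_SUFFIX = ".dirk"  # literal extension the report says dirk appends

def original_name(path: str) -> Optional[str]:
    """Strip the trailing suffix to recover the pre-encryption name, or None.
    The report says the original name is left intact, so only the suffix goes."""
    name = os.path.basename(path)
    if not name.endswith(DIRK_SUFFIX) or name == DIRK_SUFFIX:
        return None
    return name[: -len(DIRK_SUFFIX)]

def find_dirk_files(root: str) -> list:
    """Walk root and return sorted full paths of files carrying the suffix."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in filenames
                 if original_name(f) is not None]
    return sorted(hits)

def affected_directories(root: str, threshold: int = 2) -> dict:
    """Directories holding at least `threshold` .dirk files. A burst of renames
    in one place is the triage signal; the threshold is an assumed tuning value."""
    counts = Counter(os.path.dirname(p) for p in find_dirk_files(root))
    return {d: n for d, n in counts.items() if n >= threshold}

def build_sample_tree() -> str:
    """Create a throwaway tree of constructed sample files (not real telemetry)."""
    root = tempfile.mkdtemp(prefix="dirk-demo-")
    for rel in ["finance/Project-Q1.docx.dirk", "finance/Budget-2023.xlsx.dirk",
                "finance/README.txt",      # untouched file
                "hr/Handbook.pdf.dirk",
                "hr/notes.dirk.bak"]:      # suffix not at the end: not a hit
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for hit in find_dirk_files(root):
        print(hit, "->", original_name(hit))
    print("burst directories:", affected_directories(root))
```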
2. Detection & Outbreak Timeline
• Approximate Start Date / Period: Public telemetry and incident-response artefacts suggest dirk began circulating in early November 2023, with a peak surge in the last two weeks of December 2023 driven by large-scale spear-phishing campaigns.
3. Primary Attack Vectors
• Propagation Mechanisms:
  • E-mail Phishing (most common) – The malware is delivered inside OpenDocument Presentation (.odp) or Word documents served via booby-trapped OneDrive share links.
  • Copy & paste from clipboard – Once inside a host, it scrapes the local clipboard for data (passwords, keys) and then immediately attempts lateral movement over Server Message Block v1.
  • Vulnerable MSSQL & RDP – dirk's post-exploitation binary hunts for exposed TCP 1433/3389 services that still accept NTLM logins; default or easily guessed credentials are then brute-forced to pivot deeper into the network.
  • EternalBlue (CVE-2017-0144) – Although an older exploit, unpatched Windows 7/2008 R2 endpoints are leveraged for rapid lateral spread once the initial foothold is established.