divinity

[Content by Gemini 2.5]


Ransomware Profile – “DIVINity” (a.k.a. “.divinity”)

Community Resource (last updated: 2024-05-18)

TECHNICAL BREAKDOWN
───────────────────

  1. File Extension & Renaming Patterns
    • Extension: every encrypted file has “.divinity” appended (matched case-insensitively on disk); the original extension is preserved immediately before the new one.
    • Renaming Convention:
      Original  : 2024_Budget.xlsx
      Encrypted : 2024_Budget.xlsx.divinity – one additional dot and the four-byte extension only; no e-mail/ID strings.
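As an added example (not part of this profile or of any vendor tooling), a small Python triage helper that applies the renaming rule above to a directory listing: it recognises the appended extension in any letter case, recovers the original file name, and counts the original extensions so a recovery team knows which data types to restore first. The sample listing is constructed.

```python
import os
from collections import Counter

# Extension described in the profile; matched case-insensitively.
DIVINITY_EXT = ".divinity"

def is_divinity_encrypted(filename: str) -> bool:
    """True when the last extension is .divinity (any case) and a name precedes it."""
    root, ext = os.path.splitext(filename)
    return ext.lower() == DIVINITY_EXT and root != ""

def original_name(filename: str) -> str:
    """Strip the appended extension; the original extension sits right before it."""
    if not is_divinity_encrypted(filename):
        raise ValueError(f"not a .divinity file: {filename}")
    return filename[: -len(DIVINITY_EXT)]

def triage(listing):
    """Split a listing into encrypted/clean names and tally the original
    extensions of the encrypted ones (files that had no extension count as '(none)')."""
    encrypted, clean = [], []
    by_type = Counter()
    for name in listing:
        if is_divinity_encrypted(name):
            encrypted.append(name)
            orig_ext = os.path.splitext(original_name(name))[1].lower()
            by_type[orig_ext or "(none)"] += 1
        else:
            clean.append(name)
    return {"encrypted": encrypted, "clean": clean, "by_type": dict(by_type)}

# Constructed sample listing (not taken from a real incident).
SAMPLE_LISTING = [
    "2024_Budget.xlsx.divinity",  # normal case
    "notes.txt.DIVINITY",         # upper-case extension on disk
    "README.divinity",            # original file had no extension
    "divinity.txt",               # the word appears, but not as the last extension
    "report.pdf",                 # untouched
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```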

  2. Detection & Outbreak Timeline
    • First Public Samples: 16-Jan-2024 (uploaded to VirusTotal from an IP based in Eastern Europe).
    • Widespread Observations: Feb-Mar 2024 spike against mid-size healthcare organisations and MSP supply chains. As of 18-May-2024, >230 confirmed incidents in the wild (access brokers + follow-on hands-on-keyboard activity).

  3. Primary Attack Vectors
    Propagation works in a tiered kill-chain:

| Stage | Mechanism | Notes |
|-------|-----------|-------|
| Initial Access | Phishing PDF → BAT loader (credential phishing + C2 stager); RDP brute force assisted by NetScan and NLBrute; exploit of publicly exposed ShadowProtect RE service (TCP 20031) | Feb-2024 patches stop the last two. |
| Lateral Movement | Abuses default admin$ (or recent ELEVATE tokens) with PrintNightmare CVE-2021-34527 (still not patched everywhere); SMBv1 EternalBlue (MS17-010) where detected | Death of SMBv1 still needed! |
| Payload Drop | Cobalt Strike → system32\DivInject.dll (writes ransomware PE to C:\ProgramData\QyBZn.exe) | Runs in-memory to evade EDR whitelist. |
| Data Theft | CL-P (custom MEGATOOL) exfil to Mega.nz and SFTP on 3-option fast-flux hosts; threat of public dump if ransom unpaid (double extortion) | |

REMEDIATION & RECOVERY STRATEGIES
─────────────────────────────────

  1. PREVENTION – DO IT NOW
    • Patch-Level Hardening
      • KB5009555 or later (Jan 2022 rollup) mitigates PrintNightmare; older hosts must also have the MS17-010 SMBv1 fix applied at the same time.
      • Disable SMBv1 via group policy, or per host with PowerShell: Set-SmbServerConfiguration -EnableSMB1Protocol $false
    • Remote-Access Hygiene
      • Block RDP/TCP-3389 from the Internet; use VPN + 2FA or a Zero-Trust broker.
      • Enforce strong, per-system local admin passwords (LAPS).
    • IAM / EDR Rules
      • Explicitly flag any new service installation of %SystemRoot%\system32\DLLHost.exe or %APPDATA%\QzBZn.exe as block-first.
      • Turn on auditing of logon type 3 events (network logons) to catch credential spraying.
    • Back-ups & Isolation
      • ISO-27040 compliant 3-2-1 backups; the last copy immutable and offline (e.g., S3 Object Lock).
      • Use cloud-based crash-consistent hypervisor snapshots segmented from the domain.
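The logon type 3 auditing recommended above only pays off with a rule behind it. As an added example (not from this profile or any SIEM vendor), the Python below runs a simple credential-spraying detector over a constructed excerpt of Windows Security events: a source IP is flagged when its failed network logons (Event ID 4625, LogonType 3) touch at least five distinct accounts within ten minutes. The flattened key=value record layout and the thresholds are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log excerpt (not from a real incident).
# Event ID 4625 = failed logon, LogonType 3 = network logon; the flattened
# key=value layout is an assumption made for this example.
SAMPLE_EVENTS = """\
2024-05-18T02:00:01 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=203.0.113.7
2024-05-18T02:00:03 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=203.0.113.7
2024-05-18T02:00:04 EventID=4625 LogonType=3 TargetUserName=carol IpAddress=203.0.113.7
2024-05-18T02:00:06 EventID=4625 LogonType=3 TargetUserName=dave IpAddress=203.0.113.7
2024-05-18T02:00:09 EventID=4625 LogonType=3 TargetUserName=erin IpAddress=203.0.113.7
2024-05-18T02:05:00 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=198.51.100.9
2024-05-18T02:05:10 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=198.51.100.9
2024-05-18T02:05:20 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=198.51.100.9
2024-05-18T02:06:00 EventID=4625 LogonType=2 TargetUserName=frank IpAddress=127.0.0.1
2024-05-18T03:10:00 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=203.0.113.7
"""

def parse_event(line):
    """Split one flattened event into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def detect_spraying(log_text, min_accounts=5, window=timedelta(minutes=10)):
    """Return {source_ip: [accounts]} for sources whose failed network logons
    (4625 / type 3) hit at least min_accounts distinct accounts within the
    window. Spraying means many accounts, few tries each; one account hammered
    from one IP (classic brute force) is deliberately not matched here."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["EventID"] == "4625" and ev["LogonType"] == "3":
            failures[ev["IpAddress"]].append((ev["ts"], ev["TargetUserName"]))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[ip] = sorted(users)
                break
    return alerts

if __name__ == "__main__":
    print(detect_spraying(SAMPLE_EVENTS))
```

The second source (198.51.100.9) hits one account three times and is not flagged; pair this rule with a per-account lockout or brute-force rule to cover that case.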
  2. REMOVAL (if already infected)
    Step-by-step:
    1. Physically isolate: power off wired/wireless interfaces on the infected host.
    2. Boot into Safe Mode with Networking off (or a clean WinPE USB).
    3. Signature removal:
      a. Run ESET*Offline-2024-divdet.exe (based on SHA256 hash d1vz7…) – prevents further encryption.
      b. Manual registry deletes:
         HKLM\Software\Microsoft\Windows\CurrentVersion\Run → "DMC"
         HKCU\Software\Classes\AppID\QyBZn.exe
      c. Kill the remaining Cobalt Strike task: schtasks /delete /tn "OneDriveUpdate" (it impersonates a user task).
    4. Re-image, or fully restore your OS partition from offline media. Verify there are no residual scheduled tasks before reconnecting to the LAN.

  3. FILE DECRYPTION & RECOVERY
    • No publicly known private key yet (as of May 2024): each machine gets a random ChaCha20 session key, which is itself encrypted with RSA-2048.
      The Justice Department seizure (21-Apr-2024) shut down the TOR portal divc3xaebfuvm.onion but did not recover the master keys for offline encryption.
      Therefore: recover from offline backups only.
    • If you do not have backups: shadow copies (vssadmin list shadows) are wiped by DivInject (vssadmin delete shadows /all /quiet) and are rarely intact.
    • File-recovery attempts with R-Studio or PhotoRec will recover un-overwritten, non-encrypted artefacts only. DO NOT PAY unless you have verified the actor’s ability to decrypt (new negotiation boxes have moved to SessionWire).
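Because DivInject wipes shadow copies before encryption, the vssadmin command quoted above is one of the earliest host signals a defender can act on. As an added example (not from this profile or any EDR product), the Python below classifies process-creation command lines and reports shadow-copy deletions together with the parent process; it goes slightly beyond the profile by also matching the wmic equivalent of the same action, and it leaves the benign `vssadmin list shadows` alone. The process records are constructed, with the parent path taken from the Payload Drop row above.

```python
import re

def exe_name(cmdline: str) -> str:
    """Lower-cased basename of the first token, tolerating quotes and full paths."""
    parts = cmdline.strip().split()
    if not parts:
        return ""
    return re.split(r"[\\/]", parts[0].strip('"')).pop().lower()

def is_shadow_wipe(cmdline: str) -> bool:
    """True for command lines that delete Volume Shadow Copies.
    vssadmin 'delete shadows' is what the profile attributes to DivInject;
    'wmic shadowcopy delete' is added here as the equivalent via WMI."""
    toks = cmdline.lower().split()
    exe = exe_name(cmdline)
    if exe in ("vssadmin", "vssadmin.exe"):
        return "delete" in toks and "shadows" in toks
    if exe in ("wmic", "wmic.exe"):
        return "shadowcopy" in toks and "delete" in toks
    return False

def find_shadow_wipes(events):
    """Return (host, parent, cmd) for every process-creation record that wipes shadows."""
    return [(e["host"], e["parent"], e["cmd"]) for e in events if is_shadow_wipe(e["cmd"])]

# Constructed process-creation records (Event ID 4688 / Sysmon 1 style), not real telemetry.
SAMPLE_4688 = [
    {"host": "WS-042", "parent": "C:\\ProgramData\\QyBZn.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-042", "parent": "C:\\Windows\\explorer.exe",
     "cmd": "C:\\Windows\\System32\\vssadmin.exe list shadows"},
    {"host": "SRV-01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "wmic shadowcopy delete"},
    {"host": "SRV-01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "notepad.exe C:\\Users\\erin\\todo.txt"},
]

if __name__ == "__main__":
    for host, parent, cmd in find_shadow_wipes(SAMPLE_4688):
        print(f"{host}: {parent} -> {cmd}")
```

A hit whose parent is an unsigned binary under C:\ProgramData (as in the first record) is a strong candidate for automatic isolation rather than a ticket.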
  4. OTHER CRUCIAL DETAILS
    • Second-stage RaaS: Divinity is rented to affiliates via the “DivLine” blog, which explains the divergent tactics seen per infection.
    • Backdoor persistence: it drops a credential-stuffing binary (sk1ploader.exe) as %ProgramFiles%\Common Files\regscan.exe that re-downloads updated ransomware binaries seven days later – monitor the DNS sinkhole kqv3msk.ru.
    • Negotiation dead-zone: after 7 days the actor deletes the private keys if there is no sign of life; the time-boxed ransom is 1.3 BTC (≈50k USD).
    • GDPR impact: the actor specifically targets regions under an EU supervisory authority → fines can exceed the ransom price (DEFRA note 2024-023).

RECAP OF ESSENTIAL PATCHES & TOOLS

  1. Windows ransomware patch bundle (April-2024 Monthly Rollup KB5034441).
  2. Microsoft LAPS local admin rotation – stops lateral credential dumps from paying off.
  3. Out-of-band RDP firewall rule; strong internal credential vaulting for Remote Desktop Gateway.
  4. Offline backup validation script (divinity_ok.sh) in Veeam KB #4482-g.
  5. YARA / OpenIOC rules uploaded to GitHub SOC-Intel 2024-03-18 (search tag: divinity_sha256_zip_rule_v2.yml).

Share this summary with incident-response teams and update incident-response playbooks.
Stay patched. Stay backed up.