doubleoffset

[Content by Gemini 2.5]

DOUBLEOFFSET Ransomware – Comprehensive Resource and Action Guide


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of Extension: Encrypted files receive the extension “.doubleoffset” appended after any existing extension (*.docx ▸ *.docx.doubleoffset).
  • Renaming Convention: The virus keeps the original filename and only adds the new suffix; affected directories are therefore easy to identify with search patterns such as "*.doubleoffset" in Windows PowerShell or find -name "*.doubleoffset" on Linux/ESXi.

2. Detection & Outbreak Timeline

  • Approximate First Detection: November 20–22, 2023, during a surge of infections against manufacturing and healthcare verticals in the Americas and EMEA.
  • Active Campaign Notables: Rapid expansion through December 2023, with steady but lower-volume waves into Q1-2024, suggesting affiliate-based or RaaS (“Ransomware-as-a-Service”) distribution rather than a single-actor blast.

3. Primary Attack Vectors

| Vector | Detailed Method | Mitigation Focus |
|---|---|---|
| Remote Desktop Protocol (RDP) | Brute-force on exposed 3389, or purchase of access brokers’ lists, followed by lateral movement via PsExec & WMI. | Limit RDP to VPN, enforce 2FA, geo-blocking, NLA. |
| Phishing Payload | ISO, ZIP, or OneNote attachment campaigns delivering DoubleOffset via MSI/PS1 droppers. | Attachment sandboxing, macro/OneNote blocking, user awareness. |
| ProxyLogon/Log4j Public Exploits | Exploits against outdated Exchange, vCenter, and Confluence to drop a Cobalt Strike beacon that stages the ransomware. | Priority patching (CVE-2021-34473, CVE-2021-44228). |
| Cloud APIs & S3/SMB Recon | Harvested access/secret keys are abused to spin up rogue EC2/Azure instances that run the payload against full cloud estates. | Nightly cloud-credential alerts (e.g., AWS GuardDuty, Defender for Cloud). |


Remediation & Recovery Strategies:

1. Prevention (First 48-hour checklist)

  1. Patch Windows cumulative updates (include MS17-010 for legacy SMBv1).
  2. Enable “Microsoft Defender Network Protection” & the “Attack Surface Reduction” rule ID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b (Block executable files from running unless they meet a prevalence or trusted list criterion).
  3. Disable RDP port-forwarding at the firewall; create jump-boxes with 2FA.
  4. Deploy EDR sensors and place canary/bait files in key shares (idaq.canary).
  5. PowerShell restriction policy: restrict script execution to signed scripts only.

2. Removal – Step-by-Step

  1. Isolate: Physically disconnect the infected VLAN, disable Wi-Fi, and shut down additional shares.
  2. Boot to Safe Mode: (Windows 11: Shift + Restart ▸ Troubleshoot ▸ Advanced ▸ Safe Mode with Networking).
  3. Scan & Clean: Run a contemporary EDR (SentinelOne, Sophos, CrowdStrike) to target the file hashes:
     • DoubleOffsetLoader.exe (SHA-256: bc4a8...3d6f)
     • secrets64.dll (SHA-256: f07e...)
  4. Registry cleanup: eradicate the scheduled-task persistence keys
     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CntOffset and
     HKLM\...\System\CurrentControlSet\Services\OffsetDrv.
  5. Reboot & verify: Re-scan with MSERT or the Trend Micro Ransomware Remediation tool.

3. File Decryption & Recovery

  • Current Status (Q2-2024): NO public/private decryptor exists. DoubleOffset implements its ChaCha20 + RSA-2048 CHS hybrid encryption correctly, and there have been no master key leaks to date.
  • Recovery Paths:
  1. Restore from offline / immutable backups adhering to the 3-2-1 rule.
  2. Explore volume-shadow copies (vssadmin list shadows): only early variants (Nov-Dec 2023) inadvertently left some intact; late 2023 builds delete them.
  3. If no backups are available, note that paying offers no guarantee of recovery; the adversaries demand 0.3–1.2 BTC and occasionally publish or auction stolen data.
  4. Forensic salvage: memory captures can recover the local public RSA key (harmless on its own) but not the private key, which exists only on the C2.

4. Essential Tools & Patches

| Tool/Patch | Purpose | Link |
|---|---|---|
| Microsoft June-2023 patch (KB5027223) | Hardens RDP channel | Catalog |
| Trend Micro ODWR 3.5 | Remediation-specific scan | support.trendmicro.com |
| SentinelOne Ranger 2024.1 | Network isolation & script kill | SentinelOne |
| Malwarebytes Ransomware Rollback DB v2.2 | Rollback of ransomware file changes | Malwarebytes |
| PowerShell “Restricting Language Mode” script | Prevent lateral movement | Microsoft Learn |

5. Other Critical Information

  • Encryption Caution Flags:
    – Skips C:\Windows and VMX/VMDK files (to keep compromised hosts running longer).
    – Uses IPv6 + DoH tunnels (dns.google) for C2, complicating DNS blackholing.
  • Linux Stage: A separate, statically linked ELF variant (doubleoffset.ko) has been found on ESXi hosts; it encrypts VMFS via vSphere auth-token reuse. Patch ESX/ESXi against CVE-2021-21974.
  • Ransom Note Dropped: DECRYPTION-HOW-TO.txt placed in every folder; e-mail contact variable (changes daily: offset@securemailpro[.]net, help@ransomcipher[.]co).
  • Phishing Language Trends: Active English, Spanish, Portuguese lures reflecting targeted regions.
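As an added example (not code from the original guide), the following Python triage script ties together three indicators the guide names in different places: the .doubleoffset suffix from section 1, the idaq.canary bait files from the prevention checklist, and the DECRYPTION-HOW-TO.txt note above. The share it scans is a constructed fixture in a temp directory, and the baseline-hash approach for canaries is this example's own assumption, not the guide's.

```python
import hashlib
import os
import tempfile
from pathlib import Path

EXT = ".doubleoffset"            # suffix appended to encrypted files
NOTE = "DECRYPTION-HOW-TO.txt"   # ransom note dropped in every folder
CANARY = "idaq.canary"           # bait-file name from the prevention checklist

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def plant_canary(share):
    """Drop a bait file in a share and return (path, baseline hash)."""
    p = Path(share) / CANARY
    p.write_bytes(b"canary file: never touched by legitimate users\n")
    return str(p), sha256(p)

def triage(root, canary_baseline):
    """Report renamed files, ransom notes, and canaries that vanished or changed."""
    report = {"encrypted": [], "notes": [], "canary_alerts": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(EXT):           # *.docx -> *.docx.doubleoffset
                report["encrypted"].append(full)
            elif name == NOTE:
                report["notes"].append(full)
    for path, expected in canary_baseline.items():
        if not os.path.exists(path) or sha256(path) != expected:
            report["canary_alerts"].append(path)
    return report

def build_sample_share():
    """Constructed fixture (not real malware output): share after a partial run."""
    root = Path(tempfile.mkdtemp(prefix="doubleoffset_demo_"))
    share = root / "finance"
    share.mkdir()
    baseline = dict([plant_canary(share)])
    (share / "q4.xlsx").write_bytes(b"intact spreadsheet")
    (share / ("report.docx" + EXT)).write_bytes(b"\x00\x11opaque")
    (share / CANARY).rename(share / (CANARY + EXT))   # canary renamed like a victim file
    (share / NOTE).write_text("constructed placeholder note\n")
    return str(root), baseline

if __name__ == "__main__":
    root, baseline = build_sample_share()
    for key, hits in triage(root, baseline).items():
        print(f"{key}: {len(hits)}", *hits)
```

Point triage() at a real share root with the baseline hashes recorded when the canaries were planted; a non-empty canary_alerts list is the earliest signal that the share was reached.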

Broader Impact:

  • Disrupted 15 small- to mid-size hospitals over four days, causing ambulance rerouting.
  • Highlighted weak MFA practices on VPN/RDP appliances.
  • Prompted CISA Alert AA23-374A on DoubleOffset recommendations.

End of guide; review quarterly to reflect new tools or leaked decryptor availability.