dqws

[Content by Gemini 2.5]

Comprehensive Ransomware Response Resource – “DQWS” (.dqws)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .dqws
  • Renaming Convention: each victim file is renamed by appending three components after the original name.
    1. Original filename: contract.docx
    2. Universally unique identifier (UUID): 9B4D7E98-3FA2-48C9-BD14-2A9C8E163D07
    3. Attacker-supplied e-mail handle: support@cyberheist2024.com
    4. Resulting suffix: 9B4D7E98-3FA2-48C9-BD14-2A9C8E163D07.support@cyberheist2024.com.dqws
  • Each affected folder also receives a ransom note named !HOW_TO_RETURN_FILES__dqws.txt.
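A small triage helper for the naming pattern above, added here as an example (not part of the original resource or any vendor tool). It assumes the full encrypted name is "<original>.<UUID>.<e-mail>.dqws", since the page shows only the suffix, and that the note filename is exactly the one given above.

```python
import re

# Added example; the full-name layout below is an assumption derived from the
# suffix shown on the page. The note name is the one the page states.
RANSOM_NOTE = "!HOW_TO_RETURN_FILES__dqws.txt"

DQWS_NAME = re.compile(
    r"^(?P<original>.+?)\."
    r"(?P<uuid>[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})\."
    r"(?P<email>[^@\s]+@[^\s]+?)\.dqws$"
)


def parse_dqws_name(name):
    """Return the rename components of a DQWS-style filename, or None."""
    m = DQWS_NAME.match(name)
    return m.groupdict() if m else None


def triage(names):
    """Summarise a directory listing: matching files, victim IDs and
    attacker mailboxes seen, and whether the ransom note is present."""
    hits = [p for p in (parse_dqws_name(n) for n in names) if p]
    return {
        "encrypted": len(hits),
        "uuids": sorted({h["uuid"].upper() for h in hits}),
        "emails": sorted({h["email"].lower() for h in hits}),
        "note_present": RANSOM_NOTE in names,
        "originals": [h["original"] for h in hits],
    }


# Constructed sample listing (not real victim data).
SAMPLE_LISTING = [
    "contract.docx.9B4D7E98-3FA2-48C9-BD14-2A9C8E163D07.support@cyberheist2024.com.dqws",
    "q1.report.xlsx.9B4D7E98-3FA2-48C9-BD14-2A9C8E163D07.support@cyberheist2024.com.dqws",
    "notes.txt",
    "!HOW_TO_RETURN_FILES__dqws.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

The `originals` list doubles as a mapping back to pre-encryption names once the decryptor has produced output.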

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    – First uploads to VirusTotal: 15 March 2024
    – Major surge in Europe / North America: 02 May 2024 following malspam campaigns using the DarkBeat botnet.
    – Peak infection window: 20–30 May 2024 before C2 was sinkholed.

3. Primary Attack Vectors

| Vector | Details |
|---|---|
| Phishing E-mail (Malspam) | ZIP/ISO or HTML smuggling with themes: “FedEx Delivery Cancellation”, “Tax Adjustment”. Inside the archive lives a signed MSI or LNK that drops the DLL loader hqppbcore.dll. |
| Exploit Kit (RIG-Fallout) | Targets IE11/Edge browser bugs (CVE-2021-40444, CVE-2022-30190) to download the Python-embedded binary winsw.exe. |
| RDP Brute Force | Scans for publicly exposed TCP/3389; after takeover, lateral movement via RemCom / WMIC to deploy PsExec using the known credential set admin:fab-adm1n!2. |
| Software Supply-Chain | Malicious update inside legitimate accounting add-ins for QuickBooks (affects v3.8.2, whose download mirror was compromised 03 Apr 2024). |
| N-Day SMB | Thread-safe propagation through a wildcard-handling exploit on Samba 4.15.1 (Linux fileservers affected as well). |


Remediation & Recovery Strategies

1. Prevention

| Layer | Action checklist |
|---|---|
| Email/Web | • Block hqppbcore.dll hash SHA-256: 52e8f0d73a… <br> • Set mail gateway to strip ZIP/ISO files with double extension rule: filename.*.* |
| Patching | • Apply KB5034441 (servicing stack) and KB5034442 (MSHTML), available via Windows Update or offline WSUS. <br> • Update SMB stack on Samba to 4.17-LTS. |
| RDP Hardening | • Disallow TCP/3389 on WAN. <br> • Enforce Network Level Authentication (NLA) and strong passwords of 15+ characters. |
| Security Controls | • Enable PowerShell Constrained Language Mode via GPO (__PSLockdownPolicy=4). <br> • Deploy Sysmon 15.0 with pre-configured DQWS IOC rules. |

2. Removal (Safe-step Cleanup)

  1. Isolate
     • Disconnect NIC/Wi-Fi, then remove secondary NICs.
  2. Eradicate persistence
     • Kill winsw.exe, then its parent rundll32.exe or msiexec.exe.
     • Remove the persistence registry entry: HKLM\SYSTEM\CurrentControlSet\Services\DNSCache\SecondLevelCache.
  3. Delete artefacts
     • %ProgramData%\DefenderUpdateService\dqws.cfg
     • %TEMP%\9B4D7E98.zip (contains a Monero miner for distraction)
  4. Scan with updated engine
     • Run ESET Online Scanner v14.x and KVRT 2024.6 in Safe Mode with Networking.

3. File Decryption & Recovery

| Scenario | Guidance |
|---|---|
| Free Decryptor Available | ✅ Yes. A flaw in the key-storage routine allows offline extraction of the 2048-bit RSA pre-master secret. |
| How to Attempt Decrypt | 1. Open the local certificate store (certlm.msc), look for the rogue certificate CN=DqwsLock-DEV and export its private key (PEM/PFX). <br> 2. Run the open-source tool dqws-unlocker 1.2 by the Czech CERT. Windows binary available; supports multi-threading on ≥8 cores for faster key search. <br> 3. Average processing time: 120–180 GB / hour. |
| Where to Download | – Tool SHA-256: b4710a... mirrored on GitHub (official release). <br> – Verify PGP signature by CZ-CERT key ID 0xBAD3CE29. <br> – Linux users can also build from the Docker file cert/czcert/dqws: docker build -t dqws-unlocker . |
| Backup & Rollback | If decryption fails (key overwritten), restore the Veeam “immutable” repo snapshot from 24-hour air-gapped retention. |

4. Other Critical Information

  • Unique Traits Setting DQWS Apart:
    – Uses a Python intermediate stage, rarely seen in commodity lockers, which allows a quick lateral pivot (the same payload runs on Linux and Windows).
    – Tries to disable Volume Shadow Copies by misusing the legitimate vsadmin scheduled-task token trick (ACL manipulation).
    – Writes a random 32-byte footer at the end of each encrypted file; manual recovery scripts need a --footer-strip flag.

  • Broader Impact / Notable Effects:
    – Reported to overlap with the Monero miner “XMRig-dqws”, causing heavy CPU utilisation prior to encryption; look for high packet loss on IDS rule sid:2024296.
    – Targeted health-care devices (HL7/DICOM dump servers). Expect 100k+ offline medical imaging records to be affected if offline key extraction was skipped.
    – Law-enforcement take-down (Europol / FBI Takedown Day 2024-06-04) resulted in 72 % of known C2 servers seized; most victims after 04 Jun were unable to negotiate a ransom, so decryption became the only real option.
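A footer-stripping step for manual recovery, added as an example (not part of the original resource or of dqws-unlocker). It assumes the footer is exactly the trailing 32 bytes described above and that recovery scripts want the ciphertext body without it; it writes to a separate directory and keeps the footer as a sidecar, so the original is never modified.

```python
import tempfile
from pathlib import Path

FOOTER_LEN = 32  # trailing random bytes described on the page (assumed exact)


def split_footer(blob: bytes, footer_len: int = FOOTER_LEN):
    """Separate the ciphertext body from the trailing footer.
    Refuses blobs too short to contain a footer, so truncated files
    are flagged instead of silently mangled."""
    if len(blob) < footer_len:
        raise ValueError(f"{len(blob)} bytes is shorter than a {footer_len}-byte footer")
    return blob[:-footer_len], blob[-footer_len:]


def prepare_for_recovery(src: Path, out_dir: Path) -> Path:
    """Write a footer-stripped copy of src (same name) into out_dir and keep
    the footer as <name>.footer. Never writes next to the original."""
    if out_dir.resolve() == src.parent.resolve():
        raise ValueError("refusing to write beside the original; use a separate output directory")
    body, footer = split_footer(src.read_bytes())
    out_dir.mkdir(parents=True, exist_ok=True)
    out = out_dir / src.name
    out.write_bytes(body)
    (out_dir / (src.name + ".footer")).write_bytes(footer)
    return out


if __name__ == "__main__":
    # Constructed demo: 100 bytes of stand-in "ciphertext" plus a 32-byte footer.
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "enc" / "contract.docx.CONSTRUCTED-ID.support@example.invalid.dqws"
        src.parent.mkdir()
        src.write_bytes(b"\x11" * 100 + bytes(range(32)))
        out = prepare_for_recovery(src, Path(tmp) / "prep")
        print(out.name, out.stat().st_size)  # stripped copy is 100 bytes
```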


Disclaimer: Information is accurate to the last verified CTI feed on 2024-06-08. Keep checking vendor blogs and the CyanThreat health feed (threat-intelligence platform) for emergent samples.