drlk

[Content by Gemini 2.5]

DRUK / “drlk” Ransomware – Community Threat Brief

(Updated June 2025)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmation of file extension: .drlk (lower-case, four characters, appended verbatim).
  • Renaming convention:
    Original name → <original_name>.<original_extension>.drlk
    Example: 2025-Budget.xlsx becomes 2025-Budget.xlsx.drlk
    The malware does not scramble the base file name, which helps quick triage in large file-shares.

2. Detection & Outbreak Timeline

  • First public upload to ID-Ransomware: 14-Aug-2024.
  • First enterprise SOC telemetry: 11-Aug-2024 (Asia-Pac time-zone).
  • Peak wave: 20-Aug-2024 through 10-Sep-2024; smaller clusters still observed Q2-2025.
  • Note: DRUK is a direct successor of the “MUSA” campaign (.musa extension) that ended July-2024; same builder, same TOR handles, updated crypter only.

3. Primary Attack Vectors

  1. Server-side initial access – ~65 % of incidents. Exploits public-facing, unpatched flaws:
     • CVE-2023-34362 (MOVEit Transfer SQLi)
     • CVE-2023-4966 (Citrix NetScaler “CitrixBleed” session hijack)
     • CVE-2024-4577 (critical PHP-CGI argument injection, disclosed June-2024, actively used by DRUK within 72 h).
  2. Phishing e-mails with ISO → LNK chains – ~20 %.
  3. Stolen / brute-forced RDP / AnyDesk credentials – ~10 %.
  4. Living-off-the-land tools post-break-in:
     • powershell -e (encoded) to drop a .NET loader,
     • wmic to delete shadow copies,
     • nslookup to resolve TOR bridges hard-coded in the binary.
  5. Lateral movement:
     • Uses renamed PAExec / PsExec to push a 695-kB dropper (drvss.exe) to administrative shares.
     • Employs SharpSystemTriggers to obtain AD replication rights, then pushes a GPO-scheduled task for mass execution.

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

☐ Patch or isolate every internet-exposed system against the CVEs listed above (especially CVE-2024-4577).
☐ Disable PHP-CGI mode in all Windows AMP stacks – switch to PHP-FPM.
☐ Enforce 2FA on remote-desktop gateways, VPNs and Citrix ADC.
☐ Enable Windows ASR rules: “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”.
☐ Segment flat networks; put file-servers in a separate VLAN with SMB signing enforced (this breaks older PsExec versions and also DRUK’s copy module).
☐ Set GPO: “Network security: Restrict NTLM: incoming NTLM traffic – Deny all”.
☐ Application whitelisting (WDAC / AppLocker) and FSR / AMSI integration.
☐ Immutable, offline, password-protected backups (3-2-1 rule) with periodic restore drills.

2. Removing Active Infections (step-by-step)

A. Disconnect the machine(s) from the network – both Ethernet & Wi-Fi.
B. Collect volatile evidence (RAM image) if legal/HR permits; otherwise proceed directly to remediation.
C. Boot from a clean, external Windows PE or Linux Live USB → run a full disk scan with:
   • Updated Microsoft Defender (platform 1.413 or newer) or
   • Sophos AV (IDE 5.5+) or
   • Kaspersky RU 2025 build (detects Trojan-Ransom.Win32.DRUK.a).
   Detected components you should expect:
   • C:\Users\Public\Libraries\drvss.exe (dropper, VT 65/72)
   • C:\ProgramData\ntuser.dat (AES key blob)
   • C:\ProgramData\dr_uns.exe (desktop wallpaper changer)
   • Scheduled task DruKeep (used to restart the binary).
D. Manually delete the above artefacts after the AV engine reports they are no longer loaded.
E. Clean every Run/RunOnce registry value whose name contains “dr” or is a random 4-letter string under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
F. Reboot → verify the ransomware executable is no longer spawned.
G. Patch the entry-point vulnerability (MOVEit, PHP-CGI, Citrix, etc.) before reconnecting to the network.

3. File Decryption & Recovery

  • Decryptability: No – DRUK uses Curve25519 for the asymmetric key wrap and AES-256 in CTR mode. Keys are generated per victim and stored only on the attacker’s C2, which is reached over TOR.
  • No free decryptor available as of June-2025; the encryption schema has no known flaw.
  • Recovery options:
  1. Restore from offline backups that were not mounted at the time of attack (check drlk time-stamp on first encrypted file to determine safe recovery point).
  2. Volume Shadow Copies are deleted (vssadmin delete shadows /all is scripted) – still worth checking with ShadowExplorer or vssadmin list shadows once the malware is removed; some DRUK variants have failed on SYSVOL.
  3. Windows File-History, OneDrive, Dropbox Rewind, etc. (cloud versioning normally intact).
  4. Negotiation: The TOR ransom note places victims at hxxp://drlk7zqf 6to… .onion; average demand 1.9 BTC (≈ 130 kUSD). Engage a professional incident-response firm before any contact – they often obtain 30–50 % reduction and can verify proof-of-decrypt.
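To turn recovery option 1 into a repeatable check, the following PowerShell script (added here; it is not part of the brief) walks a share, counts .drlk files and readme_to_restore.txt notes, reports the earliest encryption time-stamp as the cut-off for a safe backup, and flags folders that hold a note but no encrypted files. The $Root default is a constructed placeholder; the time-stamp logic assumes LastWriteTime reflects the encryption pass, as the brief describes.

```powershell
# Added example (not from the brief): locate encrypted files and ransom notes under a share,
# report the earliest encryption time-stamp (backups completed before it are safe candidates),
# and flag folders that hold a note but no encrypted files (a partial or failed run).
# Assumption: $Root is the share or volume to examine (constructed default value).
param([string]$Root = 'D:\Shares')

# One enumeration; exact name/extension matching avoids 8.3 short-name false positives of -Filter.
$all       = @(Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue)
$encrypted = @($all | Where-Object { $_.Extension -eq '.drlk' })
$notes     = @($all | Where-Object { $_.Name -eq 'readme_to_restore.txt' })

if ($encrypted.Count -eq 0) { "No .drlk files under $Root"; return }

$sorted = @($encrypted | Sort-Object LastWriteTime)
$first  = $sorted[0]
$last   = $sorted[-1]

[pscustomobject]@{
    EncryptedFiles    = $encrypted.Count
    RansomNotes       = $notes.Count
    FirstEncrypted    = $first.LastWriteTime
    LastEncrypted     = $last.LastWriteTime
    FirstFile         = $first.FullName
    # The base name is left intact, so stripping the appended extension gives the original name.
    OriginalName      = $first.Name -replace '\.drlk$', ''
    # Only backups that finished before this time were not mounted while the encryptor ran.
    SafeRestoreBefore = $first.LastWriteTime
}

# Folders with a ransom note but no encrypted files deserve a manual look: the brief notes
# that some variants fail part-way (e.g. on SYSVOL), so files there may still be intact.
$hitDirs = $encrypted | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique
$notes | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique |
    Where-Object { $hitDirs -notcontains $_ } |
    ForEach-Object { "Note without encrypted files: $_" }
```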

4. Other Critical Information

  • Wallpaper swapper (dr_uns.exe) drops a BMP with taunting text “YOUR KING IS HERE – DRUK”.
  • Ransom note filename: readme_to_restore.txt – placed in every folder with encrypted files.
  • No data exfil module has been observed, so current variant is not “double-extortion” (this may change).
  • Extension collision: .drlk is very similar to .drk (DarkTracer) and .drul (fake). Uploading a sample to ID-Ransomware or VirusTotal is the fastest way to confirm lineage.
  • Persistence: Instead of a Run key, some builds register a WMI EventFilter/Consumer pair; check with Get-WmiObject __EventFilter -Namespace root\subscription and remove anything named like DrukFilter.
  • Broader impact: DRUK has hit at least 62 mid-sized organisations (Aug-2024 – Apr-2025) across manufacturing, municipal government and healthcare in APAC & EU; 11 of them paid (per blockchain analysis). The group appears small and highly technical, and is recycling public exploit PoCs within days of disclosure – patch quickly!
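The following script (added here; not from the brief) gathers every persistence artefact the brief names, both the dropped files, scheduled task and Run/RunOnce values from the removal steps and the WMI subscription pair from the persistence note above, into one report so an analyst can verify a host before and after clean-up. It only reports; deletion stays a manual step as in D/E. It assumes an elevated Windows PowerShell 5.1 session (Get-WmiObject, as used in the brief).

```powershell
# Added example (not from the brief): report the DRUK persistence artefacts named in the
# removal steps and in section 4. Nothing is deleted; review the output, then remove items
# by hand as steps D/E describe. Assumes an elevated Windows PowerShell 5.1 session.
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dropped files listed in step C (paths taken from the brief).
$paths = 'C:\Users\Public\Libraries\drvss.exe',
         'C:\ProgramData\ntuser.dat',
         'C:\ProgramData\dr_uns.exe'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $findings.Add("FILE    $p  sha256=$h")
    }
}

# 2. Scheduled task used to restart the binary.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like '*DruKeep*' } |
    ForEach-Object { $findings.Add("TASK    $($_.TaskPath)$($_.TaskName)") }

# 3. Run/RunOnce values whose name starts with 'dr' or is a random four-letter string
#    (expect some benign hits, e.g. vendor names starting with 'Dr'; review before removing).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -match '^(dr|[A-Za-z]{4}$)') {
            $findings.Add("RUNKEY  $k\$name = $($props.$name)")
        }
    }
}

# 4. WMI event subscription: some builds use a filter/consumer pair instead of a Run key.
#    Querying the abstract __EventConsumer class returns every concrete consumer type.
foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
    Get-WmiObject -Namespace root\subscription -Class $class -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Name) $($_.Filter) $($_.Consumer)" -match 'druk' } |
        ForEach-Object { $findings.Add("WMI     $class $($_.Name)$($_.Filter)") }
}

if ($findings.Count -eq 0) { 'No DRUK persistence artefacts found.' } else { $findings }
```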

Quick-Reference Cheat-Sheet

Patch → Segment → Protect backups → Detect .drlk touches → Pull network → AV-scan → Kill tasks → Re-image or restore → Harden against CVE-2024-4577 (PHP), CVE-2023-4966 (Citrix), CVE-2023-34362 (MOVEit).

Stay safe, keep immutable backups, and report any new samples so the community IOC list stays current.