ds335

[Content by Gemini 2.5]

Ransomware Resource Sheet

Variant: “ds335” (extension .ds335)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmed file extension: .ds335 (lowercase) is appended to every encrypted object; the original extension is NOT removed, e.g. Project.xlsx.ds335.
  • Renaming convention: <original_name>.<original_ext>.ds335 – no e-mail, no random UID, no victim-ID prefix.
  • Dropped marker files: README_TO_RESTORE.txt (sometimes HOW_TO_DECRYPT.hta) is placed in every folder and on the desktop. Inside you will find a 40-character “Client ID” plus a TOR chat link (the exact .onion address varies by sample).

2. Detection & Outbreak Timeline

  • First public submissions: 18 August 2023 (MalwareBazaar, Any.Run) – clustered under “Phobos-40474”.
  • Rapid growth: September-October 2023 – most incidents reported via ID-Ransomware.
  • Still active: Yes – new victims posted daily on Reddit/BleepingComputer through Q2-2024.

3. Primary Attack Vectors

Phobos-family malware (ds335 is one of its 100+ branded extensions) is almost exclusively human-operated:

  1. RDP brute-force / compromised credentials – the #1 entry point (TCP 3389 exposed to the Internet, or reached through a breached VPN account).
  2. Phishing attachments – ISO → LNK → BAT → payload chain (used when RDP is not exposed).
  3. Delivery through commodity loaders (SmokeLoader, Amadey) that are themselves dropped by fake cracks/keygens.
  4. Lateral movement:
  • Uses SharpShares, NetScan, PSExec, and WMIC.
  • Attempts to disable Windows-Defender via Set-MpPreference and deletes shadow copies with vssadmin delete shadows /all.
  • No SMB/EternalBlue exploit code has been observed in ds335 sessions to date; post-exploitation relies on credential reuse, not on 1-day bugs.

REMEDIATION & RECOVERY STRATEGIES

1. Prevention (stop the breach before encryption)

  • Never expose RDP (TCP 3389) directly to the Internet. Put it behind a VPN, or behind an RD Gateway that enforces MFA and a Connection Authorization Policy (CAP).
  • Enforce strong, unique passwords plus an account-lockout policy. Run a quarterly clean-up of the local “Administrators” group.
  • Disable SMBv1 (no Phobos sample needs it, but kill it anyway):
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  • Keep the OS and AV signatures fully patched; Microsoft Defender routinely catches Phobos when it drops – provided the attacker has not already switched Defender off with Set-MpPreference (see above).
  • Attack surface reduction: turn on Defender ASR rules, in particular “Block Office applications from creating executable content”.
  • Segment flat networks; block client-to-client 3389/445 at the L3 switch.
  • Immutable/offline backups (3-2-1 rule). Make sure backup volumes are NOT addressable under the same credentials the support team uses daily.
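The controls above can be checked rather than assumed. The script below is an added example, not part of the original resource sheet: a read-only audit that reports, for one Windows host, whether SMBv1 is off, whether RDP is disabled or at least requires Network Level Authentication, whether an account-lockout threshold is set, whether Defender real-time protection and the named ASR rule are in Block mode, and who sits in the local Administrators group. The registry paths, cmdlets and the ASR rule GUID are the documented Windows ones; the lockout threshold (10) and the maximum number of local admins (2) are this script's own assumptions and can be overridden via parameters.

```powershell
# Added example, not from the original resource sheet: a read-only audit of the
# prevention controls listed above. Run in an elevated PowerShell 5.1+ session on
# the host being checked. The two thresholds are this script's assumptions.
function Test-RansomwareHardening {
    [CmdletBinding()]
    param(
        [int]$MaxLockoutThreshold = 10,   # assumption: more than 10 bad logons before lockout is too lax
        [int]$MaxLocalAdmins      = 2     # assumption: built-in Administrator plus one managed account
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Control, $Pass, $Detail) {
        $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
    }

    # 1. SMBv1 off ("no Phobos sample needs it, but kill it anyway")
    try {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Add-Finding 'SMBv1 disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"
    } catch { Add-Finding 'SMBv1 disabled' $null "Get-SmbServerConfiguration failed: $_" }

    # 2. RDP either disabled (fDenyTSConnections=1) or requiring NLA (UserAuthentication=1)
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    Add-Finding 'RDP disabled or NLA enforced' (($ts.fDenyTSConnections -eq 1) -or ($tcp.UserAuthentication -eq 1)) `
        "fDenyTSConnections=$($ts.fDenyTSConnections) UserAuthentication=$($tcp.UserAuthentication) listening3389=$listening"

    # 3. Lockout policy, parsed from `net accounts` (English output; "Never" means no lockout at all)
    $m = [regex]::Match(((net accounts) -join "`n"), 'Lockout threshold:\s+(\S+)')
    $threshold = if ($m.Success) { $m.Groups[1].Value } else { 'unknown' }
    $lockoutOk = ($threshold -match '^\d+$') -and ([int]$threshold -le $MaxLockoutThreshold)
    Add-Finding "Account lockout threshold <= $MaxLockoutThreshold" $lockoutOk "Lockout threshold=$threshold"

    # 4. Defender still alive, and the ASR rule the sheet names is in Block mode.
    #    3B576869-... is the documented GUID of "Block Office applications from creating executable content".
    $asrOfficeExec = '3B576869-A4EC-4529-8536-B80A7769E899'
    try {
        $status = Get-MpComputerStatus
        Add-Finding 'Defender real-time protection on' ([bool]$status.RealTimeProtectionEnabled) "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)"
        $pref = Get-MpPreference
        $ids  = @($pref.AttackSurfaceReductionRules_Ids)      # Ids and Actions are parallel arrays
        $acts = @($pref.AttackSurfaceReductionRules_Actions)
        $action = 0                                            # 0=Disabled 1=Block 2=Audit 6=Warn
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -eq $asrOfficeExec) { $action = $acts[$i] }
        }
        Add-Finding 'ASR: block Office executable content' ($action -eq 1) "action=$action"
    } catch { Add-Finding 'Defender checks' $null "Defender cmdlets failed: $_" }

    # 5. Local Administrators membership (quarterly clean-up item); the SID avoids localised group names
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name)
    Add-Finding "Local Administrators <= $MaxLocalAdmins members" ($admins.Count -le $MaxLocalAdmins) ($admins -join ', ')

    return $findings
}

$result = Test-RansomwareHardening
$result | Format-Table -AutoSize
"$(@($result | Where-Object { $_.Pass -eq $false }).Count) control(s) failed"
```

A Pass value of $null means the check could not run (for example, the Defender cmdlets are absent because a third-party AV has replaced Defender); treat those rows as items to verify by hand rather than as passes. The lockout parsing relies on the English text of net accounts and will report "unknown" on other locales.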

2. Removal / Eradication (after you discover the beacon)

  1. Disconnect the NIC or power-off affected hosts to stop further encryption/lateral movement.
  2. Collect evidence first: a memory dump (or the .vmem file of a VM), the $MFT and the event logs – useful later for IR and possible law-enforcement sharing.
  3. Boot a clean OS (WinPE / Linux LiveUSB) and:
    a. Delete the malicious service (“service.exe”, or a random name, in %ProgramData%\svcctrld\) and its persistence Run key.
    b. Remove any new user accounts the attacker added (often “MozillaUpdate”, “ServiceUser”).
  4. Patch the entry vector – reset ALL admin/service passwords, revoke VPN sessions, inspect firewall rules the attacker created.
  5. Re-image the box or run a full AV scan while offline; then re-join domain only after you’re sure the network is clean.

3. File Decryption & Recovery

  • There is NO free decryptor. Phobos (ds335) encrypts each file with AES-256 in CBC mode under a per-file key and wraps that key with an RSA-2048 OAEP public key embedded in the binary. The matching private key exists only on the criminals’ server, so the file keys cannot be recovered from anything left on the victim’s disk.
  • Paying the ransom (≈0.5-1.2 BTC, negotiable) does usually deliver a working decryptor, but:
    – no guarantees,
    – fuels future crime,
    – may still leave backdoors behind.
  • Recovery path = backups. If no backups exist:
  1. Catalogue unencrypted copies (e-mail attachments, SharePoint Online, shadow copies the attacker missed on non-primary drives).
  2. Use file-carving tools (PhotoRec, RawCopy) to recover remnants from partially overwritten VHD/VMDK blocks.
  3. Note: “Phobos Decryptor” tools sold on YouTube/Telegram are scams – do not pay for them.

4. Other Critical Information

  • Differentiator: Each Phobos campaign chooses a new 4-5 character extension (ds335, ELDER, FOPRA…). Apart from branding, the code base is identical – treat every “new” extension as Phobos.
  • No wiper behaviour – encryption only; skips C:\Windows and certain .exe to keep the OS bootable (so you can read the ransom note).
  • The TOR chat panel saves the victim’s personalised RSA private key only for ~30 days; after that the key is auto-purged – older victims report “payment page gone.”
  • Law-enforcement partners: FBI, NCA, and EUROPOL have working relationships with Bitdefender/Coveware to negotiate if you must; involve them rather than talking to criminals directly.

Quick-reference Cheat-sheet

  • Indicators: .ds335 files, README_TO_RESTORE.txt, and a service binary under %ProgramData%\svcctrld\ (service.exe or a random 6-character name).
  • Logs to check: Event ID 4625 (failed logon – RDP brute force), 7045 (new service installed, System log), 4688 (process creation; the command line is only recorded if “Include command line in process creation events” is enabled).
  • Block at perimeter: TCP-3389 from Internet, TCP-445 inbound from user VLANs, known malicious IPs: 5.199.162[.]220, 194.147.78[.]86, 92.118.36[.]164.
  • Recommended free tools:
    – Bitdefender “PhobosDecryptor” (still has no RSA keys for this campaign; keep your encrypted files and ransom note in case keys are released later),
    – Coveware’s Phobos report portal (upload ransom note for campaign attribution),
    – Microsoft’s “Azure Backup” or “Windows Server Backup” to an encrypted, network-detached VHDX.
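The three event IDs and the svcctrld indicator from the cheat-sheet can be turned into a first-pass triage. The script below is an added example, not code from the original sheet: Find-PhobosActivity applies three rules to flattened event records (a burst of 4625 failures from one source IP, a 7045 service install whose binary sits under %ProgramData%\svcctrld\ or has a random-looking 6-character name in ProgramData, and a 4688 process creation that runs vssadmin delete shadows or Set-MpPreference -Disable…), Get-PhobosEvents builds those records from the live Security and System logs, and a constructed sample set at the bottom exercises the rules offline. The brute-force threshold (10 failures) and window (5 minutes), the field names of the flattened record, and the sample IPs and account names are this example's assumptions.

```powershell
# Added example, not from the original sheet: triage of the three event IDs listed
# above. Find-PhobosActivity works on flattened records (Id, Time, Ip, User, Service,
# Path, CommandLine); Get-PhobosEvents builds those from the live logs, and the
# constructed $sample set at the bottom exercises the rules offline. The brute-force
# threshold and window are assumptions, not figures from the sheet.
function Find-PhobosActivity {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$BruteForceThreshold = 10,                            # assumption
        [timespan]$BruteForceWindow = [timespan]::FromMinutes(5)   # assumption
    )
    $hits = [System.Collections.Generic.List[object]]::new()

    # Rule 1: 4625 failed logons from one source IP, N of them inside the window
    $fails = $Events | Where-Object { $_.Id -eq 4625 -and $_.Ip -and $_.Ip -ne '-' } | Sort-Object Time
    foreach ($g in ($fails | Group-Object Ip)) {
        $times = @($g.Group | ForEach-Object { [datetime]$_.Time })
        for ($i = 0; ($i + $BruteForceThreshold - 1) -lt $times.Count; $i++) {
            $j = $i + $BruteForceThreshold - 1
            if (($times[$j] - $times[$i]) -le $BruteForceWindow) {
                $hits.Add([pscustomobject]@{ Rule = 'RDP brute force'; Key = $g.Name
                    Detail = "$($g.Count) failures, $BruteForceThreshold within $($BruteForceWindow.TotalMinutes) min" })
                break
            }
        }
    }

    # Rule 2: 7045 service install whose binary sits under %ProgramData%\svcctrld\
    #         (the sheet's indicator) or is a random-looking 6-character name in ProgramData
    foreach ($e in ($Events | Where-Object { $_.Id -eq 7045 -and $_.Path })) {
        $leaf = [System.IO.Path]::GetFileNameWithoutExtension(($e.Path -replace '"', ''))
        if ($e.Path -match '\\ProgramData\\svcctrld\\' -or
            ($e.Path -match '\\ProgramData\\' -and $leaf -match '^[A-Za-z0-9]{6}$')) {
            $hits.Add([pscustomobject]@{ Rule = 'Suspicious service install'; Key = $e.Service; Detail = $e.Path })
        }
    }

    # Rule 3: 4688 process creation carrying the sheet's two tampering commands
    $patterns = 'vssadmin(\.exe)?\s+delete\s+shadows', 'Set-MpPreference\s+-Disable'
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4688 -and $_.CommandLine })) {
        foreach ($p in $patterns) {
            if ($e.CommandLine -match $p) {
                $hits.Add([pscustomobject]@{ Rule = 'Backup/AV tampering'; Key = $e.User; Detail = $e.CommandLine })
                break
            }
        }
    }
    return $hits
}

function Get-PhobosEvents {
    # Reads the live Security/System logs (elevated session) and flattens EventData.
    # 4688 only carries CommandLine when "Include command line in process creation events" is on.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filters = @{ LogName = 'Security'; Id = 4625, 4688; StartTime = $Since },
               @{ LogName = 'System';   Id = 7045;       StartTime = $Since }
    foreach ($f in $filters) {
        foreach ($evt in @(Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)) {
            $d = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data | Where-Object { $_.Name } | ForEach-Object { $d[$_.Name] = $_.'#text' }
            $user = if ($d['SubjectUserName'] -and $d['SubjectUserName'] -ne '-') { $d['SubjectUserName'] } else { $d['TargetUserName'] }
            [pscustomobject]@{
                Id = $evt.Id; Time = $evt.TimeCreated; Ip = $d['IpAddress']; User = $user
                Service = $d['ServiceName']; Path = $d['ImagePath']; CommandLine = $d['CommandLine']
            }
        }
    }
}

# Constructed sample records (not real telemetry): 12 rapid failures from one IP,
# one lone failure, a service install in svcctrld, and two tampering commands.
$t0 = [datetime]'2023-09-14T02:00:00'
$sample = [System.Collections.Generic.List[object]]::new()
foreach ($n in 1..12) {
    $sample.Add([pscustomobject]@{ Id = 4625; Time = $t0.AddSeconds(3 * $n); Ip = '203.0.113.45'; User = "admin$n"; Service = $null; Path = $null; CommandLine = $null })
}
$sample.Add([pscustomobject]@{ Id = 4625; Time = $t0.AddHours(1); Ip = '198.51.100.7'; User = 'jdoe'; Service = $null; Path = $null; CommandLine = $null })
$sample.Add([pscustomobject]@{ Id = 7045; Time = $t0.AddMinutes(9); Ip = $null; User = 'SYSTEM'; Service = 'svc9k2q'; Path = 'C:\ProgramData\svcctrld\service.exe'; CommandLine = $null })
$sample.Add([pscustomobject]@{ Id = 4688; Time = $t0.AddMinutes(10); Ip = $null; User = 'ACME\svc_backup'; Service = $null; Path = $null; CommandLine = 'vssadmin.exe delete shadows /all /quiet' })
$sample.Add([pscustomobject]@{ Id = 4688; Time = $t0.AddMinutes(11); Ip = $null; User = 'ACME\svc_backup'; Service = $null; Path = $null; CommandLine = 'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"' })

Find-PhobosActivity -Events $sample | Format-Table -AutoSize
# On a live host: Find-PhobosActivity -Events @(Get-PhobosEvents) | Format-Table -AutoSize
```

The lone failure from the second IP is deliberately below the threshold so the brute-force rule only fires on the burst; tune the threshold and window to your own baseline of failed logons before relying on it. Because Phobos operators clear or disable Defender and delete shadow copies early in a session, the 4688 rule is the one most likely to fire before encryption starts, but only on hosts where command-line auditing was already enabled.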

Stay calm, isolate, rebuild from clean backups, and involve professionals if business-critical systems are affected. Good luck, and safe computing!