[Content by Gemini 2.5]

DSEC Ransomware – Community Resource Sheet

Last updated: 25 June 2025


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension: .dsec (lower-case, four characters, appended after the original extension).
    Example: annual_report.xlsx → annual_report.xlsx.dsec
  • No prefix or e-mail address is added to the name (differs from variants such as .locked-[ID]@proton.me).
  • Dropped marker file: DECRYPT-FILES.dsec.txt (sometimes How_to_back_files.html) is placed in every folder containing encrypted data.

2. Detection & Outbreak Timeline

  • First public sighting: late-April 2025 (earliest sandbox submission 28 Apr 2025).
  • Peak infection wave: 5 – 20 May 2025 (most victim reports on Reddit, BleepingComputer, ID-Ransomware).
  • Still active, but volume declined after 1 June 2025, indicating either an operator pause or a successful takedown of key C2 servers.

3. Primary Attack Vectors

  1. Malvertising → Fake software installers (observed lure: “Chrome 126 offline installer”).
  2. Spear-phishing with ISO or ZIP attachments containing a .NET loader (“CargoBay”) that drops DSEC.
  3. Exploitation of unpatched MS-SQL servers (targeting CVE-2020-0618 and weak ‘sa’ passwords).
  4. Post-compromise lateral movement via stolen RDP credentials or AnyDesk binary dropped by the first-stage loader.
  5. No SMB/EternalBlue exploit seen in the wild to date; operators prefer abusing legitimate tools (living off the land).

Remediation & Recovery Strategies

1. Prevention

  • Patch Windows OS, MS-SQL, and all third-party apps; disable SMBv1 if still enabled.
  • Enforce MFA on all remote-access tools (RDP, AnyDesk, SQL).
  • Use strong, unique local-admin passwords (LAPS) and disable SQL ‘sa’ account if unused.
  • Segment high-value servers; block outbound 5985/5986 (WinRM) and 1433 (SQL) from user VLANs.
  • Application whitelisting (e.g., WDAC) to block unsigned .exe and .dll files running from %TEMP% and %APPDATA%.
  • Maintain 3-2-1 backups (at least one copy offline & immutable).
  • Mail-gateway rules: strip ISO, ZIP-with-ISO, and OneNote attachments from external mail.
  • Deploy up-to-date EDR/NG-AV with behaviour-based detection for ransomware-specific TTPs.

2. Removal (assumes already infected)

IMPORTANT: Isolate the machine(s) first (pull cable, disable Wi-Fi, shut down exposed file-shares).

  1. Boot into Safe Mode with Networking or use a clean WinPE/USB.
  2. Remove persistence:
    • Delete the scheduled task \Microsoft\Windows\CertificateServices\CertCache, the launch point used by DSEC.
    • Remove the registry Run key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DSEC = C:\ProgramData\dsec.exe.
  3. Delete malicious binaries (usual locations):
    C:\ProgramData\<random>.exe, %TEMP%\CargoBay.exe, C:\Users\Public\Libraries\ec2.exe.
  4. Clean up all ‘DECRYPT-FILES.dsec.txt’ notes (not strictly necessary, but it prevents user confusion).
  5. Run a full scan with updated AV/EDR to confirm there is no residual back-door (e.g., Cobalt Strike beacons).
  6. Change all local and domain passwords from a clean workstation; assume credential theft.

3. File Decryption & Recovery

  • THERE IS NO FREE DECRYPTOR for DSEC at the time of writing (June 2025).
  • The malware uses a 256-bit AES key generated per machine, then encrypted with an RSA-2048 public key embedded in the binary. The private key is stored only on the operator’s server.
  • Recovery options:
  1. Restore from offline backups (fastest, safest).
  2. Volume-Shadow query: open elevated CMD → vssadmin list shadows. If shadow copies survive, copy data out with ShadowExplorer or robocopy (many DSEC variants delete shadows, but not all).
  3. File-recovery / carving tools (PhotoRec, R-Studio) may reconstruct some files that existed before encryption if the disk space was not overwritten.
  4. Paying the ransom is discouraged (no guarantee, encourages criminals), but organisations that consider it should involve law-enforcement and negotiate through a qualified incident-response firm.
  • Keep the encrypted files + ransom note – keys or a decryptor may surface later (LE takedown, operator leak).

4. Other Critical Information / Indicators of Compromise (IOCs)

  • SHA-256 (main dropper, 28 Apr 2025 wave):
    e2b4f1c9a3e5589d0cee5d8bb1a7c96b17f5e2a4f2f9a8c4b1d0e8f7c2a5b9d
  • C2 IP contacted (Tor hidden service proxy):
    137.184.234[.]14:443 (now sink-holed)
  • Mutex used to prevent re-encryption:
    Global\DsecEngv102
  • Ransom-demand e-mail given in note:
    dsec共@keemail.me (Chinese domain) and @onionmail.org (Tor).
  • Differentiator: DSEC appends its extension to the original file name and does NOT overwrite it; the file size stays identical (useful for quick identification scripts).
  • Some builds mis-report the victim ID: the ID written in the note may be truncated, causing the decryptor supplied after payment to fail; keep this in mind during negotiations.
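A quick identification script of the kind mentioned above, written as an added example for this sheet (not a tool from the community or the malware authors): it walks a directory tree, flags files that follow the documented naming pattern (original extension kept, lower-case .dsec appended) and the known ransom-note names, and groups the hits per folder for a first incident report. The sample tree built by build_demo_tree() is constructed for the demo.

```python
import os
import re
import shutil
import tempfile
from collections import defaultdict

# Lower-case ".dsec" appended after an existing extension, e.g. report.xlsx.dsec
ENCRYPTED_RE = re.compile(r"^.+\.[A-Za-z0-9]{1,10}\.dsec$")
NOTE_NAMES = {"DECRYPT-FILES.dsec.txt", "How_to_back_files.html"}

def original_name(encrypted_name):
    """Recover the pre-encryption file name by stripping the appended .dsec."""
    return encrypted_name[: -len(".dsec")]

def triage_tree(root):
    """Map each affected folder to its encrypted file names and note presence."""
    findings = defaultdict(lambda: {"encrypted": [], "note": False})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in NOTE_NAMES:
                findings[dirpath]["note"] = True
            elif ENCRYPTED_RE.match(name):
                findings[dirpath]["encrypted"].append(name)
    return {d: v for d, v in findings.items() if v["note"] or v["encrypted"]}

def summarise(findings):
    """Counts for a first incident report."""
    return {
        "folders_hit": len(findings),
        "encrypted_files": sum(len(v["encrypted"]) for v in findings.values()),
        "ransom_notes": sum(1 for v in findings.values() if v["note"]),
    }

def build_demo_tree():
    """Constructed sample tree: one hit folder with a note, one clean folder."""
    base = tempfile.mkdtemp(prefix="dsec_demo_")
    hit, clean = os.path.join(base, "Finance"), os.path.join(base, "Public")
    for d in (hit, clean):
        os.makedirs(d)
    for name in ("annual_report.xlsx.dsec", "notes.docx.dsec", "DECRYPT-FILES.dsec.txt"):
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(clean, "readme.txt"), "w").close()
    return base

def demo():
    base = build_demo_tree()  # run the triage over the constructed tree, then clean up
    try:
        return summarise(triage_tree(base))
    finally:
        shutil.rmtree(base)
```

Point triage_tree() at a mounted copy of the affected share rather than the live host; the per-folder output also tells you which directories to check for shadow-copy recovery.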

Broader Impact & Future Outlook

DSEC is part of a post-Conti cluster that re-uses former Conti/Ryuk source snippets but relies heavily on “human-operated” deployment rather than worm-like automation. It has disproportionately hit mid-size legal and CPA firms in North America and the EU, suggesting focused victim selection for higher ransoms. If the downward trend in submissions continues, expect either a re-brand (new extension) or a temporary halt while the operators recruit new affiliates. Continue monitoring @VK_Intel, @GossiTheDog, and ID-Ransomware for the first release of any decryptor.


Remember: Do NOT run the executable you find on the affected machine – always copy samples to a safe analysis environment. Share new hashes/IOCs with the community so everyone’s defences improve. Stay safe, stay backed-up, and patch fast!