duck

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files hit by “Duck” ransomware acquire the extra suffix “.duck” (e.g., Report.xlsx → Report.xlsx.duck).
  • Renaming Convention: The malware only appends the new extension; it does not scramble the original file name, path, or drive letter—helping you quickly identify the scope via a simple dir *.duck /s command.
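Because Duck leaves the original name, path and drive intact, scoping an outbreak is a plain tree walk. The script below is an added example (not from the original page) that finds every `.duck` file under a root, recovers each original name by stripping the suffix, and groups the hits by directory and by original file type; `build_fixture()` creates a constructed sample tree in a temp directory so the script runs offline, and the file names in it are hypothetical.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".duck"


def original_name(path) -> Path:
    """Recover the pre-encryption name: Duck only appends '.duck'."""
    path = Path(path)
    if path.name.endswith(SUFFIX):
        return path.with_name(path.name[: -len(SUFFIX)])
    return path


def find_encrypted(root):
    """Yield every file under root that carries the '.duck' suffix."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(SUFFIX):
                yield Path(dirpath) / name


def summarize(root) -> dict:
    """Scope summary: how many files, which directories, which original types."""
    root = Path(root)
    hits = list(find_encrypted(root))
    by_dir = Counter(p.parent.relative_to(root).as_posix() for p in hits)
    by_ext = Counter(original_name(p).suffix.lower() or "(none)" for p in hits)
    return {
        "total": len(hits),
        "by_dir": dict(by_dir),
        "by_original_ext": dict(by_ext),
        "originals": sorted(original_name(p).relative_to(root).as_posix() for p in hits),
    }


def build_fixture() -> Path:
    """Constructed sample tree (hypothetical victim data, not a real infection)."""
    root = Path(tempfile.mkdtemp(prefix="duck_scope_"))
    for rel in (
        "Finance/Report.xlsx.duck",
        "Finance/Budget.docx.duck",
        "Finance/README_RESTORE.txt",     # ransom note, not encrypted
        "HR/photo.jpg.duck",
        "Windows/System32/kernel32.dll",  # .dll is skipped by the malware
    ):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"x" * 64)
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(build_fixture()), indent=2))
```

Run it against the real root (for example `summarize(r"C:\")` on the victim, or against a mounted forensic image) instead of the fixture; the `originals` list doubles as the restore list for the backup team.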

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Duck first surfaced in early December 2019, when victims uploaded samples to ID-Ransomware and VirusTotal. It is a Philis (a.k.a. FMCrypt) re-brand, a family that has been circulating under various skins since mid-2018.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    RDP brute-force & credential stuffing – the attacker buys or breaches low-privilege credentials, brute-forces RDP (TCP 3389, or a non-default port such as 33891), then drops the executable by hand.
    Pirated/bootleg software bundles – fake “Crack”, “Keygen”, or “Windows activator” packages that drop Duck.exe alongside the promised software.
    SMB (Server Message Block) – uses the legitimate PsExec tool plus stolen domain credentials to copy itself to every reachable ADMIN$ share.
    No worm-style exploit (e.g., no EternalBlue) – infection is human-driven, so lateral movement is limited to where attackers already own credentials.
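Since the intrusion is human-driven over RDP and PsExec, the two signals worth alerting on are a burst of failed remote logons from one source followed by a successful RDP logon from the same source, and a PSEXESVC service registration on a server. The detection below is an added example (not from the original page) run over constructed Windows event records: Security events 4625 (failed logon) and 4624 (successful logon, logon type 10 = RemoteInteractive) and System event 7045 (new service installed). The threshold, window, IP addresses and host names are assumptions chosen for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failed remote logons from one source IP ...
WINDOW = timedelta(minutes=2)  # ... inside this sliding window
REMOTE_LOGON_TYPES = {3, 10}   # 3 = network (NLA pre-auth failures land here), 10 = RemoteInteractive

# Constructed sample events (timestamp, EventID, fields); not real telemetry.
# 4625 = failed logon, 4624 = successful logon (Security log),
# 7045 = new service installed (System log); PsExec registers PSEXESVC.
SAMPLE_EVENTS = [
    ("2019-12-03T02:10:01", 4625, {"src_ip": "203.0.113.7", "user": "admin", "logon_type": 10}),
    ("2019-12-03T02:10:05", 4625, {"src_ip": "203.0.113.7", "user": "administrator", "logon_type": 10}),
    ("2019-12-03T02:10:09", 4625, {"src_ip": "203.0.113.7", "user": "backup", "logon_type": 10}),
    ("2019-12-03T02:10:13", 4625, {"src_ip": "203.0.113.7", "user": "sql", "logon_type": 3}),
    ("2019-12-03T02:10:17", 4625, {"src_ip": "203.0.113.7", "user": "Administrator", "logon_type": 3}),
    ("2019-12-03T02:10:21", 4625, {"src_ip": "203.0.113.7", "user": "Administrator", "logon_type": 10}),
    ("2019-12-03T02:11:30", 4624, {"src_ip": "203.0.113.7", "user": "Administrator", "logon_type": 10}),
    ("2019-12-03T02:14:05", 7045, {"host": "FILESRV01", "service_name": "PSEXESVC",
                                   "image_path": r"%SystemRoot%\PSEXESVC.exe"}),
    ("2019-12-03T09:00:00", 4625, {"src_ip": "10.0.0.5", "user": "jdoe", "logon_type": 2}),
    ("2019-12-03T09:00:10", 4624, {"src_ip": "10.0.0.5", "user": "jdoe", "logon_type": 2}),
]


def detect(events):
    """Return (alert_type, subject, detail) tuples for brute-force and PsExec activity."""
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent remote failures
    flagged = set()                 # source IPs already alerted on
    for ts, event_id, f in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event_id == 4625 and f.get("logon_type") in REMOTE_LOGON_TYPES:
            ip = f["src_ip"]
            q = failures[ip]
            q.append(t)
            while q and t - q[0] > WINDOW:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("rdp_bruteforce", ip,
                               f"{len(q)} failed remote logons within {WINDOW}"))
        elif event_id == 4624 and f.get("logon_type") == 10 and f.get("src_ip") in flagged:
            # Successful RDP logon from a source that was just brute-forcing: treat as compromise.
            alerts.append(("rdp_bruteforce_success", f["src_ip"], f"user {f['user']}"))
        elif event_id == 7045 and f.get("service_name", "").upper() == "PSEXESVC":
            alerts.append(("psexec_service_install", f.get("host"), f.get("image_path")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

The local console failure from 10.0.0.5 (logon type 2) is deliberately ignored: the rule keys on remote logon types so that a user mistyping a password at the keyboard does not page anyone. In production the same logic sits on top of a log forwarder rather than an in-memory list.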

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    Harden RDP – disable it if unused; otherwise put it behind MFA or a VPN gateway, enable NLA, set account lock-out, and restrict 3389 to an allow-list of source IPs.
    Segment & filter – put servers on isolated VLANs, restrict 445/135/139 between the user LAN and critical assets, and block PsExec execution for normal users via AppLocker.
    Patch & inventory – keep OS, 3rd-party apps, and remote-tools up to date; remove unused optional SMB1 feature completely (Win 7/2008 R2).
    Mail/Web filters – block macro docs, crack sites, and password-protected zips.
    Immutable backups – 3-2-1 rule (three copies, two media, one offline/off-site) plus periodic restore drills.
    EDR/NG-AV – behaviour-based protection is essential; signatures lag behind the dozens of weekly re-brands of this family.

2. Removal

  • Infection Cleanup (high-level checklist):
  1. Isolate – yank the infected machine from the network or shut its Wi-Fi immediately.
  2. Identify patient-zero – find the logon that preceded creation of the dropper under C:\Users\<username>\AppData\Local\Temp\ (filename.tmp.exe above is a placeholder; the binary is often named svchost.exe or Duck.exe, and its hash changes daily).
  3. Collect forensic image or at least dump RAM before first reboot if legal/operational capability exists.
  4. Kill the malicious process and delete its persistence key (typically HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce).
  5. Scan & scrub with a reputable AV/EDR engine, then run a second-opinion tool such as Malwarebytes, ESET, or MSERT.
  6. Reset all compromised credentials – local Administrator, domain accounts used for lateral movement, any cached service accounts.
  7. Re-image or clean-build the box, re-patch, restore data from offline backup and NOT from network shares the attacker touched.
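Step 4 of the checklist is where analysts most often miss a second autorun entry. The parser below is an added example (not from the original page): it reads a `reg export` of the user's Run and RunOnce keys and flags any value whose command points into a user-writable staging directory, emitting the matching `reg delete` command for the cleanup log. The `.reg` text it parses is constructed for a hypothetical host (user name, value name and paths are assumptions), and only REG_SZ values are handled.

```python
import re

# Constructed 'reg export' output for a hypothetical host; the Temp-dir dropper
# follows the pattern described in the checklist, it is not a real sample.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"upd"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"""

AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
# User-writable staging locations a legitimate autorun should not point into.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                   "\\users\\public\\", "\\programdata\\")
HIVE_SHORT = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " (one pass, so \\" is handled correctly)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Minimal parser for .reg exports: returns (key, value_name, string) for REG_SZ values."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if not m:
                continue
            name, raw = m.groups()
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                entries.append((key, _unescape(name), _unescape(raw[1:-1])))
    return entries


def find_suspicious_autoruns(entries):
    """Flag Run/RunOnce values whose command lives in a user-writable temp dir."""
    hits = []
    for key, name, command in entries:
        if not key.endswith(AUTORUN_KEYS):
            continue
        if any(d in command.lower() for d in SUSPICIOUS_DIRS):
            hive, _, subkey = key.partition("\\")
            short = HIVE_SHORT.get(hive, hive)
            hits.append({
                "key": key,
                "name": name,
                "command": command,
                # Removal command for the Windows 'reg' tool, to run after the process is killed.
                "remove": f'reg delete "{short}\\{subkey}" /v "{name}" /f',
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(hit["key"], hit["name"], "->", hit["command"])
        print("  cleanup:", hit["remove"])
```

Feed it the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" runonce.reg` (and the Run key, and the HKLM equivalents) taken before the cleanup so the export itself becomes evidence; the OneDrive entry in the sample shows why the check keys on the directory rather than on the executable name.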

3. File Decryption & Recovery

  • Recovery Feasibility: Duck samples inspected so far use standard AES-256 in CBC mode for file data plus an embedded RSA-2048 public key to wrap the AES key. The private key is held only by the attacker; no flaw or leaked master key is currently known, so decrypting without paying is not feasible.
  • Essential Tools/Patches:
    – Emsisoft, Bitdefender, Kaspersky, and No-More-Ransom have no working decryptor for Duck/Philis; any site claiming otherwise is fraudulent.
    – Your single technical remedy is: restore from clean offline backup or shadow copies if they survived (vssadmin list shadows); Duck deletes them via vssadmin delete shadows /all in most modern samples, but older or failed runs occasionally leave them intact.
    – Recovery software (PhotoRec, R-Studio, Recuva) can retrieve the unencrypted originals only if the ransomware deleted them rather than overwriting them in place, and only if the freed sectors have not since been reused (not guaranteed).
    – If you must consider paying: note that Duck e-mails you directly from a ProtonMail address and demands 0.01 BTC; the attackers' follow-through rate is low and victims report receiving nothing, so treat payment as high-risk with no refund.

4. Other Critical Information

  • Additional Precautions / unique traits:
    – Duck displays a plain grey pop-up titled “DuckDecryptor”; some builds also drop README_RESTORE.txt in every folder.
    – It targets every logical drive letter (A: through Z:) but ignores files smaller than 20 bytes and skips “.exe”, “.dll”, “.sys”, and “.duck” to keep the OS functional and avoid double-encryption.
    – The family is frequently repacked; file hashes rotate weekly to evade AV, but campaign-level IOCs (same ransom note template, same RSA modulus, same BTC wallet within a given campaign) remain consistent. Monitor those to track outbreaks.
    – Because Duck is not worm-capable, one compromised admin credential is the difference between one PC and the whole domain—focus incident response on password resets rather than emergency patching of MS17-010-type bugs.
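Because the binary hash rotates while the note template, wallet and contact address stay put, the useful pivot is a fingerprint of the note with the per-victim fields masked. The code below is an added example (not from the original page) that extracts Bitcoin addresses and e-mail addresses from a ransom note and computes a campaign fingerprint that is identical across victims of one campaign. The three notes are constructed; the wallet address and e-mail addresses in them are made-up placeholders, not indicators from any real sample.

```python
import hashlib
import re

# Legacy Bitcoin addresses are Base58 (no 0, O, I, l); bech32 addresses start with bc1.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
VICTIM_ID_RE = re.compile(r"\b[0-9A-Fa-f]{8,}\b")   # per-victim hex IDs (assumed format)

# Constructed ransom notes for a hypothetical campaign (placeholder wallet and e-mail).
NOTE_VICTIM_A = """DuckDecryptor
Your files have been encrypted. Personal ID: 7F3A91C2D4E6
Send 0.01 BTC to 1DuckCampa1gnWaLLet5T9vRmNpQ2xy
then e-mail restore-help@example.com with your ID.
"""
NOTE_VICTIM_B = """DuckDecryptor
Your files have been encrypted.   Personal ID: 0B19E7C3A5F4
Send 0.01 BTC to 1DuckCampa1gnWaLLet5T9vRmNpQ2xy
then e-mail restore-help@example.com with your ID.
"""
NOTE_OTHER_FAMILY = """ALL YOUR DATA IS LOCKED. ID: 9C2B7E1A44D0
Contact unlock-desk@example.net for the price.
"""


def extract_iocs(note):
    """Pull the stable, pivotable indicators out of a ransom note."""
    return {
        "btc": sorted(set(BTC_RE.findall(note))),
        "emails": sorted(set(EMAIL_RE.findall(note))),
    }


def campaign_fingerprint(note):
    """Hash of the note template with victim ID, wallet and e-mail masked and
    whitespace collapsed, so notes from one campaign collide regardless of victim."""
    t = BTC_RE.sub("<BTC>", note)
    t = EMAIL_RE.sub("<EMAIL>", t)
    t = VICTIM_ID_RE.sub("<ID>", t)
    t = re.sub(r"\s+", " ", t).strip().lower()
    return hashlib.sha256(t.encode()).hexdigest()[:16]


def same_campaign(note_a, note_b):
    """Two notes belong to one campaign if both the template and the wallet match."""
    return (campaign_fingerprint(note_a) == campaign_fingerprint(note_b)
            and extract_iocs(note_a)["btc"] == extract_iocs(note_b)["btc"])


if __name__ == "__main__":
    for label, note in (("A", NOTE_VICTIM_A), ("B", NOTE_VICTIM_B), ("other", NOTE_OTHER_FAMILY)):
        print(label, campaign_fingerprint(note), extract_iocs(note))
    print("A and B same campaign:", same_campaign(NOTE_VICTIM_A, NOTE_VICTIM_B))
```

Store the fingerprint and the extracted wallet alongside each sample's hash: when a new repack arrives with an unknown hash, a matching fingerprint tells you immediately which campaign (and which credential set) you are dealing with.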

Key Take-away: Duck is a re-skinned human-operated ransomware that lives or dies on stolen RDP / weak credentials; there is no free decryptor, so offline backups, credential hygiene, and RDP control are your only reliable defences.