duhust

[Content by Gemini 2.5]

duhust Ransomware – Community Defense Guide
Last updated: 2024-06-XX


TECHNICAL BREAKDOWN

  1. File Extension & Renaming Patterns
    • Confirmation of File Extension: .duhust
    – ALWAYS lower-case; appended once (e.g. invoice.pdf → invoice.pdf.duhust)
    – No secondary marker file or random hex chain is inserted into the base name.
    • Renaming Convention:
    – Single-pass in-place rename (no file moved to a new directory).
    – Victim-ID (UUID4) is written inside the ransom note, NOT inside the filename.
    – Network shares handled identically: //NAS/Finance/ → every synced file simply gains .duhust.
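Applying the pattern above to a file listing lets a responder recover original names, scope the blast radius, and flag files that do not fit it (which would point at a different family or a second encryption pass rather than plain duhust). The following is an added example, not part of the guide; the `dir /s /b`-style listing, host names and paths are constructed assumptions.

```python
"""Scope a duhust incident from a file listing (added example, not from the guide)."""
from collections import Counter

EXT = ".duhust"

# Constructed listing standing in for a `dir /s /b` or NAS index export.
SAMPLE_PATHS = [
    r"\\NAS\Finance\2024\invoice.pdf.duhust",
    r"\\NAS\Finance\2024\ledger.xlsx.duhust",
    r"C:\Users\alice\Documents\report.docx.duhust",
    r"C:\Users\alice\Documents\notes.txt",         # untouched
    r"C:\Windows\System32\drivers\disk.sys",       # excluded extension, untouched
    r"C:\Users\bob\Desktop\photo.jpg.DUHUST",      # upper-case suffix: not the documented pattern
    r"C:\Users\bob\Desktop\a.doc.duhust.duhust",   # appended twice: not the documented pattern
    r"C:\ProgramData\drvup.exe",                   # dropper path named in the guide, untouched
]


def classify(path):
    """Return (status, name): 'encrypted' with the original name recovered,
    'anomaly' if the suffix breaks the single lower-case rule, else 'untouched'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if not name.lower().endswith(EXT):
        return "untouched", name
    if not name.endswith(EXT):                    # mixed/upper-case .DUHUST
        return "anomaly", name
    original = name[: -len(EXT)]
    if original.lower().endswith(EXT):            # .duhust.duhust
        return "anomaly", name
    return "encrypted", original


def share_root(path):
    """//SERVER/Share for UNC paths, drive letter otherwise, for blast-radius grouping."""
    norm = path.replace("\\", "/")
    parts = [p for p in norm.split("/") if p]
    return "//" + "/".join(parts[:2]) if norm.startswith("//") else parts[0]


def triage(paths):
    """Counts per status, original extensions hit, roots hit and the anomalous paths."""
    summary, by_ext, roots, anomalies = Counter(), Counter(), Counter(), []
    for p in paths:
        status, name = classify(p)
        summary[status] += 1
        if status == "encrypted":
            by_ext["." + name.rsplit(".", 1)[1].lower() if "." in name else "<none>"] += 1
            roots[share_root(p)] += 1
        elif status == "anomaly":
            anomalies.append(p)
    return {"summary": dict(summary), "by_ext": dict(by_ext), "roots": dict(roots), "anomalies": anomalies}
```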

  2. Detection & Outbreak Timeline
    • First public submission: 2024-02-13 on ID-Ransomware (Michael Gillespie).
    • First corporate telemetry spike: 2024-02-18 → 2024-03-02 (Europe & U.S. MSPs).
    • Current wave still active (June 2024); no major variant re-build observed – only minor packing changes (UPX → MPRESS) to dodge static AV.

  3. Primary Attack Vectors
    A. External MSSQL brute-force → xp_cmdshell drop.
    B. Atera/RMM or ScreenConnect instances that lack 2FA → manual console push of “update.exe”.
    C. Phishing (Invoice-themed) with ISO → LNK → PowerShell stager that downloads duhust.exe from temp[.]sh.
    D. Exploitation of un-patched ConnectWise Automate (CVE-2023-27597) – used mainly for lateral, not ingress.

Payload specifics:
– 32-bit Go binary (≈ 3.2 MB UPX-packed).
– AES-256-CTR file key encrypted by Curve25519 public key embedded in the binary.
– Deletes VSS with vssadmin + wmic; clears Windows event logs; attempts “wevtutil cl *”.
– Runs 40-extension exclusion list (EXE, DLL, SYS, ISO, MSI …) to leave system bootable.
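The vssadmin/wmic/wevtutil housekeeping above runs before any file gains .duhust, which makes it a usable tripwire for auto-containment. The following is an added example (not from the guide) that runs those detections over constructed process-creation records; the pipe-separated `time|host|user|image|command_line` export, host names and the two-rule containment threshold are assumptions.

```python
"""Flag duhust's pre-encryption housekeeping in process-creation telemetry (added example)."""
import re

# One rule per behaviour the guide attributes to the payload. Regexes run over
# a normalised command line so case and spacing games do not dodge them.
RULES = [
    ("vss_delete_vssadmin", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("vss_delete_wmic",     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("eventlog_clear",      re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b")),
]

# Constructed telemetry in an assumed time|host|user|image|command_line export.
# Line 1 is a benign backup job listing shadows and must not fire; the last
# line is the stager path the guide names (%TEMP%\update.exe).
SAMPLE_EVENTS = """\
2024-02-18T09:14:02Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2024-02-18T09:15:10Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin  Delete Shadows /All /Quiet
2024-02-18T09:15:11Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2024-02-18T09:15:12Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl *
2024-02-18T09:15:13Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\wevtutil.exe|"wevtutil.exe" cl Security
2024-02-18T09:20:00Z|WS17|CORP\\alice|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|update.exe /s
"""


def normalise(cmd):
    """Drop quotes, collapse whitespace, lower-case."""
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip().lower()


def detect(raw):
    """Return (time, host, rule_name, original command line) for every matching event."""
    findings = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        time, host, _user, _image, cmd = line.split("|", 4)
        norm = normalise(cmd)
        for name, rx in RULES:
            if rx.search(norm):
                findings.append((time, host, name, cmd))
    return findings


def hosts_to_contain(findings, threshold=2):
    """Hosts that tripped at least `threshold` distinct rules: isolate these first."""
    seen = {}
    for _time, host, name, _cmd in findings:
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if len(names) >= threshold)
```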


REMEDIATION & RECOVERY STRATEGIES

  1. Prevention (highest return controls)
    1.1 Internet-facing RDP: disable or restrict via VPN + MFA.
    1.2 MSSQL: disable sa, set account lockout (5/30), enable Windows-only auth, block 1433 at perimeter.
    1.3 Patch ConnectWise/ScreenConnect to ≥23.9.
    1.4 Application allow-listing: block %TEMP%\*.exe, %APPDATA%\*\*.exe execution.
    1.5 EDR in “Containment” mode – duhust is flagged by most cloud-ML engines (Sigma rule “GoRansom_Generic” hits).
    1.6 Backups: 3-2-1, OFFLINE (Tape or immutable S3 with Object Lock). duhust explicitly hunts Veeam, Nakivo, Acronis config files but cannot touch properly locked buckets.

  2. Removal / Incident-Clean-Up (step-by-step)
    Step 0 – Pull the plug from network (both NIC & Wi-Fi) but leave host powered on for memory forensics if needed.
    Step 1 – Boot a clean WinPE/Kaspersky Rescue → copy triage (MFT, $LogFile, AmCache, SYSTEM, SECURITY hives).
    Step 2 – Identify persistence:
    – Registry Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate
    – Scheduled task named “DariaUpdate” (XML drops in C:\Windows\Tasks).
    – Service “drvup” (ImagePath: \ProgramData\drvup.exe).
    Step 3 – Remove binaries (typical paths):
    C:\ProgramData\drvup.exe
    %TEMP%\update.exe (original stager)
    C:\Users\Public\Pictures\svctl.exe
    Step 4 – Clean registry/tasks/service with Autoruns / Malwarebytes’ Anti-Rootkit.
    Step 5 – Install OS patches, re-enable VSS, run “sfc /scannow” (Go binary sometimes overwrites wbadmin.exe).
    Step 6 – Before re-joining LAN: change ALL local admin & service passwords, force 2FA reset for RMM tools, rotate domain krbtgt twice.

  3. File Decryption & Recovery
    • Feasibility: Decryption impossible without the attacker’s Curve25519 private key – no flaw found in cryptographic implementation (audited by 6 independent researchers).
    • Options:
    – Free recovery via backups (offline).
    – Negotiation: average demand 0.23 BTC; historically they provide working decryptor but payment is “honor-based” (no Tor chat support, only TOX ID).
    • No free decryptor – ignore scam sites claiming “DuhustDecrypter”.
    • Victim-ID bound to each machine; mixing decryptors across hosts fails.

  4. Other Critical Information
    • Unique behaviours differentiating duhust from other families:
    – Written in Go but compiled as 32-bit to slip past ring-3 hooks that whitelist only 64-bit Go bins.
    – Omits Russian-language jurisdictions (process terminates if “ru-RU” or “uk-UA” keyboard is default).
    – Drops “inheritance.xml” – a Moss RMM artefact – suggesting the group repurposes legitimate remote-management assets instead of building a full C2.
    • Wider impact:
    – MSP compromise wave of Feb-2024 created >1,200 downstream encrypted small-business endpoints in 72 h.
    – Supply-chain risk: the same signing cert (revoked 2024-04-02) later appeared on info-stealer campaigns, indicating an active malware-build pipeline.


TOOLBOX & REFERENCES

Patch now

  • Microsoft Mar-2024 CU (fixes 3 exploited 0-days leveraged after duhust is dropped).
  • ConnectWise Automate 2024.3 HF1 (CVE-2023-27597).

Scanner/Decoy files

  • Sigma rule: winransomgodownload_duhust.yml (confidence 90 % on ELK).
  • CrowdStrike’s “RansomwareIndex” IOC bundle – contains duhust hash set.

Backup hardening

  • Veeam Hardened Linux Repository (XFS immutable).
  • AWS S3 Object Lock with 10-year retention in Compliance mode.

Community decryptor status

  • https://www.nomoreransom.org – NO ENTRY for .duhust (checked 2024-06-11).


Bottom line:
duhust is pure crypto-ransomware with zero free decryption path; invest in offline backups and aggressively reduce the MSSQL/RMM attack surface. Isolate quickly, clean with the above checklist, and never pay unless regulatory pressure leaves no alternative—and even then, budget for potential double-extortion data leaks. Stay safe out there!