dusk!

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .dusk! (includes the leading dot and trailing exclamation mark).
  • Renaming Convention: Files receive a COMPLETELY new name followed by .dusk!.
    – Original Quarterly_Report_Q3.xlsx becomes r9kX7aT1.doc.dusk!
    – The random-looking basename is generated with 8–12 mixed-case alphanumerics so that victims cannot recognise content from the filename alone.
    – Network shares and removable drives are enumerated first; any open handles are force-closed before renaming.
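A hunt for the renaming pattern described above, as an added example that is not part of the original write-up: it walks the given roots, flags every file whose name matches the 8–12 character basename plus `.dusk!` convention (and the readmetodecrypt.txt note named later in section 4), writes a CSV for the incident record, and estimates the encryption window from last-write times. The regex, the default roots and the report path are assumptions to adjust for your environment.

```powershell
# Added example (not from the original write-up): find files renamed to .dusk!
# and ransom notes, record them, and estimate when encryption ran.
# Assumed: basename = 8-12 mixed-case alphanumerics with an optional decoy
# extension such as .doc (section 1); note name readmetodecrypt.txt (section 4).
param(
    [string[]]$Roots  = @('C:\Users', 'D:\'),          # assumption: shares/volumes to hunt
    [string]  $Report = "$env:TEMP\dusk-hunt.csv"       # assumption: where to keep the listing
)

$renamePattern = '^[A-Za-z0-9]{8,12}(\.[A-Za-z0-9]+)?\.dusk!$'
$noteName      = 'readmetodecrypt.txt'

$hits = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $renamePattern -or $_.Name -ieq $noteName } |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc,
            @{ n = 'Kind'; e = { if ($_.Name -ieq $noteName) { 'note' } else { 'encrypted' } } }
}

if (-not $hits) {
    Write-Host "No .dusk! artefacts found under $($Roots -join ', ')"
    return
}

# Keep the full listing for the IR timeline and for scoping restores
$hits | Export-Csv -LiteralPath $Report -NoTypeInformation

$encrypted = @($hits | Where-Object Kind -eq 'encrypted')
$notes     = @($hits | Where-Object Kind -eq 'note')
Write-Host ("Encrypted files: {0}, ransom notes: {1}, listing: {2}" -f $encrypted.Count, $notes.Count, $Report)

if ($encrypted.Count -gt 0) {
    # Last-write time of renamed files brackets the encryption burst
    $sorted = $encrypted | Sort-Object LastWriteTimeUtc
    Write-Host ("Encryption window (UTC): {0} -> {1}" -f $sorted[0].LastWriteTimeUtc, $sorted[-1].LastWriteTimeUtc)

    # Directories with the most renamed files show which shares were reached
    $encrypted | Group-Object { Split-Path $_.FullName -Parent } |
        Sort-Object Count -Descending | Select-Object -First 15 Count, Name
}
```

Run it from an elevated prompt on the file server or on a workstation with the affected shares mapped; a share that contains notes but no renamed files is worth a second look, since the page states that the last file is renamed only after the session key has been wiped.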

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First submissions to ID-Ransomware and malware exchanges appeared 12–14 May 2024. Large-volume infections peaked 19–21 May 2024 (EU/US morning hours), with North-American MSPs and two German automotive suppliers publicly confirming incidents by 23 May 2024.
    – Current variant seen in-the-wild: v2.1.5 (compiler time-stamp 09 May 2024).

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. Exploitation of the ConnectWise ScreenConnect auth-bypass & path-traversal (CVE-2024-1708 / CVE-2024-1709) – payload staged as ClientPath.aspx then side-loaded via GetFileBase ⇒ automated deployment of dusk! across entire MSP client base within minutes.
    2. Phishing with ISO/IMG attachments ("Outstanding_Invoice_[iso]") containing NetSupport-dropper; secondary-stage PowerShell downloads dusk!_x64.dll and uses rundll32.exe entry-point "DllEntry".
    3. Weak or re-used RDP credentials – adversary notices TCP/3389 exposure, brute-forces, runs living-off-the-land PS cmdlet Invoke-Expression to fetch the binary from hxxps://t[.]me/DuskBIN/...
    4. Lateral movement via PsExec, WMI and SMB discovery (but no EternalBlue). Writes a Group-Policy-style scheduled task (\Microsoft\Windows\DUSK\DuskUpdater) to re-encrypt newly created files every 30 min.

Remediation & Recovery Strategies:

1. Prevention

  • Disconnect or harden ScreenConnect / Control servers immediately – apply vendor patch v23.9.8 or later and enforce IP whitelisting.
  • Block ISO, VHD, IMG, JS, VBA, HTA at the mail gateway; strip external-markup macros centrally.
  • Enforce 14+ character unique passwords + account lockout on RDP; move RDP behind VPN/Zero-Trust broker.
  • Segment LAN using VLANs / firewalls; disable SMBv1 and unneeded admin shares (ADMIN$, C$).
  • Install Microsoft updates released up to May-2024 patch-Tuesday (no specific OS exploit is used by dusk!, but it does attempt to bypass AMSI in older builds).
  • Backup 3-2-1 rule: 3 copies, 2 media, 1 off-line/off-site; force immutable repository (object-lock, WORM tape).
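A read-only audit of the host-level items in the Prevention list, as an added example that is not part of the original write-up: it checks SMBv1, the default administrative shares, whether RDP is enabled directly on the host, the account-lockout threshold, Defender cloud-delivered protection (the "cloud-block" mentioned under Essential Tools) and the most recent installed update. Mail-gateway filtering, VLAN segmentation and backup immutability live on other devices and are not checked here. The May-2024 Patch-Tuesday date used as a threshold is an assumption (second Tuesday of that month).

```powershell
# Added example (not from the original write-up): audit local hardening items
# from the Prevention list. Read-only; run elevated on each Windows host.
$findings = [System.Collections.Generic.List[string]]::new()

# SMBv1 must be disabled on the server side
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add('SMBv1 enabled: run Set-SmbServerConfiguration -EnableSMB1Protocol $false')
}

# Default admin shares named on the page; flag them for review
Get-SmbShare | Where-Object { $_.Special -and $_.Name -in 'ADMIN$', 'C$' } |
    ForEach-Object { $findings.Add("Administrative share present: $($_.Name)") }

# RDP enabled on the host itself (fDenyTSConnections = 0 means connections are allowed)
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings.Add('RDP enabled on this host: confirm it is reachable only via VPN / Zero-Trust broker')
}

# Account lockout threshold ("Never" = no lockout, so brute force goes unthrottled)
$lockout = (net accounts | Select-String 'Lockout threshold').Line
if ($lockout -match 'Never') {
    $findings.Add("No account lockout configured: $lockout")
}

# Defender cloud-delivered protection and block-at-first-sight
$mp = Get-MpPreference
if ($mp.MAPSReporting -eq 0 -or $mp.DisableBlockAtFirstSeen) {
    $findings.Add('Defender cloud protection / block-at-first-sight is off (Set-MpPreference -MAPSReporting Advanced -DisableBlockAtFirstSeen $false)')
}

# Most recent installed update versus May-2024 Patch Tuesday (assumed 14 May 2024)
$patchTuesday = [datetime]'2024-05-14'
$lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastHotfix -or $lastHotfix.InstalledOn -lt $patchTuesday) {
    $findings.Add("Newest hotfix is $($lastHotfix.HotFixID) from $($lastHotfix.InstalledOn); install updates through May 2024")
}

if ($findings.Count -eq 0) { 'No findings on this host' } else { $findings }
```

The `net accounts` check reads localized text, so on non-English systems match the equivalent line; on domain-joined hosts the lockout value comes from Group Policy and should be verified there as well.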

2. Removal

  1. Isolate the host (unplug NIC / disable Wi-Fi).
  2. Boot into Safe Mode with Networking or, preferably, Windows RE (WinRE) to prevent scheduled-task re-start.
  3. Delete persistence artefacts:
    – Scheduled task \Microsoft\Windows\DUSK\DuskUpdater
    – Service DuskShadow (if present)
    – Registry run-key HKLM\SOFTWARE\DuskSoft + HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ "DuskTray".
  4. Remove main binaries – usually:
    %ProgramData%\DuskSoft\dusk.exe or dusk_x64.dll
    %TEMP%\random7\*.exe
  5. Shadow copies will already have been wiped by the attacker (vssadmin delete shadows /all), so there is nothing to recover from VSS; having clean external backups is therefore critical.
  6. Run an up-to-date EDR/AV full scan (Windows Defender 1.403.11.0+ detects it as Ransom:Win32/Dusk!MTB).
  7. Only AFTER disinfection, re-attach the host to the network to install OS / application patches.
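The persistence artefacts and binaries from the Removal steps above, gathered into one script as an added example that is not part of the original write-up. By default it only reports what it finds (and hashes the binaries so a sample can be submitted before deletion); pass -Remove to delete the task, service, registry entries and binaries and start a full Defender scan. It assumes it runs elevated on the live OS (Safe Mode with Networking), not from WinRE where the registry hives are offline, and it reads "%TEMP%\random7\*.exe" as a randomly named seven-character folder, which is an assumption, so those files are only listed for review.

```powershell
# Added example (not from the original write-up): locate and optionally remove
# the dusk! persistence artefacts listed in the Removal steps. Report-only by
# default; -Remove deletes them. Run elevated on the live OS.
param([switch]$Remove)

$mode     = if ($Remove) { 'REMOVE' } else { 'FOUND' }
$taskPath = '\Microsoft\Windows\DUSK\'
$taskName = 'DuskUpdater'
$svcName  = 'DuskShadow'
$hklmKey  = 'HKLM:\SOFTWARE\DuskSoft'
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'DuskTray'
$binaries = @(
    (Join-Path $env:ProgramData 'DuskSoft\dusk.exe'),
    (Join-Path $env:ProgramData 'DuskSoft\dusk_x64.dll')
)

function Report([string]$what) { Write-Host ("[{0}] {1}" -f $mode, $what) }

# Step 3: scheduled task used for the 30-minute re-encryption loop
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    Report "scheduled task $taskPath$taskName -> $($task.Actions.Execute)"
    if ($Remove) { Unregister-ScheduledTask -TaskPath $taskPath -TaskName $taskName -Confirm:$false }
}

# Step 3: service (if present)
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc) {
    Report "service $svcName (status $($svc.Status))"
    if ($Remove) {
        Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
        sc.exe delete $svcName | Out-Null
    }
}

# Step 3: registry key and Run value
if (Test-Path -LiteralPath $hklmKey) {
    Report "registry key $hklmKey"
    if ($Remove) { Remove-Item -LiteralPath $hklmKey -Recurse -Force }
}
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) {
    Report "run value $runKey\$runValue = $($run.$runValue)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue -Force }
}

# Step 4: main binaries; hash before deleting so a sample survives for AV/IR
foreach ($bin in $binaries) {
    if (Test-Path -LiteralPath $bin) {
        $sha = (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash
        Report "binary $bin sha256=$sha"
        if ($Remove) { Remove-Item -LiteralPath $bin -Force }
    }
}

# Step 4: %TEMP%\random7\*.exe, read as a random 7-character folder (assumption) - list only
Get-ChildItem -LiteralPath $env:TEMP -Directory -ErrorAction SilentlyContinue |
    Where-Object Name -match '^[A-Za-z0-9]{7}$' |
    ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue } |
    ForEach-Object { Write-Host "[REVIEW] $($_.FullName) (7-character temp folder; verify before deleting)" }

# Step 6: full Defender scan once the artefacts are gone
if ($Remove) { Start-MpScan -ScanType FullScan }
```

Run it once without -Remove and keep the output with the hashes in the incident record; then run it with -Remove, and only after the scan is clean reconnect the host for patching (step 7).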

3. File Decryption & Recovery

  • Recovery Feasibility (as of 06 Jun 2024):
    No free decryptor available. The malware uses Curve25519 + ChaCha20-Poly1305 with a per-victim RSA-2048 keypair; the private key is held only on the attacker's server.
    Brute-force is computationally infeasible. Memory scraping rarely works because the process self-hollows and zeroises the session key before renaming the last file.
    Third-party negotiators report median demand ≈ 1.1 BTC (≈ USD 70 k). Payment does not guarantee a working key—several victims received a non-functional decryptor or no response after paying.
    ONLY reliable path: restore from detached backups or Volume Shadow Copy if it survived (rare).
  • Essential Tools / Patches:
    – ScreenConnect update v23.9.8+ or switch to alternative remote-support stack until patched.
    – Kaspersky Anti-Ransomware Tool, Malwarebytes 4.6, MS Defender with cloud-block enabled – all add signatures to stop dusk! before encryption starts.
    – DuskKiller.exe (TrendMicro cleaning utility v1.2) – removes only the malware, does not decrypt.

4. Other Critical Information

  • Unique Characteristics:
    – “Sleep-then-re-encrypt” – low CPU usage for the first 10 min while it maps shares; ends with a 15-second burst in which every logical drive is processed.
    – Drops “readmetodecrypt.txt” and sets a bright-orange desktop wallpaper (%SystemRoot%\Web\Wallpaper\Dusk\dusk.png) with Tor .onion link and 120 h countdown; after timeout the ransom doubles and key deletion is threatened.
    – Skips files < 1 024 bytes (too small for meaningful ransoms) and anything with a path containing mozilla, chrome, tor-browser, or typical Russian (.ru, .рф) TLDs—suggesting Russian-speaking actor.
  • Broader Impact:
    – MSP compromise pattern leads to hundreds of small businesses hit per breach; estimated > 1 200 systems encrypted in first fortnight.
    – Attackers exfiltrate first (C:\Users\*\Documents\*\*.pdf *.xls*) via MEGASync then run dusk!, giving a double-extortion threat even if backups exist.
    – Because the key exchange happens early, even snapshots created inside the encryption window cannot help once the malware is resident.

Key Take-away: Disconnect ScreenConnect, patch now, and practice strict offline backups; decryption is presently impossible without purchasing the criminals’ private key (and even that is uncertain). Prioritise prevention and rapid restoration rather than hoping for an unlock tool. Stay safe!