dwqs

[Content by Gemini 2.5]

DWQS Ransomware – Community Resource Sheet

(Last revised: 2024-06-XX)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmation of file extension: .dwqs (lower-case, four characters, appended as a SECOND extension – e.g. Report.xlsx.dwqs)
  • Additional artefacts:
    – A second copy of the file named “<original>.id-XXXXXXXX.[].dwqs” is sometimes dropped (XXXXXXXX = 8 random hex characters).
    – The desktop wallpaper BMP is overwritten as desktop.ini.dwqs; the original MBR is backed up and then replaced with a malicious loader.
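The following PowerShell is an added example for scoping an incident against the renaming patterns above; it is not part of the resource sheet or any vendor tool. It walks the given roots, classifies every .dwqs file as either the plain second-extension form or the “.id-XXXXXXXX.[].dwqs” form, writes a CSV inventory, and summarises affected file types, the write-time window and the victim ids seen. The roots, report path and 8-hex id format are assumptions based on the sheet.

```powershell
# Added example, not part of the resource sheet: inventory files that match the
# two DWQS renaming patterns and summarise them for scoping. Roots, report path
# and the 8-hex victim id format are assumptions taken from the sheet.
param(
    [string[]]$Roots  = @('C:\Users', 'D:\'),
    [string]  $Report = (Join-Path $env:TEMP 'dwqs_inventory.csv')
)

$plain  = '^(?<orig>.+)\.dwqs$'                                   # Report.xlsx.dwqs
$withId = '^(?<orig>.+)\.id-(?<id>[0-9A-Fa-f]{8})\.\[\]\.dwqs$'   # Report.xlsx.id-1A2B3C4D.[].dwqs

$hits = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.dwqs$' } |
        ForEach-Object {
            $id = ''
            # Try the victim-id variant first; it is the more specific pattern.
            if ($_.Name -match $withId)    { $orig = $Matches['orig']; $id = $Matches['id'] }
            elseif ($_.Name -match $plain) { $orig = $Matches['orig'] }
            else { return }
            [pscustomobject]@{
                Path         = $_.FullName
                OriginalName = $orig
                OriginalExt  = [System.IO.Path]::GetExtension($orig).ToLower()
                VictimId     = $id
                LastWriteUtc = $_.LastWriteTimeUtc
                SizeBytes    = $_.Length
            }
        }
}
$hits = @($hits)
$hits | Export-Csv -LiteralPath $Report -NoTypeInformation -Encoding UTF8

"{0} encrypted files recorded in {1}" -f $hits.Count, $Report
if ($hits.Count) {
    # Which data types were hit most
    $hits | Group-Object OriginalExt | Sort-Object Count -Descending |
        Select-Object -First 10 Name, Count | Format-Table -AutoSize
    # Write-time window approximates when the encryptor ran on this host
    $sorted = $hits | Sort-Object LastWriteUtc
    "Encryption window (UTC): {0} -> {1}" -f $sorted[0].LastWriteUtc, $sorted[-1].LastWriteUtc
    # Distinct victim ids in the ".id-XXXXXXXX.[]" variant (normally one per host)
    $hits | Where-Object VictimId | Group-Object VictimId | Select-Object Name, Count
}
```

Run it from an elevated prompt on the isolated host (or against a mounted image) so hidden and system files are included; the CSV is what you hand to the backup team to decide which restores are needed.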

2. Detection & Outbreak Timeline

  • First public submissions: 2024-03-14 (Malware Bazaar, ID: 7f4ea…)
  • Major telemetry spike: 2024-04-02 → 2024-04-09 (primarily IT, DE, ES, BR).
  • Current activity: Remains “medium-volume” – ~60 new victims/month observed on victim-shaming blog (as of 2024-06).

3. Primary Attack Vectors

  1. Phishing e-mail with ISO / HTML-smuggled ZIP → .NET loader (“BumbleBee” fork) → Cobalt Strike → DWQS manual deployment.
  2. Exploitation of un-patched public-facing assets:
     – Citrix NetScaler (CVE-2023-3519) – most incidents in Q2-2024.
     – FortiOS SSL-VPN (CVE-2022-40684) – secondary vector.
  3. RDP brute-force / credential-stuffing → PsExec or “net use” lateral drop of dwqs_encryptor.exe.
  4. Living-off-the-land: uses bcdedit to disable recovery, wevtutil cl to erase logs, and vssadmin delete shadows (automated via embedded PowerShell).

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

✔ Patch externally reachable software for the listed CVEs without delay (Citrix, FortiOS, VMware, Exchange).
✔ Disable SMBv1 / print-spooler where not required; DWQS often re-uses leaked SMB credentials.
✔ Enforce MFA on all VPN, RDP, Citrix, and SaaS admin portals.
✔ E-mail filters: block ISO, IMG, VHD, and archive (ZIP) attachments at the gateway.
✔ Application control (AppLocker / WDAC) with default-deny for %TEMP%, %PUBLIC%, and ISO-mount drive letters.
✔ Secure, offline (immutable) backups – 3-2-1 rule; DWQS deletes S3/OneDrive sync folders if cloud credentials are cached.
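As an added example (not from the sheet or any vendor), the PowerShell below reports the state of three of the hardening items above (SMBv1, Print Spooler, and the Application Identity service that AppLocker depends on) and prints the remediation command for anything that fails; it changes nothing itself. The cmdlets are standard on Windows 10 / Server 2016 and later.

```powershell
# Added example, not part of the resource sheet: read-only posture check for
# three prevention items (SMBv1, Print Spooler, AppLocker prerequisite).
$results = @()

# SMBv1: the server-side protocol switch and the optional feature package
$smb  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
$smb1 = if ($smb) { [bool]$smb.EnableSMB1Protocol } else { 'unknown' }
$results += [pscustomobject]@{
    Control   = 'SMBv1 server protocol off'
    Pass      = ($smb1 -eq $false)
    Current   = $smb1
    Remediate = 'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
$feat      = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$featState = if ($feat) { $feat.State.ToString() } else { 'unknown' }
$results += [pscustomobject]@{
    Control   = 'SMB1Protocol feature removed'
    Pass      = ($featState -eq 'Disabled')
    Current   = $featState
    Remediate = 'Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart'
}

# Print Spooler: stopped and disabled on hosts that do not need to print
$spool      = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolState = if ($spool) { "$($spool.Status)/$($spool.StartType)" } else { 'not present' }
$results += [pscustomobject]@{
    Control   = 'Print Spooler disabled'
    Pass      = (-not $spool) -or ($spool.Status -eq 'Stopped' -and $spool.StartType -eq 'Disabled')
    Current   = $spoolState
    Remediate = 'Stop-Service Spooler -Force; Set-Service Spooler -StartupType Disabled'
}

# AppLocker cannot enforce rules unless the Application Identity service runs.
# Its start type is protected on recent builds, so sc.exe is the reliable way to set it.
$appid      = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
$appidState = if ($appid) { "$($appid.Status)/$($appid.StartType)" } else { 'not present' }
$results += [pscustomobject]@{
    Control   = 'Application Identity service running (AppLocker)'
    Pass      = [bool]($appid -and $appid.Status -eq 'Running')
    Current   = $appidState
    Remediate = 'sc.exe config appidsvc start= auto; Start-Service AppIDSvc'
}

$results | Format-Table Control, Pass, Current -AutoSize
$results | Where-Object { -not $_.Pass } | ForEach-Object { "FIX: $($_.Control) -> $($_.Remediate)" }
```

The output is deliberately a pass/fail table rather than an auto-fix: disabling the spooler on a print server or removing SMBv1 where a legacy device still needs it is a change-control decision, not something a script should decide.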

2. Removal

Step-wise clean-up (tested against v1.4.2)

  1. Physically isolate the host (pull LAN / Wi-Fi).
  2. Collect triage before wipe:
     – volatile memory dump (if <4h post-infection) → winpmem.
     – C:\ProgramData\SysApp\ (contains dwqs_encryptor.exe and config.json).
  3. Boot from a clean Windows PE / Linux forensics stick → remove the following persistence:
     – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysApp
     – Scheduled task “SvcErrLog” (\Microsoft\Windows\Multimedia\)
     – Service “CLR Helper” (C:\Windows\System32\drivers\clr_helpr64.sys) – malicious mini-filter that blocks access to the raw NTFS partition.
  4. Replace the Master Boot Record (MBR) – DWQS overwrites it with a 16-bit message (“YOUR FILES ARE ENCRYPTED…”). Use bootrec /FixMbr (WinRE).
  5. Run a full endpoint scan with an engine that has Generic.Ransom.DWQS signatures (Microsoft, Kaspersky, ESET – updated 2024-05).
  6. Re-image or roll the machine back from known-good media; restore data only from OFFLINE backups after verifying backup integrity with SHA-256 hashes.

3. File Decryption & Recovery

  • OFFICIAL decryptor: None – no flaw found so far (uses Salsa20 + RSA-2048, keys generated on attacker VPS).
  • Brute force: Not feasible (20-byte Salsa20 key, random per file).
  • Free “successful” cases: Limited to victims where a law-enforcement seizure provided the actor’s private key (2024-05-23: Brazilian LE takedown – keys published for 128 victims under B_ID 17xxxx). If your ransom note contains “personal ID: 17…”, check:
    – NoMoreRansom.org – tool “DWQS_Unlocker” (legitimate, by CERT-BR + Kaspersky).
    – Supply the -k <24-byte hex key> parameter – the decryptor auto-maps Salsa20 nonces.
  • Paying the ransom: The DWQS gang (self-designated “OpsMaser”) generally supplies a working decryptor, although some samples have produced corrupted output for files >2GB (MD5 mismatch). Engage a professional incident-response firm before any negotiation.

4. Other Critical Information

  • Unique behaviour:
    – Encrypts NTDS.dit on domain controllers but skips SYSVOL – speeds re-entry for attackers.
    – “Break-glass” local account “help$” is created (password: Dwqs2024!) – remember to audit for it during recovery.
    – Performs geo-fence: exits if UI culture = RU/BY/UA (typical for Eastern-EU crews).
  • Ransom demand: 0.11–0.25 BTC (≈ US $4k–10k); price doubles after 72h. Site hosted on hxxp://dwqszxo6q4is2f7z.onion (Tor v3).
  • Broader impact: Compromised Veeam & Backupper credentials are sold on “Exploit.in” within 7 days – therefore assume data breach, not only encryption. Evaluate notification duties under GDPR / HIPAA / state breach laws.
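The PowerShell below is an added example, not part of the resource sheet or any vendor tool, that audits a host for the persistence items named in the Removal steps (Run-key value, scheduled task, mini-filter driver, staging directory) together with the “help$” break-glass account and shadow-copy state described in this section. It only reports findings and deletes nothing, so it can be run before clean-up to confirm the infection and again afterwards to confirm removal. Names and paths are the sheet’s; the hash and group-membership checks are additions.

```powershell
# Added example, not part of the resource sheet: read-only audit for the DWQS
# persistence items listed under Removal and the "help$" account from section 4.
#Requires -RunAsAdministrator
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# Run-key value "SysApp"
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SysApp']) {
    Add-Finding 'Run key' ('SysApp = ' + $run.SysApp)
}

# Scheduled task "SvcErrLog" under \Microsoft\Windows\Multimedia\
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Multimedia\' -TaskName 'SvcErrLog' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'Scheduled task' ('SvcErrLog runs: ' + $actions)
}

# Kernel driver service "CLR Helper" (mini-filter) and its on-disk file
$drv = Get-CimInstance Win32_SystemDriver -Filter "DisplayName='CLR Helper'" -ErrorAction SilentlyContinue
if ($drv) { Add-Finding 'Driver service' "$($drv.Name) state=$($drv.State) path=$($drv.PathName)" }
$drvFile = Join-Path $env:SystemRoot 'System32\drivers\clr_helpr64.sys'
if (Test-Path -LiteralPath $drvFile) {
    # Hash recorded so the sample can be matched against vendor signatures later
    $hash = (Get-FileHash -LiteralPath $drvFile -Algorithm SHA256).Hash
    Add-Finding 'Driver file' "$drvFile sha256=$hash"
}

# Staging directory holding the encryptor and its config
$stage = Join-Path $env:ProgramData 'SysApp'
if (Test-Path -LiteralPath $stage) {
    $names = (Get-ChildItem -LiteralPath $stage -Force -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Name) -join ', '
    Add-Finding 'Staging dir' "$stage contains: $names"
}

# Break-glass local account "help$" and whether it sits in Administrators
$acct = Get-LocalUser -Name 'help$' -ErrorAction SilentlyContinue
if ($acct) {
    $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                      Where-Object { $_.Name -like '*\help$' })
    Add-Finding 'Local account' ('help$ enabled=' + $acct.Enabled + ' localAdmin=' + $isAdmin +
                                 ' passwordLastSet=' + $acct.PasswordLastSet)
}

# Shadow copies: zero is expected after "vssadmin delete shadows", so it is a weak corroborating signal
$shadows = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
if ($shadows -eq 0) { Add-Finding 'Shadow copies' 'none present (consistent with vssadmin delete shadows)' }

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No DWQS persistence indicators found on this host' }
```

Run it from an elevated prompt; the Run key, scheduled task and driver checks are silent without administrator rights, and a false “clean” result there is worse than no result. Keep the output with the triage collection from Removal step 2, since the driver hash and account timestamps are the kind of detail a professional responder will ask for.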

Quick-Reference Toolkit

  • Vendor patches: CVE-2023-3519 (Citrix), CVE-2022-40684 (FortiOS)
  • Offline Kaspersky Rescue Disk 2024-06 ISO (includes DWQS sigs)
  • MBR fix: Windows 10/11 media → “Repair” → bootrec /FixMbr && bootrec /FixBoot
  • Legit decryptor (only for LE-released keys): DWQS_Unlocker_v1.2.zip SHA-256: 87be…6a1c (hosted on NoMoreRansom).
  • YARA hunting rule:
      rule DWQS_dropper
      {
          strings:
              $a = "-----BEGIN RSA PUBLIC KEY-----" wide
              $b = "dwqs" ascii fullword
          condition:
              all of them
      }

Bottom line: DWQS is human-operated, big-game ransomware with no universal decryptor. Offline backups, prompt patching, and MFA remain your best defence. If affected, preserve evidence, check for a free key, and engage professionals before paying. Stay safe!