dxxd

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .dxxd
  • Renaming Convention: The string “.dxxd” is appended to the complete original filename; no e-mail address, counter or random ID is inserted, and the original extension is preserved, so the file type is still recoverable from the name.
    Example: Quarterly-Report.xlsx → Quarterly-Report.xlsx.dxxd

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Earliest customer submissions and underground-forum chatter date to September-October 2023. Volume peaked in early 2024 and has remained steady since.

3. Primary Attack Vectors

The samples analysed so far fall into two closely related clusters (Talos tracks them as “DXXD-A/B”, CrowdStrike as “Dusk”). The most common intrusion routes observed are:

  1. Internet-exposed RDP with weak or previously cracked credentials, followed by manual deployment of Mimikatz and the DXXD payload via wmic or PsExec.
  2. Phishing e-mail with an ISO or IMG attachment containing a .NET dropper (detected as “TR/Dropper.dxxd”) that pulls the final x64 binary from a CDN.
  3. Exploitation of Internet-facing appliances (broadly reported against Fortra GoAnywhere MFT and unpatched Barracuda ESG appliances): the actors plant a web shell, then execute the .dxxd PE as a second stage.
  4. Not observed: any worm or SMB self-propagation component. This is an access-by-purchase, manual post-compromise locker rather than a mass-mailed or self-spreading campaign.

Remediation & Recovery Strategies:

1. Prevention

  • Kill the RDP attack surface: disable it where unused; where it is needed, put it behind an RDP Gateway or VPN, enforce Network Level Authentication, and require long (15+ character), unique, rotated passwords plus MFA.
  • Patch externally facing appliances (GoAnywhere, Barracuda ESG, PaperCut, MOVEit, …): most are exploited weeks or months after the vendor patch is released, so the risk is exposure time rather than zero-days.
  • Application control (Defender ASR rules, AppLocker or WDAC): the parent binaries run from unusual paths (e.g., C:\PerfLogs\svchost32.exe), which a path- or publisher-based allow-list blocks outright.
  • E-mail filtering: block ISO/IMG attachments, or at minimum detonate them in a sandbox before delivery; enable Safe Attachments in Microsoft 365.
  • Backups: follow the 3-2-1 rule and keep at least one copy immutable or fully offline. DXXD enumerates drive letters A: through Z:, so any mapped or attached backup volume is encrypted with the data, and it deletes VSS shadow copies and the Windows Backup (wbadmin) catalogue.
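The host-side controls from the list above, as an added hardening script that is not code from the original write-up: RDP off or NLA-only, Defender ASR rules aimed at the observed tradecraft (LSASS dumping, PsExec/WMI spawning, mail-borne executables), and Controlled Folder Access. It assumes Microsoft Defender Antivirus is the active AV (ASR rules require it); the $RdpNeeded and $asrMode variables are this example's own knobs, and the rule GUIDs are Microsoft's published ASR identifiers.

```powershell
#Requires -RunAsAdministrator
<#
Added hardening example (not from the original write-up). Applies the host-side
prevention controls on one Windows 10/11 or Server machine. Assumes Defender AV
is active; $RdpNeeded and $asrMode are this example's own switches.
Run in an elevated PowerShell; trial the ASR rules in AuditMode before blocking.
#>
$ErrorActionPreference = 'Stop'
$RdpNeeded = $true   # set $false on hosts that must never accept inbound RDP

# --- 1. RDP attack surface --------------------------------------------------
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"
if (-not $RdpNeeded) {
    # fDenyTSConnections=1 turns the listener off; the firewall group closes 3389.
    Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
} else {
    # UserAuthentication=1 enforces Network Level Authentication: the client must
    # authenticate before any session (and its attack surface) is created.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    # SecurityLayer=2 requires TLS instead of legacy RDP security.
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2 -Type DWord
}

# --- 2. Defender ASR rules (GUIDs are Microsoft's published rule IDs) -------
$asrRules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS (Mimikatz)'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables failing prevalence/age/trusted-list criteria'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}
# 'AuditMode' on the first pass: the PsExec/WMI rule breaks some management tooling.
$asrMode = 'Enabled'
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $asrMode
    Write-Host ("ASR {0} -> {1}: {2}" -f $id, $asrMode, $asrRules[$id])
}

# --- 3. Controlled Folder Access: unknown binaries cannot rewrite user data --
Set-MpPreference -EnableControlledFolderAccess Enabled

# --- 4. Report the resulting state ------------------------------------------
$pref = Get-MpPreference
[pscustomobject]@{
    RdpDenied              = (Get-ItemProperty -Path $tsRoot).fDenyTSConnections
    RdpNla                 = (Get-ItemProperty -Path $rdpTcp).UserAuthentication
    AsrRulesConfigured     = @($pref.AttackSurfaceReductionRules_Ids).Count
    ControlledFolderAccess = $pref.EnableControlledFolderAccess
} | Format-List
```

The prevalence/age/trusted-list rule only works with cloud-delivered protection enabled, and Controlled Folder Access will block legitimate but unknown software that writes to user profiles, so collect the audit events for a week before switching either to block. AppLocker/WDAC policies and mail-gateway filtering are organisation-wide settings and are left to GPO or the tenant admin portal.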

2. Removal

Step 1 – Isolate the host from the network (wired and Wi-Fi) to stop lateral movement. If the locker may still be running, capture memory before powering off; image the disk before making any changes.
Step 2 – Boot from external media or, if you cannot rebuild, into plain Safe Mode (not Safe Mode with Networking) with the network cable unplugged.
Step 3 – Remove persistence: a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run named "svchost32" pointing at \PerfLogs\svchost32.exe, and the DXHDlpServ service described in section 4 below.
Step 4 – Fully rebuild from known-clean media. Too many incidents show leftover Cobalt Strike beacons or second-stage lockers hidden in %ProgramData%.
Step 5 – Before restoring data, confirm the system is patched, every credential the attackers could have captured has been reset and MFA is mandatory; otherwise the attackers return.

3. File Decryption & Recovery

  • At the time of writing (May 2024) NO PUBLIC DECRYPTOR exists.
  • The malware uses a hybrid scheme: files are encrypted with AES-256-GCM and the AES keys are protected with Curve25519. The Curve25519 private key is generated on the attacker's side and never reaches the victim machine, so once the run is over there is no key material on the host to recover. The only window is while the locker is still running, when unwrapped AES keys exist in its process memory; that is the reason to capture memory before powering off a machine that is still encrypting.
  • Shadow-copy recovery is deliberately sabotaged (vssadmin delete shadows /all), so do not count on Previous Versions.
  • Only reliable path: clean rebuild and restore from backups.
    If there are no backups, consult a reputable incident-response firm. Some vendors offer “partial recovery” by carving embedded or auto-saved copies of originals out of Office documents, but the reported success rate is below 20 % and the service is not free.

Essential Tools / Patches (always run before restore):

  • Barracuda ESG: CVE-2023-2868 patch (pushed by Barracuda to all appliances in May 2023); Barracuda subsequently advised replacing compromised appliances rather than relying on the patch.
  • Fortra GoAnywhere MFT: CVE-2023-0669; PaperCut MF/NG: CVE-2023-27350.
  • Windows: KB5026361 (May 2023 cumulative update) and every update since. Note that over-pass-the-hash abuses RC4-HMAC Kerberos encryption (the NT hash is the RC4 key), not DES, which Windows has disabled by default since Windows 7 and Server 2008 R2; blunt it by restricting RC4 through the “Network security: Configure encryption types allowed for Kerberos” policy once all accounts and services are confirmed to work with AES.

4. Other Critical Information

  • Unique behaviour: After encryption finishes, it drops two ransom notes, README_TO_RESTORE.txt in every folder and IF_YOU_WANT_TO_GET_ALL_BACK.html on the desktop. Contact e-mail is wakeupdxxd@tutanota[.]com (occasionally decryptdxxd@cock[.]lu).
  • Adds a Windows service named “DXHDlpServ” so it can run as LocalSystem without a user logon; removing the .exe alone is not sufficient, the service registration and the Run key must go too.
  • Broader Impact: Because DXXD is run manually once access is gained, the gang nearly always exfiltrates data before encryption. Several US school districts and two municipal utilities suffered both encryption and data publication. Expect a double-extortion threat: victims receive links to a Tor blog (http://dxxdblog56w2xiq5[…].onion).
  • When organisations have paid, the attacker has provided a universal decryptor plus a “proof-of-deletion” statement for the stolen files. Our advice remains do not pay: it funds further criminal activity, the deletion claim cannot be verified, and payment does not guarantee non-release of data.
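Putting the removal steps of section 2 and the indicators listed in this section together, here is an added triage/removal script that is not code from the original write-up. It checks a host for the page's indicators (the .dxxd extension, the two ransom-note names, the "svchost32" Run key pointing at \PerfLogs\svchost32.exe, and the DXHDlpServ service) and, only when -Remove is passed, stops and deletes that persistence. Encrypted files are left untouched: they are evidence and the only input a future decryptor could use. The parameter names, the script filename in the usage note and the report format are this example's own.

```powershell
#Requires -RunAsAdministrator
<#
Added triage example (not from the original write-up). Reports the page's
indicators and, with -Remove, deletes the persistence only. Run on the
isolated host after imaging the disk (and capturing memory if the locker may
still be running). Parameter names and report layout are this example's own.
#>
param(
    [switch]$Remove,
    [string[]]$ScanRoots = @("$env:SystemDrive\Users", "$env:SystemDrive\PerfLogs", $env:ProgramData)
)
$findings    = [System.Collections.Generic.List[string]]::new()
$persistence = 0

# --- 1. Service persistence (LocalSystem, no logon needed) -------------------
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DXHDlpServ'"
if ($svc) {
    $persistence++
    $findings.Add("Service DXHDlpServ state=$($svc.State) path=$($svc.PathName)")
    if ($Remove) {
        Stop-Service -Name DXHDlpServ -Force -ErrorAction SilentlyContinue
        & sc.exe delete DXHDlpServ | Out-Null   # Remove-Service needs PowerShell 6+; sc.exe works everywhere
    }
}

# --- 2. Dropped binary (the real svchost.exe lives in System32, never PerfLogs)
$bin = Join-Path $env:SystemDrive 'PerfLogs\svchost32.exe'
if (Test-Path -LiteralPath $bin) {
    $persistence++
    $sha256 = (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash
    $findings.Add("Binary $bin sha256=$sha256")   # record the hash before anything is deleted
    if ($Remove) {
        Get-Process | Where-Object { $_.Path -eq $bin } | Stop-Process -Force
        Remove-Item -LiteralPath $bin -Force
    }
}

# --- 3. Run-key persistence in every loaded user hive ------------------------
# HKCU only covers the account running this script; HKEY_USERS covers all loaded profiles.
$runRel = 'Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
    $runKey = "Registry::$($hive.Name)\$runRel"
    $val = Get-ItemProperty -Path $runKey -Name svchost32 -ErrorAction SilentlyContinue
    if ($val) {
        $persistence++
        $findings.Add("Run key $runKey\svchost32 = $($val.svchost32)")
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name svchost32 }
    }
}

# --- 4. Scope of the encryption (read-only) ----------------------------------
$encrypted = @(Get-ChildItem -Path $ScanRoots -Recurse -File -Filter '*.dxxd' -ErrorAction SilentlyContinue)
$notes     = @(Get-ChildItem -Path $ScanRoots -Recurse -File -Include 'README_TO_RESTORE.txt', 'IF_YOU_WANT_TO_GET_ALL_BACK.html' -ErrorAction SilentlyContinue)
$findings.Add("Encrypted files: $($encrypted.Count); ransom notes: $($notes.Count)")
if ($encrypted.Count -gt 0) {
    $first = $encrypted | Sort-Object LastWriteTime | Select-Object -First 1
    $findings.Add("Earliest .dxxd write: $($first.LastWriteTime) $($first.FullName)")   # bounds the start of encryption
}
$findings.Add("Shadow copies still present: $(@(Get-CimInstance -ClassName Win32_ShadowCopy).Count)")

# --- 5. Report ---------------------------------------------------------------
$findings | ForEach-Object { Write-Output $_ }
if ($persistence -gt 0 -and -not $Remove) {
    Write-Warning 'Persistence found; re-run with -Remove once evidence has been preserved.'
}
```

Saved as, say, Dxxd-Triage.ps1 (a filename of this example's choosing), `.\Dxxd-Triage.ps1` produces the read-only report and `.\Dxxd-Triage.ps1 -Remove` additionally clears the service, binary and Run key. The earliest .dxxd timestamp and the shadow-copy count go straight into the incident timeline. None of this replaces Step 4: the host is still rebuilt from clean media, the script only makes sure the locker cannot restart while evidence and backups are being sorted out.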

Bottom line: .dxxd is a post-compromise, hands-on-keyboard ransomware that targets poorly patched edge systems and relies on manual operators. The one control that removes the attackers' leverage is hardened backups: with immutable, off-network copies they lose almost all of it. Patch externally facing services immediately, enforce MFA on RDP and administrative tools, and run continuous off-site, versioned backups. Never hesitate to involve your national CERT or a reputable IR firm when you see .dxxd in your environment.