eclr*

[Content by Gemini 2.5]

Ransomware Resource for the “eclr*” Extension

(The star is a wildcard; victims usually see something like “.eclrR3d”, “.eclr2023!”, “.eclr_locked”, etc.)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension seen in the wild: .eclr, sometimes followed by a random three-character campaign ID or an exclamation mark (e.g. photo.jpg.eclr, report.xlsx.eclrR5v, db.bak.eclr!).
  • Renaming convention:
      • Plain append – the original file name and extension remain intact; the malware simply concatenates its own marker at the end.
      • No desktop.ini-based renaming or MFT manipulation, so dir output still shows the full old name, just with the extra suffix.
      • No prefix is added, in contrast to some families that zero out the first 16 bytes of the file name.

2. Detection & Outbreak Timeline

  • First public report: mid-June 2023 (initial upload to ID-Ransomware and VirusTotal from an EU manufacturing victim).
  • Noticeable surge: July–August 2023, both geographically and across verticals (healthcare, regional MSPs, and a U.S. school district).
  • Still circulating in 2024 campaigns; the builder appears to be sold privately, so new “releases” surface every few months.

3. Primary Attack Vectors

  • Phishing with ISO/IMG lures – an e-mail supposedly carrying an “invoice” or “scan” mounts an ISO; inside is an MSI or DLL that side-loads the main loader.
  • Pirated software bundles – fake game cracks and CAD keygen EXEs seeded on Discord and BitTorrent; the installer drops both the ransomware and a clipper module.
  • Compromised RDP / brute-forced credentials – interactive access over port 3389, followed by manual deployment of eclr.exe from C:\Perflogs\.
  • Exploitation of Atlassian Confluence CVE-2022-26134 (OGNL injection) – observed in at least two July-2023 intrusions; attackers used the bug to drop the same eclr payload.
  • No current evidence of worm-like SMB/EternalBlue activity; it behaves like a targeted post-breach payload rather than a network worm.

Remediation & Recovery Strategies

1. Prevention

  • Disable Office macro execution for files originating from the Internet; most eclr* ISO lures pivot on an embedded macro. Note that this control depends on the Mark of the Web, which files extracted from a mounted ISO only inherit on Windows builds that propagate it into mounted images; on older builds the macro block never fires, so patch level matters here too.
  • Enforce the Microsoft Defender attack surface reduction (ASR) rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” (rule ID 01443614-cd74-433a-b99e-2ecdc07bfc25); it already blocks the early-2023 samples. Roll it out in audit mode first, as it is one of the noisier rules.
  • Patch Confluence, Citrix, Fortinet and any Internet-facing VPN appliances; the July wave abused unpatched Confluence servers.
  • Restrict RDP (port 3389) behind a VPN, require Network Level Authentication, and set an account lockout threshold and duration so credential brute-forcing stalls.
  • Application allow-listing, ideally via Windows Defender Application Control (WDAC) or AppLocker; the main DLL (ColorCNV.dll) is not validly signed, so a signed-publisher policy blocks it outright.
  • A backup strategy that follows the 3-2-1 rule: three copies, two media types, one offline/off-site. eclr explicitly deletes VSS snapshots with vssadmin delete shadows /all and clears the Windows Event Logs, so you must have a backup that is NOT addressable from the infected machine (no mapped drives, no always-on credentials to the backup target).
  • Enable Controlled Folder Access (CFA) for at least C:\Users and any mapped shares; the sample with hash 6a2989… from Aug-2023 is blocked by CFA when it attempts mass encryption.
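The controls above as one host-level script, added here as an example; it is not part of this page or of any Microsoft tooling. The ASR rule ID, the registry paths and the cmdlets are real; the protected-folder list (D:\Shares), the lockout values and the audit-first ordering are assumptions to adapt to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): applies the preventive controls listed above
# on a single Windows host. Rule ID and cmdlets are real; the folder list and lockout
# values are assumptions to adjust for your environment.

$AsrBlockUntrustedExe = '01443614-cd74-433a-b99e-2ecdc07bfc25'   # "Block executable files unless they meet prevalence/age/trusted list"
$ProtectedFolders     = @('C:\Users', 'D:\Shares')                # assumed; add mapped shares you care about

function Set-EclrHardening {
    param([switch]$AuditOnly)   # run in audit mode first; the ASR rule is noisy

    # 1. ASR rule (AuditMode logs Defender event 1122 instead of blocking; Enabled logs 1121 and blocks)
    $action = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrBlockUntrustedExe `
                     -AttackSurfaceReductionRules_Actions $action

    # 2. Controlled Folder Access over the folders the encryptor will walk first
    Set-MpPreference -EnableControlledFolderAccess $action
    foreach ($f in $ProtectedFolders) {
        if (Test-Path $f) { Add-MpPreference -ControlledFolderAccessProtectedFolders $f }
    }

    # 3. RDP: require Network Level Authentication before a logon screen is shown
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                     -Name 'UserAuthentication' -Value 1 -Type DWord

    # 4. Account lockout so brute-forcing stalls (assumed thresholds: 5 failures, 15 minutes)
    net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null

    # 5. Block macros in Office files that carry the Mark of the Web (Office 2016+ policy value)
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Test-EclrHardening {
    # Returns control -> $true/$false for a quick compliance check after the rollout
    $mp   = Get-MpPreference
    $ids  = @($mp.AttackSurfaceReductionRules_Ids)
    $acts = @($mp.AttackSurfaceReductionRules_Actions)
    $asrEnforced = $false
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrBlockUntrustedExe -and $acts[$i] -eq 1) { $asrEnforced = $true }   # 1 = Block
    }
    $nla = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication
    @{
        AsrRuleEnforced = $asrEnforced
        CfaEnabled      = ($mp.EnableControlledFolderAccess -eq 1)
        RdpNla          = ($nla -eq 1)
    }
}

Set-EclrHardening -AuditOnly   # first pass: watch event 1122 for a week, then rerun without -AuditOnly
Test-EclrHardening
```

Run the audit pass first and review the Microsoft-Windows-Windows Defender/Operational log for what the rule would have blocked; line-of-business installers and unsigned internal tools are the usual casualties, and they belong on the allow list before enforcement.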

2. Removal

  1. Isolate the host at the network level (unplug / disable Wi-Fi / disable the switch port).
  2. Collect volatile evidence (memory dump, Prefetch, ShimCache) before rebuilding if forensics is required.
  3. PowerShell one-liner to stop the encryptor process (usually named svhost.exe – note the typo mimicking svchost.exe) and its service. Inside PowerShell sc is an alias for Set-Content, so call sc.exe explicitly:
     Stop-Process -Name "svhost" -Force; sc.exe stop eclrSrv 2>$null
  4. Remove persistence:
      • Scheduled task: \Microsoft\Windows\DiskFootprint\eclrUpdate
      • Run keys:
          HKCU\Software\Microsoft\Windows\CurrentVersion\Run\eclrAgent
          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper
  5. Delete dropped binaries (C:\Perflogs\eclr.exe, C:\Users\Public\Libraries\ColorCNV.dll, C:\ProgramData\ntuser.dat).
  6. Clear the WMI event subscription if present. Removing only the __EventFilter leaves any consumer and __FilterToConsumerBinding behind; remove those as well:
     Get-WmiObject __EventFilter -Namespace root\subscription -Filter "Name='eclrFilter'" | Remove-WmiObject
  7. Re-enable the Windows services (Defender, VSS, Windows Update) that the malware disables by setting their Start value under HKLM\SYSTEM\CurrentControlSet\Services to 4 (Disabled) with reg add.
  8. Run a Defender full scan or a reputable offline rescue disk (Kaspersky Rescue Disk, ESET SysRescue Live) to ensure no residual backdoors remain.
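Steps 3 to 7 as one eradication script, added here as an example that is not part of this page or of any vendor tool. The process, service, task, Run-key, file and WMI filter names are the IOCs this page lists (ExPack.exe is the stealer named later in the page); the start types restored in step 7 are the Windows defaults for those services, not data from the page.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): scripted eradication of the eclr*
# persistence items from steps 3-7 above. Names and paths come from this page's IOC
# list; the restored service start types are Windows defaults.

$Iocs = @{
    Process   = 'svhost'                                    # typo-squat of svchost.exe
    Service   = 'eclrSrv'
    TaskPath  = '\Microsoft\Windows\DiskFootprint\'
    TaskName  = 'eclrUpdate'
    RunKeys   = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'eclrAgent' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'SysHelper' }
    )
    Files     = @('C:\Perflogs\eclr.exe', 'C:\Perflogs\ExPack.exe',
                  'C:\Users\Public\Libraries\ColorCNV.dll', 'C:\ProgramData\ntuser.dat')
    WmiFilter = 'eclrFilter'
}
# Services the malware sets to Start=4 (Disabled) and the default start type to put back
$ServicesToRestore = @{ WinDefend = 'Automatic'; VSS = 'Manual'; wuauserv = 'Manual' }

function Remove-EclrPersistence {
    $log = New-Object System.Collections.Generic.List[string]

    # Step 3: stop encryptor and service (sc.exe, because sc is PowerShell's alias for Set-Content)
    Get-Process -Name $Iocs.Process -ErrorAction SilentlyContinue | Stop-Process -Force
    sc.exe stop   $Iocs.Service 2>$null | Out-Null
    sc.exe delete $Iocs.Service 2>$null | Out-Null
    $log.Add('process/service handled')

    # Step 4: scheduled task and Run keys
    $task = Get-ScheduledTask -TaskPath $Iocs.TaskPath -TaskName $Iocs.TaskName -ErrorAction SilentlyContinue
    if ($task) { $task | Unregister-ScheduledTask -Confirm:$false; $log.Add('task removed') }
    foreach ($rk in $Iocs.RunKeys) {
        if (Get-ItemProperty -Path $rk.Path -Name $rk.Name -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $rk.Path -Name $rk.Name
            $log.Add("run key $($rk.Name) removed")
        }
    }

    # Step 5: dropped binaries (hash before deleting so the IOC survives the clean-up)
    foreach ($f in $Iocs.Files) {
        if (Test-Path $f) {
            $h = (Get-FileHash -Path $f -Algorithm SHA256).Hash
            Remove-Item -Path $f -Force
            $log.Add("deleted $f sha256=$h")
        }
    }

    # Step 6: WMI subscription - binding and consumer first, then the filter
    $ns = 'root/subscription'
    $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
                Where-Object { "$($_.Filter)" -like "*$($Iocs.WmiFilter)*" }
    foreach ($b in $bindings) {
        # Consumer is a reference; handle both the CimInstance and the string-path form
        $consumerName = if ($b.Consumer -is [string]) { ($b.Consumer -split '"')[1] } else { $b.Consumer.Name }
        Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
            Where-Object { $_.Name -eq $consumerName } | Remove-CimInstance
        $b | Remove-CimInstance
        $log.Add("wmi binding and consumer '$consumerName' removed")
    }
    Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='$($Iocs.WmiFilter)'" |
        ForEach-Object { $_ | Remove-CimInstance; $log.Add('wmi filter removed') }

    # Step 7: restore service start types and start them
    foreach ($svc in $ServicesToRestore.Keys) {
        try {
            Set-Service -Name $svc -StartupType $ServicesToRestore[$svc] -ErrorAction Stop
            Start-Service -Name $svc -ErrorAction SilentlyContinue
            $log.Add("service $svc restored")
        } catch {
            # WinDefend is tamper-protected; a refusal here usually means a reboot or Security Center is needed
            $log.Add("service $svc: $($_.Exception.Message)")
        }
    }
    return $log
}

Remove-EclrPersistence | ForEach-Object { Write-Host $_ }
```

Keep the returned log with the case file: it records the SHA-256 of every binary removed, which is the evidence you will want when the same affiliate shows up on the next host. The script does not replace step 8; run the full scan afterwards.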

3. File Decryption & Recovery

  • No implementation flaw found so far: eclr uses Curve25519 ECDH with ChaCha20-Poly1305 in an ECIES-style hybrid scheme. The victim-side ephemeral public key is stored inside every <file>.eclr.README_TO_RESTORE note; without the gang’s static private key it cannot be turned back into the file keys.
  • Free decryptor? Not available yet (checked nomoreransom.org, Avast and Emsisoft as of 2024-05-01).
  • The private key has NOT been leaked.
  • Brute-forcing a 256-bit Curve25519 key (≈128-bit security level) is computationally infeasible.
    Conclusion: at present the only reliable file-level recovery is
    (a) restore from backup, or
    (b) pay the ransom (not recommended by law enforcement, and it gives no guarantee).

File repair carving: because the malware encrypts only the first 0x80000 bytes (512 KiB) of each file and appends a 128-byte footer, everything between that offset and the footer is still plaintext. For large files whose format tolerates a damaged head (JPEG, PDF) partial recovery is sometimes possible with photorec-style carving or by transplanting a known-good header from an intact reference file of the same type. Expect only a 10–30 % success rate; the first 512 KiB stays lost, so anything the format keeps there is gone.
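Before attempting any header transplant it is worth checking that the layout described above actually holds for your samples. The following is an added example, not code from this page or from any recovery tool: it enumerates eclr*-renamed files and measures the entropy of the encrypted head and of the region after it. The 0x80000-byte head and 128-byte footer are the figures this page gives; the extension regex, the 64 KiB tail sample, the 7.0-bit cut-off and the usage paths are assumptions.

```powershell
# Added example (not from the original page): enumerates eclr*-renamed files and
# measures whether the region after the encrypted head still looks like plaintext.
# The 0x80000-byte head and 128-byte footer are the figures given on this page;
# the extension regex, the 64 KiB tail sample and the 7.0-bit cut-off are assumptions.

$HeadSize   = 0x80000                     # 512 KiB encrypted region
$FooterSize = 128                         # appended footer
$EclrRegex  = '\.eclr[A-Za-z0-9_!]*$'     # .eclr, .eclrR5v, .eclr!, .eclr_locked ...
$TailSample = 65536                       # bytes of tail to sample (avoid reading multi-GB files)

function Get-ByteEntropy {
    # Shannon entropy in bits per byte: ~8.0 for ciphertext, lower for most uncompressed data
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [math]::Log($p, 2) }
    }
    [math]::Round($h, 3)
}

function Read-FileBytes {
    # Reads $Count bytes at $Offset; shares ReadWrite so a file the encryptor still holds can be read
    param([string]$Path, [long]$Offset, [int]$Count)
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $fs.Position = $Offset
        $buf = New-Object byte[] $Count
        $n = $fs.Read($buf, 0, $Count)
        if ($n -lt $Count) { [Array]::Resize([ref]$buf, $n) }
        $buf
    } finally { $fs.Dispose() }
}

function Test-EclrFile {
    # One row per file: does the documented layout hold, and how many bytes were never touched?
    param([System.IO.FileInfo]$File)
    $len     = $File.Length
    $tailLen = [math]::Max(0, $len - $HeadSize - $FooterSize)
    $headLen = [int][math]::Min($HeadSize, [math]::Max(0, $len - $FooterSize))
    $headEnt = if ($headLen -gt 0) { Get-ByteEntropy (Read-FileBytes $File.FullName 0 $headLen) } else { $null }
    $tailEnt = if ($tailLen -gt 0) { Get-ByteEntropy (Read-FileBytes $File.FullName $HeadSize ([int][math]::Min($TailSample, $tailLen))) } else { $null }
    [pscustomobject]@{
        Path            = $File.FullName
        SizeBytes       = $len
        HeadEntropy     = $headEnt        # expect ~8.0 if the head really is ciphertext
        TailEntropy     = $tailEnt        # < 7.0 confirms a plaintext tail for uncompressed formats
        UntouchedBytes  = $tailLen
        TailLooksRandom = ($tailLen -gt 0 -and $tailEnt -ge 7.0)   # compressed format, or a variant that encrypts more than 0x80000 bytes
    }
}

function Find-EclrFiles {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $EclrRegex -and $_.Name -notlike '*README_TO_RESTORE*' } |
        ForEach-Object { Test-EclrFile $_ }
}

function Export-UntouchedTail {
    # Writes the untouched region to <file>.tail for header-transplant attempts; the footer is skipped
    param([string]$Path)
    $tailLen = (Get-Item $Path).Length - $HeadSize - $FooterSize
    if ($tailLen -le 0) { return $null }
    $out = "$Path.tail"
    $in  = [System.IO.File]::OpenRead($Path)
    $dst = [System.IO.File]::Create($out)
    try {
        $in.Position = $HeadSize
        $buf = New-Object byte[] 1MB
        $remaining = $tailLen
        while ($remaining -gt 0) {
            $n = $in.Read($buf, 0, [int][math]::Min($buf.Length, $remaining))
            if ($n -le 0) { break }
            $dst.Write($buf, 0, $n)
            $remaining -= $n
        }
    } finally { $in.Dispose(); $dst.Dispose() }
    $out
}

# Usage (paths are assumptions):
# Find-EclrFiles -Root 'D:\Data' | Format-Table Path, SizeBytes, HeadEntropy, TailEntropy, UntouchedBytes
# Export-UntouchedTail -Path 'D:\Data\report.xlsx.eclrR5v'
```

Read TailLooksRandom with the file type in mind: JPEG, ZIP-based Office formats and video are high-entropy even when intact, so for those only UntouchedBytes matters. A high tail entropy on a text, CSV or uncompressed database file, on the other hand, means the sample in front of you encrypts more than the 0x80000 bytes described here, and the carving estimate above no longer applies.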

Essential tools/patches:

  • Latest Windows cumulative update.
  • Confluence upgraded to a version that includes the CVE-2022-26134 fix (Atlassian Security Advisory; LTS 7.19.8 / 8.5.3 at the time of writing).
  • Microsoft Visual C++ runtime update (the side-loaded ColorCNV.dll abuses an old 2015 CRT).
  • Exploit Protection settings (EP.xml, applied with Set-ProcessMitigation -PolicyFilePath) from the Microsoft Security Compliance Toolkit baselines.
  • YARA rule for threat hunting (strings from this page; 2-of-3 keeps the rule usable if one string changes in a rebuild):
    rule eclr_ransom_wildcard {
        meta:
            author = "CERT"
        strings:
            $s1 = "-----BEGIN ECLR PUBLIC KEY-----"   // PEM-style header of the embedded public key
            $s2 = "cha20poly"                         // fragment of the ChaCha20-Poly1305 implementation name
            $s3 = "eclr!"                             // extension marker
        condition:
            2 of them
    }

4. Other Critical Information

  • Double extortion: before encrypting, eclr steals data with a built-in “ExPack” stealer (C:\Perflogs\ExPack.exe) that targets FileZilla credentials, Edge/Chrome cookies, and any folder named “finance”, “audit” or “confidential”, then uploads the resulting 7-Zip archive to hxxps://eclr-blog[.]top/upload. A “proof” screenshot is embedded in the ransom note.
  • Ransom note filename: <file>.eclr.README_TO_RESTORE.txt (dropped into every directory; identical content).
  • TOR chat panel: hxxp://eclr7vy7p4647bke2fpb7xzr66onbzqk6tfnq6lrlyf2xbvqkocka6yd.onion
  • Unit42 observed a Go variant in October 2023 that encrypts Windows and ESXi hosts (eclr.vmware.exe). Same keying scheme; it appends “.eclr_vm” to -flat.vmdk files.
  • Unique mutex: eclrRansom_2023_Mutexd – usable as a vaccine (create and hold the mutex from a benign process that stays running; the malware exits when it finds the mutex already taken). The name is per-build, so a rebuilt sample may change it.
  • Because the builder is sold privately, ransom demands differ per affiliate; seen ranges: 1.8 – 6.2 BTC (≈ $55 k – $260 k).
  • No evidence of supply-chain attacks, but one MSP breach led to 42 downstream customers being encrypted within 32 minutes, showing how fast deployment is once an attacker holds MSP tooling.
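The mutex vaccine mentioned above, as an added example that is not part of this page or of any vendor tool. The mutex name is the one the page reports; the Global\ prefix is an assumption (it makes the object visible across sessions, and creating it needs the SeCreateGlobalPrivilege that administrators and SYSTEM hold, so run this elevated or as a SYSTEM scheduled task). If the sample creates a session-local mutex, use the bare name instead.

```powershell
# Added example (not from the original page): holds the mutex this page names so a
# sample that checks for it refuses to run. Protection lasts only while this process
# is alive, so schedule it at startup. The Global\ prefix is an assumption.

$MutexName = 'Global\eclrRansom_2023_Mutexd'

function Start-EclrVaccine {
    param([string]$Name = $MutexName)
    $createdNew = $false
    # initiallyOwned=$true: we take ownership immediately; $createdNew tells us whether it already existed
    $mutex = New-Object System.Threading.Mutex($true, $Name, [ref]$createdNew)
    if (-not $createdNew) {
        # Someone already holds it: another vaccine instance, or the malware itself. Treat as a detection.
        $mutex.Dispose()
        return [pscustomobject]@{ Name = $Name; Held = $false; Handle = $null; Note = 'mutex already exists; identify the owner' }
    }
    [pscustomobject]@{ Name = $Name; Held = $true; Handle = $mutex; Note = 'vaccine active' }
}

$vaccine = Start-EclrVaccine
if ($vaccine.Held) {
    Write-Host "Holding $($vaccine.Name); stop this process to release it"
    try { while ($true) { Start-Sleep -Seconds 60 } }
    finally { $vaccine.Handle.ReleaseMutex(); $vaccine.Handle.Dispose() }
} else {
    Write-Warning $vaccine.Note
    # Sysinternals: handle.exe -a eclrRansom_2023_Mutexd  lists the process that owns it
}
```

Two caveats a practitioner should keep in mind: the vaccine only works against builds that perform the check with this exact name, and a sample running as SYSTEM can open a mutex created with the default DACL, so the vaccine cannot be bypassed by privilege alone but can by a rebuild. Treat it as a stopgap next to the controls in the Prevention section, not as a replacement for them.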

Bottom line: eclr* cannot be decrypted without the gang’s private key; concentrate on pre-incident hardening, prompt patching, and tested offline backups. If you already face an active infection, isolate, eradicate, rebuild, and restore – never rely on paying.