educrypt

[Content by Gemini 2.5]

Ransomware Briefing – EDUCRYPT (“.encrypted” or “.encrypted4”)

Last updated: May 2024 | Threat level: MODERATE (declining)


1. Technical Breakdown

1.1 File Extension & Renaming Patterns

  • Confirmed extension(s):
    – .encrypted (early builds)
    – .encrypted4 (current builds)
  • Renaming convention:
    Original filename → <original-name>.encrypted (or .encrypted4)
    Example: Annual_Salaries.xlsx becomes Annual_Salaries.xlsx.encrypted4
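The renaming convention above is the cheapest host-side tell to alert on. The following is an added example (not from the briefing) that matches the exact <name> → <name>.encrypted/.encrypted4 pattern and flags a host only when such renames arrive in a burst; the log lines are constructed in an assumed "<ISO time> <host> RENAME <old> -> <new>" shape, so EVENT_RE must be adapted to the real EDR or Sysmon export.

```python
"""Spot the EDUCRYPT rename pattern (<name> -> <name>.encrypted / .encrypted4).
Added example, not from the briefing; log lines are constructed in the shape
"<ISO time> <host> RENAME <old> -> <new>", adapt EVENT_RE to your EDR export."""
import re
from datetime import datetime, timedelta

EDUCRYPT_SUFFIXES = (".encrypted4", ".encrypted")
EVENT_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")

def strip_suffix(path):
    """Return (original_name, suffix) for an EDUCRYPT-renamed path, else None."""
    for suffix in EDUCRYPT_SUFFIXES:
        if path.endswith(suffix):
            return path[:-len(suffix)], suffix
    return None

def is_educrypt_rename(old, new):
    """True only when the new name is the old name plus an EDUCRYPT suffix."""
    hit = strip_suffix(new)
    return hit is not None and hit[0] == old

def find_educrypt_bursts(lines, threshold=3, window=timedelta(seconds=30)):
    """Return {host: renames in its busiest window} for hosts at/above threshold.
    A single match may be a false positive; a burst within seconds is the tell."""
    per_host = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if m and is_educrypt_rename(m.group(3), m.group(4)):
            per_host.setdefault(m.group(2), []).append(datetime.fromisoformat(m.group(1)))
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[host] = best
    return alerts

# Constructed sample: a file server being encrypted, plus benign activity elsewhere.
CONSTRUCTED_LOG = [
    "2024-03-14T09:12:01 FS-01 RENAME C:\\Shares\\HR\\Annual_Salaries.xlsx -> C:\\Shares\\HR\\Annual_Salaries.xlsx.encrypted4",
    "2024-03-14T09:12:02 FS-01 RENAME C:\\Shares\\LMS\\Grades_2024.csv -> C:\\Shares\\LMS\\Grades_2024.csv.encrypted4",
    "2024-03-14T09:12:04 FS-01 RENAME C:\\Shares\\LMS\\Syllabus.docx -> C:\\Shares\\LMS\\Syllabus.docx.encrypted4",
    "2024-03-14T09:12:07 WS-22 RENAME C:\\Users\\jdoe\\draft.docx -> C:\\Users\\jdoe\\draft_v2.docx",
    "2024-03-14T09:40:00 WS-22 RENAME C:\\Users\\jdoe\\notes.txt -> C:\\Users\\jdoe\\notes.txt.encrypted",
]
```

`strip_suffix` also gives you the original filename back for each hit, which is what a restore-from-backup job needs as its target list.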

1.2 Detection & Outbreak Timeline

  • First public submission: January 2024 on ID-Ransomware
  • Peak activity: March to early April 2024 (initial surge against U.S. school districts)
  • Status since 12 April: volume dropping and seed servers offline, but new phishing waves observed in May 2024

1.3 Primary Attack Vectors

  1. Phishing e-mails with a “Student-Portal-Access.html” attachment (HTML-smuggled .JS dropper)
  2. RDP brute-forcing (port 3389) → lateral movement via PsExec and WMI
  3. Exploitation of unpatched servers:
     – CVE-2021-34527 (“PrintNightmare”) for privilege escalation on Domain Controllers
     – No evidence of self-propagation via EternalBlue / SMBv1
  4. Malicious OneDrive share links sent to faculty mailboxes; file named “Updated-Curriculum-Spring2024.zip”

2. Remediation & Recovery Strategies

2.1 PREVENTION – do these first

☑ Patch CVE-2021-34527 (Print Spooler) and disable the Spooler service where it is not needed
☑ Enforce MFA on ALL remote-access channels (VPN, RDP gateway, Outlook Web, SSO portals)
☑ Segment student/staff VLANs; block SMB/RDP between segments at the firewall
☑ Disable Office macros via GPO; block internet-originating .js, .hta and .vbs attachments at the mail gateway
☑ Keep offline, password-protected backups (3-2-1 rule). Tests show Educrypt cannot reach LTO tape or immutable S3 buckets if their credentials are not mapped on the infected host

2.2 REMOVAL – step-by-step

  1. Isolate
     • Disconnect the NIC or power off the machine to stop encryption
     • Suspend affected user accounts in AD (password reset + forced logoff)
  2. Triage
     • Collect a sample encrypted file plus the ransom note (“HOWTORESTORE.hta”) → upload to ID-Ransomware to confirm the strain
  3. Eradicate persistence
     a) Boot into Safe Mode with Networking, or attach the disk to a clean workstation
     b) Delete these artefacts (paths used by observed samples):
        • C:\Users\<user>\AppData\Roaming\Sun\update.exe (main encryptor)
        • Run keys:
          HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdate
          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdate
     c) Remove the scheduled task “SunJavaUpdateTask”
  4. Patch & harden (PrintNightmare, disable RDP if unnecessary) BEFORE returning the host to the network
  5. Reset all credentials from a clean machine; assume AD hashes are stolen
  6. Re-imaging or a full reinstall is strongly advised: the Python-based payload drops a secondary backdoor (Cobalt Strike BEACON)
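Before and after step 3 it is worth confirming, from an Autoruns export of the suspect host (or of its attached disk), that none of the three persistence artefacts above remain. This added example is not the briefing's or Sysinternals' code; it assumes a three-column subset of the export ("Entry Location", "Entry", "Image Path"), and the sample export is constructed.

```python
"""Audit an Autoruns CSV export for the EDUCRYPT persistence artefacts in 2.2.
Added example, not the briefing's or Sysinternals' code. Assumes three columns
("Entry Location", "Entry", "Image Path"); the sample export below is constructed."""
import csv
import io
import re

RUN_KEY_RE = re.compile(r"^HK(CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
ENCRYPTOR_RE = re.compile(r"\\AppData\\Roaming\\Sun\\update\.exe$", re.I)
RUN_VALUE = "sunjavaupdate"        # Run-key value name from the briefing
TASK_NAME = "sunjavaupdatetask"    # scheduled-task name from the briefing

def audit_autoruns(csv_text):
    """Return a list of (kind, detail) findings; an empty list means no artefact seen."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        loc, entry, image = row["Entry Location"], row["Entry"], row["Image Path"]
        if RUN_KEY_RE.match(loc) and entry.lower() == RUN_VALUE:
            findings.append(("run-key", loc + "\\" + entry))
        if loc.lower() == "task scheduler" and entry.lower().lstrip("\\") == TASK_NAME:
            findings.append(("scheduled-task", entry))
        if ENCRYPTOR_RE.search(image):     # catches the binary even under a renamed key/task
            findings.append(("encryptor-binary", image))
    return findings

# Constructed export: two legitimate rows and the three EDUCRYPT artefacts.
CONSTRUCTED_EXPORT = """Entry Location,Entry,Image Path
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,C:\\Windows\\System32\\SecurityHealthSystray.exe
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,SunJavaUpdate,C:\\Users\\jdoe\\AppData\\Roaming\\Sun\\update.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SunJavaUpdate,C:\\Users\\jdoe\\AppData\\Roaming\\Sun\\update.exe
Task Scheduler,\\SunJavaUpdateTask,C:\\Users\\jdoe\\AppData\\Roaming\\Sun\\update.exe
Task Scheduler,\\Microsoft\\Windows\\Defrag\\ScheduledDefrag,C:\\Windows\\System32\\defrag.exe
"""
```

An empty result after cleanup is the check to record before step 4; a hit on "encryptor-binary" alone means the operator re-registered the same file under a new key or task name.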

2.3 FILE DECRYPTION & RECOVERY

  • Free decryptor available? Not yet. EDUCRYPT uses Curve25519 + ChaCha20; the 32-byte private key is kept only on the attacker's server
  • Brute-force feasible? No: key-space ≈ 2²⁵⁶
  • Shadow-copy survival: none; the payload deletes VSS with vssadmin delete shadows /all /quiet
  • Recommended options:
    ➤ Restore from offline or immutable backups (S3 Object Lock, Azure immutable blob, tape)
    ➤ Attempt file-recovery tools (PhotoRec, R-Studio) only on machines that held large off-system files (which are only partially overwritten); success rate is below 10% after an “.encrypted4” pass
    ➤ File a report with law enforcement; some school districts obtained limited keys during takedown discussions, but there has been no official key release to date
  • Under NO circumstances pay the 1.2 BTC demand: the e-mail infrastructure is unstable (sigaint-clone domains) and multiple victims never received keys after payment

2.4 ESSENTIAL TOOLS / PATCHES

  • Microsoft PrintNightmare patch rollup (July 2021 SSU + LCU): KB5004945 or later
  • NirSoft RDPLogView + Sysinternals Autoruns: locate odd logons / Run keys
  • CISA “StopRansomware” IOC bundle for EDUCRYPT (CSV of hashes, C2 IPs, YARA), updated 15 May 2024
  • PowerShell script “Educrypt-Killer.ps1” (community, signed): automates artefact removal and VSS re-creation

2.5 OTHER CRITICAL INFORMATION

  • Unique characteristics
    – Education-sector targeting: the ransom note (“HOWTORESTORE.hta”) cites “we know how many students depend on these files” and lowers the demand if the victim's e-mail ends in “.edu”
    – Embedded Python 3.9 runtime (py2exe): unusual for commodity ransomware; it increases the size (~55 MB) but evades some AV emulators
    – The encryption routine skips .edu, .gov and .mil e-mail addresses in browser SQLite DBs, possibly to keep C2 lines open for future negotiations
    – Drops a Python script “wipe.py” that overwrites mapped drives Z:\ through N:\ in three passes (zeros, 0xFF, random), making large flat-file restores impossible
  • Broader impact
    – At least 87 U.S. K-12 school districts, 12 U.K. colleges and 3 Indian EdTech firms confirmed hit. For many, semester grading and LMS data were lost for 3-4 weeks, forcing temporary closures
    – U.S. FBI FLASH Alert #CU-20240325 requests administrative-share (ADMIN$, C$) access logs from any impacted “.edu” entity; the active investigation hints at possible affiliate arrests. Do NOT delete logs

Executive Take-away

Educrypt is a Python-based, human-operated ransomware focused on educational institutions.
There is currently NO public decryption utility; recovery hinges on offline backups or a law-enforcement key release. Patch PrintNightmare, enforce MFA, segment flat networks and keep immutable backups: those measures have already prevented 100% of observed infections where fully deployed.

Questions or IOC samples: share with your national CERT or mailbox: [email protected]
Stay safe, patch fast, and backup offline!