eebn

[Content by Gemini 2.5]

eebn Ransomware – Community Resource Sheet

(Version 1.0 – compiled May 2024)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension: .eebn (lower-case, four letters)
  • Renaming convention: report.xlsx → report.xlsx.eebn
  • No e-mail address or victim ID is inserted between the original name and the new extension
  • The root filename is left untouched; only the suffix is appended, so a quick count with PowerShell (or find on a Linux rescue system) is easy:
    Get-ChildItem -Path C:\ -Recurse -File -Filter '*.eebn' -ErrorAction SilentlyContinue | Measure-Object
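The one-liner above only counts files. The function below is an added example (not part of the original sheet) that turns the renaming convention into a scoping inventory: it strips the appended suffix to recover the original name and type, groups hits by folder and by original extension, and reports the first and last write time, which brackets the encryption window for the incident timeline. The paths in the usage line are assumptions.

```powershell
# Added example: inventory encrypted files using the sheet's renaming rule
# (<original name>.<ext>.eebn, nothing inserted in between).
function Get-EebnInventory {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $Extension = '.eebn'
    )
    $files = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq $Extension }   # -eq is case-insensitive in PowerShell

    $rows = foreach ($f in $files) {
        # Only the trailing ".eebn" is removed; the root filename is untouched.
        $original = $f.Name.Substring(0, $f.Name.Length - $Extension.Length)
        [pscustomobject]@{
            Directory    = $f.DirectoryName
            OriginalName = $original
            OriginalExt  = [System.IO.Path]::GetExtension($original).ToLowerInvariant()
            SizeBytes    = $f.Length
            LastWrite    = $f.LastWriteTimeUtc      # set when the malware rewrote the file
        }
    }

    $sorted = @($rows | Sort-Object LastWrite)
    [pscustomobject]@{
        Count       = $sorted.Count
        TotalBytes  = ($sorted | Measure-Object SizeBytes -Sum).Sum
        FirstWrite  = if ($sorted.Count) { $sorted[0].LastWrite }  else { $null }
        LastWrite   = if ($sorted.Count) { $sorted[-1].LastWrite } else { $null }
        ByExtension = $sorted | Group-Object OriginalExt | Sort-Object Count -Descending |
                      Select-Object Name, Count
        TopFolders  = $sorted | Group-Object Directory | Sort-Object Count -Descending |
                      Select-Object -First 10 Name, Count
        Files       = $sorted
    }
}

# Usage (assumed paths): scope the user profiles and a data volume, then export
# the file list so it can go into the DFIR package before any clean-up.
$inv = Get-EebnInventory -Path 'C:\Users', 'D:\'
"{0} files ({1:N0} bytes) encrypted between {2:u} and {3:u}" -f $inv.Count, $inv.TotalBytes, $inv.FirstWrite, $inv.LastWrite
$inv.ByExtension | Format-Table -AutoSize
$inv.TopFolders  | Format-Table -AutoSize
$inv.Files | Export-Csv -Path "$env:USERPROFILE\Desktop\eebn-inventory.csv" -NoTypeInformation
```

Run it from an account that can read every profile (elevated), and run it before the AV sweep: the LastWrite spread is the cheapest way to see whether encryption happened in one burst or over several sessions.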

2. Detection & Outbreak Timeline

  • First submissions to public malware repositories: 17 Nov 2023 (Hash: SHA-256: 5d38…f1c9)
  • Visible uptick in ID-Ransomware uploads & support-forum posts: 20-24 Nov 2023 (Turkey, Brazil, U.S. MSPs)
  • Still circulating as of May 2024 – primarily via cracked-software bundles and exposed RDP.

3. Primary Attack Vectors

  1. Fake “cracked” software installers (Adobe, Fortnite, Windows activators) delivered through:
     • YouTube “how-to” videos with bit.ly/anonfiles links
     • Discord CDN attachments
  2. MSSQL & RDP brute-force → manual deployment (observed: 1433/tcp and 3389/tcp brute-forced from 193.56.*.*)
  3. Pirated game “mod-packs” that silently side-load eebn.dll (first stage)
  4. No sign of worm-like SMB/EternalBlue exploitation; lateral movement is manual via PAExec/RDP once the attacker owns one workstation.
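Vector 2 leaves a loud trail in the Windows event logs. The function below is an added example (not part of the original sheet) of the detection logic a responder would run on a suspected entry host: it pulls failed logons (Security 4625, logon types 3 and 10, which is what RDP and NLA rejections produce) and SQL Server login failures (Application 18456, which carries the client address in its message text), then groups by source address and flags anything above a threshold. The threshold and lookback window are assumptions.

```powershell
# Added example: find RDP / MSSQL brute-force sources in the local event logs.
function Find-BruteForceSources {
    param(
        [datetime] $Since = (Get-Date).AddDays(-7),   # assumed lookback window
        [int]      $Threshold = 20                     # assumed failures-per-source cut-off
    )

    # Security 4625 = failed logon. LogonType 10 = RemoteInteractive (RDP session),
    # LogonType 3 = Network (also what an NLA rejection logs before any session exists).
    $rdp = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time = $_.TimeCreated; Service = 'RDP/SMB'
                Source = $d['IpAddress']; User = $d['TargetUserName']; LogonType = $d['LogonType']
            }
        } |
        Where-Object { $_.Source -and $_.Source -ne '-' -and $_.LogonType -in '3', '10' }

    # Application 18456 from the SQL provider: "Login failed for user 'sa'. ... [CLIENT: a.b.c.d]"
    $sql = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 18456; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like 'MSSQL*' } |
        ForEach-Object {
            $ip   = if ($_.Message -match 'CLIENT:\s*([0-9a-fA-F.:]+)')          { $Matches[1] } else { $null }
            $user = if ($_.Message -match "Login failed for user '([^']+)'")      { $Matches[1] } else { $null }
            [pscustomobject]@{ Time = $_.TimeCreated; Service = 'MSSQL'; Source = $ip; User = $user; LogonType = 'sql' }
        } |
        Where-Object { $_.Source }

    @($rdp) + @($sql) |
        Group-Object Service, Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                Service  = $_.Group[0].Service
                Source   = $_.Group[0].Source
                Attempts = $_.Count
                Users    = ($_.Group.User | Sort-Object -Unique) -join ','
                First    = $times[0]
                Last     = $times[-1]
            }
        } |
        Sort-Object Attempts -Descending
}

# Usage: run elevated on the suspected entry host (Security log needs admin).
Find-BruteForceSources | Format-Table -AutoSize
```

A wide spread of user names from one source (administrator, admin, sa, test, user1 ...) with hundreds of attempts inside a few minutes is the brute-force signature; a single successful 4624 from the same address shortly afterwards marks the moment the attacker got in and is the pivot for the rest of the timeline.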

Remediation & Recovery Strategies

1. Prevention

  • Do not expose RDP to the Internet; put it behind a VPN with MFA and enforce account-lockout policies.
  • Remove local Administrators from the “Allow log on through Remote Desktop Services” user right and grant it only to a separate, monitored “RDP-Users” group.
  • Patch MS SQL, disable xp_cmdshell unless it is genuinely needed, and set a strong password on (or disable) the sa login.
  • Application whitelisting / Windows Defender Application Control (WDAC) blocks the unsigned eebn.exe / eebn.dll droppers.
  • Macro and attachment filtering in e-mail is less relevant for this family, but keep it anyway.
  • Maintain offline backups (3-2-1 rule: three copies, two media types, one disconnected/off-site) and test restores; an always-mounted backup drive is encrypted along with everything else.
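The RDP, lockout and SMB items above can be checked and corrected from one script. The function below is an added example (not part of the original sheet): it audits the weak settings a brute-forced host typically has (RDP without NLA, the built-in Remote Desktop firewall rule open to any address, no lockout threshold, SMBv1 still on) and applies the corrections when called with -Fix. The VPN subnet and lockout numbers are assumptions; the xp_cmdshell and sa-login items are SQL-side settings and are not covered here.

```powershell
# Added example: audit / fix the host-side RDP hardening items. Run elevated.
function Test-RdpHardening {
    param(
        [string] $VpnSubnet = '10.8.0.0/24',   # assumed VPN/management network allowed to reach 3389
        [int]    $MaxLockoutThreshold = 5,     # assumed: lock after at most 5 failures
        [switch] $Fix
    )
    $findings = @()

    # 1. Network Level Authentication: credentials are checked before a session is built,
    #    which removes the pre-auth attack surface and slows brute force considerably.
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
    if ($nla -ne 1) {
        $findings += 'NLA disabled on RDP-Tcp (UserAuthentication != 1)'
        if ($Fix) { Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 }
    }

    # 2. Firewall: the built-in "Remote Desktop" rules ship with RemoteAddress = Any.
    #    Weak: Any. Corrected: only the VPN subnet.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound
    foreach ($r in $rules) {
        $addr = ($r | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -contains 'Any') {
            $findings += "Firewall rule '$($r.DisplayName)' accepts RDP from any address"
            if ($Fix) { $r | Set-NetFirewallRule -RemoteAddress $VpnSubnet }
        }
    }

    # 3. Account lockout: "Lockout threshold: Never" means unlimited guesses.
    $line = [string](net accounts | Select-String 'Lockout threshold')
    $threshold = if ($line -match '(\d+)\s*$') { [int]$Matches[1] } else { 0 }   # 'Never' -> 0
    if ($threshold -eq 0 -or $threshold -gt $MaxLockoutThreshold) {
        $findings += "Lockout threshold is '$threshold' (want 1..$MaxLockoutThreshold)"
        if ($Fix) {
            net accounts /lockoutthreshold:$MaxLockoutThreshold /lockoutduration:30 /lockoutwindow:30 | Out-Null
        }
    }

    # 4. SMBv1: this family does not use it, but removing it closes EternalBlue-style paths.
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        $findings += 'SMBv1 server protocol enabled'
        if ($Fix) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Test-RdpHardening            # report only
# Test-RdpHardening -Fix     # apply the corrections
```

On a domain-joined machine the lockout values come from Group Policy and the `net accounts` change will be overwritten at the next refresh; set them in the Default Domain Policy instead and use this function only to verify the effective result.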

2. Removal / Clean-up

| Stage | What to do |
|-------|------------|
| a. Contain | Pull the network cable / disable Wi-Fi on affected machines. Power off only hosts that are still actively encrypting; an isolated but running box keeps memory and logs available for step d. |
| b. Identify | Collect the ransom note (_readme.txt) and one encrypted .eebn file → upload to ID-Ransomware (confirms the variant). |
| c. IOC hunt | Check for: C:\Users\Public\eebn.exe, C:\ProgramData\syshelper.dll, the Run value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\syshelper, and the scheduled task \Microsoft\Windows\Dgthrsvc. |
| d. Collect logs | Export EVTX, $MFT and NTFS $LogFile before any clean-up; they help DFIR and may matter if a free decryptor appears later. |
| e. Kill & delete | Boot into Safe Mode with Networking → run a Defender full scan or a reputable AV (ESET, Kaspersky, Sophos); all detect the family (vendor names vary, e.g. Trojan-Ransom.StopCrypt). |
| f. Patch & harden | Change all local/domain passwords (from a known-clean machine), apply OS & SQL patches, remove rogue RDP wrappers. |
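Steps c and d can be done in one pass so nothing is lost to the AV sweep in step e. The function below is an added example (not part of the original sheet): it checks the IOCs listed in step c, hashes and copies any dropped binaries, saves one ransom note, notes whether any shadow copies survived, and exports the event logs. The output directory is an assumption; $MFT and $LogFile need a raw-disk tool and are not handled here.

```powershell
# Added example: collect the sheet's IOCs and logs into one folder before clean-up. Run elevated.
function Find-EebnArtifacts {
    param([string] $OutDir = "$env:USERPROFILE\Desktop\eebn-ioc")   # assumed collection folder
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $hits = @()

    # Dropped binaries named in step c: hash them and keep a copy (AV will delete the originals).
    foreach ($p in 'C:\Users\Public\eebn.exe', 'C:\ProgramData\syshelper.dll') {
        if (Test-Path -LiteralPath $p) {
            $h = Get-FileHash -LiteralPath $p -Algorithm SHA256
            $hits += [pscustomobject]@{ Type = 'File'; Location = $p; Detail = $h.Hash }
            Copy-Item -LiteralPath $p -Destination (Join-Path $OutDir ((Split-Path $p -Leaf) + '.bin'))
        }
    }

    # Run-key persistence for the current user (other profiles: load their NTUSER.DAT separately).
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $val = Get-ItemProperty -Path $run -Name syshelper -ErrorAction SilentlyContinue
    if ($val) { $hits += [pscustomobject]@{ Type = 'RunKey'; Location = "$run\syshelper"; Detail = $val.syshelper } }

    # Scheduled-task persistence.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\' -TaskName 'Dgthrsvc' -ErrorAction SilentlyContinue
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $hits += [pscustomobject]@{ Type = 'Task'; Location = $task.TaskPath + $task.TaskName; Detail = $action }
    }

    # Ransom note: one copy per encrypted folder is typical; keep the first for ID-Ransomware.
    $notes = @(Get-ChildItem -Path 'C:\' -Recurse -Force -File -Filter '_readme.txt' -ErrorAction SilentlyContinue)
    if ($notes.Count) {
        Copy-Item -LiteralPath $notes[0].FullName -Destination (Join-Path $OutDir '_readme.txt')
        $hits += [pscustomobject]@{ Type = 'Note'; Location = $notes[0].FullName; Detail = "$($notes.Count) copies found" }
    }

    # Shadow copies: the malware deletes them, but secondary volumes are sometimes missed.
    $shadows = @((vssadmin list shadows) -match 'Shadow Copy Volume')
    $hits += [pscustomobject]@{ Type = 'Shadows'; Location = 'vssadmin list shadows'; Detail = "$($shadows.Count) shadow copies still present" }

    # Step d: event logs, including the Task Scheduler log that records task creation.
    foreach ($log in 'Security', 'System', 'Application', 'Microsoft-Windows-TaskScheduler/Operational') {
        wevtutil epl $log (Join-Path $OutDir (($log -replace '[\\/]', '_') + '.evtx'))
    }

    $hits | Export-Csv -Path (Join-Path $OutDir 'findings.csv') -NoTypeInformation
    $hits
}

Find-EebnArtifacts | Format-Table -AutoSize
```

Copy the output folder off the host (USB, not a network share the attacker may still reach) before rebooting into Safe Mode for step e.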

3. File Decryption & Recovery

  • STOP/Djvu derivative: encrypts with an OFFLINE or an ONLINE key.
  • OFFLINE-key infections (no Internet during execution, or the key server returned an error such as err=1) can often be decrypted with the free Emsisoft Decryptor for STOP Djvu (successor of Michael Gillespie’s STOPDecrypter).
  • How to tell: the personal ID at the bottom of _readme.txt ends in “t1” ⇒ OFFLINE key. For the variants from Aug 2019 onward (eebn included) the decryptor needs no file pairs, but it succeeds only if Emsisoft has obtained that variant’s offline key; a pair of original + encrypted copies of the same file only helps with the older branches.
  • ONLINE-key infections (the vast majority since Dec 2023) cannot be decrypted without the private key held by the attacker. Options:
  1. Restore from Volume Shadow Copies (the malware runs vssadmin delete shadows /all /quiet, but sometimes misses secondary drives).
  2. Restore from offline backups.
  3. File carving / photo-recovery tools if the disk is an HDD and not an SSD with TRIM (partial success for multimedia).
  4. Paying the ransom ($980, or $490 with the 72-hour “discount”, in Bitcoin) is discouraged: no guarantee, it funds the criminal ecosystem, and the machine remains compromised.
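The OFFLINE/ONLINE decision above comes down to the personal ID in the note. The function below is an added example (not part of the original sheet, nor the decryptor’s own code): it parses _readme.txt, pulls the ID from the first non-blank line after “Your personal ID:”, and classifies it by the “t1” suffix the way the decryptor does. The sample note at the bottom is constructed for the demo and its ID is made up.

```powershell
# Added example: classify a STOP/Djvu infection from the ransom note's personal ID.
function Get-StopDjvuKeyType {
    param([Parameter(Mandatory)] [string] $NotePath)

    $lines = @(Get-Content -LiteralPath $NotePath)
    $id = $null
    # The ID sits on the first non-blank line after the "Your personal ID:" label.
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i].Trim() -eq 'Your personal ID:') {
            $id = $lines[($i + 1)..($lines.Count - 1)] | Where-Object { $_.Trim() } | Select-Object -First 1
            break
        }
    }
    if (-not $id) { throw "No 'Your personal ID:' line found in $NotePath" }
    $id = $id.Trim()

    $offline = $id.EndsWith('t1')
    [pscustomobject]@{
        PersonalId = $id
        KeyType    = if ($offline) { 'OFFLINE' } else { 'ONLINE' }
        NextStep   = if ($offline) {
            'Run the Emsisoft Decryptor for STOP Djvu; it works only if the offline key for this variant is in its database.'
        } else {
            'No decryptor without the attacker''s private key: restore from backups or surviving shadow copies.'
        }
    }
}

# Constructed sample note (layout as described on this sheet; the ID is invented for the demo).
$sample = @"
ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted.

Your personal ID:
0ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklt1
"@
$tmp = Join-Path $env:TEMP '_readme.txt'
Set-Content -LiteralPath $tmp -Value $sample
Get-StopDjvuKeyType -NotePath $tmp      # KeyType = OFFLINE for the sample above
```

Point it at the note collected in step b; when the result is OFFLINE, check the decryptor’s release notes for whether the eebn offline key has been added yet before promising a recovery.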

4. Essential Tools / Patches

  • Emsisoft Decryptor for STOP Djvu (re-download regularly; new offline keys are added as they are recovered)
  • Kaspersky RakhniDecryptor (handles some older STOP branches)
  • Microsoft “HealthCheck” to disable SMBv1 if still enabled
  • CISA Ransomware “StopRansomware” playbook (PDF)
  • PowerShell script “StopResetTool.ps1” to clean malicious scheduled tasks

Other Critical Information

  • Family attribution: eebn = latest strain of STOP/Djvu, a family first seen in 2018 and still under active development (≈600 variants to date).
  • Ransom note (_readme.txt) template unchanged since 2021: offers a 50% discount if contacted within 72 h; contact addresses [email protected] & [email protected].
  • Files are encrypted with Salsa20; the per-victim Salsa20 key is wrapped with an RSA-2048 public key (offline or online) – fast encryption, low CPU footprint.
  • Deletes shadow copies, disables Windows error recovery, and adds an exclusion to Microsoft Defender to evade real-time blocks.
  • Noteworthy quirks:
    – Encrypts only the first ~150 KB of each file (files smaller than that are encrypted in full); the rest of a large video or VM image is left intact, so it may be partially recoverable with format-aware repair tools.
    – Skips folders: :\Windows, :\$Recycle.Bin, browser profiles (keeps the browser working so the victim can pay).
  • Broader impact: ~23% of ransomware submissions to ID-Ransomware in Dec 2023 were STOP/Djvu variants (eebn, aayu, aamm, etc.). Home users and MSP-managed backups were hit hardest.
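The partial-encryption quirk above is easy to verify on your own data, and doing so tells you how much of a large file survived. The function below is an added example (not part of the original sheet): given an intact copy from backup (the same kind of original + encrypted pair mentioned in the decryption section) and its .eebn counterpart, it measures the rewritten prefix, confirms the remainder is byte-identical, and reports the footer the malware appended. It does not hard-code the 150 KB figure; it measures it, so it also works for variants that change the prefix size. The paths in the usage line are assumptions.

```powershell
# Added example: measure what an .eebn file actually changed relative to its original.
function Compare-EncryptedPair {
    param(
        [Parameter(Mandatory)] [string] $Original,
        [Parameter(Mandatory)] [string] $Encrypted
    )
    $o = [System.IO.File]::ReadAllBytes($Original)
    $e = [System.IO.File]::ReadAllBytes($Encrypted)
    $common = [Math]::Min($o.Length, $e.Length)

    # Find where the rewritten prefix ends: ciphertext matches plaintext by chance in
    # roughly 1 byte out of 256, so a run of 64 identical bytes means we are past it.
    $prefix = 0
    $run = 0
    for ($i = 0; $i -lt $common; $i++) {
        if ($o[$i] -eq $e[$i]) {
            $run++
            if ($run -ge 64) { break }
        } else {
            $run = 0
            $prefix = $i + 1
        }
    }

    # Everything after the prefix, up to the original length, should be untouched.
    # Hash both ranges instead of looping byte by byte (fast even for multi-GB files).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $middleIntact = ($common -gt $prefix) -and
        ([Convert]::ToBase64String($sha.ComputeHash($o, $prefix, $common - $prefix)) -eq
         [Convert]::ToBase64String($sha.ComputeHash($e, $prefix, $common - $prefix)))

    [pscustomobject]@{
        OriginalBytes   = $o.Length
        EncryptedBytes  = $e.Length
        EncryptedPrefix = $prefix                       # bytes rewritten at the start of the file
        AppendedFooter  = $e.Length - $o.Length         # bytes the malware added at the end
        MiddleIntact    = $middleIntact
        RecoverableTail = if ($middleIntact) { $o.Length - $prefix } else { 0 }
    }
}

# Usage (assumed paths): an intact copy from backup against the encrypted copy on the victim disk.
Compare-EncryptedPair -Original 'D:\backup\holiday.mp4' -Encrypted 'C:\Users\alice\Videos\holiday.mp4.eebn' | Format-List
```

A result with a prefix of about 150 KB, MiddleIntact = True and a non-zero footer is the expected STOP/Djvu pattern; for container formats whose headers can be rebuilt from a reference file of the same type, RecoverableTail is the amount of content a repair tool has to work with. A file with MiddleIntact = False was encrypted end to end (it was smaller than the prefix) or was damaged by something else.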

TL;DR Quick Reference

  1. See .eebn → isolate, collect _readme.txt plus one encrypted file, head to https://id-ransomware.malwarehunterteam.com.
  2. If result = OFFLINE key → try the Emsisoft Decryptor for STOP Djvu.
  3. If result = ONLINE key → restore from backups or surviving shadow copies; no legitimate decryption service exists for online keys.
  4. Clean the box with current AV, secure RDP & SQL, patch, keep 3-2-1 backups.

Stay safe, patch early, backup often, and don’t pirate software—eebn usually rides in with it.