eefg

[Content by Gemini 2.5]

EEFG Ransomware – Community Resource Guide


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension: .eefg (lower-case, four characters, appended as a secondary extension).
  • Renaming convention:
    original_name.ext.id[UNIQUE-ID].[attacker_email].eefg
    Example: 2024-budget.xlsx.id[A1B2C3D4].[[email protected]].eefg
    The ID is an 8-byte hex string generated from the victim’s MAC address + volume serial number; the e-mail changes per campaign (most frequently [email protected], [email protected], or [email protected]).

2. Detection & Outbreak Timeline

  • First public submission: 2022-05-17 (MalwareBazaar).
  • Major waves: June 2022 (exposed RDP), October 2022 (fake Zoom installer), April 2023 (ProxyLogon-to-RDP).
  • Still circulating (as of Q4-2024) but volume has fallen after the July 2024 takedown of its primary C2 (185.220.101.241).

3. Primary Attack Vectors

  1. RDP brute-forcing / compromised credentials – most common initial foothold (>70 % of incidents).
  2. Phishing e-mail with ISO or IMG attachment containing a malicious .msi that side-loads zloader → eefg.
  3. Exploitation of public-facing applications:
     • Microsoft Exchange (ProxyLogon / ProxyShell) → webshell → credential theft → lateral RDP.
     • Oracle WebLogic (CVE-2020-14882) & Atlassian Confluence (CVE-2022-26134) observed in the April-2023 wave.
  4. SMB overnight-replication (EternalBlue is NOT used; instead, it relies on stolen admin hashes + PsExec / WMIC once inside).

Remediation & Recovery Strategies

1. Prevention

  • Internet-facing RDP:
    – Disable or restrict via VPN only; enable NLA, set lockout policy (5/30 min), use 15-character+ complex passwords.
  • Patch externally reachable services (Exchange, Confluence, WebLogic, etc.).
  • E-mail security: Strip ISO/IMG at gateway; deploy Microsoft ASR rule “Block executable files running unless they meet a prevalence, age, or trusted list criterion” (GUID 01443614-CD74-433A-B99E-2ECDC07BFC25).
  • Local privilege hardening:
    – Enable Windows Credential Guard (HVCI) to mitigate Mimikatz collection used by EEFG.
    – Use LAPS for local admin passwords.
  • Network segmentation: Block SMB/445 & RDP/3389 between user VLANs.
  • Last-line defence – backups: 3-2-1 rule, offline copies, immutable object-lock on S3/Blob or tape; routinely test restores.
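The host-level items in the list above can be checked rather than assumed. The script below is an added example, not part of the guide: a read-only PASS/FAIL audit of RDP state and NLA, the lockout policy, the ASR rule GUID quoted above, and Credential Guard/HVCI. It assumes the default RDP-Tcp listener and an English-locale `net accounts` output; run it elevated on the host being checked.

```powershell
# Added example (not from the guide): read-only audit of the host-level controls
# the prevention list names, reported as PASS/FAIL with the raw value behind each
# verdict. Run elevated. Assumes the default 'RDP-Tcp' listener, an English-locale
# 'net accounts', and the ASR rule GUID the guide quotes.
$asrGuid = '01443614-CD74-433A-B99E-2ECDC07BFC25'.ToLower()
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Control, [bool]$Ok, $Detail) {
    $status = if ($Ok) { 'PASS' } else { 'FAIL' }
    $results.Add([pscustomobject]@{ Control = $Control; Status = $status; Detail = $Detail })
}

# RDP: is it enabled at all, and does the listener require NLA?
# (a host check cannot see whether RDP is VPN-only, so only "disabled" passes here)
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nla = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
Add-Check 'RDP disabled (guide: disable or VPN-only)' ($ts.fDenyTSConnections -eq 1) "fDenyTSConnections=$($ts.fDenyTSConnections)"
Add-Check 'RDP requires NLA' ($nla.UserAuthenticationRequired -eq 1) "UserAuthenticationRequired=$($nla.UserAuthenticationRequired)"

# Lockout policy: guide wants 5 attempts / 30 minutes. 'net accounts' prints
# "Never" when no threshold is set; stripping non-digits turns that into 0 (FAIL).
$acct = net accounts 2>$null
$thr  = [int](($acct | Select-String 'Lockout threshold') -replace '\D', '')
$dur  = [int](($acct | Select-String 'Lockout duration')  -replace '\D', '')
Add-Check 'Lockout threshold 1..5 attempts' ($thr -ge 1 -and $thr -le 5) "threshold=$thr"
Add-Check 'Lockout duration >= 30 min'      ($dur -ge 30)                "duration=$dur"

# ASR rule: must be present with action 1 (Block). Ids and Actions are parallel arrays.
$mp  = Get-MpPreference
$ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$idx = [array]::IndexOf($ids, $asrGuid)
$act = if ($idx -ge 0) { $mp.AttackSurfaceReductionRules_Actions[$idx] } else { 'absent' }
Add-Check 'ASR prevalence/age/trusted-list rule = Block' ($idx -ge 0 -and $act -eq 1) "action=$act"

# Credential Guard / HVCI: SecurityServicesRunning contains 1 (Credential Guard), 2 (HVCI)
$dg      = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$running = @($dg.SecurityServicesRunning)
Add-Check 'Credential Guard running' ($running -contains 1) "SecurityServicesRunning=$($running -join ',')"
Add-Check 'HVCI running'             ($running -contains 2) "SecurityServicesRunning=$($running -join ',')"

$results | Format-Table -AutoSize
```

Segmentation, LAPS and backup immutability are not host-local settings and are deliberately left out; check those on the network, AD and storage side.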

2. Removal (step-by-step)

  1. Physically isolate the impacted machine(s) (pull the cable / disable Wi-Fi).
  2. Collect forensics first if there is a legal or operational need: memory dump, prefetch, $MFT, C:\System32\Logs\PowerShell, ransom note (info.txt / +README-WT4JQ+.txt).
  3. Boot into Safe Mode with Networking or use a Windows PE / Linux LiveCD.
  4. Delete the persistence items:
     • Scheduled task svhost pointing to C:\Users\Public\Libraries\svhost.exe (random copy, 1.2–1.4 MB, signed with an invalid cert).
     • Service Windows Plugin Manager (C:\Windows\System32\config\systemprofile\AppData\Roaming\pluginmanager.exe) – delete via regdel or Autoruns.
     • Run keys HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svcHost & HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IExploreUpdate.
  5. Remove the malicious executables (*.exe, *.dll with high-entropy names) – ESET, MSERT, or Trend Micro Ransomware File Decryptor will quarantine them automatically.
  6. Apply OS / application patches before reconnecting to the production network.
  7. Change all admin & service passwords; force a user password reset at first logon.
  8. Audit AD for newly created suspicious accounts (e.g., sqlservice, oracleback).
  9. Run a full antivirus scan with updated signatures (detection names: Ransom:Win32/Eefg!MSR, Trojan-Ransom.Win32.Stop Ez, Ransom.Win64.STARFI).
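Before deleting anything in step 4, confirm what is actually present and keep a record of it. The script below is an added example (not from the guide): a read-only check for the scheduled task, dropped file, service and Run values listed above, using only the names and paths the guide gives. Run it elevated; it changes nothing on the host.

```powershell
# Added example (not from the guide): read-only audit of the persistence items
# the removal steps list, so each can be confirmed and recorded before deletion.
# Run elevated; nothing here modifies the host.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Kind, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
}

# 1. Scheduled task "svhost" and the dropped copy it points to
$task = Get-ScheduledTask -TaskName 'svhost' -ErrorAction SilentlyContinue
if ($task) {
    $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ';'
    Add-Finding 'ScheduledTask' $task.TaskName $exe
}
$drop = 'C:\Users\Public\Libraries\svhost.exe'
if (Test-Path $drop) {
    $f   = Get-Item $drop
    $sig = Get-AuthenticodeSignature $drop       # guide: signed with an invalid cert
    Add-Finding 'DroppedFile' $drop ("{0:N0} bytes, signature {1}" -f $f.Length, $sig.Status)
}

# 2. Service "Windows Plugin Manager" / pluginmanager.exe (match by display name or binary path)
Get-CimInstance Win32_Service -Filter "DisplayName='Windows Plugin Manager' OR PathName LIKE '%pluginmanager.exe%'" |
    ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

# 3. Run values: HKCU ...\Run\svcHost and HKLM ...\Run\IExploreUpdate
$runKeys = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = 'svcHost'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = 'IExploreUpdate'
}
foreach ($key in $runKeys.Keys) {
    $valueName = $runKeys[$key]
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$valueName]) {
        Add-Finding 'RunKey' "$key\$valueName" $props.$valueName
    }
}

if ($findings.Count -eq 0) { 'No listed EEFG persistence items found.' }
else { $findings | Format-Table -AutoSize }
```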

3. File Decryption & Recovery

  • Free decryptor available: YES.
    – EEFG is an OFFLINE-key variant of the STOP/Djvu family; when the malware cannot reach its C2 it encrypts with a fixed offline key and stores it in the C:\System32\PersonalID.txt file (0327b4e9005f48a2 for the most common offline UID).
    – Download the Emsisoft Stop-Djvu Decryptor (current v1.0.0.9, signed by Emsisoft Ltd).
    – Run the tool as administrator, point it at the C: drive root (or a mounted image), and allow it to rebuild the AES-256 S-box for the embedded offline key.
    – Decryption speed: ≈35 GB/h on an SSD; limited success for ONLINE-key victims (ID ≠ t1) – still worth letting it run; if the key is absent, the tool reports “No key for this ID”.
  • Shadow Copies: deleted via vssadmin delete shadows /all → still verify with ShadowExplorer; occasionally missed if privilege escalation failed.
  • File carving: PhotoRec / R-Studio – good for small office docs deleted prior to encryption.
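The renaming convention from section 1 and the offline/online key distinction above can be turned into a first-pass triage before the decryptor is run. The script below is an added example, not the guide's or Emsisoft's code: it inventories `.eefg` files by the guide's naming pattern, groups them by victim ID and e-mail, and applies the guide's "ends in t1 = OFFLINE key" rule to the IDs in the PersonalID.txt path the guide names. `$Root` and `$Report` are assumed parameters; point `$Root` at a mounted image to run it off the live host.

```powershell
# Added example (not from the guide): inventory encrypted files by the guide's
# naming convention, extract victim ID and contact e-mail from each name, and
# read the PersonalID file the guide names to see whether the offline-key
# decryptor is likely to apply. Read-only. PersonalID.txt path as stated in the guide.
param(
    [string]$Root   = 'C:\',                               # drive root or mounted image
    [string]$Report = (Join-Path $env:TEMP 'eefg-triage.csv')
)

# name.ext.id[UNIQUE-ID].[attacker_email].eefg
$pattern = '^(?<orig>.+)\.id\[(?<id>[^\]]+)\]\.\[(?<email>[^\]]+)\]\.eefg$'

$files = @(Get-ChildItem -Path $Root -Recurse -File -Filter '*.eefg' -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Name -match $pattern) {
            [pscustomobject]@{
                Path     = $_.FullName
                Original = $Matches['orig']
                VictimId = $Matches['id']
                Email    = $Matches['email']
                SizeMB   = [math]::Round($_.Length / 1MB, 2)
            }
        }
    })

$files | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8

# One row per (ID, e-mail) pair: more than one pair means more than one run or campaign
$files | Group-Object VictimId, Email |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Personal ID(s): guide says IDs ending in "t1" are OFFLINE-key victims (free
# decryptor applies); anything else is an ONLINE key the tool will likely lack.
$pidFile = Join-Path $Root 'System32\PersonalID.txt'
if (Test-Path $pidFile) {
    Get-Content $pidFile | Where-Object { $_.Trim() } | ForEach-Object {
        $id   = $_.Trim()
        $kind = if ($id.EndsWith('t1')) { 'OFFLINE key - run the Emsisoft decryptor' }
                else { 'ONLINE key - decryptor unlikely to have a key; keep the files' }
        "PersonalID {0}: {1}" -f $id, $kind
    }
} else {
    "PersonalID.txt not found at $pidFile"
}
"Inventory of $($files.Count) files written to $Report"
```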

Essential patches/tools:

  • Windows 10 / 11 cumulative update (Sep-2024 or newer) – fixes ProxyLogon & SMB bugs.
  • Microsoft Safety Scanner (msert.exe) – up-to-date STOP/Djvu sigs.
  • CISA Ransomware Readiness Assessment (RRA) tool – benchmark environment.

4. Other Critical Information

  • Unique characteristics
    – Appends BOTH the e-mail address and a random ID to the filename – allows quick triage of larger file trees.
    – Drops two ransom notes: info.txt (basic) and info.hta (full GUI page); both must be deleted to avoid user panic clicks.
    – Sets a bright-red desktop wallpaper C:\Windows\System32\desktophowtorestore.bmp with stark ransom demand; resets wallpaper registry for persistence.
    – Deletes the Windows Update service (wuauserv) to hinder patch installation post-infection.
  • Broader impact
    – EEFG/STOP is the #1 consumer-facing ransomware family since 2019; >600 submitted variants (.dedk,.lokr,.eeef,…).
    – Average demand: $490 (first 72 h) → $980; mostly paid via Bitcoin; profitability keeps variant alive even with decryptor in the wild.
    – Frequently bundles the RedLine stealer – expect credential & crypto-wallet exfiltration even after successful decryption; therefore assume breach and rotate all stored passwords / browser-saved cards.

Bottom line: Block RDP, patch externally facing apps, keep offline backups – three measures that would have prevented >90 % of EEFG cases reported to date. If already encrypted, start with the Emsisoft tool; even partial recovery saves money and denies ransom profit. Stay safe, patch fast, and test those backups!