efji

[Content by Gemini 2.5]


THREAT INTEL BRIEF – Ransomware Family: “EFJI”
(Files encrypted / renamed with the final extension “.efji”)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmed extension: .efji (always lower-case, appended LAST)
  • Typical renaming convention:
    OriginalFileName.ext → OriginalFileName.ext.efji
  • The malware keeps the original file name and simply adds the new suffix.
  • Large files (>150 MB) are only partially encrypted (first/last 12 MB each) to speed-up the job yet still render files unusable.
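To scope an incident, a responder first needs an inventory of what was renamed. The following Python script is an added example (not part of this brief or of any vendor tool): it walks a directory tree, lists every file carrying the .efji suffix, recovers the original name and extension by stripping that suffix, and, using the figures quoted above (files above 150 MB with only their first and last 12 MB encrypted), reports the byte range that should still be intact in large files. The `demo()` function builds a small constructed tree in a temporary directory so the script runs offline; the thresholds and the intact-range arithmetic follow this brief's description and should be checked against the actual sample before relying on them for recovery.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

EFJI_SUFFIX = ".efji"
# Figures as stated in this brief: files above 150 MB have only their first
# and last 12 MB encrypted; everything smaller is encrypted in full.
PARTIAL_THRESHOLD = 150 * 1024 * 1024
PARTIAL_CHUNK = 12 * 1024 * 1024


def original_name(name: str) -> str:
    """Recover the pre-encryption file name by stripping the appended suffix."""
    if name.lower().endswith(EFJI_SUFFIX):
        return name[: -len(EFJI_SUFFIX)]
    return name


def intact_range(size: int):
    """Byte range (start, end) expected to be untouched in a large file,
    per the brief's partial-encryption description; None if fully encrypted."""
    if size <= PARTIAL_THRESHOLD:
        return None
    return (PARTIAL_CHUNK, size - PARTIAL_CHUNK)


def inventory(root: str) -> dict:
    """Walk `root` and summarise every .efji-suffixed file it finds."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(EFJI_SUFFIX):
                continue
            p = Path(dirpath) / f
            size = p.stat().st_size
            orig = original_name(f)
            hits.append({
                "path": str(p),
                "original_name": orig,
                "original_ext": Path(orig).suffix.lower(),
                "size": size,
                "intact_range": intact_range(size),
            })
    by_ext = Counter(h["original_ext"] for h in hits)
    return {"count": len(hits), "by_ext": dict(by_ext), "files": hits}


def demo() -> dict:
    """Build a constructed sample tree in a temp directory and inventory it."""
    tmp = Path(tempfile.mkdtemp(prefix="efji_demo_"))
    (tmp / "docs").mkdir()
    (tmp / "docs" / "report.docx.efji").write_bytes(b"\x00" * 1024)
    (tmp / "docs" / "notes.txt.efji").write_bytes(b"\x00" * 512)
    (tmp / "photo.JPG.efji").write_bytes(b"\x00" * 256)
    (tmp / "untouched.pdf").write_bytes(b"%PDF-1.4")
    (tmp / "_readme.txt").write_bytes(b"ATTENTION!")  # ransom note, not a victim file
    return inventory(str(tmp))


if __name__ == "__main__":
    result = demo()
    print(f"{result['count']} encrypted files; by original extension: {result['by_ext']}")
    for h in result["files"]:
        print(f"  {h['path']} -> {h['original_name']} ({h['size']} bytes)")
```

Point `inventory()` at a mounted forensic copy rather than the live victim disk; the per-extension counts give a quick answer to "what did we lose" before any decryption attempt.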

2. Detection & Outbreak Timeline

  • First publicly reported sightings: ≈ 19 Dec 2020 (campaigns peaking Jan–Feb 2021).
  • Still circulating through “big-game” affiliate clusters as of Q2-2024.

3. Primary Attack Vectors

EFJI belongs to the STOP/Djvu RaaS (Ransomware-as-a-Service) pool—one of the most abused consumer-grade strains.
Recent telemetry shows the following propagation mixes:

| Vector | Details |
|--------|---------|
| a. Bundle/Keygen installer | Masquerades as game cracks, Photoshop/Office keygens, Windows activation tools (“KMS”) delivered via torrent or file-hosting sites. |
| b. Malvertising & fake updaters | Pop-ups pushing “Flash-Player update”, “Chromium patch”, or “Zoom fix” (CF-captcha gate → fake-Update.exe). |
| c. Exploit kits | Very rare now, but RIG/GrandSoft being re-armed with Djvu payloads when web-server-side compromise occurs. |
| d. Supply-chain/P2P | Bundled with pirated game launchers (Minecraft, Fortnite). |
| e. Second-stage dropper | Some samples arrive after downloader trojans (Vidar/Amadey/Fickerstash) that were initially installed by phishing RAR archives containing JS/HTA/LNK. |


REMEDIATION & RECOVERY STRATEGIES

1. Prevention

1) Stop software piracy inside the org. – >70 % EFJI infections trace to running game or Adobe cracks.
2) Control removable media via GPO; autoplay disabled.
3) Application whitelisting (Windows Defender Application Control / AppLocker) – block %LOCALAPPDATA%\Temp\*.exe and %APPDATA%\<random>\<random>.exe – the two standard Djvu drop-points.
4) Patch everything, especially browser and doc-viewers, so malvertising redirects cannot exploit old CVEs.
5) E-Mail filter: mark any archive with double-extension (“.jpg.exe”) AND with password protected ZIP as high-risk.
6) Robust backup regimen: 3-2-1 rule; at least one copy offline (not addressable from the infected PC).
7) Disable Excel 4.0 (XLM) macros in Office; leave “Block Office communication to web” in Attack Surface Reduction rules turned ON.
8) Turn on Tamper Protection for Windows Defender & cloud-delivered protection level “High”.
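As an added example of the mail-filter rule in item 5 (not this brief's own code and not any product's rule syntax), the Python below scores an attachment: it flags deceptive double extensions such as .jpg.exe, reads a ZIP's central directory to see whether any member has the “encrypted” general-purpose flag (bit 0) set, which is how password protection shows up, and rates the attachment high-risk only when both indicators are present. `build_sample_zip()` constructs test archives in memory; for the protected case it merely sets the flag bit rather than applying a real cipher, which is enough to exercise the check.

```python
import io
import struct
import zipfile

# Extensions that run code and commonly hide behind a decoy document/image name
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
# Extensions used as the decoy half of a double extension (".jpg.exe")
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt",
              ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}


def has_double_extension(name: str) -> bool:
    """True for names like invoice.pdf.exe: a decoy extension followed by an executable one."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _stem, decoy, real = parts
    return "." + decoy in DECOY_EXTS and "." + real in EXECUTABLE_EXTS


def inspect_zip(data: bytes):
    """Return (password_protected, member_names) from the central directory.
    Bit 0 of the general-purpose flag marks an encrypted member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            return any(i.flag_bits & 0x1 for i in infos), [i.filename for i in infos]
    except zipfile.BadZipFile:
        return False, []


def classify_attachment(name: str, data: bytes) -> dict:
    """Rate an attachment: 'high' when it is a password-protected ZIP whose
    members include a double-extension name (the brief's rule), 'medium' when
    only one indicator is present, 'low' otherwise."""
    findings = []
    if has_double_extension(name):
        findings.append("double-extension attachment name")
    protected, members = False, []
    if name.lower().endswith(".zip"):
        protected, members = inspect_zip(data)
        if protected:
            findings.append("password-protected ZIP")
        for m in members:
            if has_double_extension(m):
                findings.append(f"double-extension member: {m}")
    double_ext = has_double_extension(name) or any(has_double_extension(m) for m in members)
    if protected and double_ext:
        level = "high"
    elif findings:
        level = "medium"
    else:
        level = "low"
    return {"level": level, "findings": findings}


def build_sample_zip(member: str, protected: bool) -> bytes:
    """Constructed test archive with one stored member. For the protected case the
    'encrypted' flag bit is set in the local and central headers; no real cipher
    is applied, which is enough to exercise the flag check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, b"dummy payload, not a real executable")
    data = bytearray(buf.getvalue())
    if protected:
        lfh = data.find(b"PK\x03\x04")  # local file header: flags at +6
        cdh = data.find(b"PK\x01\x02")  # central directory header: flags at +8
        for off in (lfh + 6, cdh + 8):
            (flags,) = struct.unpack_from("<H", data, off)
            struct.pack_into("<H", data, off, flags | 0x1)
    return bytes(data)


if __name__ == "__main__":
    for label, name, blob in [
        ("plain double extension", "scan.jpg.exe", b"MZ"),
        ("protected zip with decoy member", "docs.zip", build_sample_zip("scan.jpg.exe", True)),
        ("protected zip, harmless member", "docs.zip", build_sample_zip("readme.txt", True)),
    ]:
        print(label, "->", classify_attachment(name, blob))
```

A mail gateway would run `classify_attachment()` per MIME part and quarantine anything rated high; the medium tier is what you would route to a sandbox or a human review queue.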

2. Removal (step-by-step)

1) Physically disconnect from network (unplug cable/Wi-Fi).
2) Boot into Safe Mode with Networking (or Windows Recovery → Command Prompt).
3) Identify & kill rogue process (usually %APPDATA%\{random}\{random}.exe):

  • Launch “Autoruns” (MS-Sysinternals) → uncheck / delete malicious entry.
  • In Task Manager kill the same EXE; if access denied → use Process Explorer → suspend → kill.
4) Delete the persistence folder.
5) Clean scheduled tasks → look for entries named “Time Trigger Task”, “Opera Scheduled Autoupdate …” etc.; remove any pointing to %APPDATA%.
6) Run a full AV scan with an engine that contains STOP/Djvu signatures (Windows Defender ≥ 1.353.x, ESET, Kaspersky, Sophos, Malwarebytes).
7) Very important: manually delete the “SystemID” file and “PersonalID.txt” the malware places in C:\SystemID & %WINDIR% – these artefacts confuse decryptors if left behind.
8) If MBR/VBR altered (rare) – run bootrec /fixmbr, bootrec /fixboot.
9) Check for secondary payloads (frequently drops data-stealer AZORult or RedLine) – inspect %TEMP%, C:\Users\Public.
10) Before letting the machine back on LAN, verify no “efji” process is running AND that outbound C2 IP 185.220.x.x range is not reachable.

3. File Decryption & Recovery

  • Likelihood of decryption WITHOUT payment:
      • Partial → YES for some victims.
      • Full → NO if “online encryption” was used (malware was able to phone home → unique RSA-2048 per victim).

Important discriminator:

  • PersonalID.txt contains ONE 40-char ID starting with “t1” or “032” → offline key; chance >0.
  • File has >1 ID or IDs with 38–39 random chars → online key; decrypt odds ≈ 0.
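The discriminator above can be applied mechanically before anyone spends time on a decryptor. This Python helper is an added example (not the brief's code and not Emsisoft's tool) that pulls ID-like tokens out of the contents of PersonalID.txt or _readme.txt and applies exactly the rule stated here: one 40-character ID starting with “t1” or “032” is treated as an offline key, while more than one ID, or IDs of 38–39 characters, are treated as an online key. The sample notes are constructed; the ID strings are placeholders of the right length, not real victim IDs.

```python
import re

# Runs of 38-40 alphanumerics, the ID lengths this brief distinguishes
ID_RE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{38,40}(?![A-Za-z0-9])")


def extract_ids(text: str) -> list:
    """Pull every ID-like token out of PersonalID.txt or _readme.txt contents."""
    return ID_RE.findall(text)


def classify_personal_id(text: str) -> dict:
    """Apply the brief's discriminator: one 40-char ID starting with 't1' or '032'
    -> offline key; more than one ID, or 38-39 char IDs -> online key."""
    ids = extract_ids(text)
    if not ids:
        return {"verdict": "unknown", "ids": ids, "reason": "no ID-like token found"}
    if len(ids) > 1:
        return {"verdict": "online", "ids": ids, "reason": "more than one ID present"}
    pid = ids[0]
    if len(pid) == 40 and (pid.startswith("t1") or pid.startswith("032")):
        return {"verdict": "offline", "ids": ids, "reason": "single 40-char ID with offline prefix"}
    if len(pid) in (38, 39):
        return {"verdict": "online", "ids": ids, "reason": f"{len(pid)}-char ID"}
    return {"verdict": "unknown", "ids": ids, "reason": "40-char ID without offline prefix"}


def next_step(verdict: str) -> str:
    """Map the verdict to the recovery action described in this brief."""
    return {
        "offline": "try the Emsisoft Stop/Djvu decryptor (offline key may be known)",
        "online": "decryption unlikely; restore from offline backup or rebuild",
    }.get(verdict, "inconclusive; re-check PersonalID.txt and the ransom note")


# Constructed samples: placeholder IDs of the right length, not real victim IDs
OFFLINE_SAMPLE = "Your personal ID:\n" + "t1" + "0123456789" * 3 + "abcdefgh" + "\n"
ONLINE_SAMPLE = "Your personal ID:\n" + "k7Qm" * 9 + "Lp3" + "\n"
TWO_ID_SAMPLE = OFFLINE_SAMPLE + "Your personal ID:\n" + "032" + "zyxwvu" * 6 + "q" + "\n"


if __name__ == "__main__":
    for label, sample in [("offline", OFFLINE_SAMPLE), ("online", ONLINE_SAMPLE), ("two IDs", TWO_ID_SAMPLE)]:
        verdict = classify_personal_id(sample)
        print(f"{label}: {verdict['verdict']} ({verdict['reason']}) -> {next_step(verdict['verdict'])}")
```

Run it against the copies of PersonalID.txt and _readme.txt taken during evidence collection, before step 7 of the removal procedure deletes them from the host.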

Toolset (free)

  • Emsisoft Stop/Djvu Decryptor – download latest, run with admin.
  • Automatically imports OFFLINE-KEYS.TXT (currently ~200 keys).
  • Works only for extensions whose master key was released (EFJI key was donated by _gridinsoft 07 May 2021, so give it a try!).
  • elektraLecture’s stopOfflineCheck.py – quickly tells you if the sample used offline key by scanning C2 beacon in the ransom note.
  • ShadowExplorer – see whether vssadmin delete shadows /all was skipped.
  • PhotoRec / TestDisk – carve raw media files if disk has TRIM-disabled SSD or magnetics.

When Emsisoft fails → do not pay unless business-critical; Djvu operators demand US $490 (in 72 h) → $980; payment reliability is ~75 % but fuels crime. Buy clean drives, rebuild OS, restore from offline backup.

4. Other Critical Information

a. Differentiators

  • Bundles the small installer “1.exe” (≈ 650 kB NSIS) that writes two main DLLs (update.dll, update_win.dll) – they really are X25519 + Salsa20 crypto libs.
  • Unlike ID-Ransomware clones, EFJI ransom note (_readme.txt) contains the string ATTENTION!, 0210ViY2c1G7q5UICwE3Jm1e2Rpz, and always has two support e-mails (currently [email protected] / [email protected]).
  • Adds exclusion rule for Windows Defender right before encryption to avoid high I/O interception: powershell -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath C:\.
  • Drops the “update.exe” module that later installs Corona-Info Trojan and cookie stealer → assume credential breach & force-reset all saved passwords.
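The Defender-exclusion behaviour in the third bullet is also a detection opportunity. The Python below is an added example (not from this brief) of a rule run over process-creation telemetry: it looks for Add-MpPreference together with an -ExclusionPath, -ExclusionProcess or -ExclusionExtension argument, rates a drive-root exclusion such as C:\ as high severity, treats any narrower exclusion as medium, and records an -ExecutionPolicy Bypass invocation on its own as low. The log records are constructed in a simplified key=value layout rather than real Sysmon or Security 4688 output; the field name `CommandLine:` is an assumption of that layout.

```python
import re

ADD_MP_RE = re.compile(r"add-mppreference", re.I)
EXCLUSION_RE = re.compile(
    r"-exclusion(?:path|process|extension)\s+(['\"]?)([^'\"\s]+)\1", re.I)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")  # "C:" or "C:\"
BYPASS_RE = re.compile(r"-executionpolicy\s+bypass", re.I)


def analyze_command_line(cmd: str) -> dict:
    """Score one process command line for Defender-exclusion tampering."""
    findings = []
    severity = "none"
    if ADD_MP_RE.search(cmd):
        for m in EXCLUSION_RE.finditer(cmd):
            value = m.group(2)
            if DRIVE_ROOT_RE.match(value):
                findings.append(f"drive-wide Defender exclusion added: {value}")
                severity = "high"
            else:
                findings.append(f"Defender exclusion added: {value}")
                if severity != "high":
                    severity = "medium"
    if BYPASS_RE.search(cmd):
        findings.append("PowerShell launched with -ExecutionPolicy Bypass")
        if severity == "none":
            severity = "low"
    return {"severity": severity, "findings": findings}


def scan_events(lines) -> list:
    """Run the rule over process-creation records; return alerts with their metadata prefix."""
    alerts = []
    for line in lines:
        head, sep, cmd = line.partition(" CommandLine: ")
        if not sep:
            continue
        result = analyze_command_line(cmd)
        if result["severity"] != "none":
            alerts.append({"meta": head, **result})
    return alerts


# Constructed sample records in a simplified key=value layout (not real Sysmon/4688 output)
SAMPLE_EVENTS = [
    "2021-01-14T10:02:11Z host=WS-042 pid=4120 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " CommandLine: powershell -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath C:\\",
    "2021-01-14T10:02:40Z host=WS-042 pid=4188 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'D:\\Builds\\out'",
    "2021-01-14T10:03:05Z host=WS-042 pid=4210 image=C:\\Windows\\System32\\cmd.exe"
    " CommandLine: cmd /c dir C:\\Users",
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["meta"])
        for f in alert["findings"]:
            print("   -", f)
```

With Tamper Protection on (prevention item 8) the Add-MpPreference call should fail, but the attempt still lands in process-creation logs, so the high-severity match is worth an immediate host isolation regardless of whether the exclusion took effect.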

b. Broader Impact

  • STOP/Djvu (and therefore EFJI) accounts for >55 % of ransomware submissions to ID-Ransomware in 2023, making it the statistically dominant consumer strain.
  • Average enterprise downtime reported to Coveware for STOP-incidents: 1.0 day (short, because files seldom decrypt → orgs rebuild from backup).
  • Even though ransom sums are “small”, volume is high; affiliate criminals still net estimated US $5–7 M per quarter.
  • Secondary infostealer infection often precedes business-e-mail-compromise months later; security teams should correlate any later BEC tickets with the date of the EFJI outbreak.

CHECKLIST (printable)
☐ Isolate → ☐ Kill process → ☐ Delete persistence → ☐ Run AV → ☐ Check “PersonalID.txt” → ☐ Try Emsisoft decrypter → ☐ Report to law-enforcement (FBI IC3 / national CERT) → ☐ Re-image or restore from BACKUP → ☐ Reset passwords & review logs for exfil → ☐ Harden against piracy vectors.

Stay safe, patch early, backup often, and never run “cracks” on production machines. Good luck recovering from EFJI!