eject

[Content by Gemini 2.5]

Ransomware Dossier – “.eject” (Eject Ransomware)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact file marker: .eject (lower-case, appended directly after the original extension)
    Example: Invoice.xlsx → Invoice.xlsx.eject
  • No e-mail address or victim-ID is injected into the filename – the only change is the final extension.
  • Ransom-note name: README_TO_RESTORE.txt (dropped in every folder and on the desktop).

2. Detection & Outbreak Timeline

  • First public submission: 11 May 2023 (MalwareBazaar, IDHASH: 27f94…).
  • Peak distribution window: May-June 2023 (multiple mal-spam waves).
  • Still circulating as of Q2-2024, albeit at a lower volume.

3. Primary Attack Vectors

  1. Mal-spam (≈70% of infections)
    – ZIP attachments containing ISO or IMG optical-disk images.
    – LNK or BAT file inside the image launches PowerShell to fetch the DLL payload.
  2. Pirated-software bundles & warez torrents (≈20%)
    – Fake “crack” for Adobe CC/Windows activators that side-loads the same DLL.
  3. Exploitation of internet-facing services (≈10%)
    – Leverages harvested RDP credentials bought on Russian marketplaces.
    – No evidence of worm-like SMB/EternalBlue behaviour – human-operated lateral movement only.

Internal designation: “Phobos-family spin-off” – uses the common Phobos crypter but substitutes its own extension and ransom note. The code is notable for terminating 280+ predefined Windows services (incl. VSS, SQL, MySQL, Oracle, Acronis, EDR agents) before encryption to maximise damage.


Remediation & Recovery Strategies

1. Prevention (apply in order of ROI)

  • Disable ISO/IMG auto-mount via GPO (Windows 10/11) – neuters most of the mal-spam chain.
  • Application whitelisting (Microsoft Defender ASR rule: “Block executable files running from email inside container files”).
  • Network segmentation + RDP gold-image with enforced 2FA/CAP; close 3389 from the Internet.
  • Patch publicly exposed software (VPN appliances, IIS, Exchange, Citrix) – still the entry point in follow-on manual attacks.
  • EDR in “block” mode with behaviour rules for:
    – vssadmin delete shadows /all
    – bcdedit /set {default} recoveryenabled No
    – PowerShell equivalents such as Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }
  • Immutable, off-site backups (3-2-1 rule) – currently the single fastest recovery path; Eject leaves Windows VSS unusable.
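The three behaviour rules listed above, as an added detection example that is not part of the dossier or any EDR product: it runs regex rules over constructed Sysmon-style process command lines and escalates a host where more than one rule fires within a short window, which separates the chained sabotage sequence from a lone administrative command. The log format, host names, timestamps and regex patterns are my own assumptions.

```python
import re
from datetime import datetime

# Behaviour rules named in the dossier (pre-encryption recovery sabotage).
# The regexes are my own approximation, not any EDR vendor's rule syntax.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b.*/all", re.I),
    "bcdedit_recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "wmi_shadowcopy_delete": re.compile(r"Win32_ShadowCopy\b.*\.Delete\(\)", re.I),
}

def classify(cmdline):
    """Names of every rule the command line matches (empty list = not flagged)."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(log_lines):
    """Constructed log format 'ISO-time|host|user|cmdline'; returns one hit per (line, rule)."""
    hits = []
    for line in log_lines:
        ts, host, user, cmd = line.split("|", 3)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        for rule in classify(cmd):
            hits.append({"ts": when, "host": host, "user": user, "rule": rule, "cmd": cmd})
    return hits

def escalate(hits, window_s=120):
    """Hosts where >= 2 distinct rules fire within window_s seconds: the chained
    VSS-wipe plus recovery-disable sequence, not a lone administrative command."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    flagged = set()
    for host, hs in by_host.items():
        hs = sorted(hs, key=lambda h: h["ts"])
        for i, first in enumerate(hs):
            rules = {x["rule"] for x in hs[i:] if (x["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(rules) >= 2:
                flagged.add(host)
    return flagged

# Constructed sample: a benign listing, then the three sabotage commands on one
# workstation (note the case and path variation), plus unrelated activity elsewhere.
SAMPLE_LOG = [
    "2024-03-04T09:14:02Z|WS-FIN-07|CORP\\jdoe|vssadmin list shadows",
    "2024-03-04T09:14:05Z|WS-FIN-07|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet",
    "2024-03-04T09:14:06Z|WS-FIN-07|CORP\\jdoe|bcdedit /set {default} recoveryenabled No",
    "2024-03-04T09:14:07Z|WS-FIN-07|CORP\\jdoe|powershell -nop -c \"Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }\"",
    "2024-03-04T10:00:00Z|SRV-DB-01|CORP\\svc_sql|vssadmin list writers",
]
```

Running `escalate(scan(SAMPLE_LOG))` flags only the workstation where the three commands chain within seconds; the benign `vssadmin list` lines produce no hit at all.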

2. Removal / Incident-Cleanup Workflow

  1. Power down the infected machine(s) ➔ boot from a clean USB WinPE.
  2. Run an offline antivirus scan (Kaspersky Rescue Disk, ESET SysRescue, or Bitdefender Rescue).
  3. Once the malicious DLL (PureLocker.{random}.dll, Eject.dll, sometimes camouflaged as oci.dll) is quarantined:
    a. Disable the malicious Run/RunOnce registry entry under:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pure
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\P
    b. Re-enable Windows services that were turned off (compare to a known-good “services.txt”).
  4. Patch the entry vector (reset breached AD account, patch the exploited hole).
  5. Restore production systems only after you have verified network isolation and a clean backup.
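Steps 3a and 3b of the workflow above, as an added verification helper that is not part of the dossier: it parses `reg query`-style output for the two Run value names and the DLL names the dossier lists, and diffs a known-good services baseline against the current state to produce the list of services to re-enable. The text layouts, sample paths, host-side file names and the DLL export name are constructed assumptions.

```python
import re

# Persistence indicators from the dossier: Run value names and DLL file names.
# The reg-query text layout is a constructed sample in the style of `reg query`
# output; value names containing spaces would need a wider parser.
RUN_VALUE_NAMES = {"Pure", "P"}
DLL_PATTERN = re.compile(r"(PureLocker\.[A-Za-z0-9]+\.dll|Eject\.dll|oci\.dll)\b", re.I)

def parse_reg_query(text):
    """Yield (key, value_name, data) triples from reg-query style text."""
    key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("HK"):
            key = line
            continue
        m = re.match(r"\s+(\S+)\s+(REG_\w+)\s+(.*)$", line)
        if m and key:
            yield key, m.group(1), m.group(3)

def flag_run_entries(text):
    """Run entries to disable: dossier value names, or data that loads a named DLL."""
    return [f"{key}\\{name} -> {data}" for key, name, data in parse_reg_query(text)
            if name in RUN_VALUE_NAMES or DLL_PATTERN.search(data)]

def services_to_reenable(known_good, current):
    """Services Running in the known-good baseline ('Name,State' lines) but not running now."""
    def running(lines):
        return {name.strip() for name, state in (l.split(",", 1) for l in lines if l.strip())
                if state.strip().lower() == "running"}
    return sorted(running(known_good) - running(current))

# Constructed sample: benign autoruns beside the two entries the dossier names.
# (The DLL export name 'Entry' is a placeholder, not an observed value.)
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Pure    REG_SZ    rundll32.exe C:\Users\Public\PureLocker.kq7x.dll,Entry

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    P    REG_SZ    C:\Users\jdoe\AppData\Roaming\oci.dll
"""
KNOWN_GOOD_SERVICES = ["VSS,Running", "MSSQLSERVER,Running", "SQLWriter,Running", "Spooler,Stopped"]
CURRENT_SERVICES = ["VSS,Stopped", "MSSQLSERVER,Stopped", "SQLWriter,Running", "Spooler,Stopped"]

if __name__ == "__main__":
    print("\n".join(flag_run_entries(SAMPLE_REG)))
    print("re-enable:", services_to_reenable(KNOWN_GOOD_SERVICES, CURRENT_SERVICES))
```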

3. File Decryption & Recovery

  • No free decryptor exists – Eject uses AES-256 (file key) → RSA-2048 (attacker public key). Keys are generated per-victim and transmitted to the C2 before on-disk overwrite.
  • Recovery therefore depends entirely on:
    – Clean, tested, offline backups (fastest, cheapest).
    – For small numbers of critical files: check Volume Shadow Copies (rarely intact after the service wipe, but worth a try) or Windows “File History”.
    – Negotiation + payment is NOT advised (law-enforcement sanctions, double-extort risk, no guarantee).
  • No known tool will brute-force the RSA-2048 layer in a realistic timeframe.

4. Other Critical Information, IOCs, and Red-flags

  • Ransom demand: 0.03-0.09 BTC (≈ USD 800–2,500) addressed to a static wallet; e-mail contacts: [email protected] and [email protected] (look for these strings in the ransom note).
  • Data-exfil flag: note contains the sentence “We have downloaded more than 200 GB of your corporate data” – supports double-extortion pages on TOR (http://ejectblog56hbe3oe5onxtpx555apk5d……). However, no confirmed leak site activity after October 2023; possibly defunct.
  • Differentiator from Phobos:
    – Extension is single .eject (Phobos variants use multi-part such as .phobos, .actor, .blend).
    – The service-kill list is twice as large (≈ 280 services vs 140).
    – Does not append the victim-ID to filenames.
  • Wider impact: highest number of successful hits on South-American manufacturers (MX/BR/AR) but no geographic restriction – waves seen in EU and APAC as well. 35% of victims had fewer than 250 seats, illustrating that mid-market organisations continue to under-invest in e-mail filtering and immutable backups.

TL;DR Cheat-Sheet

  • Extension added: .eject
  • Family: Phobos fork – no public decryptor.
  • Kills VSS and ≈280 services; delivered mostly via ISO-in-ZIP mal-spam.
  • Recovery = clean backups; no realistic decryption alternative.
  • Block ISO auto-mount, enable ASR rules, segment RDP, keep offline backups.