eky

[Content by Gemini 2.5]

eky Ransomware – Community Resource Sheet

(Last-updated: 2024-06)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Exact file-marker: “.eky” (lower-case, 3 letters, no spaces)
  • Renaming convention:
    Original name → <original_name>.<original_extension>.id-<VictimID>.[attacker-email].eky
    Example: Budget2024.xlsx becomes Budget2024.xlsx.id-A12B3456.[attacker-email].eky
    Victim ID is 8 hexadecimal characters (4 bytes). One or two bracketed e-mail addresses (usually ProtonMail/Tutanota) appear between the ID and the final .eky. The original name and extension are left intact in front of the appended suffix, so an inventory of affected files by type can still be built from names alone even though the content cannot be read.
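The suffix pattern above is enough to build a triage parser. The following is an added example written for this sheet (not code from the ransomware or from any tool named on this page): it extracts the victim ID, the contact addresses and the original name and extension from an encrypted file's name, groups a listing by victim ID and counts affected document types. The filenames and e-mail addresses in SAMPLE_LISTING are constructed.

```python
"""Triage helper for the eky rename convention described above.

Added example for this sheet; it is not code from the ransomware or from any
named tool.  It relies only on the suffix format documented in section 1:
    <original_name>.<original_extension>.id-<VictimID>.[email](.[email2]).eky
The filenames in SAMPLE_LISTING are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from typing import Optional

# Victim ID = 8 hex characters (4 bytes); one or two bracketed e-mail addresses;
# the marker is exactly ".eky" in lower case, so that part is case-sensitive.
EKY_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email1>[^\]\s]+@[^\]\s]+)\]"
    r"(?:\.\[(?P<email2>[^\]\s]+@[^\]\s]+)\])?"
    r"\.eky$"
)


def parse_eky_name(filename: str) -> Optional[dict]:
    """Split an eky-renamed file into its parts, or return None if it does not match."""
    m = EKY_RE.match(filename)
    if m is None:
        return None
    emails = [m["email1"]] + ([m["email2"]] if m["email2"] else [])
    original = m["original"]
    ext = original.rsplit(".", 1)[1].lower() if "." in original else ""
    return {
        "original_name": original,  # the name to restore to once a clean copy is back
        "original_extension": ext,
        "victim_id": m["victim_id"].upper(),
        "emails": emails,
    }


def sweep(filenames):
    """Group matching files by victim ID.

    The ID identifies the victim that ran the encryptor, so more than one ID
    under a single share suggests more than one host wrote encrypted files there.
    """
    by_victim = defaultdict(list)
    for name in filenames:
        parsed = parse_eky_name(name)
        if parsed is not None:
            by_victim[parsed["victim_id"]].append(name)
    return dict(by_victim)


def impact_by_extension(filenames) -> Counter:
    """Count hits per original extension: the content is lost, but the names still
    tell you which document types (and therefore which backups) to prioritise."""
    return Counter(p["original_extension"]
                   for p in map(parse_eky_name, filenames) if p is not None)


# Constructed sample listing: three true positives (one carrying two e-mails,
# one with a lower-case ID) plus look-alikes that must NOT match.
SAMPLE_LISTING = [
    "Budget2024.xlsx.id-A12B3456.[helpme@example.com].eky",
    "Q1 report.docx.id-a12b3456.[helpme@example.com].[backup@example.net].eky",
    "photo.jpg.id-0F0F0F0F.[helpme@example.com].eky",
    "notes.txt.id-A12B3456.[helpme@example.com].EKY",   # marker is upper-case
    "archive.tar.gz.id-12345.[x@example.com].eky",        # ID is not 8 hex chars
    "readme.eky",                                         # no ID / e-mail block
    "info.hta",                                           # the ransom note itself
]

if __name__ == "__main__":
    for victim, files in sweep(SAMPLE_LISTING).items():
        print(victim, len(files), "file(s)")
    print(impact_by_extension(SAMPLE_LISTING))
```

Run it as a script to see the grouping, or import parse_eky_name into a larger file-system walk. The upper-case ".EKY" look-alike is rejected on purpose, matching the lower-case marker documented above; relax the final anchor only if you meet a renamed variant.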

2. Detection & Outbreak Timeline

  • First submissions to ID-ransomware / VirusTotal: 28-Jan-2018
  • Wider publicity / enterprise hits: Feb-2018 (spiked again May-2018 when exploit kit campaigns adopted it)
  • Still circulating: 2024 binaries seen in cracked-software bundles and exposed-RDP sales on dark-web markets.

3. Primary Attack Vectors

  • Phishing with malicious Office attachments (macros download Buer loader → eky)
  • RDP brute-force (TCP/3389, weak or previously-breached credentials) – once in, attacker manually drops eky_encrypt.exe and a batch that deletes shadow copies.
  • EternalBlue (MS17-010) & lateral movement via SMBv1 used in Feb-2018 worm-like wave.
  • Fallout Exploit Kit / RIG EK in 2018 (now rare but demonstrates code can arrive via drive-by).
  • Bundled in fake software-key generators (adware installer installs eky as final payload).

REMEDIATION & RECOVERY STRATEGIES

1. Prevention Essentials

  1. Disable SMBv1 (Windows Features → uncheck, or PowerShell Disable-WindowsOptionalFeature) and confirm it stays off after the reboot.
  2. Patch MS17-010 and every current cumulative update; likewise patch Office, Java, Flash.
  3. Enforce 14+ character unique passwords and an account-lockout policy on RDP; if remote access is business-critical, put it behind a VPN with MFA rather than exposing TCP/3389.
  4. Use Windows Defender Exploit Guard / ASR rules:
  • Block executable files from running unless they meet a prevalence, age, or trusted-list criterion.
  • Block Office applications from creating executable content.
  5. Application control (WDAC / AppLocker): deny execution from %TEMP% and %APPDATA%, the drop locations used by this family.
  6. Maintain offline backups that the backup server pulls from hosts (pull, not push), so no credential stored on a compromised host can reach the backup store; verify a restore regularly.
  7. Protect shadow copies: restrict vssadmin.exe, wmic.exe and bcdedit.exe to administrators (Software Restriction Policies / AppLocker) and alert on their execution, since the batch dropped after RDP access uses them to wipe restore points.

2. Step-by-Step Removal (single machine)

  1. Physically disconnect from the network (Wi-Fi off / pull the cable) to stop encryption of mapped drives.
  2. Boot into Safe Mode with Networking, or scan from outside the installed OS with a Windows PE or Kaspersky Rescue Disk boot stick.
  3. Identify the persistent copy:
     C:\Users\<user>\AppData\Roaming\oracle\oracle.exe (common path) and the run-key value
     HKCU\Software\Microsoft\Windows\CurrentVersion\Run\oracle = <path to oracle.exe>
     Delete both the file and the registry value; also check HKLM\Software\Microsoft\Windows\CurrentVersion\Run and the user's Startup folder for the same name before declaring the host clean.
  4. Delete the scheduled tasks “WindowsOracleUpdate” / “WindowsIndex” (used to re-run itself).
  5. Run a reputable on-demand scanner (Malwarebytes, ESET, MSERT) to remove residual droppers.
  6. On the domain side, force password resets for every account that logged on to the host (and rotate the local administrator password if it is shared across machines), then review recent logons from unusual source IPs.

3. File Decryption & Recovery

  • Decryptable? NO (no public decryptor) – eky is a Phobos family offshoot: each file is encrypted with AES-256 in CBC mode under a per-file key, and that key is wrapped with an RSA-1024 public key embedded in the binary.
    1024-bit RSA has never been publicly factored, so without the attacker's private key the file keys, and therefore the files, cannot be recovered. Treat any download advertised as an “eky decryptor” as a second-stage malware risk.
  • Confirming the family and checking for a decryptor:
  1. Upload one small .eky file + the ransom note (info.hta / info.txt) to https://id-ransomware.malwarehunterteam.com – the service identifies the family and states whether a free decryptor is known for it. Re-check periodically: keys are occasionally leaked or seized after a campaign ends.
  2. Cross-check the Emsisoft decryptor index and https://www.nomoreransom.org for the same reason; neither currently lists a Phobos decryptor.
  3. If no decryptor is listed, decryption without paying is not feasible; restore from backup only.
  • Data-recovery alternatives (no decryptor match):
  • Shadow copies: run vssadmin list shadows from an elevated prompt and browse any survivors with ShadowExplorer (the deletion batch sometimes misses a drive or a host).
  • Windows File History / 3rd-party backup agents (Veeam, Macrium).
  • PhotoRec / RAW carving: the encrypted files themselves are high-entropy and yield nothing, but deleted earlier versions of small Office documents can sometimes be carved from free space if the disk has not been written heavily since.

4. Essential Tools / Patches

  • MS17-010 security update (KB4013389 and its successors)
  • Microsoft Safety Scanner (latest)
  • Emsisoft decryptor index and https://www.nomoreransom.org (to re-check whether a Phobos/eky decryptor has appeared; none is listed at the time of writing)
  • Malwarebytes AdwCleaner + Anti-Ransomware beta
  • NirSoft TaskSchedulerView (hunt rogue tasks)

5. Other Critical Information

  • Network-wide behaviour: After local encryption, it enumerates network shares with net view and a hard-coded list of admin$ shares; where they are writable it drops a copy and uses WMI/PsExec to launch it on the remote hosts. Because WMI/PsExec need administrative credentials on the target, a single foothold reaches every host that shares the same local-admin password.

  • Email addresses: early samples used a rotating set of attacker contact addresses embedded in the filename suffix; match on the suffix pattern rather than on a specific address. If you negotiate, expect a demand in the 0.3-1.2 BTC range and assume the key may never arrive or may not work.

  • Unique persistence: rewrites the Windows Error Reporting service DLL (wer.dll) in %SystemRoot%\System32\ with a lightly obfuscated copy of itself, allowing restart survival even after the run-key is cleaned. Re-verify that wer.dll carries a valid Microsoft signature after disinfection; Windows Resource Protection only lets TrustedInstaller replace that file, so a modified copy also tells you the attacker held SYSTEM-level rights on the host.

  • Defensive log indicators:
    – Security 4625 bursts (many failed logons from one source address within a few minutes) against the RDP host, followed by a 4624 from the same address: the brute-force pattern that precedes most eky intrusions.
    – Security 4624 with Logon Type 3 (network) or 10 (RemoteInteractive/RDP), Account=Administrator or another local admin, Source Network Address on a public IP, Authentication Package NTLM (direct RDP from the internet with a local account authenticates with NTLM, not Kerberos).
    – System 7045 service creation where the service name is “Oracle” or “OracleUpdate”.
    – Security 1102 (audit log cleared) shortly after the lateral-movement logons.

  • Wider impact: Eky is the first Phobos fork that added the “.eky” flag while keeping the rest of the builder; therefore IOC search strings that work for Phobos generally also find eky, making YARA or EDR rules portable between the two. Nevertheless, each campaign embeds a new RSA public key, so a private key leaked or seized for one wave does nothing for the next.
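The log indicators listed above can be turned into a small triage routine. The following is an added example written for this sheet, not code from the page or from any product it names. It runs over event records represented as dicts using the Windows event-XML field names (EventID, LogonType, TargetUserName, IpAddress, AuthenticationPackageName, ServiceName) plus a TimeCreated timestamp, which in practice you would fill from Get-WinEvent output or a SIEM export. The records in SAMPLE_EVENTS, the 203.0.113.77 source address and the thresholds are constructed assumptions.

```python
"""Run the log indicators from this sheet over Windows event records.

Added example, not code from the original page or from any named tool.
Events are dicts keyed by the Windows event-XML field names plus TimeCreated.
SAMPLE_EVENTS is constructed, not captured from a real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Only RFC 1918, loopback and link-local count as internal.  ipaddress.is_private
# would also flag the 203.0.113.0/24 documentation range used in the sample, so
# an explicit list is used instead.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """True for a routable source address; '-' and unparsable values count as internal."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_bruteforce_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed logons (4625) inside a sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e.get("IpAddress", "-")].append(e["TimeCreated"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def find_external_admin_logons(events):
    """4624, logon type 3 (network) or 10 (RDP), Administrator, from outside the LAN."""
    return [e for e in events
            if e["EventID"] == 4624 and e.get("LogonType") in (3, 10)
            and e.get("TargetUserName", "").lower() == "administrator"
            and is_external(e.get("IpAddress", "-"))]


def find_rogue_services(events, names=("oracle", "oracleupdate")):
    """7045 service installs using the persistence names from this sheet."""
    return [e for e in events
            if e["EventID"] == 7045 and e.get("ServiceName", "").lower() in names]


def find_log_clearing_after_remote_logon(events, window=timedelta(minutes=30)):
    """1102 (audit log cleared) within `window` after any type-3/10 logon."""
    logons = [e["TimeCreated"] for e in events
              if e["EventID"] == 4624 and e.get("LogonType") in (3, 10)]
    return [e for e in events if e["EventID"] == 1102
            and any(timedelta(0) <= e["TimeCreated"] - t <= window for t in logons)]


def triage(events) -> dict:
    """One summary per indicator; an empty value means that indicator did not fire."""
    return {
        "bruteforce_sources": find_bruteforce_sources(events),
        "external_admin_logons": [(e["IpAddress"], e["LogonType"], e.get("AuthenticationPackageName"))
                                  for e in find_external_admin_logons(events)],
        "rogue_services": [e["ServiceName"] for e in find_rogue_services(events)],
        "log_cleared_after_remote_logon": len(find_log_clearing_after_remote_logon(events)),
    }


T0 = datetime(2024, 6, 1, 2, 0, 0)  # constructed timeline start


def ev(event_id, seconds, **fields):
    """Build a constructed event record `seconds` after T0."""
    return {"EventID": event_id, "TimeCreated": T0 + timedelta(seconds=seconds), **fields}


SAMPLE_EVENTS = (
    # twelve failed RDP logons from one public address in two minutes ...
    [ev(4625, 10 * i, LogonType=10, TargetUserName="administrator", IpAddress="203.0.113.77")
     for i in range(12)]
    # ... then a guess lands: type 10, Administrator, NTLM, same source
    + [ev(4624, 130, LogonType=10, TargetUserName="Administrator",
          IpAddress="203.0.113.77", AuthenticationPackageName="NTLM")]
    # legitimate RDP from the internal jump host: same account, private source, Kerberos
    + [ev(4624, 200, LogonType=10, TargetUserName="Administrator",
          IpAddress="10.0.5.20", AuthenticationPackageName="Kerberos")]
    # persistence via a service named as this sheet lists, next to a benign install
    + [ev(7045, 300, ServiceName="OracleUpdate"), ev(7045, 310, ServiceName="Sysmon64")]
    # audit log cleared ten minutes after the remote logon
    + [ev(1102, 730)]
    # three stray failures from an internal workstation: below threshold
    + [ev(4625, 1000 + 60 * i, LogonType=3, TargetUserName="jdoe", IpAddress="192.168.1.9")
       for i in range(3)]
)

if __name__ == "__main__":
    for name, value in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

On the constructed sample the routine flags the external source as a brute-force origin, the successful external NTLM logon as Administrator, the “OracleUpdate” service install and the log clearing that followed, while the jump-host logon and the three internal failures stay quiet. Lower the brute-force threshold or widen the clearing window to match your own baseline.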

Stay safe—patch, segment, back-up, and never pay if a free decryptor exists.
Share knowledge, not malware.