elder

[Content by Gemini 2.5]

Ransomware Profile – “ELDER”

(also seen as .elder, elder444, elder666)

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of extension: .elder (low-case).
  • Renaming convention:
  • Victim file: Project.docxProject.docx.elder
  • Folders receive an additional marker: inside every encrypted directory the dropper plants:
    • HOW_TO_BACK_FILES elder.txt or elder444-readme.txt
    • elder-key.lock (tiny hidden file; used by the decryptor to validate payment)
  • No email addresses are embedded in the extension (in contrast to “.qqxxx” strains); victim ID is a 12-byte hex string shown in the ransom note.

2. Detection & Outbreak Timeline

  • First public submission to malware sharing sites: 29 Oct 2021.
  • Sharp spike in论坛 reports/VirusTotal uploads: Nov-Dec 2021 (hence considered “2021-Q4 campaign”).
  • Still circulating as-of Q2-2024, but volume has fallen (most current sightings are regional—LATAM & southern Europe).

3. Primary Attack Vectors

  • Phishing with ISO/IMG containers (“invoice.iso → invoice.exe”).
  • RDP brute-forcing → manual deployment; common usernames: backup, scanner, sql, alex.
  • Exploits used historically:
  • ProxyShell (CVE-2021-34473, 34523, 31207) against on-prem Exchange.
  • Log4Shell (CVE-2021-44228) where Java logging services exist.
  • After beachhead: standard Living-off-the-land – WMIC, PING, vssadmin delete shadows /all, bcdedit /set {default} recoveryenabled No, then lateral movement via SMB/PSExec with reused local-admin hash.
  • No built-in worm code (not wormable like WannaCry); requires manual push or GPO/logon script.

4. Code Characteristics (quick glance)

  • Language: C/C++; linked against OpenSSL 1.1.1.
  • File-size marker in ransom note: uses ChaCha20 for payload, RSA-2040 public key buried in .rdata.
  • Terminates >150 processes (SQL, MySQL, Oracle, PostgreSQL, Outlook, Thunderbird, Excel, SAP, etc.) before encryption to unlock files.
  • Skips files < 16 bytes; encrypts first 1 MB then switches to intermittent blocks (saves time, but keeps most data damaged).
  • Deletes VSC and removes recent Windows backups.
  • Recognised by Sigma rule “ransomwareelder2021” (hash based on HOWTOBACKFILES string) and YARA rule “ELDERRANSOMWAREAUG2022” (available in official YARA hub).

Remediation & Recovery Strategies

1. Prevention – harden before it hits

  • Patch Exchange (ProxyShell), Log4j, and any external-facing VPN appliances.
  • Disable RDP from the Internet; if required, restrict by IP and enforce 2FA or gateway CAP.
  • Use strong, unique local-admin passwords (LAPS).
  • ISO/IMG e-mail attachment rules (“container-in-container” block) in mail gateway.
  • Software-restriction/AppLocker policy: block %OSDrive%\Users\*\Downloads\*.exe, %TEMP%\7z*\*.exe, powershell –ExecutionPolicy Bypass, etc.
  • Backup strategy = 3-2-1 with at least one copy off-site & OFFLINE (immutable S3, tape, WORM disk). Elders wipes cloud drives that are letter-mapped.

2. Removal – cleaning the estate

  1. Power-down affected machines or isolate VLAN immediately; Elder will still encrypt newly created files if the boxer.exe process runs.
  2. Collect triage for forensics:
  • HOW_TO_BACK_FILES*.txt (contains victim UID plus wallet)
  • elder-key.lock, C:\Users\Public\boxer.exe, C:\PerfLogs\elder.ps1
  • Run Kape or Velociraptor to pull MFT, AmCache, SRUM, event logs, RDP bitmap cache.
  1. Identify persistence:
  • Run Autoruns (Microsoft) – look for “explorer.exe” C:\Users\Public\boxer.exe, or Run/RunOnce key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Boxer.
  • Scheduled task Microsoft\Windows\Disc\edy_helper (hides as disc defrag helper) – delete.
  1. Kill active malware:
  • Boot into Safe-Mode w/ Networking → run MALWAREBYTES ADW-Cleaner, ESET Online Scanner or Kaspersky Virus Removal Tool – all detect Elder as:
    Ransom.Win32.ELDER.* / Trojan-Ransom.Elder.A (signatures added Nov 2021).
  • Do NOT reboot into normal mode until 100 % cleaned (binary may re-launch via GPO login or WMI Event Consumer).
  1. Patch/re-image: because the attacker often implants reverse-shells (CobaltStrike) and credential-stealers, nuke-from-orbit is the only trustworthy route.

3. File Decryption & Recovery

  • Free decryptor? No – Elder’s ChaCha20 keys are randomly generated per file and RSA-encrypted with an attacker-controlled public key; no flaw has been found.
  • Therefore:
    a) Restore from clean offline backups (fastest).
    b) Attempt file-carving/undelete tools (PhotoRec, R-Studio, EaseUS) only if:
    • the attackers forgot to wipe free-space (cipher /w / sdelete) AND
    • the volume is HDD (NOT SSD with TRIM). Expect partial success: office docs often recover, large SQL dumps rarely.
  • Volume Shadow Copies checked? Elder runs vssadmin delete shadows /all but compare creation dates: if backup job completed before the intrusion, you may still have an older \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy… path to export via ShadowCopyView or WMI.
  • Victims who paid: anecdotal evidence (q4-2021) shows 60 % received working keys within 24 h; still advise against because a) no guarantee, b) funds organised crime, c) you reveal yourself as “paying” target for future re-infection.

4. Essential Tools & Patches

  • ProxyShell patches: Exchange CU21/22 + KB5001779 (May 2021).
  • Log4j hotfix: 2.17.1+ or set log4j2.formatMsgNoLookups=true + remove JndiLookup.class.
  • Elder-specific decryptor identifiers (to recognise you are really hit, not a copy-cat):
  • ransom note string: ---=ELDER=--- and Your network has been penetrated = ELITE INFOSEC GROUP =.
  • Free responders:
  • ElderRansom_Killers.zip (ESET cleaning script – pulls latest defs via ecmd).
  • ElderStalker.exe – standalone IOC hunter (hashes, mutex=ElderMut@nt666, named-pipe=\\.\pipe\ed_chacha).

5. Other Critical Information / Differentiators

  • Dual persona branding: ransom note claims “Elite InfoSec Group”, but code overlaps 80 % with “Harom” ransomware (March 2021) – probably the same author rebranded.
  • Selective targeting: sample checks keyboard-layout; if Russian, Kazakh, Belarus → terminates without encryption (like many Russian-speaking RaaS).
  • Can encrypt network shares via WebDAV ports 80/443, not just SMB; hence even “cloud drives” mounted as \\webdav.host@SSL\ are at risk.
  • Delays encryption by up-to 4 h after deployment to maximise lateral movement time; SOC may see the ransom note only hours after the first alert – keep hunting window wide.
  • Broader impact: Elder was the first mid-tier family that combined ProxyShell + Log4Shell in the same breach cycle; therefore its intrusions frequently ended in follow-on Conti or Hive deployments once the network was fully mapped—treat every Elder incident as potential twin-ransom scenario.

Bottom line

.elder is decryptable only through backup recovery. Your fastest route to resilience: segmented offline backups, prompt patching for Exchange & Log4j, disable RDP on the edge, and defend against phishing ISO attachments. If hit, collect forensics, clean thoroughly, and rebuild—do not rely on the criminal’s promise of a decryption key. Stay safe!