escovinda

[Content by Gemini 2.5]

Technical Breakdown & Recovery Guide – “Escovinda” Ransomware

(file marker: “.escovinda”)
Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of file extension: .escovinda
  • Renaming convention: <original_name>.<original_ext>.escovinda (the original extension is kept; the marker is appended)
  • Example: Quarterly-Results.xlsx becomes Quarterly-Results.xlsx.escovinda
  • No e-mail or ID string is inserted, so all victims hit by the same build receive an identical-looking extension
  • Folders receive a plain-text note HOW_TO_RETURN_FILES.txt; no desktop wallpaper is changed
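The renaming pattern above is regular enough to inventory an affected share with a short script. The following is an added example, not code from the original page: it walks a directory tree, reconstructs each original file name by stripping the ".escovinda" marker, counts affected files by original extension, and records which folders carry the HOW_TO_RETURN_FILES.txt note. The sample tree it builds in a temporary directory is constructed for the demonstration; the function and variable names are mine.

```python
"""Inventory files renamed by Escovinda (added example, not from the original page)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

MARKER = ".escovinda"                 # file marker documented for this family
NOTE_NAME = "HOW_TO_RETURN_FILES.txt"  # plain-text note dropped per folder


def original_name(name: str) -> Optional[str]:
    """Return the pre-encryption name, or None if the file was not renamed by Escovinda.

    A bare ".escovinda" (nothing before the marker) is not a renamed file and is ignored.
    """
    if name.lower().endswith(MARKER) and len(name) > len(MARKER):
        return name[: -len(MARKER)]
    return None


def inventory(root: str) -> Dict[str, object]:
    """Walk `root` and summarise encrypted files and note locations (paths relative to root)."""
    encrypted: List[Tuple[str, str]] = []   # (relative encrypted path, original file name)
    note_dirs: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME in files:
            note_dirs.append(os.path.relpath(dirpath, root))
        for f in files:
            orig = original_name(f)
            if orig is not None:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                encrypted.append((rel, orig))
    # Count by the *original* extension so the impact per data type is visible.
    by_ext: Dict[str, int] = {}
    for _rel, orig in encrypted:
        ext = Path(orig).suffix.lower() or "(none)"
        by_ext[ext] = by_ext.get(ext, 0) + 1
    return {"encrypted": sorted(encrypted), "note_dirs": sorted(note_dirs), "by_ext": by_ext}


def build_sample_tree() -> str:
    """Create a constructed sample tree (demo data only) and return its root path."""
    root = tempfile.mkdtemp(prefix="escovinda_demo_")
    layout = {
        "Finance/Quarterly-Results.xlsx.escovinda": b"\x00" * 16,  # encrypted (constructed)
        "Finance/notes.txt": b"untouched",
        "Finance/" + NOTE_NAME: b"note text (constructed)",
        "HR/payroll.docx.escovinda": b"\x00" * 16,
        "HR/archive.tar.gz.escovinda": b"\x00" * 16,              # double extension survives
        "HR/" + NOTE_NAME: b"note text (constructed)",
        "IT/deploy.ps1": b"# untouched folder, no note",
    }
    for rel, content in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    result = inventory(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted files; notes in {result['note_dirs']}")
    for ext, n in sorted(result["by_ext"].items()):
        print(f"  {ext}: {n}")
```

Point the script at the root of a mapped share during triage; the per-extension counts help size the restore job, and the list of note-bearing folders shows how far the encryptor walked.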

2. Detection & Outbreak Timeline

  • First public submission to malware repositories: Mid-December 2023 (SHA-256 b0d9…12e7)
  • Rapid SMB-drive opportunistic waves observed: January–February 2024
  • Still circulating in-the-wild as of April 2024; no large-scale rebranding observed yet

3. Primary Attack Vectors

  • Exploitation of unpatched MS-SQL servers (CVE-2020-1472 “Zerologon” combined with a weak sa password for privilege escalation)
  • Living-off-the-land lateral movement via SMB/PSExec once SQL host is compromised
  • Secondary drop via phishing (ISO/IMG e-mails containing BAT → PowerShell stager) – usually seen in Portuguese-language lures (“Nota fiscal – prefeitura.pdf.iso”)
  • Optional RDP brute-force when TCP/3389 is externally open (post-infection, not the original ingress)

Payload drops in %ProgramData%\WindowsTask\escovinda.exe (64-bit, UPX-packed, ~670 kB). After execution it:

  • Deletes shadow copies via WMI
  • Stops SQL, Exchange, VSS, MySQL, MSSQLServerADHelper100, backup services
  • Encrypts with ChaCha20 (per-file key) → key encrypted by RSA-2040 (attacker public key embedded)
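The two steps before encryption (shadow-copy deletion and the burst of service stops) are the detectable pre-encryption window. The code below is an added example, not from the original page: it parses a handful of constructed, simplified Windows event lines, classifies service-stop messages and shadow-copy deletion commands, and raises one alert per host when, inside a 10-minute window, a shadow deletion is seen or at least three of the targeted services stop. The exact service names (other than MSSQLServerADHelper100, which the page names) and the line format are assumptions for the demonstration.

```python
"""Detect Escovinda-style pre-encryption activity in event lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Service display names assumed for the demo; the page lists the categories
# (SQL, Exchange, VSS, MySQL, MSSQLServerADHelper100, backup services).
TARGET_SERVICES = {"MSSQLSERVER", "MSExchangeIS", "VSS", "MySQL", "MSSQLServerADHelper100"}
BACKUP_RE = re.compile(r"backup", re.IGNORECASE)
STOP_RE = re.compile(r"The (.+?) service entered the stopped state")
# Shadow-copy deletion via WMI (page) or vssadmin (page, section 3 of recovery).
SHADOW_RE = re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy|vssadmin(\.exe)?\s+delete\s+shadows",
                       re.IGNORECASE)
LINE_RE = re.compile(r"^(?P<ts>\S+)\|host=(?P<host>[^|]+)\|event=(?P<id>\d+)\|msg=(?P<msg>.*)$")

# Constructed sample log (simplified "ts|host=...|event=...|msg=..." format, not real telemetry).
SAMPLE_LOG = [
    "2024-01-15T02:14:03|host=SQL01|event=4688|msg=New Process: wmic.exe shadowcopy delete",
    "2024-01-15T02:14:10|host=SQL01|event=7036|msg=The MSSQLSERVER service entered the stopped state.",
    "2024-01-15T02:14:11|host=SQL01|event=7036|msg=The VSS service entered the stopped state.",
    "2024-01-15T02:14:12|host=SQL01|event=7036|msg=The MSSQLServerADHelper100 service entered the stopped state.",
    "2024-01-15T02:14:13|host=SQL01|event=7036|msg=The Veeam Backup Service service entered the stopped state.",
    "2024-01-15T09:30:00|host=WS07|event=7036|msg=The Print Spooler service entered the stopped state.",
    "2024-01-15T09:31:00|host=WS07|event=7036|msg=The VSS service entered the stopped state.",
]


def classify(msg: str) -> Tuple[Optional[str], str]:
    """Map a message to ('service_stop', name), ('shadow_delete', cmd) or (None, '')."""
    if SHADOW_RE.search(msg):
        return "shadow_delete", msg
    m = STOP_RE.search(msg)
    if m:
        name = m.group(1)
        if name in TARGET_SERVICES or BACKUP_RE.search(name):
            return "service_stop", name
    return None, ""


def detect(lines: List[str], window_minutes: int = 10, min_stops: int = 3) -> List[Dict[str, object]]:
    """Return one alert per host whose indicators cluster inside the window."""
    by_host: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                               # skip lines in an unexpected format
        kind, detail = classify(m.group("msg"))
        if kind:
            by_host[m.group("host")].append((datetime.fromisoformat(m.group("ts")), kind, detail))

    alerts = []
    window = timedelta(minutes=window_minutes)
    for host, events in by_host.items():
        events.sort()
        for t0, _, _ in events:                    # slide a window starting at each indicator
            win = [e for e in events if t0 <= e[0] <= t0 + window]
            stopped = sorted({d for _, k, d in win if k == "service_stop"})
            shadow = [d for _, k, d in win if k == "shadow_delete"]
            if shadow or len(stopped) >= min_stops:
                alerts.append({"host": host, "start": t0.isoformat(),
                               "stopped": stopped, "shadow_delete": shadow})
                break                              # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

A single VSS stop on a workstation (WS07 in the sample) stays below the threshold; the SQL host, with a WMI shadow deletion followed by four targeted service stops within seconds, produces the alert. In production the same logic would sit behind an event-log or EDR query rather than a text parser.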

Remediation & Recovery Strategies

1. Prevention

  1. Patch Windows servers immediately against Zerologon (CVE-2020-1472) and SQL privilege-escalation CVE-2020-0618 / CVE-2021-1636
  2. Enforce 14-character-plus complex SQL sa account passwords; move SQL off port 1433 to a non-default high port; enable SQL audit logging
  3. Disable SMBv1 everywhere; enable Windows Firewall default-deny rule for TCP 445 egress from SQL servers
  4. Use LAPS for local-admin password randomisation; place Domain Admins in “Protected Users” (no NTLM, no RDP)
  5. Macro/ISO execution controls:
  • Block image-file (ISO, IMG, VHD) execution from e-mail in Microsoft 365 / G-Suite
  • Set ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” to Audit/Block
  6. Application allow-listing (WDAC / AppLocker) forbidding unsigned binaries in %ProgramData% and %TEMP%

2. Removal (manual or scripted)

  1. Physically isolate the machine from LAN (pull cable / disable Wi-Fi)
  2. Collect a memory dump (for law-enforcement/forensics) if possible before shutdown
  3. Boot into Safe Mode with Networking
  4. Delete persistence:
  • Scheduled Task: \Microsoft\Windows\WindowsTask\EscovRunOnce → %ProgramData%\WindowsTask\escovinda.exe
  • Run Keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WindowsUpdate" = %ProgramData%\WindowsTask\escovinda.exe
  5. Remove the malicious service (short name WUTask) created via sc.exe create
  6. Manually delete %ProgramData%\WindowsTask\ and %Temp%\autoit*.tmp files
  7. Run a current signature engine (Defender, ESET, Kaspersky, Sophos) full scan to delete the final sample
  8. Cross-check SQL stored procedures: actors often install xp_-prefixed wrapper procedures to re-drop the payload; drop anything undocumented

3. File Decryption & Recovery

Statistical status (April 2024):

  • Escovinda’s private RSA-2040 is NOT publicly available
  • No flaw or keystream reuse has been identified so far in the ChaCha20/RSA hybrid implementation
    => OFFLINE decryption therefore impossible without paying the criminal group (not recommended)

Free recovery paths:

  1. Restore from offline / immutable backups (Veeam Hardened Repo, AWS S3 Object Lock, Azure immutable blob, tape)
  2. Leverage Volume Shadow Copies if attacker script failed (run vssadmin list shadows) – unlikely if script finished successfully
  3. Look for overlooked local “bak”, “old”, “tmp” copies (ransomware only walks common user-extension lists)
  4. Check e-mail OST/PST, SharePoint Online, OneDrive, Dropbox etc. for cloud-synced revisions
  5. Windows “File History” (Win8+) or macOS Time Machine repositories mapped as network drives – often missed

Tools & patches specifically relevant:

  • Zerologon validation script: “Zerologon-Testing” (GitHub Secura) before any rollback
  • Microsoft Defender signature update 1.403.151.0+ detects it as Ransom:Win64/Escovinda.A
  • Kaspersky KLARA scanner (open-source) SMB rule set to detect escovinda.exe library imports

4. Other Critical Information

Distinguishing traits:

  • Small but swift – entire encryption of a 4 TB SQL volume observed in 19 min (multithreaded ChaCha20, SMB parallel queues)
  • No data-exfiltration stage encountered in current builds (no Tor callbacks, no MEGASync uploads); so “double-extortion” leaks have not yet been reported
  • Ransom-note language: written in Brazilian Portuguese (PT-BR) with a machine-translated English copy (“Buy decryptor here 1 BTC”); BTC wallet addresses are re-used per campaign, enabling easy cluster attribution
  • Target geography: Brazil, Mexico, Portugal, followed by any reachable SQL server worldwide after January 2024
  • Because the malware lacks obfuscation beyond UPX, YARA hunting rule is trivial – look for embedded string “ESCVINDA-V135” plus RSA blob beginning at offset 0x32500
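Two of the traits above lend themselves to simple hunting logic: the embedded “ESCVINDA-V135” string in an unobfuscated, UPX-packed binary, and the wallet addresses re-used across ransom notes. The block below is an added example, not code from the original page: `hunt()` reports whether a byte buffer contains the marker string and UPX section names and at what offset the marker sits, and `cluster_by_wallet()` extracts Bitcoin-style addresses from ransom-note text and groups notes that share one. The sample buffer, the note texts and the wallet strings are constructed placeholders; the page's RSA-blob offset (0x32500) is recorded but not matched on, since the blob's bytes are not published.

```python
"""Static hunt for the Escovinda marker and wallet-based note clustering (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

MARKER = b"ESCVINDA-V135"          # embedded string named on the page
UPX_SECTIONS = (b"UPX0", b"UPX1")  # section names left by UPX packing
RSA_BLOB_OFFSET = 0x32500          # offset named on the page; blob content unknown, so not matched here
# Legacy (1.../3...) and bech32 (bc1...) address shapes; checksum is not validated.
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def hunt(data: bytes) -> Dict[str, object]:
    """Return marker/UPX indicators for one file's bytes."""
    off = data.find(MARKER)
    return {
        "marker_found": off != -1,
        "marker_offset": off,
        "upx_packed": any(s in data for s in UPX_SECTIONS),
        "rsa_blob_offset_reachable": len(data) > RSA_BLOB_OFFSET,
    }


def is_candidate(data: bytes) -> bool:
    """Candidate when both the marker and UPX section names are present."""
    r = hunt(data)
    return bool(r["marker_found"] and r["upx_packed"])


def cluster_by_wallet(notes: Dict[str, str]) -> Dict[str, List[str]]:
    """Group note identifiers by every wallet address found in their text."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for note_id, text in notes.items():
        for wallet in set(BTC_RE.findall(text)):
            clusters[wallet].append(note_id)
    return {w: sorted(ids) for w, ids in clusters.items()}


# Constructed sample buffer: a fake PE-like header, UPX section names, then the marker.
SAMPLE_PE = (b"MZ" + b"\x00" * 64 + b"UPX0" + b"\x00" * 16 + b"UPX1"
             + b"\x00" * 100 + MARKER + b"\x00" * 10)
BENIGN = b"MZ" + b"\x00" * 300

# Constructed ransom-note texts with placeholder wallet strings (not real addresses).
SAMPLE_NOTES = {
    "victim-A": "Seus arquivos foram criptografados. Buy decryptor here 1 BTC "
                "1Escov9XkPqQ5vdRzj3HtT6mYbN2wL8cKa",
    "victim-B": "Buy decryptor here 1 BTC 1Escov9XkPqQ5vdRzj3HtT6mYbN2wL8cKa",
    "victim-C": "Buy decryptor here 1 BTC 3Campaign2wQkR7nHvYbMzT5xJpL9dFg4e",
}


if __name__ == "__main__":
    print(hunt(SAMPLE_PE))
    for wallet, ids in cluster_by_wallet(SAMPLE_NOTES).items():
        print(wallet, "->", ids)
```

Run `hunt()` over suspect binaries from %ProgramData%\WindowsTask\ and similar drop paths; `cluster_by_wallet()` over the HOW_TO_RETURN_FILES.txt notes collected from several hosts shows at a glance which infections belong to the same campaign.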

Broader impact:
Escovinda demonstrates how quickly a “single-purpose” ransomware compiled with open-source crypto libraries can weaponise high-impact domain-control exploits. Its use of MS-SQL as the initial beach-head circumvents many organisations’ “workstation-centric” EDR positioning. Patch cadence for server-side software and strict SQL hardening remain the decisive defenses.

Stay safe – test your restores regularly, and treat any “.escovinda” sighting as a full-domain incident until proven otherwise.