eternal
Technical Breakdown
1. File Extension & Renaming Patterns
- Confirmation of File Extension: .eternal (lower-case, appended directly after the original extension, e.g. invoice.xlsx.eternal).
- Renaming Convention: The malware preserves the original file name, including its extension, and simply appends “.eternal”. No e-mail address, random hex string, or campaign ID is inserted into the name, a trait that makes encrypted files easy to spot in large file shares (a plain suffix match is enough).
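The convention above is simple enough to turn into a triage script. The following is an added example, not code from the original write-up: it takes a listing of a share, recovers the original file name for every file that follows the documented pattern (lower-case suffix, nothing inserted), separates out files that carry the suffix but not the pattern (wrong case, or an e-mail/hex tag of the kind other families insert), and counts which original extensions were hit. The share paths and file names are constructed for illustration; the regexes for e-mail and hex victim tags are my own assumptions about what other families insert, not something the write-up states.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Iterable, Optional

SUFFIX = ".eternal"   # exact lower-case suffix documented above

# Markers that OTHER families insert before their suffix (a bracketed e-mail
# address, an "id-<hex>" victim tag). These patterns are an assumption for the
# example; Eternal inserts nothing, so a match argues against this family.
_EMAIL = re.compile(r"[\[(]?[\w.+-]+@[\w-]+(?:\.[\w-]+)+[\])]?")
_HEX_ID = re.compile(r"[._-](?:id[-_]?)?[0-9A-Fa-f]{8,}$")


def original_name(encrypted_name: str) -> Optional[str]:
    """Return the pre-encryption file name if `encrypted_name` follows the
    documented convention (<name>.<ext>.eternal, lower-case suffix, nothing
    inserted); otherwise None."""
    if not encrypted_name.endswith(SUFFIX):
        return None                      # wrong case or a different suffix
    stem = encrypted_name[: -len(SUFFIX)]
    if not stem or _EMAIL.search(stem) or _HEX_ID.search(stem):
        return None                      # looks like another family's naming
    return stem


def triage(paths: Iterable[str]) -> dict:
    """Summarise a share listing: files matching the Eternal convention, files
    carrying the suffix without the convention, and original extensions hit
    (useful for scoping impact before restoring from backup)."""
    hits, nonconforming = [], []
    for p in paths:
        name = PureWindowsPath(p).name    # handles UNC/backslash paths on any OS
        orig = original_name(name)
        if orig is not None:
            hits.append(orig)
        elif name.lower().endswith(SUFFIX):
            nonconforming.append(name)
    exts = Counter(PureWindowsPath(o).suffix.lower() or "<none>" for o in hits)
    return {
        "eternal": len(hits),
        "suffix_but_nonconforming": len(nonconforming),
        "by_original_ext": dict(exts),
        "originals": hits,
    }


# Constructed sample listing (not real victim data).
SAMPLE_LISTING = [
    r"\\fs01\finance\invoice.xlsx.eternal",
    r"\\fs01\finance\Q3-report.docx.eternal",
    r"\\fs01\hr\photo.JPG.eternal",
    r"\\fs01\hr\readme.txt",                                          # untouched
    r"\\fs01\it\backup.zip.id-1A2B3C4D.[help@example.com].eternal",  # other family's style
    r"\\fs01\it\notes.txt.ETERNAL",                                   # wrong case
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

On a live share, feed `triage()` the output of a recursive directory walk; the `originals` list doubles as the restore list for backup tooling, and a non-zero `suffix_but_nonconforming` count is a prompt to check whether a second family is present.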
2. Detection & Outbreak Timeline
- Approximate Start Date: First submissions to public sandboxes and ID Ransomware appeared in late February 2021; widespread opportunistic campaigns peaked March–May 2021, and a further wave was observed in December 2022.
3. Primary Attack Vectors
- Propagation Mechanisms
- Phishing e-mails carrying ISO, ZIP or password-protected Office attachments that launch a malicious HTA, which in turn runs a PowerShell stager.
- Externally exposed RDP, either brute-forced or purchased from initial-access brokers, followed by manual deployment of the Eternal binary.
- Exploitation of unpatched public-facing applications (Telerik UI, Log4j, Atlassian Confluence OGNL injection) to drop the payload.
- Once inside, lateral movement via WMI and PsExec, with stolen credentials used for domain-wide deployment; no self-propagating SMB exploit code comparable to WannaCry's has been observed.
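Because the operators move laterally by hand with PsExec and WMI rather than with a worm, the hosts they touch leave ordinary Windows telemetry behind. The following is an added example, not code from the original write-up: it runs three detections over normalised event records (a PsExec-style service installation in System event 7045, execution of the PsExec service binary, and a command interpreter spawned by WmiPrvSE.exe in Security event 4688) and lists the hosts that need containment. The event records are constructed for illustration, and the flat dictionary shape is an assumption about how a SIEM would present them; the parent-process field in 4688 is only populated on newer Windows builds, so in practice Sysmon event 1 is the more reliable source for the WMI rule.

```python
import re
from typing import Dict, Iterable, List

# Service names PsExec (and the common PAExec clone) register on the target.
# PsExec can be told to use another name with -r, so this is a floor, not a ceiling.
_PSEXEC_SERVICE = re.compile(r"^(PSEXESVC|PAExec-)", re.I)
_PSEXEC_IMAGE = re.compile(r"\\(PSEXESVC|PAExec-[^\\]*)\.exe$", re.I)
# A shell or script host spawned by the WMI provider host indicates remote
# command execution rather than ordinary provider activity.
_WMI_PARENT = re.compile(r"\\WmiPrvSE\.exe$", re.I)
_SUSPICIOUS_CHILD = re.compile(
    r"\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$", re.I)


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Run the three rules over normalised events; return one alert per match."""
    alerts = []
    for ev in events:
        eid, host = ev.get("event_id"), ev.get("host")
        if eid == 7045:   # System: a service was installed
            if _PSEXEC_SERVICE.search(ev.get("ServiceName", "")) or \
               _PSEXEC_IMAGE.search(ev.get("ImagePath", "")):
                alerts.append({"host": host, "rule": "psexec_service_install",
                               "detail": f"{ev.get('ServiceName')} -> {ev.get('ImagePath')}"})
        elif eid == 4688:  # Security: a new process was created
            new = ev.get("NewProcessName", "")
            parent = ev.get("ParentProcessName", "")
            if _PSEXEC_IMAGE.search(new):
                alerts.append({"host": host, "rule": "psexec_service_binary",
                               "detail": f"{new} (user {ev.get('SubjectUserName')})"})
            elif _WMI_PARENT.search(parent) and _SUSPICIOUS_CHILD.search(new):
                alerts.append({"host": host, "rule": "wmi_remote_exec",
                               "detail": f"{parent} -> {new} (user {ev.get('SubjectUserName')})"})
    return alerts


def affected_hosts(events: Iterable[Dict]) -> List[str]:
    """Hosts with at least one lateral-movement alert, for containment scoping."""
    return sorted({a["host"] for a in detect(events)})


# Constructed sample events (not real telemetry); field names follow the
# Windows event schema, the flat layout is an assumption for the example.
SAMPLE_EVENTS = [
    {"host": "FS01", "channel": "System", "event_id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "AccountName": "LocalSystem"},
    {"host": "FS01", "channel": "Security", "event_id": 4688,
     "NewProcessName": r"C:\Windows\PSEXESVC.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe", "SubjectUserName": "SYSTEM"},
    {"host": "WS12", "channel": "Security", "event_id": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "SubjectUserName": r"CORP\svc_backup"},
    {"host": "WS12", "channel": "Security", "event_id": 4688,      # benign
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "SubjectUserName": r"CORP\alice"},
    {"host": "DC01", "channel": "System", "event_id": 7045,        # benign
     "ServiceName": "Backup Agent", "ImagePath": r"C:\Program Files\Vendor\agent.exe",
     "AccountName": "LocalSystem"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("hosts to contain:", affected_hosts(SAMPLE_EVENTS))
```

The rules are deliberately narrow so that a hit is worth an analyst's time; a renamed PsExec service (`-r`) or a WMI child outside the interpreter list will be missed, which is why the service-install rule should be paired with a baseline of expected 7045 events per host rather than used alone.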