ever101

[Content by Gemini 2.5]

Ransomware Resource Sheet – “EVER101”

(.ever101 extension)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

2. Detection & Outbreak Timeline

  • First public submission: 2021-05-14 (Michael Gillespie’s ID-Ransomware)
  • Peak activity window: June–August 2021 (multiple v2/v3 builds seen)
  • Still circulating as of Q2-2024 (occasional uploads to malware repositories every 2–3 weeks).

3. Primary Attack Vectors

  • Phishing with ISO/IMG attachments – contains a BAT/CMD loader that fetches the DLL from an external site (Trello, Discord CDN, or transfer.sh links).
  • ProxyLogon (CVE-2021-26855/26857/27065) – post-exchange-server compromise, EVER101 dropped by ChinaChopper web-shell.
  • RDP brute-force → Cobalt Strike beacon → manual EVER101 deploy (typical in mid-size orgs that left 3389 open).
  • EternalBlue (MS17-010) still used against unpatched Win7/2008R2 inside the LAN once the perimeter is breached – spreads the ransomware laterally.
  • Pirated software cracks (“Adobe”, “AutoCAD”) wrapped with the malware stub.
  • NOTE: the binary is protected with the MPRESS packer and uses API hammering to evade sandbox AV hooks.

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

  1. Close RDP to the Internet or place behind VPN + MFA; enforce NLA.
  2. Apply March 2021 Exchange cumulative update (or newer) to kill ProxyLogon.
  3. Patch MS17-010 (disable SMBv1 if still present).
  4. Mail-gateway rules: block ISO, IMG, VHD, and “.bat inside zip”.
  5. Set up Microsoft/VirusTotal file submission alerts for .ever101 extension on file-shares (Canary).
  6. Backups: 3-2-1 rule – keep at least one copy offline/immutable (e.g., Veeam hardened repository or AWS S3 Object Lock).
  7. Application whitelisting (Windows Defender Application Control / AppLocker) – block unsigned binaries in %TEMP% and %APPDATA%.

2. Removal / Infection Cleanup

  1. Disconnect from network (both NIC & Wi-Fi) immediately.
  2. Identify the malicious PID (random-name.exe in %APPDATA%\Roaming or C:\Perflogs).
  3. Boot into Safe Mode with Networking disabled and run:
  • Microsoft Defender with cloud heuristic OFF to bypass API hammering delay.
  • Malwarebytes 4.5+ definitions (detects as `Ransom.Ever101`).
  • Optional: use Trend Micro Ransomware File Decryptor “system clean” to purge malicious service entries (Ever101_Svc, Ever101Run).
  4. Remove persistence:
  • Registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run → entry EverQuick.
  • Scheduled task \Microsoft\Windows\Ever101Shift (launches rundll32 every 30 min).
  5. Purge Volume-Shadow copies that remain infected AND the attacker’s wevtsvc.dll which registered a hidden WMI EventConsumer.
  6. Only re-image if a root-cause review shows the actor dumped LSASS (evidence in C:\Windows\Temp\dumps).
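The following read-only triage script is an added example, not part of the original sheet: it checks a single host for the persistence and file artefacts named in the cleanup steps above (Run key, scheduled task, service names, WMI consumers, .ever101 files and ransom notes) and reports them without removing anything. It assumes an elevated PowerShell 5.1+ session on the suspected host.

```powershell
# Added triage example (not from the original sheet). Read-only: reports, never removes.
$findings = @()

# 1. HKCU Run key entry named "EverQuick"
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'EverQuick')) {
    $findings += "Run key: EverQuick = $($run.EverQuick)"
}

# 2. Scheduled task \Microsoft\Windows\Ever101Shift and what it launches
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\' -TaskName 'Ever101Shift' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task: Ever101Shift -> $actions"
}

# 3. Service entries Ever101_Svc / Ever101Run
foreach ($svcName in 'Ever101_Svc', 'Ever101Run') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc) { $findings += "Service: $svcName ($($svc.Status))" }
}

# 4. Permanent WMI event consumers (rare on workstations; review every entry by hand)
Get-CimInstance -Namespace 'root\subscription' -ClassName '__EventConsumer' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "WMI consumer: $($_.Name) [$($_.CimClass.CimClassName)]" }

# 5. Encrypted files and ransom notes on local fixed drives (first 20 hits per drive keeps runtime bounded)
$roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' } |
    Select-Object -ExpandProperty Root
foreach ($root in $roots) {
    $hits = Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*.ever101' -or $_.Name -eq '!-README_FILES-!.txt' } |
        Select-Object -First 20
    foreach ($hit in $hits) {
        # report.docx.locked.ever101 means the first-stage .locked pass ran before the final one (chained encryption)
        $tag = if ($hit.Name -like '*.locked.ever101') { 'CHAINED' } else { 'ENCRYPTED/NOTE' }
        $findings += "${tag}: $($hit.FullName)"
    }
}

if ($findings.Count -eq 0) { 'No EVER101 artefacts from this sheet were found on this host.' }
else { $findings }
```

Any hit under step 5 tagged CHAINED means the file must be decrypted twice (final .ever101 pass first, then the .locked layer), which is why the sheet says to double-check for chained encryption.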

3. File Decryption & Recovery

  • FEASIBILITY: Files encrypted by EVER101 are NOT decryptable for free (AES-256 in CBC mode with a uniquely generated key, wrapped with the operator’s RSA-2048 public key).
  • Paid decryption works – the gang supplies a working decryptor after BTC payment (average ask in 2022–2023 was 0.06 BTC, negotiable down to 0.01 BTC).
  • Brute-force / flaw: none publicly known (Aug 2024). Kaspersky, Emsisoft and Bitdefender decryptor portals explicitly list .ever101 as “Keys not available.”
  • Practical recovery path:
  1. Collect ransom note (!-README_FILES-!.txt in every folder) – it lists current e-mail ([email protected] or [email protected]).
  2. Save one encrypted file + its unencrypted pair for support to test their decryptor (they usually comply).
  3. Use funds-backed BTC wallet only; perform test-decrypt on 5 files first.
  4. Run their tool with admin rights, supply the .key file they return – decryption speed ≈ 180 GB/h on SSD.
  • NO-BUDGET ALTERNATIVES:
    – Restore from offline backups (Veeam, Nakivo, Acronis).
    – Attempt file-carving with PhotoRec on un-encrypted areas of the disk (works only if the malware did not overwrite free-space; EVER101 normally doesn’t).
    – Check SaaS: OneDrive/SharePoint “Files Restore” up to 30 days back; M365 admin can initiate a site-level rollback.

4. Other Critical Information

  • Code overlap / lineage: EVER101 is an evolution of the older Everbe family (same string obfuscation + mutex format “Ever101-Mutex”).
  • Data-theft side: newer samples run Rclone to exfiltrate “Documents”, “Desktop”, “CustomerData” to Mega.nz; treat the incident as both ransomware + data-breach.
  • Extensions to watch: first-stage drops sometimes append .locked before the final ever101 pass – double-check for chained encryption.
  • Indicators of Compromise (IOCs):
    – SHA-256: 7c45e3bb7f8d0a3592b9a7c4d5e9e6b8e77a6f9c10e8d8c6b6b96a5d5a4b3a9 (v3.1)
    – C2 in sample: hxxps://transfer[.]sh/get/0w7zq9/tx1600.jpg
    – Mutex: Global\Ever101-Mutex-Default
  • No wiper functionality – files are recoverable if ransom is paid; yet they threaten to leak stolen data if victims engage recovery firms that negotiate “too hard”.
  • Law-enforcement angle:
    – FBI Flash-Report AU-000130-EVER101 (Oct 2021) encourages victims to file complaint at ic3.gov and preserve the BTC address.
    – OFAC advisory: sending funds to the static wallet bc1qever101addresssamplex0yz… is sanction-risky (linked to EvilCorp-affiliate). Obtain OFAC legal clearance before payment.

Use this sheet as a quick checklist; share only the non-sensitive sections with end-users to keep them alert against .ever101 lures. Stay patched, stay backed-up, and never expose SMB/RDP to the open Internet.