everbe

[Content by Gemini 2.5]


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .everbe, .everbe 2.0, or (in later campaigns) .[[email protected]].everbe.
  • Renaming Convention:
    Victim files are renamed in one of two ways, depending on the campaign:
  1. The original name is kept and the extension is replaced with .everbe
    Example: Quarterly-Report.xlsx → Quarterly-Report.everbe
  2. The address-tagged variant adds the attacker’s e-mail address, in square brackets, before the final extension
    Example: Quarterly-Report.xlsx → Quarterly-Report.[[email protected]].everbe
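To make the renaming patterns above usable in triage, here is an added example (written for this page, not code from any Everbe sample or vendor tool). It parses both conventions, recovers the original stem and the campaign contact address, and also accepts the “original extension kept” shape (Quarterly-Report.xlsx.[address].everbe) that a ransomware appending rather than replacing the extension produces, so a triage script is not fooled by either. The sample directory tree, the placeholder address contact@example.invalid and the heuristic for deciding whether a stem still carries its real extension are all constructed for the example.

```python
import os
import re
import tempfile
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Ransom-note file names given on this page, compared case-insensitively.
RANSOM_NOTES = {"!=how_recovery_files=!.txt", "readme.txt"}

# Matches:  report.everbe | report.[mail].everbe | report.xlsx.[mail].everbe
EVERBE_NAME = re.compile(
    r"^(?P<stem>.+?)"                      # original name, lazy so the tag is not swallowed
    r"(?:\.\[(?P<contact>[^\]\\/]+)\])?"   # optional .[attacker e-mail] tag
    r"\.everbe$",
    re.IGNORECASE,
)


class EverbeName(NamedTuple):
    stem: str                 # name with the ransomware suffix (and tag) removed
    contact: Optional[str]    # e-mail from the square-bracket tag, if any
    original_ext: str         # ".xlsx" if the stem still carries it, else ""


def parse_everbe_name(name: str) -> Optional[EverbeName]:
    """Return the parsed parts of an Everbe-style file name, or None if it is not one."""
    m = EVERBE_NAME.match(name)
    if not m:
        return None
    stem = m.group("stem")
    _, ext = os.path.splitext(stem)
    # Heuristic (constructed for this example): a short alphanumeric suffix is a real
    # extension; otherwise the extension was replaced and the true type has to be
    # recovered from the file's magic bytes, not from its name.
    if not (1 < len(ext) <= 6 and ext[1:].isalnum()):
        ext = ""
    return EverbeName(stem, m.group("contact"), ext.lower())


def summarize(root: str) -> Dict[str, object]:
    """Walk a tree: which files were hit, which contact address tagged them, where the
    notes are, and which original types were affected (to prioritise restores)."""
    encrypted: List[str] = []
    notes: List[str] = []
    contacts: Counter = Counter()
    by_ext: Counter = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if f.lower() in RANSOM_NOTES:
                notes.append(path)
                continue
            parsed = parse_everbe_name(f)
            if parsed:
                encrypted.append(path)
                by_ext[parsed.original_ext or "<unknown>"] += 1
                if parsed.contact:
                    contacts[parsed.contact.lower()] += 1
    return {"encrypted": encrypted, "notes": notes,
            "contacts": dict(contacts), "by_extension": dict(by_ext)}


def build_sample_tree() -> str:
    """Create a constructed victim directory in a temp folder (placeholder names only)."""
    root = tempfile.mkdtemp(prefix="everbe-demo-")
    os.makedirs(os.path.join(root, "Finance"))
    for name in ("Quarterly-Report.everbe",
                 "Budget-2018.xlsx.[contact@example.invalid].everbe",
                 "Notes.[contact@example.invalid].everbe",
                 "!=How_recovery_files=!.txt",
                 "clean.docx"):
        with open(os.path.join(root, "Finance", name), "wb") as fh:
            fh.write(b"\x00")
    return root


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(build_sample_tree()))
```

On a real share, point summarize() at the share root: the contacts map ties hosts to the same campaign, and by_extension tells you what to restore first. Names whose extension was replaced report <unknown>, so identify their type from content before restoring.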

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
  • First samples seen in the wild: late April 2018
  • Peak distribution window: May – August 2018; sporadic re-appearances until Q1-2019.
  • Malware-family clustering: Everbe is considered a fork of the Saturn ransomware, which was still active at the time; the two share more than 80 % code overlap.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  • Phishing mail with double-extension or RTF attachments. Common lure themes: “Payment copy”, “New order”, “Voice message from Avaya”.
  • Cracked-software bundles uploaded to file-sharing sites (warez, KMS-pico, Adobe cracks).
  • Brute-forced or leaked RDP credentials. Attackers manually drop the payload as C:\Users\Public\svchost.exe (the name of a legitimate Windows binary that only ever lives under %WINDIR%\System32 or SysWOW64, so the path itself is the tell) and launch it from the interactive RDP session.
  • No built-in network self-spreader. Once inside, adversaries perform lateral movement with PsExec / WMI to stage the executable on every reachable machine before triggering the encryption.
  • No CVE-specific exploit chain; the group relies on social engineering and credential reuse, not on SMB/EternalBlue-type worms.

Remediation & Recovery Strategies

1. Prevention

  • Proactive Measures:
  • Do not expose RDP (TCP/3389) to the Internet; require a VPN with multi-factor authentication for remote access, and enable Network Level Authentication and account lockout on any RDP that remains reachable.
  • Mandate that e-mail gateways strip macro-enabled Office files (.docm, .xlsm) and double-extension attachments.
  • Deploy application whitelisting (WDAC / AppLocker) that blocks execution from %TMP%, %PUBLIC%, and user-writable shares.
  • Block pirated software and “keygens” by policy and at the gateway: Everbe is frequently bundled with them, exploiting users’ tolerance for cracked tools. Keep third-party products (WinRAR ≤ 5.60, Adobe, etc.) patched as well; that does not stop the bundle vector, but it removes the exploit path of malicious archives and documents.
  • Keep offline, versioned backups (3-2-1 rule). Everbe deletes Volume Shadow Copies (vssadmin delete shadows /all), so any snapshot the infected host can reach and delete does not count as a backup; storage-side or immutable snapshots (ZFS, S3 Object Lock, Acronis Cyber Cloud, etc.) that the host cannot alter are essential.
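Detection logic for the behaviours named in the attack-vector list (payload dropped as svchost.exe under C:\Users\Public, staging via PsExec / WMI) and for the shadow-copy deletion just above, as an added example; this is not code from the page's sources or from any vendor product. The events are constructed, normalized process-creation records in the shape Sysmon Event ID 1 or EDR telemetry provides; host names, users and paths are invented. It also flags the wmic shadowcopy delete form, which the page does not mention but which has the same effect.

```python
import ntpath
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed process-creation records. Hosts, users and paths are made up for this
# example; nothing here is an artefact from an Everbe sample.
SAMPLE_EVENTS: List[Event] = [
    {"host": "FS01", "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"host": "FS01", "user": r"CORP\jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r'"C:\Users\Public\svchost.exe"'},
    {"host": "FS01", "user": r"CORP\jdoe",
     "parent": r"C:\Users\Public\svchost.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin  Delete Shadows /All /Quiet"},
    {"host": "WS07", "user": r"CORP\svc_backup",
     "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r"C:\Users\Public\svchost.exe"},
    {"host": "WS07", "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic shadowcopy delete"},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# %PUBLIC%, the per-user %TMP% and the machine-wide temp dir: the locations the
# prevention list says should never be allowed to execute code.
USER_WRITABLE = (r"c:\users\public", r"\appdata\local\temp", r"c:\windows\temp")
# A child of these parents was started remotely: PsExec's service stub or the WMI provider host.
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}
SHADOW_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b"
)


def evaluate(ev: Event) -> List[str]:
    """Return the names of every rule the event trips (empty list = nothing of interest)."""
    hits: List[str] = []
    image = ev["image"].lower()
    cmd = re.sub(r"\s+", " ", ev["cmdline"].lower())   # normalise case and spacing
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    # svchost.exe is legitimate only under System32/SysWOW64; anywhere else is a masquerade.
    if ntpath.basename(image) == "svchost.exe" and ntpath.dirname(image) not in SYSTEM_DIRS:
        hits.append("svchost_masquerade")
    if any(marker in image for marker in USER_WRITABLE):
        hits.append("exec_from_user_writable")
    # Benign admin tooling also spawns from these parents, so this is context, not proof.
    if ntpath.basename(ev["parent"].lower()) in REMOTE_EXEC_PARENTS:
        hits.append("remote_exec_parent")
    return hits


def scan(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(host, image, rule) for every hit, preserving event order."""
    return [(ev["host"], ev["image"], rule) for ev in events for rule in evaluate(ev)]


if __name__ == "__main__":
    for host, image, rule in scan(SAMPLE_EVENTS):
        print(f"{host:6} {rule:26} {image}")
```

Rule order in evaluate() is fixed so output is stable, and scan() keeps event order, which matters: an execution from %PUBLIC% followed by a shadow-copy deletion on the same host is the pre-encryption sequence to isolate on, not something to queue for later review.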

2. Removal

  • Infection Cleanup (step-by-step):
  1. Physical or network isolation of the affected host to prevent last-stage lateral movement.
  2. Collect a triage package (MFT, EVTX, memory dump) for forensics before first reboot.
  3. Boot into Safe-Mode-with-Networking or a WinPE USB.
  4. Delete residual artefacts:
    • Executable: C:\Users\Public\svchost.exe (or path from ransom notes).
    • Autorun entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run → svcHost.
    • Scheduled task EverbeService if one is present.
  5. Run a full scan with an offline AV rescue disk (Kaspersky, ESET, Windows Defender Offline) to remove any dropped backdoors (Kpot, Aundo, or Dridex often accompany Everbe).
  6. Reset credentials: force an AD password reset for every account that logged on to an affected host during the incident (and reset krbtgt twice if a domain controller was touched); check domain controllers for evidence that NTDS.dit was copied or credentials were dumped.
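Step 4 is where an offline autostart export earns its keep. The following added example (not from the page's sources or from Sysinternals) triages an Autoruns CSV export for the artefacts listed in step 4 and turns the hits into the cmd.exe removal commands an analyst would review. The CSV excerpt is constructed; its column names are what autorunsc.exe -c emits as far as I recall and should be checked against your own export. triage_autoruns() and removal_plan() are hypothetical helper names.

```python
import csv
import io
from typing import Dict, List

# Constructed excerpt shaped like an Autoruns CSV export (autorunsc.exe -a * -c -s -h).
# Column names are an assumption to verify against a real export; rows, users and
# paths are invented for this page and are not artefacts from any Everbe sample.
SAMPLE_AUTORUNS_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
20180612-081502,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.17134.1,%windir%\system32\SecurityHealthSystray.exe
20180612-081502,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svcHost,enabled,Logon,CORP\jdoe,,(Not verified),,c:\users\public\svchost.exe,,C:\Users\Public\svchost.exe
20180612-081502,Task Scheduler,\EverbeService,enabled,Tasks,System-wide,,(Not verified),,c:\users\public\svchost.exe,,C:\Users\Public\svchost.exe
20180612-081502,HKLM\System\CurrentControlSet\Services,Schedule,enabled,Services,System-wide,Task Scheduler,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\schedsvc.dll,10.0.17134.1,%SystemRoot%\system32\svchost.exe -k netsvcs
"""

USER_WRITABLE = (r"c:\users\public", r"\appdata\local\temp", r"c:\windows\temp")
PERSISTENCE_LOCATIONS = (r"\currentversion\run", "task scheduler")
# Persistence names this page associates with Everbe: Run value "svcHost", task "EverbeService".
KNOWN_NAMES = {"svchost", "everbeservice"}


def triage_autoruns(csv_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious autostart entry, with the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        location = row["Entry Location"].lower()
        entry = row["Entry"].strip("\\").lower()
        image = row["Image Path"].lower()
        signer = row["Signer"].strip()
        in_persistence = any(p in location for p in PERSISTENCE_LOCATIONS)
        reasons: List[str] = []
        if in_persistence and entry in KNOWN_NAMES:
            reasons.append("known_everbe_persistence_name")
        if in_persistence and not signer.startswith("(Verified)"):
            reasons.append("unverified_autostart")
        if not signer.startswith("(Verified)") and any(m in image for m in USER_WRITABLE):
            reasons.append("unverified_binary_in_user_writable_path")
        if reasons:
            findings.append({"location": row["Entry Location"], "entry": row["Entry"],
                             "image": row["Image Path"], "reasons": reasons})
    return findings


def removal_plan(findings: List[Dict[str, object]]) -> List[str]:
    """cmd.exe commands for step 4: delete the autostart entries, then the dropped binaries.
    Print and review them; do not pipe them into a shell unread."""
    cmds: List[str] = []
    images = set()
    for f in findings:
        loc = str(f["location"])
        if r"\currentversion\run" in loc.lower():
            # An HKCU value lives in the logged-on user's hive: run this as that user,
            # or address the loaded hive as HKU\<SID> instead of HKCU.
            cmds.append(f'reg delete "{loc}" /v "{f["entry"]}" /f')
        elif loc.lower() == "task scheduler":
            cmds.append(f'schtasks /Delete /TN "{f["entry"]}" /F')
        images.add(str(f["image"]))
    cmds.extend(f'del /f "{img}"' for img in sorted(images))
    return cmds


if __name__ == "__main__":
    hits = triage_autoruns(SAMPLE_AUTORUNS_CSV)
    for h in hits:
        print(h["location"], h["entry"], h["reasons"])
    print("\n".join(removal_plan(hits)))
```

Run the removal commands only after the triage package from step 2 is safely off the host, and note that the same dropped binary is usually referenced by several autostart entries, which is why the plan deduplicates the del commands.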

3. File Decryption & Recovery

  • Recovery Feasibility:

  • No publicly known flaw exists in Everbe’s Salsa20 implementation; therefore no free universal decryptor is available.

  • Under limited circumstances partial recovery is possible:

    • If the campaign used a hard-coded key (a few early builds), test the Saturn-Everbe decryptor tool released by Emsisoft (v2018-07-03) against copies of the encrypted files, never against the only remaining instance.
    • ShadowExplorer or PhotoRec can retrieve small Office auto-saves or cached files that escaped the deletion routine.
  • Otherwise the only guaranteed route is restoring from offline backups. Negotiating with the actor is not recommended: payment does not always yield a working key.

  • Essential Tools/Patches:

  • Emsisoft-Saturn-Everbe-Decrypter (for early variants with leaked keys).

  • Kaspersky RannohDecryptor (does NOT support Everbe, but useful for cleaning up previous ransomware clusters on the same hosts).

  • MS17-010 and current cumulative patches (Everbe rarely uses SMB exploits, but patching is still good hygiene).

  • Sysinternals Autoruns, Velociraptor, or GRR for enterprise-wide artefact hunting.

4. Other Critical Information

  • Additional Precautions (what makes Everbe different?):

  • Installs a second-stage stealer (Kpot, Arkei) that exfiltrates browser and crypto-wallet data before encryption starts; assume that data-breach notification obligations apply.

  • Drops ransom notes named !=How_recovery_files=!.txt and readme.txt. Each contains the static Tor URL hxxp://kdvm5fd6tn6jsbxtq[.]onion and an e-mail address that changes from campaign to campaign, so the address is the campaign-level IOC while the note names and URL identify the family.

  • The 32-bit build deletes itself after execution, while 64-bit payloads stay resident; collect and inspect both architectures.

  • File-selection logic: only *.exe, *.dll and *.sys under %WINDIR% are skipped; virtual-disk images (*.vmdk, *.vhd) and SQL / Oracle data files are encrypted, so snapshots that live on storage the infected host can write to are not a sufficient backup.

  • Broader Impact:

  • Everbe was overshadowed by the bigger 2018 families (GandCrab, SamSam), yet it still hit dozens of SMBs in the EU and LATAM, especially local governments that fell for the fake “income-tax refund” lure.

  • Highlighted the cracked-software vector; many victims confessed to using pirated engineering tools, reminding organizations that “shadow-IT installs” remain a top entry point for commodity ransomware.

  • Because Everbe’s operators frequently re-package Saturn’s builder, the family continues to pop up in one-off campaigns – keeping IOC hunting and offline backups relevant long after the original wave.


Bottom line: If you find files bearing .everbe and no recent, detached, tested backups, treat the situation as a full rebuild + potential credential-breach scenario rather than a straightforward decrypt-and-go recovery.