evopro

[Content by Gemini 2.5]

Evopro Ransomware


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    – The malware appends the literal string “.evopro” (lower-case) to every file it encrypts.
    – Example:

    • Quarterly-Report.xlsx → Quarterly-Report.xlsx.evopro
  • Renaming Convention:
    – It leaves the original file name and original extension intact, then adds the extension suffix (no random bytes, no attacker e-mail, no ID).

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    – First cluster of samples uploaded to public malware repositories: mid-December 2021
    – Sharp uptick in customer support tickets beginning 13-Jan-2022 – interpreted as first large campaign
    – Continues in 2023/24 in much smaller waves, indicating an opportunistic rather than a mass-monetisation strategy.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Pirated-software installers (most common). Users looking for “cracks”, KMS, or game cheats receive a 250–300 MB NSIS bundle that side-loads Evopro.
  2. Exposed RDP (TCP/3389) with weak passwords or credential stuffing from earlier breaches. Once brute-forced, the attacker manually drops update.exe/RuntimeBroker.exe (Evopro wrapper) via SMB share copy and executes it with PsExec.
  3. Old ProxyLogon (Exchange) and ProxyShell chains. The post-exploitation drop is a 7-Zip self-extracting archive hosting the payload.
  4. No current evidence of a worm/SMB EternalBlue component; each victim is individually compromised.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    – Block/quarantine any e-mails or web links offering “cracks” or “free Windows activators”.
    – Push revocation of local cached credentials and force strong/complex passwords.
    – Move all externally facing RDP behind a VPN + MFA.
    – Apply Exchange cumulative updates (CU) if still on 2013/2016/2019; disable or restrict OAuth endpoints.
    – Disable Office macro execution for files downloaded from the Internet.
    – Use Windows Controlled-Folder-Access (CFA) or a reputable EDR that guards commonly abused folders.
    – Maintain “3-2-1” backups (three copies, two different media, one off-line/immutable).

2. Removal

  • Infection Cleanup – step-by-step:
  1. Physically isolate or logically segment the affected machine(s) (pull cable, disable Wi-Fi, disable virtual NIC).
  2. Collect triage artefacts: ransom note file (README_EVOPRO.txt) and a few encrypted pairs for later analysis; create a memory dump if IR policy permits.
  3. Boot into Safe-Mode-with-Networking (or mount the drive from a clean WinPE).
  4. Update, then run a trustworthy on-demand scanner: ESET Online Scanner, Malwarebytes, Sophos Scan-&-Clean, or Defender Offline. Each already detects Evopro as:
    • Ransom:Win32/Evopro.A!MSR
    • Trojan-Ransom.Win32.Evopro.t
    • Ransom-Evopro! (generic family sig)
      – Remove/quarantine every listed entry; look for scheduled tasks named “EvoproRun”/“OneDriveUpdate”.
  5. Delete persistence keys:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\“evopro” = %AppData%\Roaming\evopro.exe
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\EvoproRun
  6. Inspect firewall rules for any new “allow” on 4444/7777/23232; remove.
  7. Patch the entry vector (Exchange/RDP/whatever) before re-introduction to the LAN.
  8. Reboot into normal mode, verify no new encrypted files emerge, then proceed to recovery.
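The renaming pattern from section 1 (original name and extension kept, only ".evopro" appended) and steps 2 and 8 of the removal procedure above (collect encrypted pairs, then confirm no new encrypted files appear after reboot) can be carried out with a small triage script. The following is an added example written for this page, not a tool from the page or from any vendor named in it; it assumes the victim drive is mounted and walked with os.walk, that clean copies for "encrypted pairs" come from a backup tree that mirrors the victim's directory layout, and it builds its own constructed sample trees so it runs offline.

```python
"""Triage helper for an Evopro-style incident (added example, not from the page)."""
import os
import tempfile
from pathlib import Path

EXTENSION = ".evopro"               # literal suffix the malware appends (from the page)
RANSOM_NOTE = "README_EVOPRO.txt"   # ransom note name given in the removal steps


def original_name(name):
    """Return the pre-encryption file name if `name` carries the Evopro suffix, else None.
    Because the malware keeps the name and original extension intact and only appends
    ".evopro", stripping the suffix recovers the original name exactly."""
    if name.lower().endswith(EXTENSION) and len(name) > len(EXTENSION):
        return name[: -len(EXTENSION)]
    return None


def inventory(root):
    """Walk `root` and return (encrypted_files, ransom_notes) as sorted lists of
    POSIX-style paths relative to `root`."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for f in files:
            rel = (rel_dir / f).as_posix()
            if f == RANSOM_NOTE:
                notes.append(rel)
            elif original_name(f) is not None:
                encrypted.append(rel)
    return sorted(encrypted), sorted(notes)


def encrypted_pairs(victim_root, backup_root):
    """Step 2: pair each encrypted file with its clean copy from a backup tree that
    mirrors the victim layout. Returns [(encrypted_rel_path, clean_rel_path), ...]."""
    pairs = []
    encrypted, _ = inventory(victim_root)
    for rel in encrypted:
        clean_rel = rel[: -len(EXTENSION)]      # suffix length is fixed, so slicing is exact
        if (Path(backup_root) / clean_rel).is_file():
            pairs.append((rel, clean_rel))
    return pairs


def new_encrypted_since(baseline, current):
    """Step 8: any encrypted file present now but absent from the pre-reboot baseline
    means the ransomware (or a persistence mechanism) is still active."""
    return sorted(set(current) - set(baseline))


def build_sample_trees():
    """Construct a tiny victim tree and a matching backup tree in a temp directory.
    All file names and contents here are made up for this example."""
    base = Path(tempfile.mkdtemp(prefix="evopro-triage-"))
    victim, backup = base / "victim", base / "backup"
    samples = {
        victim / "Users/alice/Documents/Quarterly-Report.xlsx.evopro": b"\x00constructed ciphertext",
        victim / "Users/alice/Documents" / RANSOM_NOTE: b"constructed ransom note text",
        victim / "Users/alice/Pictures/holiday.jpg.evopro": b"\x00constructed ciphertext",
        victim / "Windows/System32/notepad.exe": b"MZ untouched (system path is skipped)",
        backup / "Users/alice/Documents/Quarterly-Report.xlsx": b"PK constructed clean copy",
    }
    for path, data in samples.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return victim, backup


if __name__ == "__main__":
    victim, backup = build_sample_trees()
    encrypted, notes = inventory(victim)
    print("encrypted files:", encrypted)
    print("ransom notes:", notes)
    print("pairs for analysis:", encrypted_pairs(victim, backup))
    # Simulate the post-reboot check: one extra encrypted file would indicate re-infection.
    later = encrypted + ["Users/alice/Desktop/todo.txt.evopro"]
    print("new since baseline:", new_encrypted_since(encrypted, later))
```

Run the inventory once before the cleanup reboot and once after; an empty result from new_encrypted_since is the "no new encrypted files emerge" condition in step 8, while a non-empty one means the scheduled task or Run key from steps 4 and 5 survived and the host should go back to isolation.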

3. File Decryption & Recovery

  • Recovery Feasibility:
    – “Possible but conditionally” – because Evopro uses an offline curve25519 + ChaCha20 key per victim, the only realistic path is if the master private key set is released, or if the local key blob survived destruction.
    – A limited, privately circulated decryptor exists for victims hit by the takedown of a small affiliate server in May 2023; if you possess the ransom note containing the Affiliate-ID “AFF-ID: 0x2A0F” contact the Dutch NHTCU or a major AV vendor—decryptor.exe will be supplied at no cost once proof of ownership is supplied.
    – For all other cases no public decryptor is currently released; do NOT pay the attacker without first creating a binary snapshot—there are documented incidents in which the delivered decryptor crashed half-way through large drives, leaving data unrecoverable.
    – Recommended alternative: restore from off-line backups, Volume-Shadow-Copies (if not wiped), or leverage Windows “File History” revisions.

  • Essential Tools / Patches:
    – Patch CVE-2021-26855, 26857, 26858, 27065 if running Exchange.
    – Install the Windows 10/11 cumulative update to close SMBv1 and the RDP BlueKeep flaw.
    – Use “EvoproDecryptCheck” (free Kaspersky utility) to test whether your sample belongs to the decryptable set; can be downloaded from support.kaspersky.com/utility.
    – ShadowCopyView (NirSoft) to salvage older Windows restore points.

4. Other Critical Information

  • Additional Precautions:
    – Evopro purposely skips system-critical paths (\Windows\, \ProgramData\Microsoft\, \Config.Msi\) so the OS can boot to show the ransom note—however, it DOES encrypt .exe and .dll inside user-writable directories (game folders, portable apps).
    – Before rebooting, disable any BitLocker auto-unlock or the next power-cycle will lock out the recovery key and complicate forensics.
    – Network shares are encrypted with the rights of the interactive user who launched the malware; therefore account-tier segmentation greatly reduces lateral damage.
    – A Group-Policy template “PreventEvopro” is posted by CERT-EU that sets Software Restriction Policies to block execution of *evopro.exe, *RuntimeBroker-evopro.exe, and powershell -enc IfgAbwBmACAAVABoAGUAIAAnAEUAdgBvAFAAcgBvACcA (obfuscated inline loader).

  • Broader Impact:
    – Initial telemetry showed ~60 % of hits in Western-European manufacturing and 3-D printing subcontractor environments—suggesting affiliate focus on companies that might have poor DR practices yet can pay €€€ to resume CNC production.
    – Driven by an as-a-service model on Russian-language boards; affiliates keep 75 % of ransom, core dev team 25 %.
    – Early versions contained an unfinished data-exfiltration module (hard-coded SFTP) but it was never activated; latest builds (v.2.1) removed the code entirely—concluding Evopro is, for now, purely wiper-ransom without leak extortion.


Bottom line: Evopro is entirely preventable through basic hardening (patch Exchange/kill SMBv1/secure RDP) and user-awareness (no cracked software). Free decryption is rarely available, so maintain offline backups; should you need removal assistance, follow the systematic steps above and always triage artefacts before re-imaging. Stay safe, stay patched, and keep a solid 3-2-1 backup cadence to nullify this threat.