exqed

[Content by Gemini 2.5]

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension: .exqed

  • Complete pattern used in the wild:
    <original-file-name>.<original-extension>.id-<12-to-18-digit-VICTIM-ID>.[<TELL-ME-YOUR-ID>@TUTA.IO].exqed

    Example:
    Budget2019.xlsx → Budget2019.xlsx.id-A12B34C56D78E910.[[email protected]].exqed

    The “VICTIM-ID” and the contact address vary per affiliate; some samples append [(random-number)].exqed instead. The malware writes an identical-length, high-entropy 32-byte block to every encrypted file header, making magic-byte carving impossible without the key.
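As an added example (not part of the original breakdown), a small Python triage helper that parses the renaming pattern above and groups encrypted files by victim ID and contact address, so a responder can tell from a share listing whether one or several IDs are present. It assumes the victim ID is 12-18 hex characters (the page's own example is hex rather than purely numeric) and uses a constructed placeholder contact address.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regex for the renaming pattern described above. Assumptions (not from the
# page): the victim ID is 12-18 hex characters (the page's own example is
# hex, not purely numeric); the contact part is either [email] or [(number)].
EXQED_RE = re.compile(
    r"^(?P<original>.+?)"                       # original name + extension
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{12,18})"   # .id-<VICTIM-ID>
    r"\.\[(?P<contact>[^\[\]]+)\]"              # .[contact@...] or .[(123)]
    r"\.exqed$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class ExqedName:
    original: str
    victim_id: str
    contact: str

def parse_exqed_name(name: str) -> Optional[ExqedName]:
    """Return the parsed parts of an .exqed file name, or None if it does not match."""
    m = EXQED_RE.match(name)
    if not m:
        return None
    return ExqedName(m["original"], m["victim_id"].upper(), m["contact"])

def triage(names):
    """Group encrypted file names by (victim_id, contact) so responders can see
    whether one or several affiliates/IDs are present in a share listing."""
    groups = {}
    for n in names:
        parsed = parse_exqed_name(n)
        if parsed is None:
            continue
        groups.setdefault((parsed.victim_id, parsed.contact), []).append(parsed.original)
    return groups

# Constructed sample listing (the contact address is a placeholder, not a real one).
SAMPLE_LISTING = [
    "Budget2019.xlsx.id-A12B34C56D78E910.[contact@example.test].exqed",
    "Q3-report.docx.id-A12B34C56D78E910.[contact@example.test].exqed",
    "photo.jpg.id-0011223344FF.[(4821)].exqed",
    "info.hta",                 # ransom note, not an encrypted file
    "notes.txt.exqed",          # missing id/contact: does not match the pattern
]

if __name__ == "__main__":
    for key, files in triage(SAMPLE_LISTING).items():
        print(key, files)
```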


2. Detection & Outbreak Timeline

  • Earliest telemetry hits: 15 March 2022 (Korea, Japan, Germany)
  • Rapid uptick in postings on ID-Ransomware & BleepingComputer forums: April 2022 → May 2022
  • Current status: Actively maintained; new builds (≈ 3 per month) still uploaded to VirusTotal with slightly changed packers but unchanged encryption core.

(The underlying engine is Phobos-family v2.9 → 3.1.)


3. Primary Attack Vectors

  • RDP brute-force / credential stuffing – most common. Affiliates target exposed RDP (TCP 3389), then disable AV via WMIC and run the dropper locally.
  • Phishing with ISO / IMG / VHD attachments (bypass MOTW) containing a .NET loader (Ctey.exe, Dattach.bat).
  • Exploitation of vulnerable Citrix ADC / NetScaler (CVE-2019-19781) and FortiGate SSL-VPN (CVE-2018-13379) for perimeter access; script then pushes Exqed.exe via PsExec.
  • Malvertising leading to SmokeLoader → Exqed (smaller subset, May 2022 wave).

Remediation & Recovery Strategies

1. Prevention

  • Close/block RDP at the perimeter; enforce VPN + MFA.
  • Require MFA for any remote-admin tool (AnyDesk, ScreenConnect, Atera, etc.).
  • Microsoft security baseline + LAPS + “Protected Users” group to keep local admins from living-off-the-land.
  • Patch externally facing apps: Citrix, Fortinet, VMware, Exchange, Log4j.
  • Disable SMBv1 everywhere; segment LAN via VLAN + ACL.
  • Application whitelisting / Windows Defender ASR rules: block Office macros, executable launch from archive, and wscript.exe.
  • 3-2-1 backups that are credentials-isolated (cloud object-lock / immutable Linux repo). Test monthly restores.

2. Removal in 2024 Builds

  1. Disconnect NIC / disable Wi-Fi immediately.
  2. Boot into Safe-Mode-with-Networking (the RDP variant often keeps a watchdog service that spoofs svchost.exe).
  3. Identify the persistence service (random 8-char name, description “Windows Update Medical Service”). Run:
       sc stop <name> & sc delete <name>
     Then, in AutoRuns, delete the service entry.
  4. Delete the malware binaries (usually %ProgramData%\[8-random]\[8-random].exe and a duplicate in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup).
  5. Remove the WINAPI Run key and scheduled task that re-launches the decryptor reader (info.hta). A PowerShell one-liner that helps (note the HKCU: drive prefix, which Remove-ItemProperty requires):
       Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '*exqed*' -ErrorAction SilentlyContinue
  6. Reboot normally, install OS updates, run a full AV/EDR scan (current Microsoft, Kaspersky, ESET, CrowdStrike, SentinelOne all have static detections: Ransom:Win32/Phobos.PB!MTB, Trojan-Ransom.Win32.Cryptor.dmfr, etc.).
  7. Only after the environment is verified clean (24 h quiet period) bring servers online and begin data recovery.

3. File Decryption & Recovery

  • Offline decryption is NOT possible. Phobos/Exqed uses Curve25519 for the victim file key pair; that secret is encrypted with the attacker’s master public key—no known flaw.
  • Brute-forcing a 256-bit EC secret is computationally out of reach.
  • No free public decryptor exists; any site advertising “Exqed decryptor” is scamware.
  • Recovery options therefore reduce to:
      • Clean, tested, off-line backups.
      • File shadow copies (often deleted by the ransomware, but sometimes missed on non-system drives → check vssadmin list shadows before cleanup).
      • Windows File-History / 3rd-party backup agents (Veeam, Acronis, Macrium) that kept data outside the mounted file system.
      • Automatic cloud sync with versioning (OneDrive for Business, Google Drive “Manage versions,” Dropbox Rewind).
      • Partial recovery with forensic carving (PhotoRec) works only on large, contiguous files (JPEG, MPEG, some PST/OST) whose headers sit beyond the 1 MB page the ransomware overwrites.
      • Paying the ransom (~0.3-1.2 BTC, sliding scale) sometimes works; affiliates provide a working EXE that auto-decrypts. However: no guarantee, provides funding to criminals, may still leak exfiltrated data, and is illegal to pay under some sanctions regimes—treat as absolute last resort.

4. Other Critical Information

  • Data exfiltration: modern Exqed affiliates run Rclone or MegaCMD prior to encryption and threaten publication on “MARKET-LEAKS” blog if the victim contacts incident-response firms or law-enforcement. Assume breach and review outbound traffic logs for cloud-storage sites.
  • Event-log wipe: the malware clears the System & Security logs, but often forgets PowerShell Operational and Task Scheduler; review those for lateral movement clues.
  • Encrypted network shares: uses WNetAddConnection2 with stolen cleartext or NTLM hashes → run klist purge and change all service-account passwords after cleanup to kill lingering tickets.
  • Unlike “big-name” specimens (Ryuk, Conti), this affiliate model runs with limited budgets; they frequently abandon victims who bargain more than 10 days, which leaves evidence behind—helpful for DFIR but useless for decryption.
  • Larger impact: Phobos variants account for ~7 % of all ransomware submissions to ID-Ransomware in 2023; Exqed is ~1 % of that subset. Hospitals, local government and small manufacturing SMEs in the US and KR are disproportionately hit due to exposed RDP and legacy OS.
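As an added example (not part of the original breakdown), a Python pass over outbound proxy logs that implements the exfiltration review suggested above: it totals bytes per source host sent to cloud-storage domains or by sync-tool user agents. The log format, the domain suffixes, the "rclone/" and "megacmd" user-agent prefixes and the 50 MB threshold are assumptions for this example; the log lines are constructed.

```python
import re
from collections import defaultdict

# Indicators drawn from the text above: Rclone and MegaCMD traffic before
# encryption. Domain suffixes and the User-Agent prefixes are assumptions
# for this example, not values taken from the page.
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "mega.co.nz", "mega.io")
SUSPECT_UA_PREFIXES = ("rclone/", "megacmd")

# Constructed proxy-log format: <timestamp> <src_ip> <host> <bytes_out> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)\s+"(?P<ua>[^"]*)"$'
)

def is_cloud_storage(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)

def is_suspect_agent(ua: str) -> bool:
    return ua.lower().startswith(SUSPECT_UA_PREFIXES)

def find_exfil_candidates(lines, min_bytes=50_000_000):
    """Return {src: (total_bytes, sorted reasons)} for sources that sent at least
    min_bytes to cloud-storage hosts or via rclone/MegaCMD user agents."""
    totals = defaultdict(int)
    reasons = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip lines that do not fit the format
        if is_cloud_storage(m["host"]):
            reasons[m["src"]].add("cloud-storage host")
        elif is_suspect_agent(m["ua"]):
            reasons[m["src"]].add("sync-tool user agent")
        else:
            continue                      # ordinary traffic, not counted
        totals[m["src"]] += int(m["bytes"])
    return {src: (totals[src], sorted(reasons[src]))
            for src in totals if totals[src] >= min_bytes}

# Constructed sample log lines (private IPs, made-up byte counts).
SAMPLE_LOG = [
    '2022-05-03T01:12:08Z 10.0.5.21 g.api.mega.co.nz 120000000 "Mozilla/5.0"',
    '2022-05-03T01:14:30Z 10.0.5.21 storage.example.test 900000000 "rclone/v1.58.0"',
    '2022-05-03T01:15:02Z 10.0.5.40 www.example.test 4000 "Mozilla/5.0"',
    '2022-05-03T01:16:44Z 10.0.5.77 mega.nz 2000 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, (total, why) in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"{src}: {total} bytes ({', '.join(why)})")
```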

Remember: Isolate, triage, rebuild from safe media, patch, harden, monitor, and keep immutable backups—those six steps curb Exqed faster than any decryptor ever will.