failedaccess

[Content by Gemini 2.5]

Technical & Recovery Dossier

Variant in focus: failedaccess (the extension that follows the dot in “Invoice.doc.failedaccess”)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .failedaccess (exact, lower-case, 12 characters after the dot)
  • Renaming Convention:
    • Appends the single extension to the original file name.
      Example: 2024-TaxReturns.xlsx → 2024-TaxReturns.xlsx.failedaccess
    • Does NOT scramble the base name (some strains do; this one simply tacks on the extra token).
  • Drops a concise ransom note FAILED_ACCESS_README.txt (sometimes also FAILED_ACCESS.hta) into every folder that contains encrypted material, plus the desktop and public shares.
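The renaming pattern and note names above are simple enough to triage from a script. The following is an added example (not code from the dossier) that walks a directory tree, counts files carrying the appended extension per folder, lists the ransom notes it finds, and derives the pre-encryption name of each file by stripping the single appended token (possible precisely because the base name is not scrambled). The sample tree is constructed in a temp directory so it runs offline; the folder and file names in it are invented.

```python
"""Added example: triage a tree for .failedaccess files and ransom notes.
Not part of the original dossier; the sample layout is constructed."""
import os
import tempfile
from collections import defaultdict

EXTENSION = ".failedaccess"
NOTE_NAMES = {"FAILED_ACCESS_README.txt", "FAILED_ACCESS.hta"}


def original_name(filename: str):
    """Return the pre-encryption file name, or None if not renamed.

    The variant appends one token and keeps the base name intact, so
    stripping the suffix once recovers the original name. A file that is
    nothing but the extension is not a renamed document.
    """
    if filename.endswith(EXTENSION) and len(filename) > len(EXTENSION):
        return filename[: -len(EXTENSION)]
    return None


def scan_tree(root: str) -> dict:
    """Summarise an infected-looking tree.

    Returns {"encrypted": {relative_dir: [original names]},
             "notes": [note paths], "total_encrypted": int}.
    """
    encrypted = defaultdict(list)
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in NOTE_NAMES:
                notes.append(os.path.join(dirpath, name))
                continue
            orig = original_name(name)
            if orig is not None:
                encrypted[os.path.relpath(dirpath, root)].append(orig)
    total = sum(len(v) for v in encrypted.values())
    return {"encrypted": dict(encrypted), "notes": sorted(notes),
            "total_encrypted": total}


def build_sample_tree() -> str:
    """Constructed sample layout mirroring the renaming pattern described above."""
    root = tempfile.mkdtemp(prefix="failedaccess-demo-")
    layout = {
        "Finance": ["2024-TaxReturns.xlsx.failedaccess",
                    "Invoice.doc.failedaccess",
                    "FAILED_ACCESS_README.txt"],
        "Desktop": ["notes.txt", "FAILED_ACCESS_README.txt", "FAILED_ACCESS.hta"],
        "Untouched": ["readme.md"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(f"{report['total_encrypted']} encrypted files, "
          f"{len(report['notes'])} ransom notes")
    for folder, names in report["encrypted"].items():
        print(f"  {folder}: {names}")
```

Point the scanner at a mounted image or a restored share rather than a live infected host; the per-folder counts tell you which shares the locker reached, and the recovered names are what you match against backup catalogues.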

2. Detection & Outbreak Timeline

  • First public submission to VT: 2023-08-14 (Defender sig Ransom:Win32/FailedAccess.A!MTB).
  • Major infection spikes recorded:
    • 2023-Oct (U.S. & LATAM healthcare clinics; attributed to TA释迦, a small IAB).
    • 2024-Feb (European managed-service providers via ScreenConnect CVE-2023-38205).
    • 2024-May (continued abuse of “aaaa”-style RDP sprawl usernames after Citrix NetScaler CVE-2023-4966).
  • Still considered “active – medium-volume” as of Q2-2024.

3. Primary Attack Vectors

  1. Internet-facing RDP / RD Gateway brute-force (default or recycled credentials).
  2. Exploitation of recent remote-access CVEs rather than old SMB1/EternalBlue:
     • CVE-2023-46818 – outdated ScreenConnect path-traversal → plain-text config theft → admin session hijack.
     • CVE-2023-4966 – Citrix NetScaler “Bleed” information leak → session-token theft → internal pivot.
  3. Malspam waves with ISO→LNK chains (“DHL shipping notification”, “Voice message attached”) leading to a .NET loader (SystemBC → Cobalt Strike beacon) that manually stages the locker.
  4. Living-off-the-land preparation:
     • wmic shadowcopy delete
     • bcdedit /set {default} recoveryenabled no
     • vssadmin resize shadowstorage (shrinks to 401 MB so prior shadows are erased)
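The three preparation commands listed above are visible in process-creation telemetry (Sysmon Event 1 or Security 4688) before any file is touched, which makes them a useful early tripwire. The following is an added example (not from the dossier) that classifies command lines against those three patterns and flags a host as "staging" when more than one fires. The size threshold below which a shadowstorage resize is treated as a shrink, and the sample event records, are assumptions constructed for the demo; the benign entries deliberately include the remediation commands from the Removal section so they do not alert.

```python
"""Added example: detect shadow-copy / recovery tampering in process-creation
records. Not from the original dossier; events and threshold are constructed."""
import re
from collections import defaultdict

# Assumed threshold: an absolute shadowstorage maxsize below this is a shrink.
SMALL_SHADOW_MB = 1024

# Rule name -> regex over the normalised (lower-cased, single-spaced) command line.
RULES = [
    ("shadowcopy-delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("recovery-disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
]
RESIZE_RX = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")
MAXSIZE_RX = re.compile(r"/maxsize=(\d+)\s*(kb|mb|gb|%)?")


def normalise(cmd: str) -> str:
    return re.sub(r"\s+", " ", cmd.strip().lower())


def shadowstorage_maxsize_mb(cmd: str):
    """Absolute /maxsize in MB, or None when unbounded or given as a percentage."""
    m = MAXSIZE_RX.search(cmd)
    if not m:
        return None
    value, unit = int(m.group(1)), m.group(2) or "b"
    if unit == "%":
        return None  # percentage resize is the normal administrative form
    scale = {"b": 1 / (1024 * 1024), "kb": 1 / 1024, "mb": 1, "gb": 1024}[unit]
    return value * scale


def classify(cmd: str) -> list:
    """Return the rule names that fire for one command line."""
    c = normalise(cmd)
    hits = [name for name, rx in RULES if rx.search(c)]
    if RESIZE_RX.search(c):
        mb = shadowstorage_maxsize_mb(c)
        if mb is not None and mb < SMALL_SHADOW_MB:
            hits.append("shadowstorage-shrink")
    return hits


def scan_events(events) -> list:
    """events: dicts with host, user, cmdline. Returns one alert per rule hit."""
    return [{**e, "rule": rule} for e in events for rule in classify(e["cmdline"])]


def staging_hosts(alerts) -> list:
    """Hosts where two or more distinct tampering rules fired: pre-encryption staging."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= 2)


# Constructed sample records (hostnames and users are invented).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "support", "cmdline": "wmic shadowcopy delete"},
    {"host": "FS01", "user": "support", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "FS01", "user": "support", "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    # Benign: the re-enable steps from the Removal section.
    {"host": "WS07", "user": "itadmin", "cmdline": "bcdedit /set {default} recoveryenabled yes"},
    {"host": "WS07", "user": "itadmin", "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=15%"},
    {"host": "WS07", "user": "itadmin", "cmdline": "wmic os get caption"},
]

if __name__ == "__main__":
    alerts = scan_events(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a['host']:5} {a['rule']:22} {a['cmdline']}")
    print("staging hosts:", staging_hosts(alerts))
```

A single hit is worth a ticket; two or more on one host inside a short window is the point at which to isolate, because the page puts the gap between this preparation and encryption at hours at most.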

Remediation & Recovery Strategies

1. Prevention

  • Kill the door the adversary walks through:
    • Disable RDP from the Internet – if business-critical, place it behind VPN + MFA.
    • Patch remote-access tooling within 24 h (ScreenConnect, AnyDesk, NetScaler ADC/Gateway, ConnectWise, etc.).
    • Disable Office-macro execution for files from the Internet.
    • Use LAPS for local-admin randomisation; block RDP users from belonging to “Domain Admins”.
  • Keep offline, credentials-separated (immutable) backups. The malware explicitly enumerates network shares, cloud-drive letters (OneDrive, Box, Dropbox) and VM volumes; only fully-offline copies survive.
  • Turn on controlled-folder-access (Windows) / System-Integrity-Protection (macOS) to stop unsigned processes from mass-rewriting user documents.
  • Monitor Event 4625, 4647 and Sysmon 10/11 spikes – “aaaa” or “support” brute bursts often precede the payload by <6 h.

2. Removal (clean-up without reinstalling)

A. Isolate

  • Shut down Wi-Fi / unplug LAN. Disable Wi-Fi adapter in BIOS if necessary.

B. Boot into Safe-Mode-with-Networking or Windows-RE

  • Run an offline scan using Microsoft Defender or a vendor rescue ISO (ESET SysRescue, Kaspersky Rescue Disk).
  • Quarantine/Delete the following artefacts the sample drops (paths vary):
    • C:\ProgramData\svcspray.exe (wormy SMB spreader)
    • C:\Users\Public\taskdl.exe (runner that re-launches the locker via ScheduledTask)
    • $Recycle.bin\failedaccess-locker.dll (core encryptor, .NET 4 compiled)

C. Remove persistence

  • ScheduledTask names to nuke: “WindowsDeviceCheck”, “DefenderSvcsCheck”.
  • Remove any abnormal Autorun entry (Sysinternals Autoruns) pointing to the above executables or to DLLs with no publisher.

D. Re-enable protections that were disabled

  • bcdedit /set {default} recoveryenabled yes
  • Re-create shadow-storage with default 15% of disk size:
    vssadmin resize shadowstorage /for=C: /on=C: /maxsize=15%

E. Patch and reboot. Then run a second-opinion scan (Malwarebytes, Sophos) while still disconnected from the production LAN.

3. File Decryption & Recovery

  • Recovery feasibility:
    With current samples the threat actor uses Curve25519 + ChaCha20-Poly1305; the private key is kept server-side. NO public decryptor exists as of 2024-06.
  • Only options are:
    a) Full restore from offline/backup media;
    b) Negotiation/payment (not recommended – only 11 out of >400 submitted IDs show proof-of-purchase receipts, therefore trust-level is “none”);
    c) Shadow-copy or file-carving recovery for files locked by the overwriting note (50/50 chance if the encryptor crashed midway).
  • Essential prevention/recovery tools/patches:
    • Latest Windows cumulative patch is sufficient now (2024-06 B) – no extra KB needed for this malware itself (it does not exploit an OS bug).
    • For ScreenConnect customers: upgrade to ≥23.9.8 (LTS) immediately (patches CVE-2023-46818 & CVE-2024-1709).
    • Citrix ADC/Gateway firmware ≥14.1-12.26 / 13.1-52.25 (fixes CVE-2023-4966).
    • RDPGuard or Syspeace to auto-blacklist sources with >3 failed logins.
    • Free ID-Ransomware & “Trend-Micro Ransomware File-Decryptor” home pages – use them to double-check if keys surface later.

4. Other Critical Information

  • Differentiator #1: Unlike Phobos/Dharma it does NOT leave email addresses in the ransom note – instead a hard-coded Tor v3 domain is shipped inside the executable; Tor is launched silently via “tor.exe” bundled under %TEMP%.
  • Differentiator #2: The same affiliate signs the malware with a valid but stolen Authenticode certificate taken from a Brazilian software house. Revoked certs (serial 3b:5f:…) are still embedded in some older infections – a useful IOC when hunting.
  • Differentiator #3: Language-based kill-switch: if GetSystemDefaultLangID() returns Russian, Ukrainian or Belarusian it exits without encrypting (a common trick to keep CIS law enforcement uninterested).
  • Broader impact: Vast majority of victims are 50-200 seat MSP/healthcare verticals; the “smash-n-grab” window is short (≤2 h) because the affiliate knows external access will be cut quickly once encryption is noticed.
  • Average demanded ransom: 1.7 BTC (Aug-2023) → 0.72 BTC (2024) – trend down, but double-extortion (data theft) is claimed in 70% of incidents, posted on “Breached” forum if unpaid.
  • Estimated global monetary loss (direct + downtime): USD 42 million (mid-2023 to Q2-2024).

Key Takeaways

  1. .failedaccess is NOT decryptable—treat offline backups as your only safe exit.
  2. Patch RDP & appliances first; this gang rarely re-infects the same network if those vectors are closed.
  3. Keep an eye on Sysmon 11 (FileCreate) events in quick succession plus 4624 “Logon-Type-10” from an odd geolocation – that pair predicts encryption within minutes.
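The Prevention section's advice to watch for 4625 brute bursts, and takeaway 3's pairing of a Logon-Type-10 4624 from an odd location with a burst of Sysmon 11 FileCreate events, both reduce to a sliding-window count over ordered event records. The following added example (not from the dossier) implements both checks on one constructed event set: a spray of failures from a single source using the "aaaa"/"support"/"admin" usernames, then hours later an RDP logon from an unexpected country followed by a file-creation burst on the same host. Thresholds, window sizes, the expected-country allow-list, hostnames, the 203.0.113.7 documentation-range source address and the country codes are all assumptions for the demo; a GeoIP enrichment step supplying the country field is assumed to run upstream.

```python
"""Added example: sliding-window detections for (1) 4625 failed-logon bursts
per source and (2) a Logon-Type-10 4624 from an unexpected country followed
by a Sysmon 11 FileCreate burst on the same host. Not from the original
dossier; all thresholds and sample records are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_BURST = 20                        # assumed: failures per source per window
FAIL_WINDOW = timedelta(minutes=5)
FILE_BURST = 50                        # assumed: FileCreate events per window
FILE_WINDOW = timedelta(seconds=30)
PAIR_WINDOW = timedelta(minutes=10)    # assumed: logon-to-burst pairing window
EXPECTED_COUNTRIES = {"US"}            # assumed for the sample estate


def failed_logon_bursts(events) -> list:
    """Alert once per source IP whose 4625 count inside FAIL_WINDOW reaches FAIL_BURST."""
    per_ip = defaultdict(deque)
    flagged, alerts = set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event_id"] != 4625:
            continue
        q = per_ip[e["src_ip"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > FAIL_WINDOW:
            q.popleft()
        if len(q) >= FAIL_BURST and e["src_ip"] not in flagged:
            flagged.add(e["src_ip"])
            alerts.append({"src_ip": e["src_ip"], "count": len(q),
                           "users": sorted({x["user"] for x in q}),
                           "first": q[0]["ts"], "last": e["ts"]})
    return alerts


def rdp_logon_then_file_burst(events) -> list:
    """Pair a 4624 type-10 logon from outside EXPECTED_COUNTRIES with a Sysmon 11
    burst on the same host within PAIR_WINDOW of the logon."""
    evs = sorted(events, key=lambda x: x["ts"])
    logons = [e for e in evs if e["event_id"] == 4624 and e.get("logon_type") == 10
              and e.get("country") not in EXPECTED_COUNTRIES]
    alerts = []
    for lg in logons:
        creates = deque()
        for e in evs:
            if e["event_id"] != 11 or e["host"] != lg["host"]:
                continue
            if e["ts"] < lg["ts"] or e["ts"] - lg["ts"] > PAIR_WINDOW:
                continue
            creates.append(e)
            while e["ts"] - creates[0]["ts"] > FILE_WINDOW:
                creates.popleft()
            if len(creates) >= FILE_BURST:
                alerts.append({"host": lg["host"], "user": lg["user"],
                               "country": lg["country"], "logon_at": lg["ts"],
                               "burst_at": e["ts"]})
                break
    return alerts


def build_sample_events() -> list:
    """Constructed records: timestamps, hosts, IPs and countries are invented."""
    t0 = datetime(2024, 5, 3, 2, 14, 0)
    ev = []
    # 25 failures in ~4 minutes from one source, cycling spray usernames.
    for i in range(25):
        ev.append({"ts": t0 + timedelta(seconds=10 * i), "event_id": 4625, "host": "RDGW01",
                   "src_ip": "203.0.113.7", "user": ["aaaa", "support", "admin"][i % 3]})
    # Three scattered failures from a workstation: must not fire.
    for i in range(3):
        ev.append({"ts": t0 + timedelta(minutes=20 * i), "event_id": 4625, "host": "RDGW01",
                   "src_ip": "10.0.0.55", "user": "jsmith"})
    # Five hours later: RemoteInteractive logon from an unexpected country...
    t1 = t0 + timedelta(hours=5)
    ev.append({"ts": t1, "event_id": 4624, "host": "FS01", "src_ip": "203.0.113.7",
               "user": "support", "logon_type": 10, "country": "ZZ"})
    # ...followed by 60 FileCreate events in ~18 s on that host.
    for i in range(60):
        ev.append({"ts": t1 + timedelta(minutes=4, milliseconds=300 * i), "event_id": 11,
                   "host": "FS01", "src_ip": None, "user": "support"})
    # Expected-country RDP logon with no burst afterwards: must not fire.
    ev.append({"ts": t1 + timedelta(minutes=30), "event_id": 4624, "host": "FS02",
               "src_ip": "10.0.0.55", "user": "jsmith", "logon_type": 10, "country": "US"})
    return ev


if __name__ == "__main__":
    sample = build_sample_events()
    for a in failed_logon_bursts(sample):
        print(f"4625 burst from {a['src_ip']}: {a['count']} failures, users={a['users']}")
    for a in rdp_logon_then_file_burst(sample):
        print(f"type-10 logon on {a['host']} from {a['country']} at {a['logon_at']} "
              f"then FileCreate burst at {a['burst_at']}")
```

The first detector is cheap enough to run continuously on the gateway's log stream; the second should page someone, because by the time the file-creation burst is visible the locker is already writing.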

Stay safe—and back up like you mean it.