fastrecovery.xmpp.jp

[Content by Gemini 2.5]

Comprehensive Ransomware Resource for the .fastrecovery.xmpp.jp / “J-Sec Ransomware”


Technical Breakdown

1. File Extension & Renaming Patterns

  • Extension affixed: .fastrecovery.xmpp.jp
    Example: Q4-Budget.xlsx → Q4-Budget.xlsx.fastrecovery.xmpp.jp
  • No file-name scrambling – the malware preserves the original base name and simply appends the full domain string.
  • Dropped marker file: ReadMe.txt (sometimes Read_Me.txt or Restore-My-Files.txt) in every folder containing encrypted data.

2. Detection & Outbreak Timeline

  • First public submissions: 2024-03-04 (Japan-centric forums)
  • Wider telemetry spikes: 2024-04-12 → 2024-05-01 (JPCERT/CC & NICT sensors)
  • Most current variants observed: through Q2-2024

3. Primary Attack Vectors

  1. Weaponised RDP
    – Password spraying plus reusable credentials harvested by infostealers (Raccoon, Vidar).
    – Port 3389 exposed to the Internet, followed by manual "hands-on-keyboard" deployment.
  2. Malicious MSIX / MSI bundles
    – Fake "Windows 11 24H2 Update" e-mails carrying MSIX attachments; the package launches install-job.exe, which drops and runs fastrecovery.exe.
  3. EternalBlue (MS17-010) and BlueKeep (CVE-2019-0708) revived
    – Business-unit networks still missing the 2017/2019 patches; a worm module spreads automatically once the initial RDP foothold is in place.
  4. Drive-by via compromised WordPress sites
    – Redirects Japanese users to RIG exploit-kit landing pages → Cobalt Strike beacon → J-Sec payload.
  5. Network-share brute force (SMB/IPC$) once inside the LAN.

Remediation & Recovery Strategies

1. Prevention (applies to all Windows estates)

  • Patch:
    – MS17-010, CVE-2019-0708, and the current month's cumulative update.
  • Network segmentation, and disable SMBv1 (remove the feature completely, not just the server setting).
  • Zero-exposure RDP: VPN-only, 2FA, Network Level Authentication, account lock-out, and Restricted Admin mode so that RDP sessions do not leave reusable credentials on the target.
  • Application allow-listing (WDAC/AppLocker); explicitly block %TEMP%\*.exe.
  • Remove MSIX/APPX sideloading if unused.
  • EDR/XDR in "block-unknown" mode; enable the ASR rule "Block process creations originating from PSExec and WMI commands".
  • Immutable, offline backups (3-2-1) on write-once storage or with cloud object lock.
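The following script is an added example and is not part of the original write-up. It audits the host-level controls from the list above (SMBv1 removal, RDP NLA and Restricted Admin, the PsExec/WMI ASR rule in Block mode, and inbound firewall rules that expose 3389 to any address) and, with -Remediate, applies the hardened setting. It assumes a Windows 10/11 client (on Server the SMB1 feature is removed with Remove-WindowsFeature FS-SMB1 instead) and Microsoft Defender AV; the ASR rule GUID is Microsoft's published ID for that rule.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): audit the prevention controls
# listed above; -Remediate applies the hardened value where a control is weak.
# Assumes a Windows 10/11 client with Defender AV. The GUID is Microsoft's ID
# for "Block process creations originating from PSExec and WMI commands".
[CmdletBinding()]
param([switch]$Remediate)

$AsrPsExecWmi = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
$findings = @()

function Add-Finding([string]$Control, [bool]$Ok, [string]$Detail) {
    $script:findings += [pscustomobject]@{
        Control = $Control
        Status  = $(if ($Ok) { 'OK' } else { 'WEAK' })
        Detail  = $Detail
    }
}

# 1. SMBv1 must be off both as a Windows feature and in the SMB server configuration.
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
$smb1Ok = ($smb1Feature.State -ne 'Enabled') -and (-not $smb1Server)
Add-Finding 'SMBv1 disabled' $smb1Ok "feature=$($smb1Feature.State) server=$smb1Server"
if (-not $smb1Ok -and $Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 2. RDP: Network Level Authentication required, Restricted Admin mode enabled.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty $rdpKey).UserAuthentication
Add-Finding 'RDP NLA required' ($nla -eq 1) "UserAuthentication=$nla"
if ($nla -ne 1 -and $Remediate) { Set-ItemProperty $rdpKey UserAuthentication 1 }

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ra = (Get-ItemProperty $lsaKey -ErrorAction SilentlyContinue).DisableRestrictedAdmin
Add-Finding 'RDP Restricted Admin mode' ($ra -eq 0) "DisableRestrictedAdmin=$ra (0 = enabled; absent = off)"
if ($ra -ne 0 -and $Remediate) { Set-ItemProperty $lsaKey DisableRestrictedAdmin 0 -Type DWord }

# 3. Defender ASR rule for PsExec/WMI process creation must be present with action 1 (Block).
$mp  = Get-MpPreference
$ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$idx = [array]::IndexOf($ids, $AsrPsExecWmi)
$asrOk = ($idx -ge 0) -and ($mp.AttackSurfaceReductionRules_Actions[$idx] -eq 1)
Add-Finding 'ASR PsExec/WMI rule = Block' $asrOk "rule index=$idx"
if (-not $asrOk -and $Remediate) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrPsExecWmi -AttackSurfaceReductionRules_Actions Enabled
}

# 4. Inbound allow rules that open 3389 to any remote address defeat "zero-exposure RDP".
$openRdp = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
Add-Finding 'No inbound RDP rule open to Any' (-not $openRdp) (($openRdp.DisplayName) -join '; ')
if ($openRdp -and $Remediate) { $openRdp | Disable-NetFirewallRule }

$findings | Format-Table -AutoSize
```

Run it once read-only to see the WEAK rows, then with -Remediate from an elevated shell. The SMBv1 feature removal takes effect after a reboot; the other three changes apply immediately.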

2. Removal / Cleaning Process

  1. Isolate every machine showing the marker file at the same time (pull the network cable, disable Wi-Fi, or quarantine through the EDR console) to stop lateral movement. Prefer isolation to a hard power-off: powering off destroys the memory image that would show the Cobalt Strike beacon and the loader. Capture memory first where you can.
  2. Boot into Safe Mode with Networking or use a Windows PE recovery stick.
  3. Run an up-to-date scanner:
    – Microsoft Safety Scanner, ESET's stand-alone cleaner, Kaspersky Virus Removal Tool, or Sophos rescue media.
  4. Quarantine (or, if forensics is complete, delete) the malicious binaries and their launcher:
    %ProgramData%\fastrecovery.exe
    %TEMP%\srvany64.exe
    – Scheduled task \Microsoft\Windows\Maintenance\FastRecoveryReminder
  5. Remove the registry autorun and undo the Defender tamper:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FastRecoveryBackUp
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1  (delete the value or set it back to 0)
  6. Patch, then restore the startup type of the Windows Defender / third-party AV services.
  7. Check the firewall rule set for port 3389 or 3388 clones and remove unauthorised exceptions.
  8. Before bringing servers back online, validate Active Directory integrity (review recently created accounts and privileged-group changes, reset krbtgt twice) and change ALL privileged passwords.
  9. Re-image any machine you cannot verify completely (Cobalt Strike beacons like to linger).
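A single-host triage script for steps 4 to 7, written here as an added example rather than taken from the write-up. It looks for exactly the artefacts the write-up names (the two binaries, the secondary loader FastBackupService.exe mentioned further down, the scheduled task, the Run key, the Defender policy value, the pre-logon banner and inbound firewall rules on 3389/3388) and reports them. Nothing is changed unless -Remediate is passed, and even then binaries are moved to a quarantine folder (assumed path C:\IR\quarantine) rather than deleted, so they remain available for analysis. Any artefact the operator renames on a given host is outside what this script can see.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): find the J-Sec persistence and
# tamper artefacts named in the write-up on this host. Read-only by default;
# -Remediate quarantines binaries and removes the other artefacts.
# Assumptions: artefact names are exactly as listed; quarantine path is ours.
[CmdletBinding()]
param([switch]$Remediate, [string]$Quarantine = 'C:\IR\quarantine')

$Binaries = @(
    "$env:ProgramData\fastrecovery.exe",
    "$env:TEMP\srvany64.exe",
    "$env:ProgramData\FastBackupService.exe"   # secondary loader named later in the write-up
)
$TaskPath = '\Microsoft\Windows\Maintenance\'
$TaskName = 'FastRecoveryReminder'
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunName  = 'FastRecoveryBackUp'
$DefKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$Legal    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$hits = New-Object System.Collections.Generic.List[string]

# Binaries: hash before touching them so the evidence record is complete.
foreach ($p in $Binaries) {
    if (Test-Path -LiteralPath $p) {
        $sha = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $hits.Add("binary $p sha256=$sha")
        if ($Remediate) {
            New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null
            Move-Item -LiteralPath $p -Destination (Join-Path $Quarantine "$(Split-Path $p -Leaf).quarantined") -Force
        }
    }
}

# Scheduled task used as the launcher.
$task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $hits.Add("task $TaskPath$TaskName -> $($task.Actions.Execute) $($task.Actions.Arguments)")
    if ($Remediate) { Unregister-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -Confirm:$false }
}

# HKCU Run autorun (check the logged-on user; repeat per profile hive if needed).
$run = Get-ItemProperty $RunKey -ErrorAction SilentlyContinue
if ($run.$RunName) {
    $hits.Add("run key $RunName = $($run.$RunName)")
    if ($Remediate) { Remove-ItemProperty $RunKey $RunName }
}

# Defender disabled by policy.
$def = Get-ItemProperty $DefKey -ErrorAction SilentlyContinue
if ($def.DisableAntiSpyware -eq 1) {
    $hits.Add('Defender policy DisableAntiSpyware=1')
    if ($Remediate) { Remove-ItemProperty $DefKey DisableAntiSpyware }
}

# Pre-logon ransom banner (legalnoticecaption / legalnoticetext).
$legal = Get-ItemProperty $Legal -ErrorAction SilentlyContinue
if ($legal.legalnoticecaption -or $legal.legalnoticetext) {
    $hits.Add("logon banner caption='$($legal.legalnoticecaption)'")   # recorded before clearing
    if ($Remediate) {
        Set-ItemProperty $Legal legalnoticecaption ''
        Set-ItemProperty $Legal legalnoticetext ''
    }
}

# Inbound allow rules on 3389/3388 that carry no rule group (built-in rules always have one).
$fw = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { [string]::IsNullOrEmpty($_.Group) } |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.LocalPort -contains '3389') -or ($pf.LocalPort -contains '3388')
    }
foreach ($r in $fw) {
    $hits.Add("firewall rule '$($r.DisplayName)' opens $($r | Get-NetFirewallPortFilter | Select-Object -ExpandProperty LocalPort)")
    if ($Remediate) { Disable-NetFirewallRule -Name $r.Name }
}

if ($hits.Count -eq 0) { 'No J-Sec artefacts found on this host.' } else { $hits }
```

Run it first without -Remediate and keep the output with the case notes; the hashes it prints are what you compare against the IOC list below and what you hand to the vendor if a binary is not yet detected. Because the secondary loader is said to sleep 24 hours before re-installing, a clean run today does not clear the host; re-imaging remains the safe outcome for anything that had a beacon.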

3. File Decryption & Recovery

  • No implementation flaw has been found. The scheme is hybrid: Curve25519 for the key exchange and AES-256-GCM for the file data, with per-victim keys whose private half is held only on the attacker's server.
  • No free decryptor at time of writing (2024-06).
  • The list of trustworthy No More Ransom decryptors does NOT contain a tool for fastrecovery.xmpp.jp.
  • Recovery therefore relies exclusively on:
    1. Offline / off-site backup restores (preferred).
    2. Volume Shadow Copy restores (rarely possible; the ransomware runs vssadmin delete shadows /all).
    3. Windows File History or third-party backup appliances that were not mounted during the incident.
    4. Negotiation and payment (not recommended; many reports of incomplete or non-working keys even after the BTC transfer).

4. Essential Tools, IOCs, & Signatures

  • Patch baseline: the May 2024 cumulative update (includes the PrintNightmare and RCE fixes that affiliates have abused).

  • Identification helpers (none of these decrypts anything):
    – "J-Sec Dec-ID": a PowerShell helper that reads the entropy of the file footer and reports the sample ID to relay to the authorities.
    – CrowdStrike IOA template TA-JSEC-RANSOM-2024.
    – Microsoft Defender AV signature: Ransom:Win32/JSec.A

  • Network IOCs
    C2:          tcp://45.142.120.71:443
    Backup C2:   tcp://fastrecovery.xmpp.jp:5222 (direct XMPP over TLS)
    User-Agent:  Mozilla/5.0 (J-Sec-Agent-19.3.7)
  • File hashes (main dropper)
    SHA-256: 9d4b3c7bac0f8e55691c5fe9427384f3972d1ea888f14ab8e17c993172f13c31
    SHA-1:   421f9acd3c09ce8f2f3bd5f0b53ac3ffbb05a5c8
  • Ransom-note text (first 128 bytes)
    ~~~~~~~~~~~~ J-Sec FastRecovery ~~~~~~~~~~~~
    ALL YOUR COMPANY FILES HAVE BEEN ENCRYPTED….

(Use this header string for YARA hunting.)
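To scope an incident with the file-level indicators above, the following added example (not from the write-up) walks a file share or a mounted disk image and classifies what it finds: files carrying the appended extension, ransom notes whose first line is the header string, and executables whose SHA-256 matches the dropper hash listed above. It writes a CSV and prints the earliest encrypted file, which bounds when the encryption run started. It is read-only and assumes the note header is stored as plain ASCII/UTF-8 text; the report path is a name chosen for this example.

```powershell
# Added example (not from the original page): read-only hunt for the
# extension, the ransom note header and the dropper hash listed above.
# Assumes the note is plain text and that -Root is a share or mounted image.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$Root,
    [string]$Report = ".\jsec-hunt-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

$Extension     = '.fastrecovery.xmpp.jp'
$NoteNames     = 'ReadMe.txt', 'Read_Me.txt', 'Restore-My-Files.txt'
$NoteHeader    = '~~~~~~~~~~~~ J-Sec FastRecovery ~~~~~~~~~~~~'
$DropperSha256 = '9D4B3C7BAC0F8E55691C5FE9427384F3972D1EA888F14AB8E17C993172F13C31'

$results = foreach ($f in Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue) {
    $kind = $null
    if ($f.Name.EndsWith($Extension, [StringComparison]::OrdinalIgnoreCase)) {
        # The malware keeps the original name and appends the domain, so a suffix match is enough.
        $kind = 'encrypted'
    }
    elseif ($NoteNames -contains $f.Name) {
        # Only the first line is needed: the header is the start of the note.
        $first = Get-Content -LiteralPath $f.FullName -TotalCount 1 -ErrorAction SilentlyContinue
        if ($first -and $first.Trim() -eq $NoteHeader) { $kind = 'ransom-note' }
    }
    elseif ($f.Extension -in '.exe', '.dll', '.msi', '.msix') {
        $h = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -eq $DropperSha256) { $kind = 'dropper' }
    }
    if ($kind) {
        [pscustomobject]@{
            Kind         = $kind
            Path         = $f.FullName
            LastWriteUtc = $f.LastWriteTimeUtc.ToString('o')
            Bytes        = $f.Length
        }
    }
}

$results | Export-Csv -NoTypeInformation -Path $Report
$results | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize

# The earliest encrypted file gives a lower bound on when encryption began on this tree;
# compare it with RDP logon and 7045 service-install events from the same window.
$results | Where-Object Kind -eq 'encrypted' | Sort-Object LastWriteUtc | Select-Object -First 1
"Report written to $Report"
```

Hash only executables because hashing every file on a large share is slow and the dropper is the only hashed indicator on this page; a changed build will miss the hash but will still be found through the note and the extension.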

5. Other Critical Information

  • Differential traits
    – The extension embeds a domain on the Japanese XMPP service xmpp.jp (the operator's contact channel), hinting that the group markets itself primarily to Japanese victims.
    – Drops a secondary backup loader (FastBackupService.exe) that sleeps 24 hours and then re-installs if traces are left; always re-image, or run a full Sentinel/Velociraptor memory sweep.
    – Sets the pre-logon banner (the legalnoticecaption / legalnoticetext values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) to show the ransom text before user logon: a useful forensic marker.
    – Attempts to stop Veeam, Acronis and SQL services by display name, not just by process name. Monitor System log EventID 7045 (new service installed, which catches the loader) and 7036 (service entered the stopped state, which catches the backup and database services going down together).

  • Business-impact notes
    – Active in both manufacturing and local-government networks; average dwell time observed: 11 days.
    – Affiliates appear to exfiltrate blueprints (CATIA) and customer databases before encrypting, so treat every incident as a data-breach disclosure case as well.
    – Japan's Personal Information Protection Commission has confirmed that the group leaks non-payers' data on the blog jsecblog7ix2tnq3.onion.
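The service-tampering trait above is the one that is easiest to turn into a detection. The script below is an added example, not from the write-up: it pulls 7045 (service installed) and 7036 (service stopped) events from the System log for the last N hours, keeps the stops that hit the backup and database products the write-up names, and flags a burst of such stops within one minute, which is the pattern a manual "stop the backups, then encrypt" run produces. It assumes an English-localised Windows (the 7036 state text is "stopped") and the display-name patterns for Veeam, Acronis and SQL Server are this example's own; extend them for your backup product.

```powershell
# Added example (not from the original page): timeline of service installs
# (7045) and backup/SQL service stops (7036) from the System log.
# Assumes English event text ('stopped'); the display-name regex is ours.
[CmdletBinding()]
param(
    [int]$Hours = 72,
    [string]$ComputerName = $env:COMPUTERNAME
)

$since = (Get-Date).AddHours(-$Hours)
$TargetServices = '^(Veeam|Acronis|MSSQL|SQL Server|SQLSERVERAGENT|SQLAgent)'

# 7045: EventData carries ServiceName, ImagePath, ServiceType, StartType, AccountName.
$installs = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 7045; StartTime = $since } |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            TimeUtc = $_.TimeCreated.ToUniversalTime().ToString('o')
            Event   = 'ServiceInstalled'
            Service = ($d | Where-Object Name -eq 'ServiceName').'#text'
            Detail  = ($d | Where-Object Name -eq 'ImagePath').'#text'
            Account = ($d | Where-Object Name -eq 'AccountName').'#text'
        }
    }

# 7036: Properties[0] = display name, Properties[1] = 'running' | 'stopped'.
$stops = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 7036; StartTime = $since } |
    Where-Object { $_.Properties[1].Value -eq 'stopped' -and $_.Properties[0].Value -match $TargetServices } |
    ForEach-Object {
        [pscustomobject]@{
            TimeUtc = $_.TimeCreated.ToUniversalTime().ToString('o')
            Event   = 'ServiceStopped'
            Service = $_.Properties[0].Value
            Detail  = ''
            Account = ''
        }
    }

$timeline = @($installs) + @($stops) | Sort-Object TimeUtc
$timeline | Format-Table -AutoSize

# Three or more backup/SQL stops inside one minute is the burst worth alerting on,
# especially when a 7045 follows whose ImagePath points into %ProgramData% or %TEMP%.
$burst = $stops | Group-Object { ([datetime]$_.TimeUtc).ToString('yyyy-MM-dd HH:mm') } |
    Where-Object Count -ge 3
if ($burst) { 'Burst of backup/SQL service stops:'; $burst | Select-Object Name, Count }

$suspectInstalls = $installs | Where-Object { $_.Detail -match '(?i)ProgramData|\\Temp\\|AppData' }
if ($suspectInstalls) { 'Services installed from user-writable paths:'; $suspectInstalls | Format-Table -AutoSize }
```

Point -ComputerName at the backup server and the domain controllers first; those are where the write-up says the stops and the re-install happen. The same two event IDs, forwarded to a SIEM, give you the alert without running the script.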

Bottom line: there is no shortcut to decrypting data locked by .fastrecovery.xmpp.jp. Invest in offline backups, follow government and MDR/XDR vendor hardening guidance, and assume breach; then you will never need this criminal's "fast recovery". Stay vigilant, patch early, back up often, and share IOCs with the community.