[Content by Gemini 2.5]

fcfeee Ransomware – Community Resource Sheet
(Last updated: 2024-06-XX)


TECHNICAL BREAKDOWN

  1. File Extension & Renaming Patterns
    • Confirmation of File Extension: .fcfeee (lower-case, six letters, no space or dash).
    • Renaming Convention: originalname.ext.id-<8-hex-chars>.[attackeremail].fcfeee
    Example: Annual_Report.xlsx.id-A7F3B902.[[email protected]].fcfeee
    The ID is the MachineGuid hash trimmed to 8 hex characters; the e-mail varies by affiliate but is always inside square brackets.
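A parser for the renaming convention above, added here as an example (not code from the original sheet): it matches the <original>.id-<8 hex>.[<e-mail>].fcfeee pattern, rejects look-alikes such as an upper-case extension or a short ID, and groups hits by victim ID and affiliate address so a responder can see how many hosts and waves a listing covers. The sample file names and addresses are constructed placeholders.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# Renaming convention from the sheet:
#   <original>.id-<8 hex chars>.[<affiliate e-mail>].fcfeee
# The extension is matched lower-case only, as the sheet specifies.
FCFEEE_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.fcfeee$"
)


class EncryptedFile(NamedTuple):
    original: str   # file name before encryption
    victim_id: str  # trimmed MachineGuid hash, normalised to upper-case
    email: str      # affiliate contact address embedded in the name


def parse_fcfeee_name(name: str) -> Optional[EncryptedFile]:
    """Return the parsed fields if `name` follows the fcfeee convention, else None."""
    m = FCFEEE_RE.match(name)
    if m is None:
        return None
    return EncryptedFile(m["original"], m["victim_id"].upper(), m["email"])


def triage(names: List[str]) -> Tuple[List[EncryptedFile], Counter]:
    """Keep only encrypted files and count them per (victim ID, e-mail).

    One host yields one ID; different e-mails across hosts indicate
    different affiliate waves and help choose which sample to report."""
    hits = [p for p in map(parse_fcfeee_name, names) if p is not None]
    return hits, Counter((h.victim_id, h.email) for h in hits)


# Constructed sample listing; the addresses are placeholders, not real IoCs.
SAMPLE_LISTING = [
    "Annual_Report.xlsx.id-A7F3B902.[restore@example.invalid].fcfeee",
    "budget.docx.id-a7f3b902.[restore@example.invalid].fcfeee",  # same host, lower-case hex
    "photo.jpg.id-0C11DEAD.[helpdesk@example.invalid].fcfeee",   # second affiliate wave
    "READMETORESTORE.txt",                                       # ransom note, not encrypted
    "notes.txt.id-A7F3B902.[restore@example.invalid].FCFEEE",    # wrong case: not fcfeee
    "invoice.pdf.id-12345.[x@example.invalid].fcfeee",           # ID too short: not fcfeee
]

if __name__ == "__main__":
    hits, per_campaign = triage(SAMPLE_LISTING)
    for (victim_id, email), n in per_campaign.items():
        print(f"id={victim_id} email={email} files={n}")
```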

  2. Detection & Outbreak Timeline
    • First submission to ID-Ransomware: 2024-05-14.
    • Sharp uptick in Any.Run & VirusTotal PE uploads: 2024-05-20 → 2024-06-05.
    • Current status: active – new builds every 5-7 days (see “Other Critical Information”).

  3. Primary Attack Vectors
    a) Phishing with ISO/IMG attachments that contain a hidden .NET loader (stager).
    b) External RDP or ScreenConnect brute-force → Manual drop of fcfeee.exe (C:\PerfLogs\ or C:\Users\Public).
    c) Exploitation of un-patched PaperCut NG/MF servers (CVE-2023-27350 & CVE-2023-39143) – the binary is downloaded via PowerShell cradle.
    d) Living-off-the-land: uses built-in wmic / powershell to delete shadow copies; no external SMB exploit code seen so far (no EternalBlue).


REMEDIATION & RECOVERY STRATEGIES

  1. Prevention
    • Disable ISO/IMG auto-mount via GPO (Microsoft recommends this since Q2-2023).
    • Enforce 2-FA on any external RDP / ScreenConnect / AnyDesk endpoint; set the account-lockout threshold to ≤ 5 attempts.
    • Patch PaperCut (any build below 21.2.10 or 22.0.9) immediately – most June-2024 victims were months behind.
    • Application whitelisting (AppLocker / WDAC) – block unsigned .exe in %PUBLIC%, %TEMP%, and %PERFLOGS%.
    • Harden PowerShell: enable Constrained Language mode (CLM), set the execution policy to AllSigned, enable ScriptBlock logging.
    • Robust offline backups (3-2-1 rule) – fcfeee deletes VSS, WMI shadow storage, and alters the boot configuration; only detached or immutable backups survive.

  2. Removal
    Step 1 – Disconnect the network cable / Wi-Fi; do not log off or reboot if a safe-mode boot is already planned.
    Step 2 – Boot into Safe-Mode with Networking + Command Prompt.
    Step 3 – Delete the persistence scheduled task “FirefoxUpdateTaskMachineUA” (name spoof) located in \Microsoft\Windows\Firefox.
    Step 4 – Erase the binaries:
      C:\PerfLogs\fcfeee.exe
      C:\Users\Public\svhost.exe
      C:\ProgramData\RsTasks\agent.crt (AES key blob)
    Step 5 – Remove the malicious Run registry value:
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Silent.exe → “C:\PerfLogs\fcfeee.exe -m silent”
    Step 6 – Clear the WMI event subscription used for the second-stage drop (the filter is named “SystemFilter”; remove the binding that references it as well):
      powershell -Command "Get-WmiObject -Class __EventFilter -Namespace root\subscription | Where-Object { $_.Name -eq 'SystemFilter' } | Remove-WmiObject"
      powershell -Command "Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription | Where-Object { $_.Filter -match 'SystemFilter' } | Remove-WmiObject"
    Step 7 – Reboot into normal mode; run a full EDR scan (Defender 1.405.522.0+ or any vendor with sig “Ransom:MSIL/FcfA”).

  3. File Decryption & Recovery
    • Feasibility: NO free decryptor as of 2024-06-XX. The malware uses AES-256-CTR (per-file key), with each file key encrypted in turn by a 2048-bit RSA public key embedded in the PE. The private key is held on the attackers’ server and is different per victim (RSA-1024 per-victim in older builds, RSA-2048 in builds ≥ 1.3).
    • Brute-forcing is cryptographically impractical.
    • Shadow-copy recovery: deleted via vssadmin + wmic; rarely recoverable except on VMs where SAN-level snapshots exist.
    • [email protected] will demand 0.13 BTC (≈ $7 300, Jun-2024) but often negotiates down by ≈ 40 %.
    • No third-party negotiation house has yet secured a working master key; therefore treat this as “no decryptor – rely on backups”.

  Tools / Patches you MUST have on premise today
    • PaperCut CVE-2023-27350 patch (build 21.2.10 / 22.0.9)
    • Windows Defender update ≥ 1.405.522.0 (sig name Ransom:MSIL/FcfA)
    • Sophos / ESET / SentinelOne all added “FCF/Agent” detection June 12-15 2024 – push latest DATs.
    • PaperCut-hotfix-checker.ps1 (PaperCut GitHub) – audits still-vulnerable nodes.

  4. Other Critical Information
    • Affiliate model: fcfeee is delivered as “RaaS-lite”; the builder is .NET 6 based and accepts JSON configs for extension, ransom-note name, BTC wallet, and RSA pub key – that is why the e-mail string in the filename changes between waves.
    • Ransom note: “READMETORESTORE.txt” (dropped in every folder) – note body is almost 1:1 Phobos-family template; do not confuse fcfeee with Phobos technically – code base is unrelated.
    • Self-update: newer builds (1.4.1 observed 2024-06-15) contact http://gitproxy[.]net/msp/update.json (Tor2Web proxy) and can auto-install additional stealing modules (Raccoon-stealer plugin). Block the domain at perimeter level.
    • Broader impact: 68 % of observed victims are ≤ 500-seat organisations; US public K-12 districts make up 21 % of June cases – absence of PaperCut patches is the common denominator.
    • Reporting: an encrypted file sample plus the ransom note can be uploaded to https://www.nomoreransom.org/ & https://id-ransomware.malwarehunterteam.com – this helps track new e-mails / wallet addresses.

BOTTOM LINE
Treat fcfeee like any modern RSA-protected ransomware: assume decryption is impossible without the private key, patch PaperCut immediately, disable ISO mounting, maintain offline backups, and do NOT pay unless absolutely business-critical – there is no guarantee you will receive a working decryptor.