felix

[Content by Gemini 2.5]

Technical Brief – Ransomware that appends “.felix” to encrypted files


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every ciphered file receives a SECOND extension “.felix”.
    Example: project.xlsx → project.xlsx.felix, 2024-Q1-DB.sql → 2024-Q1-DB.sql.felix
  • Renaming Convention: The original file name, internal structure and first extension are left intact; only the additional lower-case suffix is appended. No e-mail address, victim-ID, or random string is inserted (a trait that helps to recognise this strain quickly).
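The rename pattern above is simple enough to triage with a script. The following helper is an added example (not code from the brief): given a list of file paths from an affected share, it separates encrypted files from untouched ones, recovers the original name and extension, lists directories that received a ransom note, and flags any ".felix" file whose name carries an e-mail or ID marker, which is inconsistent with this strain and worth a second look. The sample listing is constructed.

```python
"""Triage helper for the ".felix" double-extension rename pattern.

Added example; not code from the original brief. Feed it the file paths
collected from an affected share (os.walk output, a directory listing or
a forensic file list). SAMPLE_PATHS below is constructed.
"""
from collections import Counter
from pathlib import PureWindowsPath

SUFFIX = ".felix"               # appended as a second extension
NOTE_NAME = "readme-felix.txt"  # ransom note dropped in every folder (compared lower-cased)


def classify(path: str) -> dict:
    """Describe one path as an encrypted file, a ransom note, or untouched."""
    p = PureWindowsPath(path)
    name = p.name
    if name.lower() == NOTE_NAME:
        return {"path": path, "kind": "note", "dir": str(p.parent)}
    if name.lower().endswith(SUFFIX):
        original = name[: -len(SUFFIX)]
        # Felix leaves the original name and first extension intact and inserts
        # no e-mail/ID marker; '@' or '[' before the suffix points to a different
        # family or a manually renamed file, so it is flagged for review.
        consistent = "@" not in original and "[" not in original
        return {
            "path": path,
            "kind": "encrypted",
            "dir": str(p.parent),
            "original_name": original,
            "original_ext": PureWindowsPath(original).suffix.lower() or "(none)",
            "pattern_consistent": consistent,
        }
    return {"path": path, "kind": "untouched", "dir": str(p.parent)}


def triage(paths):
    """Summarise a path list: what was hit, by original type, and where notes landed."""
    records = [classify(p) for p in paths]
    encrypted = [r for r in records if r["kind"] == "encrypted"]
    note_dirs = {r["dir"] for r in records if r["kind"] == "note"}
    return {
        "encrypted": len(encrypted),
        "untouched": sum(r["kind"] == "untouched" for r in records),
        "by_original_ext": Counter(r["original_ext"] for r in encrypted),
        "dirs_with_note": sorted(note_dirs),
        # Folders with encrypted files but no note: the sweep may have been
        # interrupted there, which matters for the recovery options later on.
        "dirs_hit_without_note": sorted({r["dir"] for r in encrypted} - note_dirs),
        "pattern_mismatch": [r["path"] for r in encrypted if not r["pattern_consistent"]],
    }


# Constructed sample listing (not real victim data)
SAMPLE_PATHS = [
    r"D:\Finance\project.xlsx.felix",
    r"D:\Finance\2024-Q1-DB.sql.felix",
    r"D:\Finance\README-felix.txt",
    r"D:\HR\contracts.docx.felix",
    r"D:\HR\notes.txt",
    r"D:\Backups\archive.zip.id[ABCD1234].[mail@example.test].felix",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

Run it against a real listing by replacing SAMPLE_PATHS with the paths you collected; the "dirs_hit_without_note" and "pattern_mismatch" entries are the ones to inspect by hand before drawing conclusions about the strain.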

2. Detection & Outbreak Timeline

  • Earliest Public Submission: 2023-07-21 (Michael Gillespie’s ID-Ransomware & Tria.ge sandbox).
    Small-volume campaigns continued through Q3-Q4 2023, followed by a spike in February 2024 that drew wider attention on Reddit, BleepingComputer and Russian incident-response lists. As of mid-2024 it remains an “opportunistic” rather than mass-worm threat.

3. Primary Attack Vectors

  1. Externally exposed RDP / brute-force – the most common root cause, seen in >60 % of analysed cases.
  2. Phishing with ISO / ZIP / IMG lures that carry a .NET launcher disguised as “invoice”, “DHL tracking”, etc.
    – Launcher downloads the 32-bit Delphi payload (felix.exe, VT detection names: Trojan.Filecoder.Felix / Win32/Filecoder.OLU).
  3. Malicious Tor-repack “setup.exe” bundles promoted through cracked-software YouTube videos (µTorrent, Photoshop).
  4. Exploitation of known but still un-patched flaws in public-facing software:
  • Log4j (CVE-2021-44228) in VMware Horizon, ManageEngine ADSelfService, GeoServer
  • Atlassian Confluence OGNL bug (CVE-2022-26134)
    No evidence of self-propagation – each infection is manually post-exploited by the affiliate.

Remediation & Recovery Strategies

1. Prevention

  • Kill the door they walk in through:
    ❒ Disable RDP across the perimeter or restrict it behind VPN + MFA.
    ❒ Patch Log4j (2.17+), Confluence (7.4.17 / 7.13.7), Citrix, Exchange etc.
  • Application hardening:
    ❒ Use AppLocker / WDAC to block execution of %TEMP%\*.exe, %LOCALAPPDATA%\*.exe and *.scr, and of executables inside *.iso images mounted from browser downloads.
    ❒ Enable Windows Credential Guard & LSA Protection so that the Mimikatz-style credential dumper usually dropped afterwards fails.
  • E-mail & web controls:
    ❒ Strip ISO, IMG, VHD, PS1, HTA, JS at the gateway; require macro/ODS scanning for ZIPs.
    ❒ Configure MS-Office to block macros from the Internet (policy).
  • Back-ups (the only reliable “decryptor”):
    ❒ 3-2-1 rule – three copies, two media, one off-line/immutable (S3-object-lock, Azure immutable vault, tape, WORM disk).
    ❒ Test restore monthly; the ransomware deletes Volume Shadow Copies (vssadmin delete shadows /all) right before file encryption.

2. Removal (step-by-step)

  1. Immediately isolate the machine(s) – pull the network cable / disable Wi-Fi; keep power on if RAM forensics is planned.
  2. Identify the parent process – open Task Manager or, from WinRE, capture %windir%\System32\Tasks, HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon for felix.exe or svch0st.exe entries.
  3. Create a bit-stream image of the system disk before any disinfection if legal/operational requirements demand evidence.
  4. Boot into Safe-Mode-with-Networking and run:
    a. A reputable EDR (Defender, CrowdStrike, Sophos, ESET – all include signatures for Trojan.Filecoder.Felix).
    b. Stand-alone scanners: MSERT, KVRT, ESET Online Scanner – because affiliates often drop Cobalt Strike BEACON together with Felix.
  5. Clean the persistence:
     del /f %UserProfile%\AppData\Local\felix.exe
     reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v felix /f
     schtasks /delete /tn "Windows Update Service" /f
  6. Re-patch everything that allowed entry before reconnecting to the LAN (see CVE list above).
  7. Re-image or rebuild the OS if company policy asks for “nuke-from-orbit”; otherwise continue with data restoration.

3. File Decryption & Recovery

  • Feasibility: No flaw has yet been found in the malware’s implementation of Curve25519 + AES-256.
    Decryption is currently IMPOSSIBLE without the criminal’s private key.
  • Any free decryptor claiming the opposite is fake. The only working “decryptors” are:
    – The attacker-supplied Python tool (runtime key hard-coded per victim) delivered after paying the demand (0.15-0.3 BTC observed).
  • Recovery without paying:
    ► Restore from off-line backup.
    ► Look for overlooked local snapshots (wbadmin get versions) – Felix only calls vssadmin, not wbadmin.
    ► Hunt for shadow copies still present inside virtual-machine checkpoints (Hyper-V *.avhdx, VMware *.vmsn).
    ► Attempt file-carving / photorec on unaffected partitions for “ghost” copies of Office or DB temp files.
    ► If the malware process was killed before it finished its sweep (rare), un-synced OneDrive / Google-Drive files may still be in cloud recycle bins.

4. Other Critical Information

  • Unique characteristics that differentiate Felix:
    – Written in Delphi, small footprint (~ 280 kB), no network spreading, single hard-coded BTC address per campaign – simplifies IOC tracking.
    – Drops dual ransom notes (README-felix.txt) in every folder AND changes wallpaper to BMP (c:\programdata\wall.bmp) with the same text.
    – Contains a CLI switch --no-prop-servers which, when passed, skips mapped network drives – researchers suspect this lets the affiliate spare file-servers to keep the ransom negotiation simpler.
  • Broader Impact: Because affiliates often use Felix as the last stage after hands-on-keyboard activity, victims frequently report data theft before encryption. Counsel should therefore assume a data-breach event and start GDPR / HIPAA / state-breach notification clocks even if backups allow quick recovery.

IOC Quick Reference (update 2024-06-01)

File hashes (sha256):
c3e3…d4e5 felix.exe (primary 32-bit payload)
4f1a…b2c9 svch0st.exe (persistence copy)
91a7…30ff cobaltstrike_beacon.dll

Registry keys:
HKCU\Software\fEL
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FeliX

BTC addresses seen:
bc1qcg4snn2yqlvkrq7sjrvx9dk3gxc6lk5kaplev5
bc1q6stna88kqy5ykfvg6k7l0u5v0j0j5xyz7w8xyz

CLI launch pattern:
felix.exe --no-prop-servers --path "C:\" --btc bc1q…
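The indicators in this quick reference, together with the persistence locations named in removal step 2 and step 5, translate directly into detection rules. The following is an added example (not code from the brief) that encodes them and runs them over constructed process-creation, registry and scheduled-task events. The one-event-per-line key="value" log format is an assumption chosen so that the example runs offline; adapt parse_event() to your EDR or Sysmon export. The hashes are omitted because the brief lists them only in truncated form, and the BTC address in the sample is a placeholder.

```python
"""Detection rules derived from the IOC quick reference and removal steps.

Added example; not code from the original brief. The log format
(key="value" pairs, one event per line) is an assumption for offline use.
"""
import re
from typing import Dict, List

# Indicators taken from the brief; svch0st.exe is a typosquat of svchost.exe
BAD_IMAGES = {"felix.exe", "svch0st.exe"}
CLI_MARKERS = ("--no-prop-servers", "--btc bc1q")     # felix launch pattern
BAD_REG_KEYS = (
    r"hkcu\software\fel",
    r"hklm\software\microsoft\windows\currentversion\uninstall\felix",
)
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
TASK_NAME = "windows update service"                   # persistence task from step 5

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key="value" log line into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in _KV.findall(line)}


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list if clean)."""
    hits: List[str] = []
    image_path = ev.get("image") or ev.get("action") or ""
    image = image_path.rsplit("\\", 1)[-1].lower()
    cmd = ev.get("cmdline", "").lower()
    key = ev.get("regkey", "").lower()

    if image in BAD_IMAGES:
        hits.append(f"ioc_image:{image}")
    if any(marker in cmd for marker in CLI_MARKERS):
        hits.append("felix_cli_pattern")
    # Shadow-copy deletion precedes encryption; 'vssadmin list shadows' stays clean
    if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
        hits.append("shadow_copy_deletion")
    if any(key == bad or key.startswith(bad + "\\") for bad in BAD_REG_KEYS):
        hits.append("ioc_registry_key")
    if key == RUN_KEY and ev.get("regvalue", "").lower() == "felix":
        hits.append("run_key_persistence")
    if ev.get("type") == "task_create" and ev.get("task", "").lower() == TASK_NAME:
        hits.append("scheduled_task_persistence")
    return hits


def scan(lines):
    """Run every rule over every line; yields (line_no, rule, host) tuples."""
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for rule in evaluate(ev):
            alerts.append((n, rule, ev.get("host", "?")))
    return alerts


# Constructed sample events (not captured telemetry); the BTC value is a placeholder
SAMPLE_LOG = [
    'type="process_create" host="WS-17" image="C:\\Windows\\System32\\svchost.exe" cmdline="svchost.exe -k netsvcs"',
    'type="process_create" host="WS-17" image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin delete shadows /all /quiet"',
    'type="process_create" host="WS-17" image="C:\\Users\\j.doe\\AppData\\Local\\felix.exe" cmdline="felix.exe --no-prop-servers --path C:\\ --btc bc1qEXAMPLEPLACEHOLDER"',
    'type="registry_set" host="WS-17" regkey="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" regvalue="felix" data="C:\\Users\\j.doe\\AppData\\Local\\felix.exe"',
    'type="registry_set" host="WS-17" regkey="HKCU\\Software\\fEL" regvalue="id" data="0001"',
    'type="task_create" host="WS-17" task="Windows Update Service" action="C:\\Users\\j.doe\\AppData\\Local\\svch0st.exe"',
    'type="process_create" host="WS-17" image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin list shadows"',
]

if __name__ == "__main__":
    for line_no, rule, host in scan(SAMPLE_LOG):
        print(f"line {line_no} host={host} rule={rule}")
```

The two benign lines (a normal svchost.exe launch and "vssadmin list shadows") are there to show that the rules key on the deletion verb and on the exact image name rather than on "vssadmin" or "svch" alone; tune the Run-key rule to your own naming if the value name differs from the one in step 5.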


Remember: DO NOT PAY unless all other recovery options fail and legal counsel approves – payment fuels the ecosystem and does not guarantee either a working decryptor or non-release of exfiltrated data.