RANSOMWARE DOSSIER
Variant tracked in the wild by the file-extension “.ferosas”
TECHNICAL BREAKDOWN
1. File Extension & Renaming Patterns
- Exact extension: .ferosas (lower-case, appended as a second extension, e.g. Report.xlsx.ferosas).
- Renaming convention:
  – Original file name and inner extension are preserved; .ferosas is simply appended.
  – No e-mail address or random numeric ID is embedded in the new name (this differentiates it from variants such as .berosuce, .grovat, .dutan, etc.).
  – Folders themselves are NOT renamed, only files.
2. Detection & Outbreak Timeline
- First submissions to ID-Ransomware & VirusTotal: 24–25 March 2019.
- Peak distribution observed: April–May 2019 (large e-mail spam waves).
- Still circulating: Copy-cat campaigns have been spotted through 2023, almost always using the same decryption key set (see “Decryption” section).
3. Primary Attack Vectors
Ferosas belongs to the STOP/Djvu family; therefore it inherited the distribution channels used by that cluster:
- Malspam (≈70 % of infections):
  – ISO, ZIP or 7-Zip attachments that contain a disguised executable (invoice_342.exe, setupxyz.exe).
  – Messages fake “FedEx/UPS tracking”, “PayPal invoice”, “Kaspersky security update”, etc.
- Software cracks & keygens (≈25 %):
  – YouTube comments, gaming-forum posts and BitTorrent uploads promising “Minecraft unlocker”, “Photoshop crack”, “Windows 10 activator”.
  – Once launched, the crack drops the same .ferosas payload.
- Exploit kits / trojanised updates (<5 %):
  – EITest→RigEK→Raccoon stealer→STOP chain seen in late 2019.
  – No automated SMB/EternalBlue component (different from WannaCry or Ryuk).
REMEDIATION & RECOVERY STRATEGIES
1. Prevention
- Patch OS & 3rd-party apps (especially MS Office, Java, Adobe).
- Disable Office macros company-wide; block .iso, .img, .vbs, .js, .wsf at the mail gateway.
- Remove local-admin rights from day-to-day users; enable Windows Credential Guard to foil later-stage password-grabbers that often accompany STOP.
- Segment LAN + disable RDP if unused; if needed, put RDP behind VPN + 2FA.
- Maintain at least two backups (one off-line, one off-site) and perform periodic restore drills.
- Application whitelisting or, at minimum, Microsoft Defender ASR rules: “Block executable files from running unless they meet a prevalence, age, or trusted list criterion.”
2. Removal (step-by-step)
- Physically disconnect the machine from the network (Wi-Fi & Ethernet).
- Boot into Safe Mode with Networking (for driver cleanup) or use a bootable AV rescue disk.
- Delete the persistence entries:
  – HKCU\Software\Microsoft\Windows\CurrentVersion\Run → value “SysHelper” or “Launcher” pointing to %LocalAppData%\{GUID}\randomname.exe.
  – Scheduled Task “Time Trigger Task” created under \Microsoft\Windows\ – remove it.
- Delete the dropped binaries:
  – %Temp%\0.exe, %Temp%\1.exe, and the folder %LocalAppData%\{GUID}\ (hidden, system attributes).
- Update and run a reputable AV engine (Defender, ESET, Kaspersky, Sophos) – all flag the family as “Ransom:Win32/STOP”.
- BEFORE rebooting normally, create a forensic image or at least copy the ransomware executable (%LocalAppData%\{GUID}\*.exe) to a USB – you may need it to determine which key variant you have for decryption.
- Reboot → verify that no new files are being encrypted (create a few canary documents).
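The canary check in the last step, as an added example that is not part of the dossier: it plants a few decoy documents with a recorded hash, then reports any canary that gained a .ferosas sibling, went missing or changed. The demo() helper builds its own temp folder and imitates only the observable rename pattern described in section 1 (name + .ferosas, new bytes), not real encryption.

```python
import hashlib
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".ferosas"   # the variant only appends this to the original name


def plant_canaries(folder: Path, count: int = 3) -> dict[str, str]:
    """Create small decoy documents and return {path: sha256} as the baseline."""
    folder.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for i in range(count):
        p = folder / f"canary_{i}.docx"          # office-style names are typical targets
        data = os.urandom(64) + f"canary {i}\n".encode()
        p.write_bytes(data)
        manifest[str(p)] = hashlib.sha256(data).hexdigest()
    return manifest


def check_canaries(manifest: dict[str, str]) -> list[str]:
    """Re-check every canary; an empty list means no encryption activity was seen."""
    findings = []
    for path, digest in manifest.items():
        p = Path(path)
        if Path(path + ENCRYPTED_EXT).exists():
            findings.append(f"{p.name}: {ENCRYPTED_EXT} copy present, encryptor still active")
        elif not p.exists():
            findings.append(f"{p.name}: missing (renamed or deleted)")
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            findings.append(f"{p.name}: content changed since baseline")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed walk-through: clean check, then a benign imitation of the rename pattern."""
    manifest = plant_canaries(Path(tempfile.mkdtemp()) / "canaries")
    before = check_canaries(manifest)             # expected: []
    first = Path(next(iter(manifest)))            # canary_0.docx
    # Imitate only the observable effect (name + ".ferosas", new bytes), not real encryption.
    first.rename(first.with_name(first.name + ENCRYPTED_EXT)).write_bytes(os.urandom(32))
    after = check_canaries(manifest)              # expected: one finding for canary_0
    return before, after


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```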
3. File Decryption & Recovery
- STOP/Djvu releases two main builds:
  a) “Old” variants (keys hard-coded, offline key): encryption uses one single key for all machines when the C2 is unreachable. This applies to ≈80 % of .ferosas infections up to mid-2019.
  b) “New” variants (post-Aug 2019, online key): each victim gets a unique RSA key that is not recoverable without the private half stored on the criminals’ server.
- Feasibility:
  – If your files were hit during the March–July 2019 window, try the free Emsisoft STOP-Decrypter (https://emsisoft.com/decrypt). Enter the personal ID shown in C:\SystemID\PersonalID.txt. IDs ending in “t1” are usually decryptable (offline key).
  – Look inside C:\ProgramData\ for file_readme.txt or readme.txt; an offline key produces an ID that is exactly 38 alphanumeric characters without a dot suffix.
  – The offline key for .ferosas was extracted by researchers in May 2019; its byte sequence is 012T6pypTKbpDciebZQPXzVKhD1W866nUeuCkr. The decryptor already contains it – no manual entry needed.
- If the ID ends in “.USA”, “.BOZA”, “.REHA” or any other random extension, you have an online key → no free decryptor at present. Options are:
  – Restore from backup.
  – Volume Shadow Copy (vssadmin list shadows) – STOP deletes shadows only half of the time; worth checking.
  – File-recovery tools (PhotoRec, Recuva, Windows File Recovery) – works only if the ransomware did not fill the disk with dummy data.
  – Paying the ransom ($490–$980) is technically possible but discouraged: no guarantee, supports the criminal ecosystem, and in some jurisdictions it is illegal to send money to sanctioned actors.
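A small triage helper, added here and not part of the dossier or the Emsisoft tool: it applies the ID rules above (38 alphanumeric characters and no dot suffix → offline key; a suffix such as .USA → online key) and inventories encrypted files, recovering each original name by stripping the appended extension. build_sample_tree() creates a constructed sample folder so the helper can be dry-run; the file names in it are invented.

```python
import re
import tempfile
from pathlib import Path

EXT = ".ferosas"
# Rules as stated in the dossier: an offline key yields a PersonalID of exactly
# 38 alphanumeric characters with no dot suffix (often ending in "t1"); a dot
# suffix such as ".USA" means a per-victim online key.
OFFLINE_ID_RE = re.compile(r"^[A-Za-z0-9]{38}$")


def classify_personal_id(personal_id: str) -> tuple[str, str]:
    """Return (verdict, reason) for the contents of C:\\SystemID\\PersonalID.txt."""
    pid = personal_id.strip()
    if "." in pid:
        suffix = pid[pid.rfind("."):]
        return "online", f"dot suffix {suffix!r}: unique RSA key, no free decryptor yet"
    if OFFLINE_ID_RE.match(pid):
        hint = "ends in 't1'" if pid.endswith("t1") else "38 alphanumeric characters"
        return "offline", f"{hint}: try the Emsisoft STOP decryptor"
    return "unknown", "matches neither documented pattern; keep the sample for analysts"


def inventory_encrypted(root: Path) -> list[tuple[Path, str]]:
    """List every *.ferosas file under root with the original name it hides.

    The variant only appends the extension, so stripping it recovers the original
    name and inner extension (Report.xlsx.ferosas -> Report.xlsx).
    """
    return sorted((p, p.name[:-len(EXT)]) for p in root.rglob("*" + EXT) if p.is_file())


def build_sample_tree() -> Path:
    """Constructed sample directory (invented names, not victim data) for a dry run."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / ("Report.xlsx" + EXT)).write_bytes(b"ciphertext placeholder")
    (root / ("photo.jpg" + EXT)).write_bytes(b"ciphertext placeholder")
    (root / "notes.txt").write_bytes(b"untouched file")
    return root


if __name__ == "__main__":
    print(classify_personal_id("012T6pypTKbpDciebZQPXzVKhD1W866nUeuCkr"))
    for encrypted, original in inventory_encrypted(build_sample_tree()):
        print(f"{encrypted.name} -> {original}")
```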
4. Other Critical Information
- Ransom note: _readme.txt – identical text for all STOP variants: “ATTENTION! Don’t worry, you can return all your files…”; contact e-mails: [email protected], [email protected], [email protected].
- Encryption specifics:
  – Salsa20 keystream + 1024-bit RSA public key; the symmetric key is encrypted and stored in the file footer + 16-byte marker 0x4455435445525550.
- Command-&-Control:
  – Hard-coded domains on the TLDs .top, .biz, .site; if unreachable, the malware falls back to an offline key (hence why so many victims are actually decryptable).
- Bundled malware: many .ferosas installers also drop the AZORult info-stealer; assume passwords, cookies, and browser histories are compromised – force resets.
- Wider impact:
  – STOP (including .ferosas) became the most submitted ransomware family to ID-Ransomware in 2019/20 simply because of the sheer volume of spam-fed home/SMB infections rather than high-profile enterprise breaches.
  – Because decryption is partially possible, the family is frequently cited as a “learning case” for defenders, demonstrating how much adversaries' key-management errors matter.
CHECKLIST (printable)
☐ Patch & harden before anything else
☐ Offline backup verified this week
☐ Mail gateway blocks ISO/JS/VBS
☐ Application whitelisting or at least Defender ASR enabled
☐ If hit: collect the EXE + personal ID, try Emsisoft decryptor, rebuild OS, reset all credentials, notify users of potential AZORult exposure
Stay vigilant – .ferosas is mostly decryptable, but its big brothers in the STOP lineage may not be.