fhkf

[Content by Gemini 2.5]

Ransomware Briefing – “.fhkf”

(Last updated: 2024-05-21)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Extension appended: .fhkf (lower-case, four letters, no white-space).
  • Renaming convention: keeps the original filename and original extension, then simply appends .fhkf.
    Example: Budget2024.xlsx → Budget2024.xlsx.fhkf
  • No e-mail address, no random hex string, no victim-ID inside the name (this helps distinguish it from variants such as Phobos / Dharma).
  • Folders receive a plain-text ransom note README.txt (sometimes HowToRestore.txt).
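A small triage scanner for the renaming pattern described in this section, added here as an example (it is not part of the original briefing and not a tool of any vendor named on it): it recognises names that follow the documented convention, rejects Phobos/Dharma-style names that carry an id or e-mail marker, counts ransom notes, and tallies encrypted files by their original extension. The directory tree it builds is constructed for the demonstration, and the marker patterns are simplified, hypothetical approximations of those other families' naming schemes.

```python
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note names reported in the briefing (compared case-insensitively).
RANSOM_NOTE_NAMES = {"readme.txt", "howtorestore.txt"}

# Documented convention: <original name>.<original ext>.fhkf, suffix strictly lower-case.
FHKF_RE = re.compile(r"^(?P<original>.+)\.fhkf$")

# Markers typical of Phobos / Dharma style names (".id[...]", ".id-...", "[mail@host]",
# "[hex]"), which the briefing says this family does NOT use. Hypothetical, simplified patterns.
FOREIGN_MARKER_RE = re.compile(r"(\.id\[|\.id-|\[[^\]]*@[^\]]*\]|\[[0-9A-Fa-f]{6,}\])")


def classify_name(name):
    """Return the original file name if `name` follows the documented .fhkf renaming, else None."""
    m = FHKF_RE.match(name)
    if m is None:
        return None
    original = m.group("original")
    if FOREIGN_MARKER_RE.search(original):
        return None          # looks like another family's naming scheme, not a plain append
    return original


def scan_tree(root):
    """Walk `root`; return encrypted-file paths, ransom-note paths and a count per original extension."""
    root = Path(root)
    encrypted, notes, by_ext = [], [], Counter()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in RANSOM_NOTE_NAMES:
            notes.append(str(path.relative_to(root)))
            continue
        original = classify_name(path.name)
        if original is not None:
            encrypted.append(str(path.relative_to(root)))
            by_ext[Path(original).suffix.lower() or "<none>"] += 1
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "by_original_ext": dict(by_ext),
    }


def build_sample_tree():
    """Create a constructed sample tree in a temp dir (not real victim data); the caller removes it."""
    root = Path(tempfile.mkdtemp(prefix="fhkf_demo_"))
    (root / "Finance").mkdir()
    samples = {
        "Finance/Budget2024.xlsx.fhkf": b"\x00" * 16,
        "Finance/README.txt": b"constructed ransom note",
        "Finance/notes.txt": b"untouched file",
        "photo.jpg.fhkf": b"\x00" * 16,
        "HowToRestore.txt": b"constructed ransom note",
        # Phobos-style name: id marker + e-mail, so it must NOT be attributed to .fhkf
        "report.docx.id[ABCD1234-5678].[x@example.com].fhkf": b"",
    }
    for rel, data in samples.items():
        (root / rel).write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        print(scan_tree(demo_root))
    finally:
        shutil.rmtree(demo_root)
```

Run it against a mounted image of an affected share rather than the live host; the per-extension tally tells you quickly which data classes were hit and the note paths give the folders the encryptor walked.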

2. Detection & Outbreak Timeline

  • First submissions to public malware repositories: 2024-01-17 (VT hash 4b3b…c1a7).
  • Wider visibility / forum posts: February 2024.
  • Peak activity reported by ISPs in Eastern Europe & LATAM: March–April 2024.
  • Still active as of this writing (May 2024); new builds seen weekly with only minor binary tweaks (same extension, same note name).

3. Primary Attack Vectors

  1. RDP brute-force & credential stuffing
    – Scans TCP/3389, tries top 500 passwords, deploys rdpclip.exe wrapper that drops fhkf.exe.
  2. SocEng e-mail with ISO / IMG attachment
    – Mail topic “DHL Invoice”. IMG contains a BAT that fetches fhkf.exe from OneDrive / filemail / 185.215.xx.xx.
  3. Valid, stolen GPO / MSP tools
    – At least two SME cases where attacker reused an IT-provider’s ScreenConnect login to push fhkf.exe to >50 endpoints simultaneously.
  4. No current evidence of worm-like SMB/EternalBlue behaviour; infection appears to be human-operated, post-access.

Quick-Facts Summary

  • Binary: 32-bit, built with MSVS 2022, UPX-packed, ~1.8 MB.
  • Encryption: ChaCha20 for file payload; each file gets a unique 256-bit key encrypted with embedded RSA-2048 public key.
  • Embedded extortion note language: English only. No Tor site, only Tox ID and [email protected].
  • Self-elevation via UAC bypass (abuses the auto-elevating trusted binary fodhelper). Deletes shadow copies with vssadmin.

REMEDIATION & RECOVERY STRATEGIES

1. PREVENTION (do this TODAY)

  • Disable RDP if unused; if required, put behind VPN + MFA, enforce NLA, lockout policy (5/30 min).
  • Patch externally facing apps (Citrix, FortiGate, ScreenConnect, AnyDesk).
  • E-mail filters: strip ISO, IMG, VHD, BAT, PS1 at gateway.
  • Application whitelisting (Windows Applocker / WDAC) → block unsigned binaries (%TEMP%, %APPDATA%).
  • Back-up 3-2-1 rule: 3 copies, 2 media, 1 off-line & physically disconnected.
  • Lateral-movement defence: disable SMBv1, segment VLANs, use protected users / LAPS for local admin passwords.

2. REMOVAL (step-by-step)

  1. Immediately isolate the machine (pull cable / disable Wi-Fi).
  2. Collect volatile artefacts (memory dump with WinPmem or DumpIt) before shutdown → useful for legal/IR, and sometimes for key extraction if the malware was run in debug mode.
  3. Boot from a clean, external Windows PE / Linux USB → manually delete the following (paths used in the last builds):
     • C:\Users\Public\fhkf.exe
     • C:\ProgramData\fhkf.exe
     • Registry RUN key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ngenfhk → remove.
  4. Reset RDP password, local admin passwords, and any service account that logged on since patient-zero.
  5. Run a full scan with an up-to-date AV/EDR engine (Defender with cloud, Kaspersky, ESET, Bitdefender, CrowdStrike, etc.) to verify the PE is gone and no scheduled tasks persist.
  6. Patch & harden before reconnecting to production LAN (restore only after the environment is clean).

3. FILE DECRYPTION & RECOVERY

  • No free public decryptor exists at the moment because the RSA-2048 private key is server-side.
  • Encrypted files cannot be cracked through generic tools (ChaCha20 is a sound symmetric cipher).
  • Brute-forcing the 256-bit file keys or 2048-bit RSA is computationally infeasible.
  • Recovery options:
  1. Restore from off-line backups (fastest, safest).
  2. Windows Volume Shadow Copy – usually deleted, but double-check with:
    vssadmin list shadows or ShadowExplorer GUI.
  3. Recycle-bin or cloud-sync history (OneDrive “Files Restore”, Dropbox “Rewind”).
  4. File repair for some media (Python “dislocker”, MP3/Video repair tools) – low success because ChaCha20 scrambles everything.
  5. Negotiation / paying the attacker is discouraged:
    – Ransom demand seen: 0.12 BTC (≈ USD 5,000) to a static wallet.
    – Victims who paid received a working decrypter in 60 % of reported cases, but two weeks later were hit again by the same group with different malware.
  6. Keep one encrypted sample + the README.txt; if law-enforcement later seizes the command server you may get the private key (notify your local CERT).

4. OTHER CRITICAL INFORMATION

  • The .fhkf strain is NOT a rebranded STOP/Djvu, despite the four-letter extension; PDB path and code flow point to an independent, small RaaS group named “Hesper” appearing in underground forums since Dec-2023.
  • It purposely avoids Russian-language systems (GetSystemDefaultUILanguage) – exit if 0x419/0x422.
  • No data-exfil capability in analysed samples (no cloud-uploader strings), so the data-leakage risk is low, but newer dll-plugins could change that.
  • Because the extension is short, e-mail filters sometimes treat *.fhkf as legitimate (matches “.fh” = Fairhaven, “.kf” = KingsField game saves). Add an explicit block rule in e-mail DLP.
  • Please upload ransom note + one encrypted file to ID-Ransomware (https://id-ransomware.malwarehunterteam.com) to get confirmation of variant; the service will email you automatically when a decryptor becomes available.
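An attachment-policy check illustrating the short-extension problem described in the bullet above, together with the gateway stripping rule (ISO, IMG, VHD, BAT, PS1) from the prevention list. This is an added example, not part of the original briefing and not any mail-gateway product's rule syntax: `naive_verdict` reproduces the flawed behaviour (an extension counts as known-good if it merely starts with an allowlisted one, and the allowlist is consulted first), while `gateway_verdict` matches the complete final suffix exactly and case-insensitively, after trimming the trailing spaces and dots that Windows silently drops from file names. The allowlist is constructed for the demonstration.

```python
from pathlib import PurePosixPath

# Types the prevention list says to strip at the gateway.
BLOCKED_EXTENSIONS = {".iso", ".img", ".vhd", ".bat", ".ps1"}
# Explicit marker added to the DLP rule, as section 4 recommends.
RANSOMWARE_MARKERS = {".fhkf"}
# Constructed allowlist containing the two short extensions the briefing names as the source of confusion.
ALLOWLISTED_EXTENSIONS = {".fh", ".kf", ".pdf", ".docx", ".xlsx", ".txt"}


def naive_verdict(filename):
    """The flawed rule type the briefing warns about (kept here only to show the false negative)."""
    lowered = filename.lower()
    ext = ("." + lowered.rsplit(".", 1)[-1]) if "." in lowered else ""
    if any(ext.startswith(good) for good in ALLOWLISTED_EXTENSIONS):
        return "allow"                   # ".fhkf".startswith(".fh") -> wrongly allowed
    return "block" if ext in (BLOCKED_EXTENSIONS | RANSOMWARE_MARKERS) else "allow"


def gateway_verdict(filename):
    """Exact, case-insensitive match on the complete final suffix. Returns (verdict, reason)."""
    # Windows drops trailing spaces and dots when the file is written, so normalise them away
    # before deciding; otherwise "x.fhkf." would evade an exact-suffix rule.
    name = filename.strip().rstrip(" .").lower()
    suffixes = PurePosixPath(name).suffixes      # e.g. "budget2024.xlsx.fhkf" -> [".xlsx", ".fhkf"]
    if not suffixes:
        return "allow", None
    last = suffixes[-1]
    if last in RANSOMWARE_MARKERS:
        return "block", "ransomware marker extension " + last
    if last in BLOCKED_EXTENSIONS:
        return "block", "gateway-stripped container/script type " + last
    return "allow", None


def compare(filenames):
    """Side-by-side verdicts of both rules; useful as a regression test for the gateway policy."""
    return [(n, naive_verdict(n), gateway_verdict(n)[0]) for n in filenames]


if __name__ == "__main__":
    for row in compare(["Budget2024.xlsx.fhkf", "Budget2024.xlsx.FHKF ", "DHL_Invoice.img",
                        "quarterly.pdf", "save01.kf", "README"]):
        print(row)
```

Keep the allowlist and the marker list as exact-membership sets; prefix or substring matching on extensions is what turns a four-letter marker into a "known good" file.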

Key Links / Tools

  • MS patches: March-2024 cumulative update includes the certificate-verifier fix the group abused for UAC bypass (CVE-2024-21427).
  • MSERT (Microsoft Safety Scanner) signatures since 1.403.123.0 detect Ransom:Win32/Fhkf.A.
  • NOMORE extensions policy template: https://github.com/MicrosoftDocs/…/Applocker-policies.
  • Backup-verification script (free): BackupValidator.ps1 – checks integrity of Veeam & Windows-Backup files before you commit to a large restore.

TL;DR

.fhkf = new human-operated ransomware, spreads via RDP & phishing, uses ChaCha20+RSA, no free decryptor.
Isolate, remove malicious fhkf.exe, restore only from clean off-line backups, harden RDP and patch.
Store a copy of the ransom note and one encrypted file; monitor ID-Ransomware for a future decryptor. Stay safe!