filegofprencrp

[Content by Gemini 2.5]

Ransomware Resource Sheet

Variant identified by extension: .filegofprencrp


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmation of file extension:
    Every encrypted file receives a second, final extension “.filegofprencrp” (lower-case).
    Example: Budget2024.xlsx.filegofprencrp
  • Renaming convention:
    No e-mail address, campaign ID, or victim key is inserted; the original name is preserved and only the extra 14-character extension (15 with the dot) is appended, so the original file type can still be read from the inner extension.
    Each affected folder receives a plain-text ransom note README_TO_RESTORE_FILES.txt (sometimes How_to_back_files.hta on Windows).
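A quick scope inventory that applies the renaming pattern above to a directory tree: it recovers the original name from each encrypted file, counts ransom notes, tallies the original file types and reports the encryption window from file mtimes. This is an added example, not part of the original sheet or of any vendor tool; the paths it is shown on are constructed, and the mtime window assumes the payload did not timestomp.

```python
"""Inventory files hit by the .filegofprencrp renaming pattern (added example)."""
import os
import sys
from collections import Counter
from datetime import datetime, timezone

ENC_EXT = ".filegofprencrp"
NOTE_NAMES = {"readme_to_restore_files.txt", "how_to_back_files.hta"}


def classify(path):
    """Return ("encrypted", original_name), ("note", name) or None for one path."""
    name = os.path.basename(path)
    lower = name.lower()
    if lower in NOTE_NAMES:
        return ("note", name)
    if lower.endswith(ENC_EXT) and len(name) > len(ENC_EXT):
        # The original name is preserved; only the extension was appended.
        return ("encrypted", name[: -len(ENC_EXT)])
    return None


def original_type(original_name):
    """File type of the victim file, taken from the inner (original) extension."""
    _root, ext = os.path.splitext(original_name)
    return ext.lower() if ext else "(none)"


def summarize(entries):
    """entries: iterable of (path, mtime_epoch). Returns a summary dict."""
    encrypted, notes, types = [], [], Counter()
    first = last = None
    for path, mtime in entries:
        kind = classify(path)
        if kind is None:
            continue
        if kind[0] == "note":
            notes.append(path)
            continue
        encrypted.append((path, kind[1]))
        types[original_type(kind[1])] += 1
        # Encrypted files are written by the payload, so their mtimes bound the
        # encryption run (assumption: no timestomping).
        first = mtime if first is None else min(first, mtime)
        last = mtime if last is None else max(last, mtime)
    return {"encrypted": encrypted, "notes": notes,
            "types": dict(types), "window": (first, last)}


def scan_tree(root):
    """Walk a real directory tree (Windows or POSIX) and summarize it."""
    def walk():
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    yield p, os.stat(p).st_mtime
                except OSError:
                    continue
    return summarize(walk())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    s = scan_tree(target)
    print(f"{len(s['encrypted'])} encrypted files, {len(s['notes'])} ransom notes")
    for ext, n in sorted(s["types"].items(), key=lambda kv: -kv[1]):
        print(f"  {ext:>10}  {n}")
    if s["window"][0] is not None:
        def fmt(t):
            return datetime.fromtimestamp(t, timezone.utc).isoformat()
        print(f"encryption window (mtime): {fmt(s['window'][0])} .. {fmt(s['window'][1])}")
```

Run it against a file share or a mounted image (`python scan.py E:\`) before touching anything; the type tally tells you which backups to prioritise and the window tells you which shadow copies and cloud versions predate the run.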

2. Detection & Outbreak Timeline

  • First submitted sample: 2023-10-17 (MalwareBazaar, ID 5c6ad…fb11).
  • Wider telemetry spike: 2023-11 through 2024-02, clusters in North-America and Central-Europe.
  • Still circulating in 2024; small-volume, high-value targeting rather than mass spam waves.

3. Primary Attack Vectors

  • RDP / VPS brute-forcing – most frequently observed entry (TCP 3389 exposed to the Internet; weak or reused credentials).
  • Phishing with ISO→LNK containers (“DHL shipment” theme) delivering the initial PowerShell stager.
  • Exploitation of un-patched Atlassian Confluence (CVE-2022-26134, CVE-2023-22515) and occasionally Log4Shell (CVE-2021-44228) on public-facing Java stacks.
  • Lateral movement with Impacket’s wmiexec / smbexec; once domain-admin is obtained, the binary is pushed with PsExec.exe -s -c filegofprencrp.exe (copy to the target, run as SYSTEM) to dozens of hosts at once.
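Detection logic for the entry and lateral-movement patterns listed above, as an added example (not from the original sheet): three rules run over a constructed sample of Windows Security/System events. Field names follow the event XML (EventID, IpAddress, TargetUserName, LogonType, ServiceName, CommandLine); the threshold, window and sample records are assumptions for the demo. Note that RDP failures through NLA land as LogonType 3, so the brute-force rule keys on source IP, not logon type.

```python
"""Rules for RDP brute force, its success, and PsExec/wmiexec fan-out (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10              # 4625s from one IP inside WINDOW -> brute force
WINDOW = timedelta(minutes=5)
WMIEXEC_MARK = r"\\127.0.0.1\admin$\__"   # output redirection Impacket wmiexec uses


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect(events):
    """Return [(timestamp, rule, detail), ...] alerts; events may be in any order."""
    alerts = []
    fails = defaultdict(deque)   # source IP -> timestamps of recent 4625s
    flagged = set()              # IPs already reported as brute-forcing
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, eid = _ts(ev["ts"]), ev["EventID"]
        if eid == 4625:                                   # failed logon
            ip = ev.get("IpAddress", "-")
            q = fails[ip]
            q.append(t)
            while q and t - q[0] > WINDOW:               # slide the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append((ev["ts"], "rdp_bruteforce",
                               f"{len(q)} failed logons from {ip} within {WINDOW}"))
        elif eid == 4624 and ev.get("LogonType") == 10:   # interactive RDP logon
            ip = ev.get("IpAddress", "-")
            if ip in flagged:
                alerts.append((ev["ts"], "bruteforce_success",
                               f"RDP logon as {ev.get('TargetUserName')} from {ip}"))
        elif eid == 7045:                                 # service installed
            if ev.get("ServiceName", "").upper().startswith("PSEXESVC"):
                alerts.append((ev["ts"], "psexec_service",
                               f"{ev['ServiceName']} installed on {ev.get('Computer')}"))
        elif eid == 4688:                                 # process creation
            cl = ev.get("CommandLine", "")
            if WMIEXEC_MARK in cl.lower():
                alerts.append((ev["ts"], "impacket_wmiexec",
                               f"wmiexec-style redirection on {ev.get('Computer')}: {cl}"))
    return alerts


# Constructed sample (not real telemetry): 12 failures from one IP in 44 s, a
# successful type-10 logon from it, an unrelated logon, a PsExec service install
# and a wmiexec shell on a file server.
SAMPLE = [
    {"ts": f"2024-01-12 02:10:{s:02d}", "EventID": 4625, "IpAddress": "203.0.113.9",
     "TargetUserName": "administrator", "LogonType": 3, "Computer": "RDP01"}
    for s in range(0, 48, 4)
] + [
    {"ts": "2024-01-12 02:11:30", "EventID": 4624, "IpAddress": "203.0.113.9",
     "TargetUserName": "svc_backup", "LogonType": 10, "Computer": "RDP01"},
    {"ts": "2024-01-12 02:20:05", "EventID": 4624, "IpAddress": "10.0.5.7",
     "TargetUserName": "jdoe", "LogonType": 10, "Computer": "RDP01"},
    {"ts": "2024-01-12 03:02:11", "EventID": 7045, "ServiceName": "PSEXESVC",
     "Computer": "FS02"},
    {"ts": "2024-01-12 03:05:40", "EventID": 4688, "Computer": "FS03",
     "CommandLine": r'cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1705028740.1 2>&1'},
]

if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE):
        print(f"{ts}  {rule:<20} {detail}")
```

The brute-force rule fires once per source IP and the success rule only for IPs already flagged, which keeps a noisy scanner from drowning the one alert that matters: the type-10 logon that followed the failures.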

REMEDIATION & RECOVERY STRATEGIES

1. PREVENTION

  • Close RDP to the Internet or put it behind a VPN + MFA (good practice against ANY ransomware).
  • Apply the latest patches—Confluence, Log4j, Windows (especially the SMB, Print-Spooler, and Netlogon fixes).
  • Use LAPS so every host has a unique local admin password; disable the built-in Administrator account and any generic “admin” accounts rather than merely renaming them.
  • Segment flat networks; block client-to-client SMB (TCP 445/139) at the switch or host-firewall level, which is what stops the PsExec/wmiexec fan-out.
  • Enable Windows AMSI, Controlled-Folder-Access (CFA), and the ASR rules 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b (block Win32 API calls from Office macros) and 5beb7efe-fd9a-4556-801d-275e5ffc04cc (block execution of potentially obfuscated scripts).
  • Back up 3-2-1 (offline, immutable, tested). Use the write-once options (S3 Object Lock, Azure immutable blob storage, Veeam hardened repository), set retention longer than the expected attacker dwell time, and rotate the access keys for those buckets/repositories so a key stolen from the domain cannot be used to shorten retention.

2. REMOVAL / INFECTION CLEAN-UP

  1. Isolate the infected host(s) from the network (pull the cable, disable the NIC, or quarantine via EDR) rather than powering them off: a shutdown destroys the memory image, and domain controllers in particular must NOT be powered off before imaging if forensics is required.
  2. Collect volatile artefacts first (memory image or process dump of filegofprencrp.exe, network connections, logged-on sessions), then the quick-win on-disk ones (ShimCache/Amcache, Prefetch, Security/System/PowerShell event logs), then create bit-by-bit disk images.
  3. Boot from a clean USB, run a reputable recovery ISO (e.g., Kaspersky Rescue Disk, ESET SysRescue) and delete these artefacts:
  • C:\ProgramData\filegofprencrp.exe (main dropper, static path).
  • Run-key:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FGRP = "C:\ProgramData\filegofprencrp.exe -m"
  • Scheduled Task \Microsoft\Windows\DiskFootprint\FGPRStart.
  4. Remove any newly-created local users (svcnew, support_388945a0, etc.) and review Domain Admins / Remote Desktop Users membership for additions made during the intrusion.
  5. Close the exploited vector: reset ALL passwords usable over RDP (service accounts included; reset krbtgt twice if domain admin was obtained), patch Confluence, and update Log4j to a fixed release (or remove JndiLookup.class from log4j-core where an update is not yet possible) rather than simply deleting the .jar, which breaks the application without proving the hole is closed.
  6. Re-image the box or rebuild from a known-good gold image; restore data only after confirming the infection chain is eradicated company-wide.

3. FILE DECRYPTION & RECOVERY

  • Current status: No cryptographic flaw is publicly known. Files are encrypted with ChaCha20 and the ChaCha20 keys are wrapped with RSA-2048; the private key needed to unwrap them exists only on attacker-controlled infrastructure, so recovery without it depends on a key leak, a seizure, or the implementation bugs noted below.
  • Decryptor available? No free decryptor as of 2024-05.
  • Options:
    • Check the ID-Ransomware and NoMoreRansom portals monthly—several private firms have broken “FileGo”/“GoPrencrp” campaign keys for the older v1 (extension .goprencrp) but not yet for .filegofprencrp v2.
    • If shadow copies were not wiped (the payload skips vssadmin delete shadows on ≈30 % of runs), list and mount them, then copy data back:
      vssadmin list shadows
      mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
      (substitute the index from the listing; the trailing backslash is required. wbadmin get versions lists Windows Server Backup sets, not shadow copies.)
    • Explore the Windows “Previous Versions” tab in Explorer—surprisingly effective when the payload ran without the administrative rights needed to delete the shadow copies.
    • File carving with PhotoRec/Scalpel can recover non-fragmented Office docs only if the payload wrote the encrypted copy as a new file and deleted the original, leaving the plaintext clusters unallocated rather than overwritten; in-place encryption defeats it. Image the disk first and carve the image, never the live volume.
    • Cloud recycle bins and version history (OneDrive, Google Drive, Dropbox) usually keep 30 days of file history—restore from the web console before that window closes.
    • Negotiation / paying the ransom is technically possible via Tox chat but NOT recommended (no guarantee, funds criminal actors, and may breach OFAC sanctions).

4. OTHER CRITICAL INFORMATION

  • Kill-switch check: before encrypting, the payload requests http[:]//filegofprencrp[.]com/ks.php?k= – a response of “0” continues, “1” exits. Sinkholing that FQDN internally to a host that answers “1” stops NEW machines from encrypting; merely blocking it only helps if the payload treats an unreachable server as “1”, which the observed logic does not promise. Neither helps systems already hit.
  • The binary carries a service-stopping routine for ESXi (vmon), Hyper-V VHDX, and MySQL/MariaDB that has not been seen triggering in the wild; when active it stops those services gracefully before encryption so their locked files become writable, a rare refinement among ransomware and a reason to alert on unexpected stops of those services.
  • Network printers are spammed with ASCII-art ransom-note pages—wastes paper but also alerts staff quickly.
  • Certain builds corrupt the ChaCha20 keystream on files > 4 GB, leaving them partially recoverable—check large files with a hex editor or an entropy scan for plaintext chunks; recovery may be worth the manual effort for databases and VM disks.
  • The group peddles “monthly penetration testing” services post-breach—decline; they will re-enter later.
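The plaintext-chunk check from the keystream note above, done with entropy rather than by eye: the script reads a file in fixed-size windows, computes the Shannon entropy of each and reports contiguous runs that sit well below the ~8 bits/byte that ChaCha20 output produces. This is an added example, not from the original sheet or the group’s tooling; the chunk size and threshold are assumptions to tune, and the sample file built by build_sample() is constructed for the demo.

```python
"""Find low-entropy (candidate plaintext) runs inside an encrypted file (added example)."""
import io
import math
import random
import sys
from collections import Counter

CHUNK = 64 * 1024   # bytes per window; smaller windows localize plaintext better but cost time
THRESHOLD = 7.0     # bits/byte; ChaCha20 output measures ~7.99, documents/text/XML far lower


def entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plaintext_runs(stream, chunk=CHUNK, threshold=THRESHOLD):
    """Yield (start, end, min_entropy) byte ranges where consecutive chunks fall below threshold."""
    offset, run_start, run_min = 0, None, None
    while True:
        data = stream.read(chunk)
        if not data:
            break
        h = entropy(data)
        if h < threshold:                  # extend or open a low-entropy run
            if run_start is None:
                run_start, run_min = offset, h
            else:
                run_min = min(run_min, h)
        elif run_start is not None:        # ciphertext again: close the run
            yield run_start, offset, run_min
            run_start, run_min = None, None
        offset += len(data)
    if run_start is not None:              # file ended inside a run
        yield run_start, offset, run_min


def scan_bytes(data, **kw):
    return list(plaintext_runs(io.BytesIO(data), **kw))


def scan_file(path, **kw):
    with open(path, "rb") as f:
        return list(plaintext_runs(f, **kw))


def build_sample(seed=7, chunk=CHUNK):
    """Constructed demo file: 3 ciphertext-like chunks, 2 chunks of plaintext, 2 ciphertext-like."""
    rng = random.Random(seed)
    text = (b"Quarterly budget review - all figures in EUR. " * 3000)[: chunk * 2]
    return rng.randbytes(chunk * 3) + text + rng.randbytes(chunk * 2)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        runs = scan_file(sys.argv[1])
    else:
        print("no file given; scanning the constructed sample")
        runs = scan_bytes(build_sample())
    for start, end, h in runs:
        print(f"candidate plaintext 0x{start:x}-0x{end:x} "
              f"({(end - start) // 1024} KiB, min entropy {h:.2f})")
```

Point it at a copy of the large file (`python entropy_scan.py bigdb.mdf.filegofprencrp`) and carve the reported ranges with a hex editor; compressed formats (zip-based Office files, JPEG, backups) are high-entropy even in the clear, so for those lower the threshold or look for magic bytes instead.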

By understanding .filegofprencrp’s entry paths, maintaining offline backups, and following the step-wise eradication plan above, defenders can both avoid the initial hit and rebound quickly should the encryption routine fire. Good luck, stay patched, and keep those backups immutable!