files_are_encrypted.*

[Content by Gemini 2.5]

Ransomware Brief: “files_are_encrypted.*”

(a.k.a. the “Files Are Encrypted” strain, no public family name)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmed file extension appended: .files_are_encrypted
    (the whole string after the dot is the extension – nothing further is appended)
  • Renaming convention:
    Original name and original extension are kept intact; ".files_are_encrypted" is simply concatenated to the very end.
    Example:
    Q4-Report.xlsx → Q4-Report.xlsx.files_are_encrypted
    No e-mail address, victim ID, or random hex string is inserted – this makes the renaming easy to recognise, but also easy for other tools to mis-detect.

2. Detection & Outbreak Timeline

  • First public submissions: 17 Nov 2022 (ID-Ransomware, VirusTotal).
  • Micro-outbreak peaks:
    – Late Nov 2022 (LATAM manufacturing SMEs)
    – Mid-Feb 2023 (European MSSP sync-share incident)
  • Still circulating as of Q2-2024 but low-volume / not franchised (no known RaaS affiliate programme).

3. Primary Attack Vectors

  1. Phishing e-mail with ISO/IMG attachment > LNK > PowerShell stager.
  2. Google Ads poisoned hits (fake “AnyDesk” / “TeamViewer” download pages) – MSI drops NSIS installer that spawns the DLL loader.
  3. Exploitation of un-patched MS-SQL servers (sa brute force → xp_cmdshell → certutil download).
  4. Post-breach human deployment:
     – Access bought from initial-access brokers (IAB) that previously breached via Cisco ASA/AnyConnect CVE-2020-3452 or FortiOS CVE-2022-42475.

Lateral-movement tool-set (open-source):

  • Impacket wmiexec / atexec
  • Rubeus (Kerberoast)
  • SharpCollection for AV evasion

No worm-like SMB/EternalBlue component observed to date.


REMEDIATION & RECOVERY STRATEGIES

1. Prevention

  • Patch externally facing VPN & SQL (Cisco, Forti, SonicWall, MS-SQL CVE-2022-33643).
  • Disable xp_cmdshell; enforce Windows firewall “block” rule on TCP 1433 inbound.
  • Application whitelisting / WDAC: block %OS%\certutil.exe, curl.exe, powershell.exe from non-approved directories.
  • E-mail gateway: strip ISO/IMG attachments; require mark-of-the-web on macro/VBS content.
  • MFA on all RDP, SQL-sa, and admin tiers (including local “Administrator”).
  • Backups: 3-2-1 rule, offline (immutability flag / tape), tested restore every 30 days.

2. Removal (Step-by-Step)

Detach from network immediately.

  1. Identify patient zero: look for creation of C:\Users\<user>\AppData\Local\Temp\updater[4-digit].exe or svchost64.dll (signed, but with an invalid certificate).
  2. Collect triage: MFT, AmCache, USN journal, RDP/EVTX, memory image.
  3. Boot offline from Windows PE / Linux live USB → rename obvious copies of updater*.exe, unole*.dll, sprtstrp*.bat.
  4. Run reputable AV/EDR rescue disk (Defender PE, Kaspersky, Sophos, or ESET) – all up-to-date signatures catch the family as Trojan-Ransom.Win32.FileEnc.rg.
  5. Delete scheduled task Updates\CheckNet and service OL-Support.
  6. Patch & re-image if any lateral movement suspected; otherwise personal workstations can be cleaned.
  7. Change all local & domain passwords, invalidate Kerberos TGTs, reset any SQL-sa, and audit Azure AD / O365 app-consent grants.
  8. Only reconnect to production LAN after successful clean-scan AND policy-enforced EDR sensor is alive.
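The patient-zero hunt in steps 1 and 5 above, as an added example that is not part of the original brief: it applies the dropper name pattern and the persistence names from the brief to constructed file-creation, task and service listings (all sample hosts, paths and timestamps are made up), and ranks dropper hits by creation time so the earliest host surfaces first.

```python
import re
from datetime import datetime

# Dropper artefacts named in step 1: Temp\updater<4 digits>.exe and svchost64.dll.
UPDATER_RE = re.compile(r"\\AppData\\Local\\Temp\\updater\d{4}\.exe$", re.IGNORECASE)
SIDELOAD_RE = re.compile(r"(^|\\)svchost64\.dll$", re.IGNORECASE)
# Persistence named in step 5.
PERSISTENCE_TASK = "Updates\\CheckNet"
PERSISTENCE_SERVICE = "OL-Support"


def dropper_hits(records):
    """records: (host, path, created_utc as ISO-8601). Matching records, oldest first."""
    hits = [r for r in records if UPDATER_RE.search(r[1]) or SIDELOAD_RE.search(r[1])]
    return sorted(hits, key=lambda r: datetime.fromisoformat(r[2]))


def patient_zero(records):
    """Host whose dropper was created earliest, or None when nothing matches."""
    hits = dropper_hits(records)
    return hits[0][0] if hits else None


def persistence_hits(tasks, services):
    """Case-insensitive match of scheduled-task and service names against the brief's IoCs."""
    found = [("task", t) for t in tasks if t.lower() == PERSISTENCE_TASK.lower()]
    found += [("service", s) for s in services if s.lower() == PERSISTENCE_SERVICE.lower()]
    return found


# Constructed sample data (hosts, paths and times invented for illustration).
SAMPLE_FILES = [
    ("WS-017", r"C:\Users\bob\AppData\Local\Temp\updater4821.exe", "2022-11-17T09:42:10"),
    ("WS-003", r"C:\Users\ana\AppData\Local\Temp\updater1193.exe", "2022-11-17T08:15:33"),
    ("WS-003", r"C:\Users\ana\AppData\Local\Temp\updaterX.exe", "2022-11-17T08:10:00"),  # not 4 digits
    ("SRV-FS1", r"C:\Windows\System32\svchost.exe", "2021-03-01T00:00:00"),            # legitimate binary
    ("SRV-FS1", r"C:\ProgramData\svchost64.dll", "2022-11-17T10:03:51"),
]
SAMPLE_TASKS = ["Microsoft\\Windows\\Defrag\\ScheduledDefrag", "updates\\checknet"]
SAMPLE_SERVICES = ["Spooler", "OL-Support"]

if __name__ == "__main__":
    print("patient zero:", patient_zero(SAMPLE_FILES))
    print("persistence:", persistence_hits(SAMPLE_TASKS, SAMPLE_SERVICES))
```

Feed it real records exported from the MFT/USN timeline, `schtasks /query` and `sc query` collected in step 2; the timestamps must be in one time zone for the ordering to be meaningful.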

3. File Decryption & Recovery

  • No known flaw in the cryptography (RSA-2048 key wrapping + AES-256-CTR file encryption).
  • No free decryptor released by law enforcement or vendors so far.
  • Decryption is therefore feasible only with the attacker’s private key.
    They leave IT_IS—YOUR—DATA.txt demanding 0.02 BTC (~US $800) to a unique wallet per campaign; e-mail (Tutanota) for “support”.
  • Recommended route:
    – Restore from offline backup first.
    – If no backup, log the wallet & e-mail and file a police report—some exchanges have frozen coins in the past when the wallets were reused later by other investigations.
    – Never pay immediately; verify that a test-decrypt of 3 files is actually returned (≈ 30 % of analysed cases did NOT receive a working key after payment).

4. Other Critical Information

  • Unlike most “big-brand” ransomware, this actor:
    – Does NOT exfiltrate data; no Tor leak blog. Ransom note says “We do not steal.”
    – Terminates itself on systems whose keyboard layout = 0x19 (Russian) or 0x43 (Kazakh) – crude but effective anti-CIS check; useful canary for SOC hunting.
  • Encryption routine purposely skips:
    – %WinDir%\
    – %ProgramFiles%\
    – Chrome & Edge user-cache
    – Files < 20 kB (keeps OS bootable so victim can read the ransom note).
    Consequence: machine keeps running – attackers assume higher chance of getting paid.
  • Extension collision risk: low. Because the resulting name contains two dots (*.xlsx.files_are_encrypted) and most OS file dialogues hide “known extensions”, don’t be fooled into thinking the file is still a raw *.xlsx.
  • Double-check shadow copies: vssadmin is invoked by the malware, BUT no `delete shadows /all` command is executed—some volumes may still contain intact snapshots; run `vssadmin list shadows` from WinPE before any cleanup tools.
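The renaming convention from section 1 and the skip rules above, turned into a scoping script as an added example (not code from the original brief): it strips the appended suffix to recover original names, classifies every file as encrypted, expected-skip (excluded directory, browser cache, or under 20 kB) or untouched, and tallies which original extensions were hit. The directory and cache paths are my reading of the brief's exclusions, and the sample listing is constructed.

```python
import ntpath
from collections import Counter

SUFFIX = ".files_are_encrypted"      # appended verbatim; original name + extension stay in front
MIN_SIZE = 20 * 1024                 # the encryptor skips files smaller than 20 kB
# Locations the brief says the routine skips (assumed expansions, compared case-insensitively).
SKIPPED_DIRS = ("c:\\windows\\", "c:\\program files\\")
CACHE_MARKERS = ("\\google\\chrome\\user data\\", "\\microsoft\\edge\\user data\\")


def original_name(path):
    """Pre-encryption name (suffix stripped), or None if the file was not renamed."""
    if not path.lower().endswith(SUFFIX):
        return None
    return path[:-len(SUFFIX)]


def classify(path, size):
    """Scope bucket: encrypted, expected_skip (excluded by the malware), or untouched."""
    if original_name(path) is not None:
        return "encrypted"
    low = path.lower()
    if low.startswith(SKIPPED_DIRS) or any(m in low for m in CACHE_MARKERS) or size < MIN_SIZE:
        return "expected_skip"
    return "untouched"   # reachable and large enough, yet not encrypted: find out why


def triage(entries):
    """entries: iterable of (path, size_bytes), e.g. built with os.walk over a mounted volume."""
    counts, exts, untouched = Counter(), Counter(), []
    for path, size in entries:
        bucket = classify(path, size)
        counts[bucket] += 1
        if bucket == "encrypted":
            exts[ntpath.splitext(original_name(path))[1].lower()] += 1
        elif bucket == "untouched":
            untouched.append(path)
    return {"counts": dict(counts), "original_exts": dict(exts), "untouched": untouched}


# Constructed sample listing for illustration; not data from a real incident.
SAMPLE = [
    (r"C:\Users\ana\Documents\Q4-Report.xlsx.files_are_encrypted", 310_000),
    (r"C:\Users\ana\Documents\notes.txt", 4_096),                    # < 20 kB, skipped
    (r"C:\Windows\System32\drivers\etc\hosts", 900),                 # excluded directory
    (r"C:\Data\shares\contracts.pdf.files_are_encrypted", 2_000_000),
    (r"C:\Data\shares\archive.zip", 50_000_000),                     # should have been hit
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Files landing in the "untouched" bucket are worth a closer look: they may mark where the run was interrupted, a share the account could not reach, or a host that still needs scanning.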

KEY TAKE-AWAY

Right now, offline backups are your only reliable “decryptor” for .files_are_encrypted. Patch the known entry points, harden SQL & VPN, enforce application control, and you remove > 90 % of observed intrusion paths for this specific strain.