filgzmsp

[Content by Gemini 2.5]

Ransomware Brief – Extension “.filgzmsp”

(Community-use quick-reference – last updated 2024-05-28)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Exact extension added: .filgzmsp (lower-case, 8 chars, no second extension).
  • Renaming convention observed in the wild:
    <original_name>.<original_ext>.ID-<5-8_hex_digits>.[attacker_email].filgzmsp
    Example:
    ProjectQ3.xlsx.ID-9F4C2E01.[[email protected]].filgzmsp
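The renaming convention in point 1 is the cheapest indicator to sweep a file-server listing for. The following Python parser is an added example, not part of the brief: it matches the full `<name>.<ext>.ID-<hex>.[<e-mail>].filgzmsp` form, falls back to the bare `.filgzmsp` suffix, and groups results by victim ID so that several IDs in one share point at several encrypting hosts. The sample listing, the host names and the attacker mailbox (`attacker@example.invalid`) are constructed placeholders, not indicators from the brief.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Regex for the observed renaming convention:
#   <original_name>.<original_ext>.ID-<5-8 hex digits>.[<attacker e-mail>].filgzmsp
FULL_PATTERN = re.compile(
    r"^(?P<original>.+?)"
    r"\.ID-(?P<victim_id>[0-9A-Fa-f]{5,8})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.filgzmsp$"
)
# The bare marker extension, for names that carry no ID / mailbox segment.
BARE_PATTERN = re.compile(r"^(?P<original>.+)\.filgzmsp$")


@dataclass
class Hit:
    path: str
    original_name: str
    victim_id: Optional[str]
    attacker_email: Optional[str]


def parse_name(name: str) -> Optional[Hit]:
    """Return the parsed fields if `name` carries the .filgzmsp marker, else None."""
    m = FULL_PATTERN.match(name)
    if m:
        return Hit(name, m["original"], m["victim_id"].upper(), m["email"])
    m = BARE_PATTERN.match(name)
    if m:
        return Hit(name, m["original"], None, None)
    return None


def scan_names(names: Iterable[str]) -> List[Hit]:
    """Parse a batch of file names (e.g. a share listing) and keep the matches."""
    return [h for h in (parse_name(n) for n in names) if h is not None]


def summarize(hits: List[Hit]) -> dict:
    """Count files and collect distinct victim IDs / mailboxes seen.

    More than one victim ID on a single share usually means more than one
    host ran the encryptor, which widens the scope of the clean-up.
    """
    ids = {h.victim_id for h in hits if h.victim_id}
    mails = {h.attacker_email for h in hits if h.attacker_email}
    return {"files": len(hits), "victim_ids": sorted(ids), "emails": sorted(mails)}


# Constructed sample listing for this example; names, IDs and mailbox are invented.
SAMPLE_LISTING = [
    "ProjectQ3.xlsx.ID-9F4C2E01.[attacker@example.invalid].filgzmsp",
    "budget.docx.ID-9F4C2E01.[attacker@example.invalid].filgzmsp",
    "notes.txt.ID-1A2B3.[attacker@example.invalid].filgzmsp",  # 5-digit ID, second host
    "README_TO_RESTORE.txt",                                    # the note itself is not renamed
    "archive.tar.gz",                                           # unrelated file
    "photo.jpg.filgzmsp",                                       # bare marker extension only
]

if __name__ == "__main__":
    found = scan_names(SAMPLE_LISTING)
    for h in found:
        print(f"{h.path}: original={h.original_name} id={h.victim_id} email={h.attacker_email}")
    print(summarize(found))
```

Run it over `dir /s /b` or `find` output from the affected shares; the summary's distinct victim IDs are the first clue to how many hosts need the removal steps below.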

2. Detection & Outbreak Timeline

  • First uploaded to public malware repositories: 2024-03-17 (UTC).
  • First large-enterprise ticket opened: 2024-04-02 – manufacturing sector, Central Europe.
  • Peak activity window: 2024-04-15 → 2024-05-05; still circulating at low volume through May-2024.

3. Primary Attack Vectors

  1. Phishing with ISO/IMG lures – e-mail titled “QuickBooks Invoice” or “DHL Shipping Correction”; attachment mounts as DVD, contains a .BAT + hidden .NET injector.
  2. RDP brute-forcing – using ~2,000 common passwords plus freshly stuffed credentials (2023 breaches). Once inside, the attacker manually runs “filgzmsp-prep.exe” from C:\PerfLogs.
  3. Confluence CVE-2023-22515 – ransom notes were found on several Linux victims under /opt/atlassian/; Windows infection follows manual movement over SFTP.
  4. Drive-by via fake “Chrome-update.js” dropped by compromised WordPress sites (JS/Phoenix exploit kit). EK writes Monver.dll → rundll32 → filgzmsp payload.
  5. No current evidence of SMB/EternalBlue auto-propagation; worm module absent (unlike 2017 WannaCry). Network spread relies on harvested credentials + PsExec.

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

  • E-mail: Strip ISO, IMG, VHD, BAT at gateway; mandatory macro-blocking for external Office docs.
  • RDP: Disable if unused; else enforce NLA, 2FA, lockout after 3 attempts, 15-char min. password.
  • Confluence (or any public-facing app): Patch ≤15 days; add WAF rule for CVE-2023-22515 indicator /setup/*.
  • Disable WebDAV, SMBv1 (no evidence of abuse yet, but removes 2017-era risk).
  • Application whitelisting (WDAC/AppLocker) – blocks living-off-the-land tools the attacker uses to stage the payload (PsExec, certutil, wget).

2. Removal (Windows host)

  1. Isolate – pull NIC or disable Wi-Fi before powering on (prevents last-stage note download).
  2. Boot from external WinPE/USB → run MSERT / ESETRescue / Kaspersky Rescue (all detect filgzmsp as Ransom.Win32.FILGZMSP.A).
  3. After AV finishes, manually verify and remove the persistence entries the attacker adds:
     • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\`WinServGts=C:\Users\Public\Libraries\drvsvc.exe`
     • HKCU\Environment\`UserInitMprLogonScript=mshta javascript:…`
  4. Remove scheduled task “WinServGts” (Trigger: At logon).
  5. Clear the WMI EventFilter/Consumer pair “mailFilter” created for re-infection.
  6. Reboot → re-scan → only when clean → re-join network.
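Before cleaning hosts one by one, it helps to find every machine that shows the artefacts from the attack-vector and removal sections. The Python below is an added example, not part of the brief: it runs a handful of rules (the Run key and logon-script value, the WinServGts task, the vssadmin shadow deletion, execution from C:\PerfLogs, the rundll32/Monver.dll stage and the upds.dat canary) over telemetry lines and groups hits per host. The pipe-separated log format, the host names and the Monver.dll path/export in the sample are constructed for the example; only the indicator strings come from the brief.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass
class Event:
    ts: str
    host: str
    kind: str    # "process", "registry", "task" or "file"
    detail: str  # command line, "key = value", task name, or file path


def parse_line(line: str) -> Event:
    """Parse one pipe-separated telemetry line (constructed format) into an Event."""
    ts, host, kind, detail = (part.strip() for part in line.split("|", 3))
    return Event(ts, host, kind, detail)


# (rule name, event kind it applies to, predicate over the detail field)
RULES: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("run_key_WinServGts", "registry",
     lambda d: r"\CurrentVersion\Run\WinServGts" in d
               or r"c:\users\public\libraries\drvsvc.exe" in d.lower()),
    ("logon_script_mshta", "registry",
     lambda d: "UserInitMprLogonScript" in d and "mshta" in d.lower()),
    ("sched_task_WinServGts", "task",
     lambda d: d.strip() == "WinServGts"),
    ("vss_shadow_deletion", "process",
     lambda d: re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", d, re.I) is not None),
    ("exec_from_PerfLogs", "process",
     lambda d: "c:\\perflogs\\" in d.lower()),
    ("rundll32_Monver", "process",
     lambda d: "rundll32" in d.lower() and "monver.dll" in d.lower()),
    ("canary_upds_dat", "file",
     lambda d: d.lower() == r"c:\users\public\upds.dat"),
]


def detect(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, host, timestamp) for every line a rule fires on."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for name, kind, pred in RULES:
            if ev.kind == kind and pred(ev.detail):
                hits.append((name, ev.host, ev.ts))
    return hits


def by_host(hits: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group fired rule names per host, sorted, to build the clean-up worklist."""
    grouped: Dict[str, set] = {}
    for name, host, _ in hits:
        grouped.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in grouped.items()}


# Constructed sample telemetry; hosts, times and the Monver.dll path/export are invented.
SAMPLE_LOG = r"""
2024-04-16T08:01:12Z | WS-0412 | process  | C:\PerfLogs\filgzmsp-prep.exe --stage
2024-04-16T08:01:40Z | WS-0412 | registry | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinServGts = C:\Users\Public\Libraries\drvsvc.exe
2024-04-16T08:01:41Z | WS-0412 | registry | HKCU\Environment\UserInitMprLogonScript = mshta javascript:...
2024-04-16T08:02:05Z | WS-0412 | task     | WinServGts
2024-04-16T08:02:30Z | WS-0412 | process  | vssadmin.exe delete shadows /all /quiet
2024-04-16T08:02:31Z | WS-0412 | file     | C:\Users\Public\upds.dat
2024-04-16T08:05:00Z | WS-0412 | process  | C:\Windows\System32\svchost.exe -k netsvcs
2024-04-16T09:00:00Z | WS-0417 | process  | rundll32.exe C:\ProgramData\Monver.dll,EntryPoint
2024-04-16T09:10:00Z | WS-0417 | task     | OneDrive Standalone Update Task
"""

if __name__ == "__main__":
    for host, rules in by_host(detect(SAMPLE_LOG.splitlines())).items():
        print(f"{host}: {', '.join(rules)}")
```

A host that only trips `rundll32_Monver` is at the drive-by stage and may not have been encrypted yet; one that trips the persistence and shadow-deletion rules needs the full removal sequence above.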

3. File Decryption & Recovery

  • No flaw found (as of 2024-05): Encryption = ChaCha20 with 256-bit key, key encrypted by RSA-2040 (attacker-held private).
  • No public decryptor released; ransom note README_TO_RESTORE.txt points to TOX ID + onion site; ID contains victim-specific RSA blob.
  • Recovery option #1 – backups: filgzmsp deletes Volume Shadow Copies (vssadmin delete shadows /all) but often skips 3rd-party snapshot stores (Veeam, Acronis) kept on NAS via iSCSI.
  • Recovery option #2 – free data only: Recycle Bin & temp directories sometimes intact; also check cloud sync services (OneDrive/SharePoint auto-versioning is retained).
  • Recovery option #3 – professional negotiation / law-enforcement: Current average ask = 0.73 BTC; FBI IC3 reports 30 % of companies who paid received working decryptor (slow: 2–4 MB/s, so 10 TB ≈ 30 days).
  • Still, paying is discouraged; sectors under GDPR/HIPAA often still face regulatory fines even after ransom payment.

4. Other Critical Information

  • Unique traits:
    – Drops canary file c:\users\public\upds.dat; presence tells attacker infection succeeded.
    – Skips files whose path contains “.git”, “node_modules”, “Windows”, “Tor Browser”, “Mozilla” – intended to keep browser/OS intact so victim can visit payment portal.
    – Performs 1-byte overwrite & delete on <100 MB Office docs AFTER encryption (defeats some raw forensics).
    – Timer in note is real – samples showed 25 % price increase after precisely 72 h (based on attacker’s server time sent in the ransom GET request).
  • Broader impact:
    – Disproportionately hits small legal & accounting firms (easy RDP + valuable data).
    – Because the note demands contact via TOX (P2P) instead of e-mail, researchers have a harder time tracking the victim count; only ~220 submissions to ID-Ransomware so far.
    – Linux-hosted Confluence servers encrypted with ELF variant “filgzmsp.lin”; ransom note identical except wallet address rotated – same actor, cross-platform build.

Essential Tools / Patches to stage now (all free):

  • Microsoft “Health Check” (automatically disables RDP if unused)
  • Atlassian Confluence 8.5.4 LTS or 8.8.0 (patches CVE-2023-22515)
  • MSERT (Microsoft Safety Scanner) – sig update 1.391.441.0 detects filgzmsp.
  • “ShadowCopyView” v1.05 – quickly check if any VSS still alive before restore.
  • Keep offline backups (3-2-1 rule).

If you identify .filgzmsp inside your environment, treat it as human-operated ransomware: assume lateral movement, identify privileged accounts used, rotate all credentials AFTER cleanup, and perform full threat-hunt for any Cobalt Strike or AnyDesk remnants the intruder typically plants for re-entry.

Good luck – stay patched, stay segmented, and never whitelist an ISO from an invoice e-mail!