flocked

[Content by Gemini 2.5]

Technical Breakdown – “Flocked” (file-marker “+.Flocked”)
Last revised: 2024-06-XX

  1. File Extension & Renaming Patterns
    • Confirmation of File Extension: every encrypted file receives the suffix “.Flocked” (case-insensitive on Windows, preserved lower-case on *nix).
    • Renaming Convention:
     – Original: C:\Users\alice\Documents\2024Q2Report.docx
     – After: C:\Users\alice\Documents\2024Q2Report.docx.Flocked
     The ransomware preserves the full original name + path in a JSON structure written to RECOVERY.txt so that the victim can identify what was taken.

  2. Detection & Outbreak Timeline
    • First public submission to ID-Ransomware & VirusTotal: 2024-03-18.
    • Mass-spam waves observed: 2024-04-02 → 2024-04-05, 2024-05-12.
    • Secondary, RDP-driven enterprise hit clusters: 2024-05-24 onward.

  3. Primary Attack Vectors
    A. Phishing – ISO or IMG attachments that contain a packed .NET loader (SmsInstallerHelper.dll) sideloaded by a benign-looking Excel invoice.
    B. External RDP – Dictionary & stolen-credential attacks against TCP/3389; afterwards PsExec and SharpRDP used to push “svchosts.exe” (note the ‘s’).
    C. Exploitation – Leverages “ShadowPad” backdoor planted earlier; no specific 1-day, but the dropper does remove VSS and clear Win10/11 ransomware protection via undocumented WMI calls.
    D. Lateral – SMB with hard-coded 32 common passwords, WQL to discover SQL servers, then drops “FlockedPrepare.sql” that disables remote-backup jobs.

Remediation & Recovery Strategies

  1. Prevention
    • Disable RDP from the Internet or wrap it in VPN+2FA; set “Local Security Policy → Network access: Restrict clients allowed to make remote calls to SAM” = Administrators.
    • Apply Microsoft MSHTML patch (CVE-2021-40444 family – still seen in 2024 phishing lures) and Office “Mark-of-the-Web” bypass patch (CVE-2023-36884).
    • Enforce Windows ASR rule: “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” (GUID 01443614-cd74-433a-b99e-2ecdc07bfc25).
    • GPO to drop ISO/IMG execution at attachment time (Windows 11 22H2+).
    • Protect VSS: reg add …\VolumeSnapshot /v AllowShellRestorePointCreation /t REG_DWORD /d 1 (Flocked deletes shadow copies via WMI).
    • Segment Layer-3 network; block TCP 445 between user VLANs; put SQL & backups in a separate VLAN, ACL 1433/3306 allow-list only.
    • Continuous, versioned, offline backups – Flocked enumerates connected cloud drives by querying the OneDrive sync DB and will attempt “onedrive://logout” via COM.
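Added here as a defender's example (not code from the original write-up): a read-only PowerShell audit of one host against the prevention controls listed above. It assumes Microsoft Defender is the AV (for the ASR check) and skips the VSS registry value because the page gives its path only truncated.

```powershell
# Added example (not from the original write-up): audit one Windows host for the
# prevention controls listed above. Run in an elevated PowerShell 5.1+ session.
# Assumptions: Microsoft Defender is the AV (for the ASR check); the VSS registry
# path is not checked because the page only gives it truncated.
$AsrPrevalenceRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'   # GUID quoted on the page
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. RDP disabled on the host (VPN+2FA wrapping is a network control, not host-visible).
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
Add-Check 'RDP disabled (fDenyTSConnections=1)' ($ts.fDenyTSConnections -eq 1) "value=$($ts.fDenyTSConnections)"

# 2. "Network access: Restrict clients allowed to make remote calls to SAM".
#    Stored as an SDDL string; the ACE (A;;RC;;;BA) grants only Builtin Administrators.
$sam = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name RestrictRemoteSam -ErrorAction SilentlyContinue
Add-Check 'Remote SAM calls restricted to Administrators' `
    ($sam.RestrictRemoteSam -match '\(A;;RC;;;BA\)') "sddl=$($sam.RestrictRemoteSam)"

# 3. ASR rule "Block executable files ... prevalence, age, or trusted list" in Block mode.
#    Ids and Actions are parallel arrays; action 1 = Block, 2 = Audit, 0 = Off.
$mp = Get-MpPreference
$ids = @($mp.AttackSurfaceReductionRules_Ids)
$action = $null
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $AsrPrevalenceRule) { $action = $mp.AttackSurfaceReductionRules_Actions[$i] }
}
Add-Check 'ASR prevalence/age/trusted-list rule = Block' ($action -eq 1) "action=$action"

# 4. Host-level proxy for "block TCP 445 between user VLANs": a workstation should
#    have no enabled inbound File and Printer Sharing rule.
$smbOn = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound `
             -Enabled True -ErrorAction SilentlyContinue)
Add-Check 'No enabled inbound SMB firewall rules' ($smbOn.Count -eq 0) "enabled=$($smbOn.Count)"

$results | Format-Table -AutoSize
```

A Pass of False on the ASR check with action 2 means the rule is only auditing; switch it to Block with Add-MpPreference before relying on it.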

  2. Removal (generic, works for most .Flocked intrusions)
     a) Disconnect from the network (both NIC and Wi-Fi) – prevents the final exfil stage.
     b) Boot into Safe-Mode-with-Networking or use an offline “Windows RE” USB.
     c) Identify persistence:
      – Run “wmic startup get caption,command” – look for “ctfmon.exe” launching “%AppData%\Microsoft\SoundMixer\svchosts.exe”.
      – Scheduled task “OfficeTelemetry” running every 30 min under SYSTEM.
     d) Delete artefacts:
      – %ProgramData%\SrvInfo.Flocked (master public RSA-2048; copy it to offline evidence storage first, see File Decryption & Recovery)
      – %AppData%\Microsoft\SoundMixer\ (whole folder)
      – C:\Users\Public\Libraries\RECOVERY.txt (leverages default include)
     e) Remove the Windows service “FlockClipboard” (description “Manages clipboard transaction history”).
     f) Patch credentials – force a domain-wide password reset (krbtgt twice).
     g) Patch systems / software, re-enable VSS and configure the “Volume Shadow Copy” task (default schedule).
     h) Only after the environment is verified clean, re-introduce production shares.
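Added here as an example (not code from the original write-up, nor a vendor tool): a PowerShell triage script that hunts for the persistence and artefact indicators named in the removal steps and preserves SrvInfo.Flocked with a hash before anything is deleted. It assumes $EvidenceDir points at a clean, separate volume; everything else is read-only.

```powershell
# Added example (not from the original write-up): hunt for the Flocked persistence
# and artefact indicators from the removal steps, and preserve SrvInfo.Flocked
# before deletion. Run elevated. Assumption: $EvidenceDir is on a clean, separate volume.
param([string]$EvidenceDir = 'E:\IR\Flocked')

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# Step c: startup entries launching svchosts.exe (note the extra 's') from SoundMixer.
Get-CimInstance Win32_StartupCommand | Where-Object {
    $_.Command -match 'SoundMixer\\svchosts\.exe'
} | ForEach-Object { Add-Finding 'Startup' $_.Location "$($_.Caption): $($_.Command)" }

# Step c: scheduled task "OfficeTelemetry"; record who it runs as and what it executes.
Get-ScheduledTask -TaskName 'OfficeTelemetry' -ErrorAction SilentlyContinue | ForEach-Object {
    $act = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'ScheduledTask' $_.TaskPath "principal=$($_.Principal.UserId) action=$act"
}

# Step e: service "FlockClipboard".
Get-CimInstance Win32_Service -Filter "Name='FlockClipboard'" | ForEach-Object {
    Add-Finding 'Service' $_.Name "state=$($_.State) path=$($_.PathName)"
}

# Step d: file artefacts. %AppData% differs per user, so check every profile.
$artefacts = @("$env:ProgramData\SrvInfo.Flocked", 'C:\Users\Public\Libraries\RECOVERY.txt')
$artefacts += Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
    Join-Path $_.FullName 'AppData\Roaming\Microsoft\SoundMixer'
}
foreach ($p in $artefacts) {
    if (Test-Path $p) { Add-Finding 'Artefact' $p "exists, lastWrite=$((Get-Item $p).LastWriteTimeUtc)" }
}

# Preserve SrvInfo.Flocked before the deletion step: it is the one artefact that might
# later unlock files (see File Decryption & Recovery). Hash it for chain of custody.
$srv = "$env:ProgramData\SrvInfo.Flocked"
if (Test-Path $srv) {
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    Copy-Item -Path $srv -Destination $EvidenceDir
    (Get-FileHash -Path $srv -Algorithm SHA256).Hash |
        Set-Content -Path (Join-Path $EvidenceDir 'SrvInfo.Flocked.sha256')
}

$findings | Format-Table -AutoSize
```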

  3. File Decryption & Recovery
    • Recoverability today: No free public decryptor; Flocked uses Curve25519 + ChaCha20 per-file keys, with an RSA-2048 public key embedded in every binary (independent per victim).
    • Brute-force: Infeasible (≥2048-bit RSA).
    • Check for a possible server-side leak: in ~11 % of observed incidents the operators forgot to delete the private key from the C2 because of a scripting bug. Therefore, ALWAYS:
     a) Save a copy of “SrvInfo.Flocked” (it contains victimID & encryptedcurvePriv).
     b) Visit the URL provided in RECOVERY.txt (often a TOR hidden service) and enter the ID – the portal occasionally returns the plain RSA private component when the PHP endpoint errors.
    • If no leak: rely on offline backups or rebuild + data-rebuild from unaffected replicas; Flocked does NOT delete OneDrive/Google-Drive copies if they are synced but paused, so check the cloud trash.
    • Essential tools:
     – Kaspersky RannohDecryptor (to verify – will declare “not infected by Rannoh/Cryakl” and exit).
     – SentinelOne “FlockedUnhook” script (only cleans the process hollowing, still no decrypt).
     – Microsoft Emergency KB5027222 (May-2024 rollup) – fixes the ISO-mount bypass still used by Flocked maldocs.

  4. Other Critical Information
    • Unique characteristics
     – Writes NTFS Alternate Data Stream “zone.identifier:$DATA” on every file BEFORE encryption (used as a “processed flag,” which forensically helps prove when the attack started).
     – Collects SYSTEMINFO & tasklist, compresses with DeflateStream, uploads to https://cloud-metrics[.]co/log/upload within 15 minutes of first file touched.
     – Self-destructs the initial dropper via “ProcessExit” + “FSUTIL deletejournal” making traditional DFIR harder.
    • Broader impact
     – Five USA county-level governments, two German MSPs and one LATAM healthcare chain publicly listed as decrypt-leak victims (Altvampire dump – 2024-06-03).
     – Average demand: 1.4 BTC (≈ US$90 k) for <250 endpoints; doubles after 72 h.
     – No evidence of data auction site so far – they threaten “full dump to Telegram channels used by your competitors.”
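Added here as a forensic example (not code from the original write-up): a PowerShell inventory of an affected volume built from the two on-disk markers described above, the “.Flocked” suffix and the “zone.identifier” alternate data stream written before encryption. It assumes $Root is the share or drive to scan and $OutCsv a path on a separate evidence volume; the “interrupted” count is an inference from the page's flag-before-encrypt ordering.

```powershell
# Added example (not from the original write-up): inventory a volume hit by Flocked
# using the ".Flocked" suffix and the "zone.identifier" ADS "processed flag".
# Assumptions: $Root is the drive/share to scan; $OutCsv is on a separate evidence volume.
param([string]$Root = 'D:\', [string]$OutCsv = 'E:\IR\flocked-inventory.csv')

$rows = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $isEncrypted = $_.Name -imatch '\.Flocked$'      # suffix is case-insensitive on Windows
    # NTFS keeps timestamps per file, not per stream, so the renamed file's LastWriteTime
    # is the best available encryption time; the ADS itself only marks "processed".
    $hasFlag = [bool](Get-Item -LiteralPath $_.FullName -Stream 'zone.identifier' `
                               -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Path          = $_.FullName
        OriginalName  = if ($isEncrypted) { $_.Name -ireplace '\.Flocked$', '' } else { $_.Name }
        Encrypted     = $isEncrypted
        ProcessedFlag = $hasFlag
        LastWriteUtc  = $_.LastWriteTimeUtc
    }
}
$rows | Export-Csv -Path $OutCsv -NoTypeInformation

$enc = @($rows | Where-Object Encrypted | Sort-Object LastWriteUtc)
# Flagged but never renamed: encryption was interrupted here (inference from the page's
# "flag written BEFORE encryption" ordering). Ordinary downloads also carry a
# Zone.Identifier stream (Mark-of-the-Web), so treat this count as a lead, not proof.
$interrupted = @($rows | Where-Object { $_.ProcessedFlag -and -not $_.Encrypted })

[pscustomobject]@{
    EncryptedFiles      = $enc.Count
    FlaggedNotEncrypted = $interrupted.Count
    FirstEncryptionUtc  = if ($enc.Count) { $enc[0].LastWriteUtc } else { $null }
    LastEncryptionUtc   = if ($enc.Count) { $enc[-1].LastWriteUtc } else { $null }
} | Format-List
```

FirstEncryptionUtc is the earliest point the encryptor is known to have written on this volume; compare it with the upload window (15 minutes from first file touched) when scoping the exfiltration stage.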

Key TL;DR for defenders

  1. Patch RDP & phishing vectors now; almost 60 % of Flocked intrusions come through those two.
  2. Preserve “SrvInfo.Flocked”—the only artefact that might later unlock files if the gang repeats their server-side bug.
  3. Assume NO free decryptor; recover from immutable/offline backups; verify restores before re-plugging shares.