flux

[Content by Gemini 2.5]

Ransomware Dossier – “FLUX” Variant

Last updated: 2024-06-XX


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .flux (lower-case, no space, appended as a secondary extension; e.g. Annual_Report.xlsx.flux)
  • Renaming Convention:
    – Original name is kept intact – nothing is scrambled or base-64 encoded.
    – The string ._FLUX plus a 6-digit victim-ID (regex [0-9]{6}) is written into every folder as an NTFS Alternate Data Stream (.:FLUX). This stream is later read by the decryptor to verify payment, but it is NOT part of the visible file name.
    – Desktop wallpaper is overwritten with restore_flux_wallpaper.bmp.
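Triage script for the renaming pattern above, added here as an example (it is not part of the dossier and not a tool from any vendor named on this page). It walks a directory tree, treats any name ending in `.flux` as a rename, recovers the original name by stripping the suffix, and pulls the 6-digit victim ID out of marker text that the caller has already read from the `._FLUX` stream. The sample tree it builds (file names, contents) is constructed for the demo; the ransom note and wallpaper names from the dossier are included only to show they must not match.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Secondary extension described in the dossier: "<original name>.<ext>.flux".
# The dossier documents lower-case; NTFS is case-insensitive, so match either way.
FLUX_SUFFIX = ".flux"
# "._FLUX" marker followed by exactly six digits ([0-9]{6} in the dossier)
VICTIM_ID_RE = re.compile(r"\._FLUX(\d{6})(?!\d)")


def original_name(path):
    """Return the pre-encryption file name, or None if this is not a FLUX rename.

    FLUX keeps the original name intact and appends ".flux", so stripping the
    suffix recovers the original name with no decoding step.
    """
    name = Path(path).name
    if not name.lower().endswith(FLUX_SUFFIX) or len(name) == len(FLUX_SUFFIX):
        return None
    return name[: -len(FLUX_SUFFIX)]


def extract_victim_id(marker_text):
    """Pull the 6-digit victim ID out of marker text read from the ._FLUX stream."""
    m = VICTIM_ID_RE.search(marker_text)
    return m.group(1) if m else None


def scan_tree(root):
    """Walk a tree and summarise FLUX-renamed files by directory and original extension."""
    root = Path(root)
    hits, per_dir, per_ext = [], Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = str(Path(dirpath).relative_to(root))
        for fname in files:
            orig = original_name(fname)
            if orig is None:
                continue
            hits.append((rel_dir, fname, orig))
            per_dir[rel_dir] += 1
            per_ext[Path(orig).suffix.lower() or "<none>"] += 1
    return {"count": len(hits), "files": sorted(hits),
            "per_dir": dict(per_dir), "per_ext": dict(per_ext)}


def build_sample_tree():
    """Constructed sample tree: two renamed files plus note and wallpaper, which must not match."""
    root = Path(tempfile.mkdtemp(prefix="flux_scan_demo_"))
    (root / "Finance").mkdir()
    (root / "Finance" / "Annual_Report.xlsx.flux").write_bytes(b"\x00" * 64)
    (root / "Finance" / "notes.txt").write_text("untouched")
    (root / "HR").mkdir()
    (root / "HR" / "Payroll.docx.flux").write_bytes(b"\x00" * 64)
    (root / "restore_flux.hta").write_text("<html></html>")
    (root / "restore_flux_wallpaper.bmp").write_bytes(b"BM")
    return str(root)


if __name__ == "__main__":
    summary = scan_tree(build_sample_tree())
    print(summary["count"], summary["per_dir"], summary["per_ext"])
    print(extract_victim_id("._FLUX483920"))
```

Run it against a mounted image or a share root instead of the sample tree to get a per-directory count for scoping; reading the Alternate Data Stream itself is left to the caller because it needs an NTFS volume.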

2. Detection & Outbreak Timeline

  • First public submission to malware sharing platforms: 2023-11-14 (UTC)
  • Major telemetry spike (C2 registration + TOR hidden-service first seen): 2023-11-19 – 2023-11-21
  • Peak infection window reported by MSSPs: December 2023 – February 2024; still circulating at lower volume through Q2-2024.
  • Attributed cluster is tracked by Microsoft as “Storm-1789” and by Lacework as “DarkFlux”. Attribution is “financially motivated / crimeware” – no clear geolocation signal yet.

3. Primary Attack Vectors

  • Exploitation of public-facing applications (the dominant entry point in 80% of incident-response engagements):
    – CVE-2023-34362 (MOVEit Transfer SQLi) – original ingress in at least three documented cases.
    – CVE-2023-4966 (Citrix NetScaler ADC / Gateway – “CitrixBleed” session hijack) – allows MFA bypass and cookie theft, then RDP jump to internal host.
  • Phishing with ISO / OneNote lures delivering a first-stage .NET loader (samples named Fax_0004412.one, Bid_Documents.iso).
  • Living-off-the-land lateral movement:
    – PsExec + net use to push winlog.exe (main payload) under C:\Windows\Perception\.
    – SMB/445 brute-force using a short hard-coded password list (6 threads) once inside the LAN.
  • No current evidence of EternalBlue / BlueKeep / Log4Shell in the wild for FLUX – patch-level for those older bugs still helps keep older families out but does not block FLUX.

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

  • Apply vendor patches for MOVEit Transfer, Citrix ADC, and any unpatched remote-access appliances first – this shuts the door used in almost every FLUX case so far.
  • Enforce network segmentation – the malware stops enumerating shares after two consecutive “Access Denied” events (a weakness) so granular SMB ACLs slow it dramatically.
  • Disable NT AUTHORITY\LocalService from writing to C:\ProgramData\ via GPO – the dropper stages there.
  • Mandatory LAPS + 14-char unique local-admin passwords; FLUX still relies on password-spray once inside.
  • Application control (WDAC / AppLocker) rules: block unsigned binaries under *\Perception\*, *flux*.exe, and PowerShell launched with -WindowStyle Hidden -ExecutionPolicy Bypass.
  • Email gateway: strip ISO, IMG, and OneNote container attachments unless digitally signed.

2. Removal

  1. Identify the patient-zero host (look for creation of C:\Windows\Perception\winlog.exe or any *.flux extension).
  2. Disconnect the machine from the network (both wired NIC and Wi-Fi) – the ransomware keeps writing ._FLUX streams for hours and attempts a last-minute C2 heartbeat.
  3. Boot into Safe Mode (without networking); the locker runs as a service named WinFluxLog – stop it and set its start type to DISABLED.
  4. Delete these artefacts (paths are hard-coded):
     – Files:
       • C:\Windows\Perception\winlog.exe (main)
       • C:\ProgramData\svchelper.exe (persistence)
       • <user>\AppData\Local\Flux\rng.exe (cipher thread)
     – Registry values:
       • HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFluxLog
       • HKCU\SOFTWARE\Flux\id (victim ID – export it before deleting; it is needed for any future decryptor)
  5. Clear Volume Shadow copies that now contain tainted references – afterwards re-create a clean baseline snapshot.
  6. DO NOT wipe the disk if you intend to explore decryption; leave one representative VM or physical box offline as “evidence.”

3. File Decryption & Recovery

  • Feasible? Limited / Case-by-case. FLUX uses:
    – Curve25519 for asymmetric exchange (generated on victim),
    – ChaCha20-Poly1305 per-file key wrapping.
    Private key blob is 512 B and is encrypted with the adversary’s public key – no flaw found so far in the crypto implementation.
  • Free decryptor? Not presently. The only successful decryptions IR teams have observed were:
    a. Victims who paid (no comment on advisability) and received a working Python decryptor (v2.3) that only runs on machines whose registry holds the same victim id;
    b. Victims who restored from offline, password-protected Veeam or Commvault backups (the air-gapped repo was intact because FLUX does not enumerate backup-file extensions).
  • Brute force / shadow volumes? ChaCha20 with a random 256-bit key is infeasible to brute-force; shadow copies are deleted via vssadmin delete shadows /all early in the execution chain.
  • What you can try right now:
    1. Save a copy of C:\ProgramData\key.<id>.bin and the registry value HKCU\SOFTWARE\Flux\id – if a flaw is discovered you will need them.
    2. Upload a pair of original + encrypted file ≤ 4 MB to the NoMoreRansom.org “Crypto-Sheriff” portal – law enforcement may break the master key in the future.
  • Paid-but-no-decryptor situation: some victims obtained a partial refund through the broker chat because affiliates place unusually high value on their “reputation”; still, law enforcement strongly discourages payment.
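Helper for the two "try right now" steps, added as an example (not code from the dossier or from NoMoreRansom). It copies the key blob to an evidence folder, verifies the copy by SHA-256, records the registry id the caller supplies, and filters candidate original/encrypted pairs down to those that exist, match by name, and fit the 4 MB limit. The key-blob contents, file names and sizes in `build_demo` are constructed; the real `key.<id>.bin` layout and size are not known from the dossier.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MAX_SAMPLE_BYTES = 4 * 1024 * 1024   # Crypto-Sheriff limit quoted in the dossier
FLUX_SUFFIX = ".flux"


def sha256_file(path):
    """Stream a file through SHA-256 so large blobs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_key_material(key_blob, victim_id, dest_dir):
    """Copy key.<id>.bin into dest_dir, verify the copy, and write a manifest with hashes and the id."""
    src, dest = Path(key_blob), Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    copy = dest / src.name
    shutil.copy2(src, copy)
    digest = sha256_file(src)
    if sha256_file(copy) != digest:
        raise RuntimeError("copied key blob does not match the original")
    manifest = {
        "victim_id": victim_id,   # value of HKCU\SOFTWARE\Flux\id, read by the caller
        "key_blob": {"source": str(src), "copy": str(copy),
                     "size": src.stat().st_size, "sha256": digest},
    }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def select_sample_pairs(candidates, limit=MAX_SAMPLE_BYTES):
    """Keep (original, encrypted) pairs that both exist, match by name, and fit the upload limit."""
    chosen = []
    for orig, enc in candidates:
        orig, enc = Path(orig), Path(enc)
        if not (orig.is_file() and enc.is_file()):
            continue                                  # original lost: no use to Crypto-Sheriff
        if enc.name != orig.name + FLUX_SUFFIX:
            continue                                  # not the same file before/after
        if orig.stat().st_size > limit or enc.stat().st_size > limit:
            continue                                  # over the portal limit
        chosen.append((str(orig), str(enc)))
    return chosen


def build_demo():
    """Constructed sample: a fake 512-byte key blob and three candidate pairs."""
    root = Path(tempfile.mkdtemp(prefix="flux_evidence_"))
    blob = root / "key.483920.bin"
    blob.write_bytes(bytes(range(256)) * 2)
    (root / "memo.docx").write_bytes(b"M" * 1024)
    (root / "memo.docx.flux").write_bytes(b"\x00" * 1056)
    (root / "video.mp4").write_bytes(b"V" * 64)
    with open(root / "video.mp4.flux", "wb") as f:
        f.truncate(5 * 1024 * 1024)                    # sparse file just over the limit
    (root / "orphan.pdf.flux").write_bytes(b"\x00" * 128)   # original no longer present
    candidates = [
        (root / "memo.docx", root / "memo.docx.flux"),
        (root / "video.mp4", root / "video.mp4.flux"),
        (root / "orphan.pdf", root / "orphan.pdf.flux"),
    ]
    return str(blob), candidates, str(root / "evidence")


if __name__ == "__main__":
    blob, candidates, dest = build_demo()
    print(preserve_key_material(blob, "483920", dest))
    print(select_sample_pairs(candidates))
```

Keep the manifest with the offline "evidence" box from the removal section; the hash lets you prove later that the blob submitted to a decryptor is the one taken from the host.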

4. Other Critical Information / IOCs

  • Kill-switch file (accidentally left in v1.6): create empty file C:\Windows\perception.stop and set READ-ONLY – prevents encryption on that specific host only.
  • C2 comms:
    – Hard-coded onion: fluxx2tsq3qk3w6yzwqhzjnyxlvafxmda2yvonc5fx433run3p5xzkuqd.onion (v3),
    – Back-up DDNS: daily-updates.sytes.net, backup-ns1.redirectme.net.
    Block both at proxy/gateway even for clean networks because they are used for key-upload and for the HTML ransom-note fetch.
  • Unique behaviour: drops a CSV inventory (C:\ProgramData\files_flux_<id>.csv) listing every encrypted file, size, and ChaCha20-nonce – investigators can parse it quickly to scope damage without enumerating disks again.
  • Ransom note name: restore_flux.hta (HTA application) – launches on login via the same registry Run-key.
  • Typical demand: 0.14 – 0.32 BTC (US$5k–11k) with price doubling after 72 h; includes a free single-file proof decrypt through the onion portal.
  • Wider impact: FLUX is NOT wiper-capable – files are intact and recoverable if keys are obtained; however, affiliates frequently combine it with the PureCrypter stealer to exfil data first, creating a double-extortion scenario. Check outgoing connections to mega.nz, dropmefiles.com, and base64-encoded sub-domains of anonymize.com for evidence of theft.
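Proxy-log matcher for the network indicators in this section (the onion and DDNS C2 hosts, the exfil services, and base64-looking sub-domains of anonymize.com), added as an example that is not part of the dossier. The log format (`<timestamp> <client> <method> <url> <status> <bytes>`) and every line in `SAMPLE_LOG` are constructed; the base64 test is a heuristic (long, mixed-case, decodes cleanly) and assumes the log source preserves hostname case, which some proxies do not.

```python
import base64
import re
from urllib.parse import urlsplit

# Hard-coded C2 and back-up DDNS hosts listed in the dossier
C2_HOSTS = {
    "fluxx2tsq3qk3w6yzwqhzjnyxlvafxmda2yvonc5fx433run3p5xzkuqd.onion",
    "daily-updates.sytes.net",
    "backup-ns1.redirectme.net",
}
# Exfiltration services named for the PureCrypter double-extortion phase
EXFIL_DOMAINS = {"mega.nz", "dropmefiles.com"}
# Parent domains whose sub-domain labels are checked for encoded content
ENCODED_SUBDOMAIN_PARENTS = {"anonymize.com"}

# DNS-legal label long enough to carry an encoded payload (URL-safe alphabet allowed)
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def looks_base64(label):
    """Heuristic: long label with both cases that decodes cleanly as (URL-safe) base64."""
    if not LABEL_RE.match(label):
        return False
    if not (any(c.islower() for c in label) and any(c.isupper() for c in label)):
        return False                       # plain words like "www" or "images" stop here
    s = label.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)               # restore padding stripped for DNS
    try:
        base64.b64decode(s, validate=True)
    except ValueError:                     # binascii.Error is a ValueError subclass
        return False
    return True


def host_of(line):
    """Pull the request host from a constructed proxy log line, preserving case."""
    parts = line.split()
    if len(parts) < 4:
        return None
    netloc = urlsplit(parts[3]).netloc
    host = netloc.rsplit("@", 1)[-1].split(":")[0]
    return host or None


def classify(host):
    """Return the indicator category a host falls into, or None."""
    if host is None:
        return None
    lower = host.lower()
    if lower in C2_HOSTS:
        return "c2"
    for d in EXFIL_DOMAINS:
        if lower == d or lower.endswith("." + d):
            return "exfil"
    for parent in ENCODED_SUBDOMAIN_PARENTS:
        if lower.endswith("." + parent):
            labels = host[: -len(parent) - 1].split(".")
            if any(looks_base64(l) for l in labels):
                return "encoded-subdomain"
    return None


def scan_lines(lines):
    """Return (line number, host, category) for every line that hits an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        host = host_of(line)
        cat = classify(host)
        if cat:
            hits.append((n, host, cat))
    return hits


# Constructed sample log: two C2 contacts, one clean site, one upload, one encoded sub-domain
SAMPLE_LOG = [
    "2024-03-02T10:11:12Z 10.0.5.23 GET http://daily-updates.sytes.net/gate.php 200 512",
    "2024-03-02T10:11:15Z 10.0.5.23 GET http://www.example.com/ 200 2048",
    "2024-03-02T10:12:40Z 10.0.5.23 POST http://fluxx2tsq3qk3w6yzwqhzjnyxlvafxmda2yvonc5fx433run3p5xzkuqd.onion/key 200 640",
    "2024-03-02T10:30:01Z 10.0.5.41 PUT https://mega.nz/upload 201 9000000",
    "2024-03-02T10:31:07Z 10.0.5.41 GET https://dGVzdGZpbGUudHh0.anonymize.com/ 200 300",
    "2024-03-02T10:32:00Z 10.0.5.41 GET https://www.anonymize.com/ 200 300",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(hit)
```

The C2 set is matched exactly while the exfil domains are matched with their sub-domains, because the dossier lists specific C2 hosts but whole services for exfiltration; adjust the sets as the indicators change.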

Essential Tools / Patches Checklist

☑ MOVEit Transfer 2023.0.7 / 2023.1.3 (or latest)
☑ Citrix NetScaler ADC & Gateway 14.1-8.50 or 13.0-92.19 (CVE-2023-4966 patched)
☑ Microsoft Defender update 1.397.318.0 (detection name Ransom:Win32/Flux.A) released 2024-02-13
☑ Sysinternals Suite – autoruns, tcpvcon, handle for live triage
☑ WMI event subscription monitor script (see appendix) to alert on vssadmin delete shadows.
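Process-creation detection covering the application-control rules in Prevention (binaries under `*\Perception\*`, `*flux*.exe`, PowerShell with `-WindowStyle Hidden -ExecutionPolicy Bypass`), the hard-coded artefact paths in Removal, and the `vssadmin delete shadows` monitor in this checklist. It is an added example, not the appendix script the checklist refers to and not vendor code; it reads JSON-lines events with Sysmon-style `Image` / `CommandLine` fields, and every record in `SAMPLE_EVENTS` is constructed. PowerShell's prefix parameters (`-w`, `-ex`) and the `-ep` alias are handled so abbreviated command lines do not slip past the rule.

```python
import json
import re
from pathlib import PureWindowsPath

# Artefact paths named in the dossier, matched case-insensitively on the image path
KNOWN_ARTEFACTS = [
    re.compile(r"^c:\\windows\\perception\\winlog\.exe$", re.I),
    re.compile(r"^c:\\programdata\\svchelper\.exe$", re.I),
    re.compile(r"\\appdata\\local\\flux\\rng\.exe$", re.I),
]
PERCEPTION_DIR = re.compile(r"\\perception\\[^\\]+\.exe$", re.I)   # *\Perception\*.exe
FLUX_NAMED = re.compile(r"flux[^\\]*\.exe$", re.I)                   # *flux*.exe on the basename
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _hidden_bypass(cmdline):
    """True when -WindowStyle Hidden and -ExecutionPolicy Bypass are both present.

    powershell.exe accepts unambiguous prefixes (-w, -win, -ex, ...) and the -ep
    alias, so parameter names are prefix-matched rather than compared in full.
    """
    toks = cmdline.split()
    hidden = bypass = False
    for i, tok in enumerate(toks[:-1]):
        if not tok.startswith("-"):
            continue
        name, val = tok[1:].lower(), toks[i + 1].lower()
        if name and "windowstyle".startswith(name) and val == "hidden":
            hidden = True
        if (name == "ep" or (len(name) >= 2 and "executionpolicy".startswith(name))) and val == "bypass":
            bypass = True
    return hidden and bypass


def evaluate(event):
    """Return the names of every rule the process-creation event matches, in rule order."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    base = PureWindowsPath(image).name.lower()
    matched = []
    if any(r.search(image) for r in KNOWN_ARTEFACTS):
        matched.append("known-artefact-path")
    if PERCEPTION_DIR.search(image):
        matched.append("perception-directory")
    if FLUX_NAMED.search(base):
        matched.append("flux-named-binary")
    if base in POWERSHELL and _hidden_bypass(cmdline):
        matched.append("hidden-bypass-powershell")
    if base == "vssadmin.exe" and SHADOW_DELETE.search(cmdline):
        matched.append("shadow-copy-deletion")
    return matched


def scan(lines):
    """Parse JSON-lines events and return the index, image and rules for every hit."""
    hits = []
    for i, line in enumerate(lines):
        ev = json.loads(line)
        rules = evaluate(ev)
        if rules:
            hits.append({"index": i, "image": ev.get("Image"), "rules": rules})
    return hits


# Constructed sample: six events that should fire and two that should not
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Image": r"C:\Windows\Perception\winlog.exe", "CommandLine": "winlog.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Ep Bypass -File C:\\Temp\\stage.ps1"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe restore_flux.hta"},
    {"Image": r"C:\ProgramData\svchelper.exe", "CommandLine": "svchelper.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Flux\rng.exe", "CommandLine": "rng.exe"},
    {"Image": r"C:\Users\alice\Downloads\fluxupdate.exe", "CommandLine": "fluxupdate.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\inventory.ps1"},
]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The notepad event shows why the `*flux*` rule is applied to the image basename and not the whole command line: opening the ransom note for analysis must not page the on-call analyst. Feed the same rules to the SIEM as a translation of the WDAC/AppLocker block list so that a rule which blocks also alerts.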


End of advisory. Share widely, patch quickly, and back-up offline. Good luck, and may your restores be faster than their encrypt loop!