__nist_k571__

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends every encrypted file with the literal string .__nist_k571__, e.g., AnnualReport.xlsx.__nist_k571__, SalesBackup.dbf.__nist_k571__.
  • Renaming Convention:
    [OriginalFileName].[OriginalExtension].__nist_k571__
    (No random prefix, no forced uppercase/lowercase; the extra “_” both before and after the NIST reference is intentional.)
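A defender-side triage helper for the renaming convention above, added here as an example and not taken from the original page: it recognises the literal `.__nist_k571__` suffix, recovers the original file name and extension, and flags directories in a file listing where most entries carry the suffix. The threshold and the Windows share paths are constructed sample data, not observed telemetry.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Literal suffix documented above; matched exactly, including both double underscores.
RANSOM_SUFFIX = ".__nist_k571__"


def parse_encrypted_name(filename):
    """Return (original_name, original_ext) if `filename` follows the
    [Name].[Ext].__nist_k571__ convention, otherwise None.
    A file that had no extension before encryption yields an empty ext."""
    if not filename.endswith(RANSOM_SUFFIX):
        return None
    stem = filename[: -len(RANSOM_SUFFIX)]
    name, sep, ext = stem.rpartition(".")
    if not sep:
        return stem, ""
    return name, ext


def scan_paths(paths, threshold=0.5):
    """Walk an iterable of full Windows paths (e.g. from a file-server audit
    export) and return the renamed files with their recovered original names,
    plus directories whose share of renamed files is >= `threshold`."""
    total, hit, renamed = Counter(), Counter(), []
    for p in paths:
        wp = PureWindowsPath(p)
        directory = str(wp.parent)
        total[directory] += 1
        parsed = parse_encrypted_name(wp.name)
        if parsed:
            name, ext = parsed
            hit[directory] += 1
            renamed.append((p, f"{name}.{ext}" if ext else name))
    flagged = sorted(d for d in total if hit[d] / total[d] >= threshold)
    return {"renamed": renamed, "flagged_dirs": flagged}


# Constructed sample listing (assumed, not real telemetry).
SAMPLE_PATHS = [
    r"D:\Shares\Finance\AnnualReport.xlsx.__nist_k571__",
    r"D:\Shares\Finance\SalesBackup.dbf.__nist_k571__",
    r"D:\Shares\Finance\README.txt",
    r"D:\Shares\HR\policy.docx",
    r"D:\Shares\HR\notes.nistk571",  # missing underscores: must not match
]

if __name__ == "__main__":
    result = scan_paths(SAMPLE_PATHS)
    for path, original in result["renamed"]:
        print(f"{path}  <-  {original}")
    print("flagged:", result["flagged_dirs"])
```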

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First sightings were reported 13–15 March 2024. Volume surged during May 2024 following the launch of an affiliate-as-a-service program on dark-web forums.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. Exploits – mass scanning for:
       • CVE-2021-34527 (“PrintNightmare”)
       • CVE-2020-1472 (Zerologon)
       • RDP misconfigurations (NLA off, brute-force or password-spray)
    2. Phishing e-mails – ISO/ZIP or OneNote attachments disguised as UPS/DHL shipping invoices.
    3. Supply-chain compromise – poisoned Chocolatey/NuGet packages (mainly in May variant updates).
    4. Lateral movement – abuse of WMI and PsExec once the initial node is compromised.