A604 Ransomware Resource
(extension: “.a604af9070”)
Updated: June 2024
────────────────────────────────────────────
Technical Breakdown
1. File Extension & Renaming Patterns
• Confirmation of File Extension: “.a604af9070”
• Renaming Convention:
‑ Original file name is unchanged; the extension is simply appended.
Example:
QuarterlyReport.xlsx → QuarterlyReport.xlsx.a604af9070
‑ There is no second-stage rename (no base-64 or randomized hex prefix observed).
2. Detection & Outbreak Timeline
• First Malware Submission: 2024-05-08
• Large-scale visibility begins: 2024-05-12 – 2024-05-20
(initial campaigns focused on North-American SMEs and South-Korean dental/medical offices).
• Rapidly migrated to MSP (Managed-Service-Provider) vectors in late May, explaining the sudden spike.
3. Primary Attack Vectors
- Exploitation of Vulnerabilities
• CVE-2023-36884 (Windows / Office) via malicious .docx → macro-free template injection → rundll32 side-loading.
• CVE-2023-29300 (ColdFusion 2021 & 2023) to drop a WMI-scheduled payload.
- Remote Desktop Protocol
• MITM credential-reuse on internet-facing RDP servers exposed under non-standard ports 2277, 3390, 3999.
- Supply-chain / MSPs
• Leveraged breached “ScreenConnect” appliance (vendor: ConnectWise) running v23.9.last-mile-patch-devel. Session record replay was used to pivot laterally within customer networks.
- Classic Phishing
• Lures employed ISO attachments (“Shipping-invoice-1206.iso”) containing an LNK shortcut → PowerShell loader.
────────────────────────────────────────────
Remediation & Recovery Strategies
1. Prevention — Immediate Priorities
☐ Patch kb5029331 (May 2024 rollup) or later; supersedes the CVE-2023-36884 & CVE-2023-29300 fixes.
☐ Disable outbound SMBv1 (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
☐ Turn off WMI subscription modification for non-admins via GPO.
☐ Move ScreenConnect / VNC / RMM appliances behind MFA-aware gateways; enforce 6-digit TOTP for every interactive session.
☐ Enable Controlled Folder Access (CFA) or Windows Defender ASR rule “Block credential stealing from LSASS”.
☐ Create an immutable off-site backup (Windows VSS snapshot copied to Wasabi S3 with Object Lock, 4-day retention).
2. Removal — Step-by-Step
- Physical/Network Isolation
• Power-off the infected hypervisor / SAN controller to halt encryption threads.
- Boot to Safe Mode with Networking or use a forensic live-OS (e.g., Kali/RHEL ISO).
- Stop malicious services
sc query type=service state=all > services.txt
sc stop "WinSock Updating Service" ← exact service name varies
sc delete "WinSock Updating Service"
- Erase artifacts
• %LOCALAPPDATA%\msf_upd.exe
• C:\PerfLogs\trace\updater.msi
• Registry Run key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManualUpdateA604
- Full AV scan
• ESET Emergency Disk 2024.06 update set sig. #24660 claims 100 % detection.
- Restore volume shadow copies
• vssadmin list shadows → vssadmin revert shadow /shadow={...} if snapshots still exist.
- Re-join domain only after 2nd-stage log reviews (MFA tokens rotated & LSASS dumps wiped on DCs).
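The renaming pattern from section 1 and the on-disk / persistence artifacts from the removal steps above lend themselves to a scripted host triage. The following is an added example written for this resource, not tooling from the original page or from any vendor named on it: it walks a directory tree, buckets files by the “.a604af9070” extension, the ransom-note names and the dropped file names listed on this page, recovers the pre-encryption file name by stripping the appended extension, and compares Run-key value names and scheduled-task names (which you would collect with reg query / schtasks on the host) against the ManualUpdateA604 and MSAgentCleanup15 indicators. The sample directory tree it builds is constructed from empty placeholder files; the persistence lists passed in are likewise constructed inputs.

```python
"""Host triage helper for the A604 indicators listed on this page (added example)."""
import os
import tempfile

EXTENSION = ".a604af9070"                      # extension confirmed in section 1
RANSOM_NOTES = {"RECOVER-README-a604.html", "RECOVER-README-a604.txt"}
ARTIFACT_FILES = {"msf_upd.exe", "updater.msi", "snap.dll"}   # dropped files named on the page
RUN_KEY_VALUE = "ManualUpdateA604"             # HKCU\...\Run value name from the removal steps
TASK_NAME = "MSAgentCleanup15"                 # scheduled task name from section 4


def classify_name(name):
    """Map a bare file name to a finding category, or None if it looks clean."""
    if name.endswith(EXTENSION):
        return "encrypted"
    if name in RANSOM_NOTES:
        return "ransom_note"
    if name in ARTIFACT_FILES:
        return "artifact"
    return None


def original_name(encrypted_name):
    """Recover the pre-encryption name. The page states the extension is
    simply appended with no second-stage rename, so stripping it is enough."""
    if not encrypted_name.endswith(EXTENSION):
        raise ValueError("not an A604-renamed file: " + encrypted_name)
    return encrypted_name[: -len(EXTENSION)]


def triage_tree(root):
    """Walk a directory tree and bucket suspicious files by category (sorted paths)."""
    findings = {"encrypted": [], "ransom_note": [], "artifact": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for fname in filenames:
            kind = classify_name(fname)
            if kind is not None:
                findings[kind].append(os.path.join(dirpath, fname))
    for paths in findings.values():
        paths.sort()
    return findings


def check_persistence(run_value_names, scheduled_task_names):
    """Compare Run-key value names and scheduled-task names gathered on the host
    against the persistence indicators from this page."""
    hits = []
    if RUN_KEY_VALUE in run_value_names:
        hits.append("Run key value " + RUN_KEY_VALUE)
    if TASK_NAME in scheduled_task_names:
        hits.append("scheduled task " + TASK_NAME)
    return hits


def build_sample_tree():
    """Constructed, harmless directory tree mimicking an affected share.
    Every file is an empty placeholder; nothing is encrypted or executed."""
    root = tempfile.mkdtemp(prefix="a604_triage_demo_")
    layout = {
        "Finance": ["QuarterlyReport.xlsx" + EXTENSION, "Budget.docx" + EXTENSION,
                    "RECOVER-README-a604.html", "RECOVER-README-a604.txt"],
        "Public": ["notes.txt", "logo.png"],
        os.path.join("AppData", "Local"): ["msf_upd.exe"],
    }
    for sub, names in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            open(os.path.join(folder, name), "w").close()
    return root


def demo():
    """Run the triage over the constructed tree; returns (findings, persistence hits)."""
    root = build_sample_tree()
    findings = triage_tree(root)
    # Constructed stand-ins for what `reg query` / `schtasks /query` would return.
    persistence = check_persistence(["OneDrive", RUN_KEY_VALUE], [TASK_NAME])
    return findings, persistence


if __name__ == "__main__":
    found, hits = demo()
    for kind, paths in found.items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
    for p in found["encrypted"]:
        print("restore target:", original_name(os.path.basename(p)))
    print("persistence hits:", hits)
```

Run it against a real share by calling triage_tree() on the mount point instead of build_sample_tree(); the recovered original names give you the list to pull from immutable backups, which section 3 below identifies as the only guaranteed recovery route.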
3. File Decryption & Recovery
• No known public decryptor exists at this time (initial vectors communicate with ASN 61317 → C2 domain pool a604af9070[.]ru).
• Under the hood
‑ A604 utilizes ChaCha20 with a 256-bit key per volume;
‑ Key material is encrypted by a unique ECDH-P256 keyset that never touches local disk.
• Recovery Options
- Restore from offline / immutable backups – the only guaranteed route.
- If shadow copies survived: use ShadowExplorer or vssadmin (see step 6).
- Potential decryptor availability: Hatching.utc (the ransomware creator) is advertising a leaked builder on criminal forums; monitor the Emsisoft Decryptor Tracker weekly. Historical precedents suggest a free tool within 45 – 90 days of a leak.
4. Other Critical Information
• Speed – The encryption module uses a thread pool of size (number of CPU cores + 6), so a 12-core server can lose ~300 GB in 12-13 minutes.
• Tamper Ransom Note – modifies desktop.ini in every encrypted folder; drops RECOVER-README-a604.html + RECOVER-README-a604.txt. The note contains TOR guidance, demands 0.18 BTC, and hard-codes a personal Talebian Chat channel ID.
• Unusual Artefact – schedules a task named MSAgentCleanup15 which pre-loads a 16 MB “snap.dll”; this acts as a privilege-escalation channel in the SysWOW64 context via the FodHelper UAC bypass.
• Wider Impact – Lessons learned echo the SolarWinds supply-chain case: the malware explicitly targets ConnectWise Automate hooks, manipulating the in-memory agent to send forged “All OK” health messages back to MSPs, allowing encryption to run undetected for up to 45 minutes after infection.
────────────────────────────────────────────
Quick Checklist Print-out
☐ Apply May-2024 cumulative patches today (servers and endpoints)
☐ Enforce MFA on every privileged remote tool (ScreenConnect, RDP, Citrix, VMware vCenter)
☐ Isolate backups: 3-2-1 rule → test restore on a read-only network segment
☐ Rehearse your IR plan with one blue-team dry-run before month-end
Stay vigilant and share indicators of compromise (IOCs) by uploading samples to your regional CERT.