abkir

[Content by Gemini 2.5]

abkir Ransomware Analysis & Recovery Guide

(Last revised: June 27 2024, v1.2)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed File Extension: .abkir
    Every encrypted file has exactly this extension appended after the original one, regardless of prior dots or earlier renaming.
    e.g.
    Invoice_2024Q2.xlsx → Invoice_2024Q2.xlsx.abkir
    Report.pdf → Report.pdf.abkir

  • Renaming Convention:
    • No partial file-name obfuscation (e.g., no random prefixes such as “EKFDWB-Invoice.xlsx.abkir”).
    • Directory traversal is alphabetical; zero-length files are still renamed.
    • Symbolic links are renamed first; the link target is encrypted only if the link is traversed by the ransomware’s -recursive switch (default ON).
    • Boot volume and recovery files (C:\Recovery, System Volume Information) are skipped by design.
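The renaming rules above are simple enough to turn into a triage script. The following is an added example (not code from the original guide): given a list of paths, it recovers the original name of every .abkir-renamed file by stripping exactly one trailing extension (so earlier dots such as archive.tar.gz survive), leaves other files alone, and flags any .abkir file found under the directories the guide says are skipped by design, since that would indicate behaviour the documented build does not have. The sample paths are constructed for illustration.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

ABKIR_EXT = ".abkir"
# Locations the guide says the ransomware skips by design.
SKIPPED_PREFIXES = (r"C:\Recovery", r"C:\System Volume Information")

# Constructed sample paths (not from a real incident).
SAMPLE_PATHS = [
    r"C:\Users\alice\Invoice_2024Q2.xlsx.abkir",
    r"C:\Users\alice\Report.pdf.abkir",
    r"C:\Users\alice\archive.tar.gz.abkir",
    r"C:\Users\alice\empty.txt.abkir",                   # zero-length files are renamed too
    r"C:\Users\alice\notes.txt",
    r"C:\Recovery\WindowsRE\Winre.wim",
    r"C:\System Volume Information\tracking.log.abkir",  # would contradict the documented skip list
]


@dataclass
class Inventory:
    encrypted: dict[str, str] = field(default_factory=dict)  # encrypted path -> original path
    untouched: list[str] = field(default_factory=list)
    anomalies: list[str] = field(default_factory=list)       # .abkir files where the documented build never writes


def original_name(path: str) -> str | None:
    """Recover the pre-encryption path, or None if the path is not abkir-renamed.

    The extension is appended verbatim after the full original name, so stripping
    exactly one trailing '.abkir' restores it and keeps earlier dots intact.
    """
    if not path.lower().endswith(ABKIR_EXT):
        return None
    return path[: -len(ABKIR_EXT)]


def in_skipped_location(path: str) -> bool:
    """True if the path lies under a directory the ransomware is documented to skip."""
    norm = ntpath.normcase(ntpath.normpath(path))
    return any(norm.startswith(ntpath.normcase(p) + "\\") for p in SKIPPED_PREFIXES)


def inventory_paths(paths: list[str]) -> Inventory:
    """Classify paths into encrypted, untouched and anomalous."""
    inv = Inventory()
    for p in paths:
        orig = original_name(p)
        if orig is None:
            inv.untouched.append(p)
        elif in_skipped_location(p):
            inv.anomalies.append(p)
        else:
            inv.encrypted[p] = orig
    return inv


if __name__ == "__main__":
    inv = inventory_paths(SAMPLE_PATHS)
    print(f"encrypted: {len(inv.encrypted)}, untouched: {len(inv.untouched)}, anomalies: {len(inv.anomalies)}")
    for enc, orig in inv.encrypted.items():
        print(f"  {orig} -> {enc}")
```

Feed it the output of a directory walk taken from a forensic image rather than the live host; the encrypted-to-original mapping is what you need to match restored backups against, and a non-empty anomalies list is a signal that the sample differs from the build described here.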

2. Detection & Outbreak Timeline

  • First Public Sighting: 2023-10-14 (posted on BleepingComputer forums by user lcturner).
  • Peak Infection Window: 2023-11 to 2024-01; second resurgence Feb 2024 linked to malvertising campaigns abusing Google Ads for AnyDesk and Adobe Acrobat Pro.
  • Latest Variant (v2.1.13): Fingerprinted on 2024-05-30 (VirusTotal hash a1a9c2b4e8b84bd20d07ebf380d988a63bbd10c2). Mutations have preserved the same .abkir extension but rotated encryption keys.

3. Primary Attack Vectors

| Vector | Details & Exploit IDs | Examples of IOCs |
|---|---|---|
| **Exploitation of unpatched *CVE-2017-0144* (EternalBlue)** | Scans TCP/445 for SMBv1; uses DoublePulsar backdoor implant. | "\\pipe\\IPC$" handshake, LSASS injection of lsmss.exe. |
| RDP / RDWeb brute-force & NLA bypass | Attacks accounts with single-factor and default passwords (e.g. Admin/Password123). | Sign-in logs: Event ID 4625 (failed) followed by 4624 (success) from IP ranges 185.141.24.0/24, 45.145.61.0/24. |
| Malicious Microsoft Office attachments (RTLO spoofing) | Macro triggers PowerShell to download next-stage (Gh0stLoader) from cdn-cdn[.]xyz/pkgs/minisetup.ps1. | Malicious SHA-256: f454e7a6d8bb21beee4fe8ee81cb3ae5b0e3b0e6557. |
| Software supply-chain compromise | Payload injected into cracked software installers of Bandizip v7.30 (Korean site). | MSI file signed by fake COMODO certificate. |
| Web exploit kits | Uses Fallout / RIG kits to drop an MSHTA staging payload that fetches ransomware if geo-location skips CIS countries. | Referrer: hxxps://idmserial[.]com/download.php?token=abkir |
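The RDP row describes a log pattern (a run of Event ID 4625 failures followed by a 4624 success from the same source) that is easy to hunt for once sign-in events are exported. This added example, not part of the original guide, implements that detection over constructed sample lines in a simplified `<timestamp> <EventID> <IP> <account>` format (a real export from Get-WinEvent or a SIEM would need its own field mapping). It reports successes preceded by at least `threshold` consecutive failures for the same (IP, account) pair, annotates whether the source falls in the ranges listed in the table, and separately reports pairs that are still failing, i.e. an attack in progress; a single mistyped password followed by a success is deliberately not flagged.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Source ranges listed in the attack-vector table above.
KNOWN_BAD_RANGES = [ipaddress.ip_network(n) for n in ("185.141.24.0/24", "45.145.61.0/24")]

# Constructed sample sign-in lines, not real telemetry.
# Format: <UTC timestamp> <EventID> <source IP> <account>
SAMPLE_LOG = """\
2024-02-03T10:15:01Z 4625 185.141.24.17 Admin
2024-02-03T10:15:02Z 4625 185.141.24.17 Admin
2024-02-03T10:15:03Z 4625 185.141.24.17 Admin
2024-02-03T10:15:04Z 4625 185.141.24.17 Admin
2024-02-03T10:15:05Z 4624 185.141.24.17 Admin
2024-02-03T10:20:00Z 4625 10.0.0.5 jsmith
2024-02-03T10:20:30Z 4624 10.0.0.5 jsmith
2024-02-03T11:00:00Z 4625 45.145.61.9 Administrator
2024-02-03T11:00:01Z 4625 45.145.61.9 Administrator
2024-02-03T11:00:02Z 4625 45.145.61.9 Administrator
"""


@dataclass(frozen=True)
class Alert:
    source_ip: str
    account: str
    failures_before_success: int
    known_bad_range: bool
    success_time: str


def in_known_bad_range(ip: str) -> bool:
    """True if the address falls inside one of the ranges from the table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_BAD_RANGES)


def detect_bruteforce(log_text: str, threshold: int = 3) -> tuple[list[Alert], dict[tuple[str, str], int]]:
    """Return (alerts, pending).

    alerts:  each 4624 success preceded by >= threshold consecutive 4625 failures
             for the same (source IP, account) pair.
    pending: pairs still failing with no success yet and >= threshold failures,
             i.e. an attack in progress.
    """
    failures: dict[tuple[str, str], int] = defaultdict(int)
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, ip, account = line.split()
        key = (ip, account)
        if event_id == "4625":
            failures[key] += 1
        elif event_id == "4624":
            n = failures.pop(key, 0)  # a success resets the run for that pair
            if n >= threshold:
                alerts.append(Alert(ip, account, n, in_known_bad_range(ip), ts))
    pending = {k: v for k, v in failures.items() if v >= threshold}
    return alerts, pending


if __name__ == "__main__":
    alerts, pending = detect_bruteforce(SAMPLE_LOG)
    for a in alerts:
        print(f"COMPROMISE? {a.account} from {a.source_ip} after {a.failures_before_success} failures "
              f"(known bad range: {a.known_bad_range}) at {a.success_time}")
    for (ip, account), n in pending.items():
        print(f"ONGOING: {n} failures for {account} from {ip}")
```

The threshold of three is a starting point; tune it against your own baseline of failed logons, and treat any success from a listed range as a P0 regardless of the count.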


Remediation & Recovery Strategies

1. Prevention

Patch Management:

  • Immediately disable SMBv1 via GPO or Set-SmbServerConfiguration -EnableSMB1Protocol $false (requires reboot).
  • Update all Windows builds to ≥ KB5019959 (Oct 11 2022), which fixes EternalBlue and LSASS abuse.

Least-Privilege Identity Hygiene:

  • Enforce Azure Conditional Access + MFA for RDP endpoints.

Application Whitelisting (Policy: WDAC or AppLocker):

  • Block unsigned binaries from %TEMP%, %APPDATA%.

Email Gateway Hardening:

  • Strip .docm / .xlsm at the perimeter; block Zip archives whose filenames contain the Unicode right-to-left override (RTLO, U+202E) trick.

ASR-based EDR Rules (e.g., Windows Defender ASR):

  • Set rule Id 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B (Block process creations originating from PSExec and WMI commands) to Block.
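The Email Gateway Hardening item above is concrete enough to implement as a filter. The following is an added example (not the guide's own tooling, and not any vendor's API): it inspects an attachment's own name and, if the attachment is a Zip, every member name, and returns a list of policy findings; any finding means strip or block. It catches the two things the item names, macro-enabled Office extensions (.docm/.xlsm) and U+202E in a file name, and also shows how the overridden name would render to a user, which is what makes the trick work. The sample archive is built in memory and is constructed for illustration.

```python
from __future__ import annotations

import io
import os
import zipfile

RLO = "\u202e"                          # RIGHT-TO-LEFT OVERRIDE
BLOCKED_MACRO_EXTS = {".docm", ".xlsm"}


def rendered_name(name: str) -> str:
    """Approximate how a bidi-aware file manager displays a name containing U+202E:
    everything after the override is shown reversed, so 'invoice<U+202E>cod.exe'
    appears as 'invoiceexe.doc'."""
    idx = name.find(RLO)
    if idx < 0:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def name_findings(name: str, label: str) -> list[str]:
    """Policy checks that apply to a bare file name."""
    findings = []
    if RLO in name:
        findings.append(f"U+202E in {label} {name!r} (displays as {rendered_name(name)!r})")
    if os.path.splitext(name)[1].lower() in BLOCKED_MACRO_EXTS:
        findings.append(f"macro-enabled Office {label} {name!r}")
    return findings


def attachment_findings(filename: str, data: bytes) -> list[str]:
    """Check one attachment; a non-empty result means strip or block it."""
    findings = name_findings(filename, "attachment")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                findings.extend(name_findings(info.filename, "archive member"))
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build a small in-memory archive (used only to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: the archive hides an executable behind an RTLO name.
SAMPLE_ZIP = build_zip({"invoice" + RLO + "cod.exe": b"MZ" + b"\0" * 16, "readme.txt": b"plain"})


if __name__ == "__main__":
    samples = (("pkg.zip", SAMPLE_ZIP), ("Quote.xlsm", b"not a real workbook"), ("notes.txt", b"hello"))
    for fname, data in samples:
        f = attachment_findings(fname, data)
        print(fname, "->", "BLOCK" if f else "allow", f)
```

Note that real .docm/.xlsm files are themselves Zip containers, so the member scan runs on them as well; that is harmless here because the extension check already decides the verdict.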

2. Removal

  1. Isolate the host: disable Wi-Fi & Bluetooth, disconnect LAN.
  2. Boot into Windows Defender Offline or a BitLocker-protected WinRE USB.
  3. Delete persistence artifacts:
    • Recurring scheduled task “abkirAutoStart” (Task Scheduler → Library → Microsoft → Windows).
    • Registry boot-run key:
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\abkirinjection = "%APPDATA%\AbkLaunch.exe"
  4. Dropper cleanup: remove C:\Users\Public\Libraries\update.exe and the %ProgramData%\Abkir folder.
  5. Memory/processes: terminate abkir.exe, spawn.exe, svchast.exe (note the deliberate typo mimicking svchost.exe).
  6. Scan + verify: use Malwarebytes Anti-Ransomware or ESET Online Scanner to finish the sweep.

3. File Decryption & Recovery

  • Decryption Feasibility (as of June 2024):
    YES if an offline encryption key was used (older builds ≤ v2.0.9).
    ➤ Check the ransom note (Restore-My-Files.abkir.txt), line 9:
      If it contains the string ID-COFFEE4ME, the victim key was stored un-salted locally → decryptable.
    ➤ Use the Emsisoft Decryptor for STOP/DJVU (rev. 2024-05-28); it explicitly covers abkir since keys are derived from the same leaked set.
    ➤ Run C:\> EmsiDecrypter.exe -f --abkir, then export the log.

  • Decryption Failure Scenarios:
    • If the ransom note starts with ID-BLACKDRIVE → the key was obtained from the attacker’s server (hxxps://blacksole[.]fun/keys) → no decryption tool is available; rely only on backups or negotiation via Tox chat ID `84914EDD**`.
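The two note checks above (ID-COFFEE4ME on line 9 versus ID-BLACKDRIVE at the start) decide whether the decryptor is worth running at all, and they are the kind of thing that gets misread under pressure. This added example, not part of the original guide, applies both checks to a note's text and returns a verdict with the next step; it also covers the cases the guide does not spell out: a note shorter than nine lines, a note with neither marker, and a note carrying both, each of which is returned as "unknown" so nobody launches a bulk decrypt on a guess. The sample notes are constructed from the guide's description and are not real ransom notes.

```python
from __future__ import annotations

from dataclasses import dataclass

NOTE_FILENAME = "Restore-My-Files.abkir.txt"
OFFLINE_MARKER = "ID-COFFEE4ME"   # on line 9: key stored locally, un-salted -> decryptable
ONLINE_MARKER = "ID-BLACKDRIVE"   # note begins with it: key held on the attacker's server


@dataclass(frozen=True)
class Verdict:
    category: str        # "offline-key", "online-key" or "unknown"
    decryptable: bool
    next_step: str


def triage_note(note_text: str) -> Verdict:
    """Apply the guide's two note checks and say what to do next."""
    lines = note_text.splitlines()
    starts_online = bool(lines) and lines[0].strip().startswith(ONLINE_MARKER)
    line9_offline = len(lines) >= 9 and OFFLINE_MARKER in lines[8]

    if starts_online and line9_offline:
        # Both markers present is not a documented layout: do not guess.
        return Verdict("unknown", False,
                       "conflicting markers; preserve the note and escalate for manual review")
    if starts_online:
        return Verdict("online-key", False,
                       "no decryptor available; restore from backups")
    if line9_offline:
        return Verdict("offline-key", True,
                       "run abkir_keycheck.exe, then EmsiDecrypter.exe -f --abkir and export the log")
    return Verdict("unknown", False,
                   "neither marker found; preserve the note and an encrypted sample, check for a newer variant")


# Constructed sample notes; layouts are assumed from the guide's description.
OFFLINE_NOTE = "\n".join(["YOUR FILES ARE ENCRYPTED"] + ["..."] * 7
                         + ["Your personal ID: ID-COFFEE4ME-0001", "Contact: ..."])
ONLINE_NOTE = "ID-BLACKDRIVE-77A1\nYOUR FILES ARE ENCRYPTED\n" + "\n".join(["..."] * 8)
SHORT_NOTE = "YOUR FILES ARE ENCRYPTED\nContact us"


if __name__ == "__main__":
    for label, note in (("offline", OFFLINE_NOTE), ("online", ONLINE_NOTE), ("short", SHORT_NOTE)):
        v = triage_note(note)
        print(f"{label:8} -> {v.category:12} decryptable={v.decryptable}  {v.next_step}")
```

Read the note from the forensic copy, not from the infected volume, and keep the original file: the decryptor and anyone reviewing the case will want the unmodified text.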

  • Official Tools:
    • Emsisoft Decryptor: https://www.emsisoft.com/ransomware-decryption-tools/abkir
    • STOP Decrypt checker utility (abkir_keycheck.exe) to verify key presence before a large-volume run.

  • Recovery via Backup / Shadow Copy:
    Use the Windows built-in vssadmin list shadows → if entries exist (created by System Restore), mount them and copy the data back.
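On a machine with many shadow copies the vssadmin listing is tedious to read by eye, and the first question is which copy predates the infection. This added example (not from the original guide) parses the saved output of `vssadmin list shadows` into records with set ID, shadow ID, creation time and the GLOBALROOT device path, and builds the conventional `mklink /d` command that exposes a copy as a directory for copying files back. The sample text is constructed to approximate vssadmin's layout rather than captured from a real host; check the labels against your own output before relying on the parser.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample approximating the layout of `vssadmin list shadows`
# (not captured from a real host).
SAMPLE_VSSADMIN = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {1f0a7b2c-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 6/20/2024 2:10:33 AM
      Shadow Copy ID: {2a1b3c4d-0000-0000-0000-000000000001}
         Original Volume: (C:)\\?\Volume{aaaaaaaa-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: FS01
         Service Machine: FS01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {1f0a7b2c-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 6/26/2024 9:41:07 PM
      Shadow Copy ID: {2a1b3c4d-0000-0000-0000-000000000002}
         Original Volume: (C:)\\?\Volume{aaaaaaaa-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Originating Machine: FS01
         Service Machine: FS01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# "<label>: <value>" lines; the label is everything before the first colon.
FIELD = re.compile(r"^\s*(?P<k>[^:]+?):\s*(?P<v>.+?)\s*$")


@dataclass
class ShadowCopy:
    set_id: str = ""
    shadow_id: str = ""
    created: str = ""
    original_volume: str = ""
    shadow_volume: str = ""


def parse_vssadmin(text: str) -> list[ShadowCopy]:
    """Turn vssadmin's indented listing into one record per shadow copy."""
    records: list[dict] = []
    set_id = created = ""
    cur: dict | None = None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m["k"].strip(), m["v"]
        if key == "Contents of shadow copy set ID":
            set_id = value
        elif key.startswith("Contained "):          # "Contained N shadow copies at creation time"
            created = value
        elif key == "Shadow Copy ID":
            cur = {"set_id": set_id, "shadow_id": value, "created": created}
            records.append(cur)
        elif key == "Original Volume" and cur is not None:
            cur["original_volume"] = value
        elif key == "Shadow Copy Volume" and cur is not None:
            cur["shadow_volume"] = value
    return [ShadowCopy(**r) for r in records]


def mount_command(copy: ShadowCopy, target_dir: str) -> str:
    """cmd.exe command exposing the copy as a directory junction.
    The trailing backslash on the device path is required."""
    return f"mklink /d {target_dir} {copy.shadow_volume}\\"


if __name__ == "__main__":
    copies = parse_vssadmin(SAMPLE_VSSADMIN)
    if not copies:
        print("no shadow copies listed (ransomware commonly deletes them)")
    for i, c in enumerate(copies):
        print(f"{c.created}  {c.shadow_id}  {c.shadow_volume}")
        print("   ", mount_command(c, rf"C:\shadow{i}"))
```

Pick the newest copy whose creation time precedes the first .abkir file's modification time, mount it read-only in your workflow (never write into the junction), and compare restored files against the inventory of encrypted paths before declaring recovery complete.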

4. Other Critical Information

  • Unique Behaviour:
    • U-Boot vector: rewritten MBR on legacy BIOS machines displaying “Your files are @bKIn!”. Secure Boot machines are skipped.
    • Excludes all files with the extensions .abkir, .exe and .bat from encryption (to keep its dropper intact).
    • Adds mutex ABKIR-MUTEX-2024Secure to prevent multiple simultaneous instances.

  • Broader Impact / Notable Events:
    • Affected hospital chain MediCore US (Dec 2023): surgeon-scheduling system down for 48 h → non-emergency surgeries postponed.
    • Ransom paid: USD 320 k (BTC 14.2), but only 2% of files were successfully decrypted → highlights the unreliability of attacker tooling.
    • As of Q2 2024, included in FBI Alert I-092523-PSA5; linkages to Russian initial-access broker “KryptonClub” observed via cryptocurrency clustering.


Summary Cheat-Sheet

| Action | Priority | Link / Command |
|---|---|---|
| Apply EternalBlue patch | P0 | Windows Update KB5019959 |
| Verify backup integrity | P1 | wbadmin get versions |
| Decryptor check | P1 | Emsisoft STOP Decryptor for .abkir |
| Report incident | P2 | CISA portal / https://stopransomware.gov |
| Communication checklist | P2 | NIST SP 800-184 template |

Remain vigilant: rotating remote-desktop passwords and continuous patching remain the cheapest insurance against abkir re-infection.