acookies

[Content by Gemini 2.5]


Technical Breakdown – Ransomware .acookies

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends the exact string “.acookies” immediately after the original file extension (e.g., report.xlsx.acookies, memo.docx.acookies).
  • Renaming Convention: Files retain their original base names and original extension—{original_name}.{orig_ext}.acookies. Directories receive a ransom note named !!!READ_MOR_CRYPT_ONLINE!!!.txt and a second small note with the same name + .hta. No additional prefixes or IDs are prepended to filenames.

2. Detection & Outbreak Timeline

  • First Publicly-observed Samples: Late December 2023.
  • Widespread Campaign (English- & Spanish-speaking regions): January 2024 → ongoing (phishing lures geared for both languages).
  • Major surges: mid-February 2024 after the disclosure of CVE-2024-1708 in ScreenConnect (ConnectWise IT management software), and again in April 2024 after a subset of the malware was seen reaching unpatched ESXi hosts.

3. Primary Attack Vectors

| Vector | Details & Examples |
|---|---|
| Phishing e-mails | ISO or CAB attachments that contain an MSI downloader masquerading as “invoice_update.msi”. Lures in both English and Spanish, with subject lines like “Factura pendiente” or “Contract amendment”. |
| Remote Desktop Protocol (RDP) brute-force & dictionary attacks | Targets standard port 3389 and common 33891/4000 alternatives re-exposed after COVID-era telework policies. Once in, adversaries deploy “Helper.exe” and then the encryptor payload. |
| Exploitation of unpatched software | • CVE-2024-1708/1709 – ConnectWise ScreenConnect vulnerability (auth bypass + path traversal); PoC released 19 Feb 2024, .acookies samples seen <72 h later. • CVE-2023-22515 – Confluence Data Center/Server privilege-escalation chain. • Not yet observed using EternalBlue or Log4Shell, but those remain open opportunities for follow-on modules. |
| Living-off-the-land | Uses legitimate vssadmin.exe or wmic.exe to delete shadow copies; WMI (powershell.exe -Command "Get-WmiObject Win32_ShadowCopy…") to locate backups. |
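The living-off-the-land row above is the easiest behaviour to catch in process-creation telemetry. The following is an added example, not code from the original page: it runs simple command-line rules over constructed Sysmon-style events. The event field names, the `wmic shadowcopy delete` syntax and the parent-path escalation are assumptions, not taken from the page.

```python
import json
import re

# Constructed Sysmon-style (EventID 1) process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "FS01", "ParentImage": "C:\\Users\\Public\\helper.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "ParentImage": "C:\\Users\\Public\\helper.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"host": "WS07", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | Select-Object ID"'},
    {"host": "WS07", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "vssadmin list shadows"},   # benign enumeration, should not alert
]

# Command-line rules for the shadow-copy tampering the page attributes to .acookies.
# The wmic syntax is an assumed form; the page only names the tool.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I), "high"),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I), "high"),
    ("wmi_shadowcopy_enum", re.compile(r"Get-WmiObject\s+Win32_ShadowCopy", re.I), "medium"),
]

def classify(event):
    """Return (rule_name, severity) for the first matching rule, or None."""
    cmd = event.get("CommandLine", "")
    for name, rx, sev in RULES:
        if rx.search(cmd):
            # Escalate when the parent lives in the user-writable path the page
            # lists for helper.exe (C:\Users\Public).
            if event.get("ParentImage", "").lower().startswith("c:\\users\\public\\"):
                sev = "critical"
            return name, sev
    return None

def detect(events):
    """Run every event through classify() and return the alerts in input order."""
    alerts = []
    for e in events:
        hit = classify(e)
        if hit:
            alerts.append({"host": e["host"], "rule": hit[0],
                           "severity": hit[1], "cmd": e["CommandLine"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```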


Remediation & Recovery Strategies

1. Prevention

  • Patch immediately:
    ScreenConnect versions < 23.9.8 (apply vendor’s hotfix or migrate to cloud)
    Confluence DC/Server < 8.5.3 or 7.19.16 (vendor advisory)
  • Block macro-enabled Office maldocs at the mail gateway via O365 (BlockMacrosFromInternet).
  • Disable RDP via Group Policy or restrict it to VPN-only; enforce Network Level Authentication (NLA) and account lockout after 5 failed logins.
  • Prevent lateral spread: isolate critical servers (ideal: VLAN/segment + firewall), disable SMBv1 entirely (Disable-WindowsOptionalFeature -FeatureName SMB1Protocol), and keep SMB traffic logged and filtered.
  • Endpoint hardening: enable the Defender ASR rules “Block credential stealing from LSASS” and “Block executable content from email client and webmail”, and ensure EDR-level visibility (Cortex XDR, CrowdStrike, Microsoft Defender for Business).

2. Removal (Step-by-Step)

  1. Isolate infected machines from network (pull cable/disable Wi-Fi; ESXi VM → disconnect vSwitch port group).
  2. Power off if performing forensic imaging; otherwise run Microsoft Defender Offline boot scan (or equivalent) from WinRE.
  3. Identify & stop malicious services:
    • Registry persistence: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run values with random GUID-like names (e.g., “wV9q7g1qB0df”).
    • Scheduled Task SystemUpdateQy triggering C:\Users\Public\helper.exe; delete via Autoruns or Task Scheduler.
  4. Delete remaining payloads (%TEMP%\Rnd-cl.exe, helper.exe, power.bat), plus ransom notes in root drives & public shares.
  5. Run a full scan with updated AV definitions (CrowdStrike Falcon, SentinelOne, or Microsoft Security Intelligence 1.403.458.0+) to remove any residual PowerShell stage delivered by Cobalt Strike.

3. File Decryption & Recovery

  • Recovery Feasibility: No public decryption tool exists for .acookies. It uses AES-256/CTR + RSA-2048 hybrid encryption with unique per-file keys and no obvious flaws. One variant observed in the ScreenConnect exploitation cluster has off-line key-construction mistakes: retrieval of the ransom-name-SHA256 blob fails in certain VMs, and a symmetric key remnant may be recoverable from the VMware snapshot memory dump.
  • Watch list: Check the Emsisoft or NoMoreRansom decryptor pages every 7–14 days; law enforcement has not yet seized any servers, but partial leaks of decryptors from an affiliate turned victim may surface.
  • Alternative: Restore from UNCOMPROMISED backups → verify that the backup snapshot was taken before the last patch interval. Volume Shadow Copies are wiped by the ransomware’s vssadmin delete shadows /all /quiet step.
  • Essential patches/tools:
    ☐ ConnectWise Updater utility: screenconnect-release-2024-03-22-hotfix-x64.msi
    ☐ Microsoft update catalog: KB5034467 (BitLocker bypass mitigation)
    ☐ “RDPCap-monitoring” tool by CrowdStrike for sudden RDP burst traffic detection.

4. Other Critical Information

  • Unique characteristics
    CRLF vs LF anomaly: content uploaded through the angler-style ScreenConnect RCE arrives with a POST body that lacks CRLF line endings, so the HTML ransom note is sometimes dropped with extra bytes (0x20 0x20) after a bare LF. This can serve as a YARA hunting artefact:

    rule acookies_rans
    {
        strings:
            $h1 = "README_MOR_CRYPT_ONLINE!!!" ascii   // note marker string, as given in the original rule
            $h2 = { 0a 20 20 }                         // bare LF followed by two spaces, no CR
        condition:
            all of them
    }

    ESXi-kicker component seen on 10% of targets: after the Windows payload completes, esxi_ransom.sh attempts to encrypt /vmfs/volumes/ (invoked over cURL, abusing ESXi snapshots), which re-emphasises the need for hypervisor-level MFA.
  • Broader impact
    – Over 200 medium-size MSPs (managed service providers) in the US, Mexico and Colombia reported incidents—many forced to restore from frozen cloud backups, leading to 5–7 day outages.
    – Insurance firms classify .acookies as a “high-tech extortion risk”, pushing policies towards zero-deductible, 24-hour continuity options.
    – Law-enforcement taskforces (CISA+FBI + EUROPOL Joint Cybercrime Action Taskforce) opened “Operation CookieCrumbs” to track affiliate infrastructure.
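As an added triage helper that is not part of the original page, covering both the renaming convention from section 1 and the LF-plus-two-spaces note artefact above: it walks a directory tree, parses {original_name}.{orig_ext}.acookies names, and flags ransom notes that contain the 0a 20 20 sequence. The sample directory layout and the note contents are constructed placeholders, and the note file names are taken from section 1.

```python
import os
import re
import tempfile
from collections import Counter

# Naming convention from the page: {original_name}.{orig_ext}.acookies
ENCRYPTED_RX = re.compile(r"^(?P<base>.+)\.(?P<ext>[^.]+)\.acookies$")
NOTE_TXT = "!!!READ_MOR_CRYPT_ONLINE!!!.txt"   # ransom note name from section 1
NOTE_HTA = NOTE_TXT + ".hta"                    # the second, .hta note
LF_SPACES = b"\x0a\x20\x20"                      # the { 0a 20 20 } artefact from the YARA rule

def parse_encrypted_name(name):
    """Return (original_name, original_ext) for an .acookies file name, else None."""
    m = ENCRYPTED_RX.match(name)
    return (m.group("base"), m.group("ext")) if m else None

def triage(root):
    """Walk root and summarise .acookies artefacts for an incident report."""
    summary = {"encrypted": 0, "by_ext": Counter(),
               "notes": [], "notes_with_lf_artefact": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            parsed = parse_encrypted_name(fname)
            if parsed:
                summary["encrypted"] += 1
                summary["by_ext"][parsed[1].lower()] += 1
            elif fname in (NOTE_TXT, NOTE_HTA):
                summary["notes"].append(path)
                with open(path, "rb") as fh:
                    if LF_SPACES in fh.read():
                        summary["notes_with_lf_artefact"].append(path)
    return summary

def build_sample_tree():
    """Constructed sample directory (not data from a real host) for the demo."""
    root = tempfile.mkdtemp(prefix="acookies_demo_")
    sub = os.path.join(root, "Finance")
    os.makedirs(sub)
    for name in ("report.xlsx.acookies", "memo.docx.acookies",
                 "archive.tar.gz.acookies", "notes.txt"):
        open(os.path.join(sub, name), "wb").close()
    with open(os.path.join(sub, NOTE_TXT), "wb") as fh:
        fh.write(b"placeholder note text\r\n")                   # CRLF: no artefact
    with open(os.path.join(sub, NOTE_HTA), "wb") as fh:
        fh.write(b"<html>\n  <body>placeholder</body></html>")  # bare LF + two spaces
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree()))
```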

Stay vigilant—patch early, segment widely, and always test your backups.