aes.janelle

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .aes.janelle
  • Renaming Convention: Original files are duplicated, AES-encrypted and renamed to original_name.extension.aes.janelle; the “aes.” prefix is deliberate and identifies the AES-256 cipher used, while “janelle” is the campaign tag. Nested directory structure is preserved; only file names are appended. Encrypted folders may also receive the ransom notes !HELP_JANELLE!.txt and !HELP_JANELLE!.hta, plus a lock-screen HTML page index.html that auto-launches once encryption completes.
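The renaming convention above is enough to scope an incident from the file system alone. The following Python is an added example (not code from the original page): it walks a share read-only, recovers the original name and extension of every .aes.janelle file, and records which directories carry a ransom note, treating index.html as an artifact only when it sits beside a !HELP_JANELLE! note. The sample tree it builds is constructed for the demonstration.

```python
"""Added example: scope an AES-JANELLE encrypted tree by its renaming convention.

Not code from the original page. Walks a directory read-only, strips the
".aes.janelle" suffix to recover the original name and extension, and
records which directories hold ransom notes / the lock screen. The sample
tree built by build_sample_tree() is constructed here for demonstration.
"""
import os
import tempfile
from collections import Counter

ENC_SUFFIX = ".aes.janelle"
NOTE_NAMES = {"!HELP_JANELLE!.txt", "!HELP_JANELLE!.hta", "index.html"}
TEXT_NOTES = NOTE_NAMES - {"index.html"}


def original_name(encrypted_name):
    """Return (original_name, original_extension) for an encrypted file name,
    or None if the name does not carry the campaign suffix."""
    if not encrypted_name.endswith(ENC_SUFFIX):
        return None
    stem = encrypted_name[: -len(ENC_SUFFIX)]
    _, ext = os.path.splitext(stem)
    return stem, ext.lower()


def scope_tree(root):
    """Inventory encrypted files and ransom notes under root.

    Returns counts per original extension, the directories that contain a
    ransom note, and the total encrypted count. Nothing is opened or modified.
    """
    by_ext = Counter()
    note_dirs = []
    encrypted = []
    for dirpath, _dirs, files in os.walk(root):
        has_note = False
        for name in files:
            if name in NOTE_NAMES:
                # index.html is only a ransom artifact when a text/HTA note is beside it
                if name != "index.html" or any(n in files for n in TEXT_NOTES):
                    has_note = True
                continue
            rec = original_name(name)
            if rec:
                encrypted.append(os.path.join(dirpath, name))
                by_ext[rec[1] or "<none>"] += 1
        if has_note:
            note_dirs.append(dirpath)
    return {"encrypted": len(encrypted), "by_ext": dict(by_ext), "note_dirs": sorted(note_dirs)}


def build_sample_tree():
    """Create a throwaway directory shaped like a hit share (constructed data)."""
    root = tempfile.mkdtemp(prefix="janelle_demo_")
    layout = {
        "finance": ["Q3.xlsx.aes.janelle", "budget.docx.aes.janelle", "!HELP_JANELLE!.txt", "index.html"],
        "finance/archive": ["2019.zip.aes.janelle", "!HELP_JANELLE!.hta"],
        "public": ["readme.txt", "index.html"],  # untouched web folder, no note
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"\x00" * 16)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(scope_tree(demo_root))
```

Run it against the root of a mapped share from a clean analysis host; the per-extension counts tell you which data classes were hit, and the note directories show how far the encryptor walked.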

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First real-world submissions appeared on 8 July 2023 in Ukraine, Russia and Belarus, with a sharp rise in volume over the following 10 days. Mass telemetry pushed it to tier 2 of global threat lists on 20 July 2023. A second wave (Affiliate-as-a-Service variant) was seeded by late September 2023 and targeted U.S. and EU MSPs. The campaign appeared dormant from December 2023 to February 2024, then resumed in March 2024 via Ivanti Connect Secure exploitation.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  • Phishing & Maldoc – Malicious ISO/IMG images containing an LNK that points to setup.exe (a Rust payload signed with a stolen DigiCert code-signing certificate). Macro-laden Excel documents (“TCJA-2023 US tax update”) launch a PowerShell downloader.
  • RDP Brute-force & Resold Access – RDP is tunneled over port 443 through ngrok so it blends with HTTPS. In spring 2024 a LinkedIn-based spear-phishing campaign captured MFA session tokens on attacker-controlled VPS hosts.
  • Vulnerability Exploitation – Exploited:
    – CVE-2023-20269 (Cisco ASA/FTD remote-access VPN) to gain a foothold and pivot into networks.
    – Atlassian Confluence OGNL injection (CVE-2022-26134), resurrected in the March-April 2024 campaigns.
    – Zero-day exploit for Ivanti Connect Secure (post-March 2024) dubbed “JANELLE-SNAG.”
    – KeePass master-password recovery from process memory via CVE-2023-32784, bundled in the affiliate kit.
  • Lateral Movement – Uses a built-in “Morphed” Cobalt Strike loader with a custom ECDH key exchange. A WMI-based deployment script propagates the malware to all connected drives, including mapped cloud shares.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
  1. Disable SMBv1 on all endpoints (see Microsoft KB2696547).
  2. Enforce MFA on every remote-access channel: RDP, VPN, SaaS.
  3. Segment critical file shares; apply RBAC; disable anonymous LDAP binds and require LDAP signing or LDAPS.
  4. Patch aggressively for Cisco IOS-XE, Atlassian Confluence, Ivanti and ManageEngine.
  5. Remove the PowerShell v2 engine and enforce Constrained Language Mode (via AppLocker or WDAC policy; language mode is not a standalone Group Policy setting).
  6. Establish email-gateway rules that block ISO/IMG attachments and .lnk files inside archives (match archive member names case-insensitively against \.lnk$).
  7. Restrict remote scheduled-task creation: block RPC/SMB (TCP 135/445) between workstations with host-firewall policy and alert on Event ID 4698 (scheduled task created). Do not stop the Task Scheduler service itself (sc stop schedule); many Windows components depend on it.
  8. Advanced baseline: enable Windows Defender Attack Surface Reduction rules, in particular those that block Office applications from creating child processes, block credential stealing from LSASS, and block executable content from email clients and webmail; deploy Credential Guard and HVCI to mitigate credential theft.

2. Removal

  • Infection Cleanup (Step-by-step):
  1. Isolate: disconnect Wi-Fi/Ethernet (or quarantine the switch port/VLAN) before anything else. If a forensic memory image is needed, capture it before powering off; otherwise power off and do not boot the installed OS again.
  2. Boot from Trusted Media: Use Microsoft Defender Offline (WinPE), GRML, or Kaspersky Rescue Disk.
  3. Signature Scan: update definitions and perform a full scan. Known sample file names: winsvchost.exe, OneDriveSteup.dll (typosquatted OneDrive name), MsMpEng_DECOY.dll.
  4. Network Scrub: run incident-responder playbooks; check DNS logs for the beacon domains cdn.janelle-drop[.]space and paste.janelle-seg[.]xyz and block or sinkhole them at the resolver.
  5. Credential Reset: reset the krbtgt password twice (allowing replication between resets) to invalidate issued Kerberos tickets; force a domain-wide password reset for privileged accounts; remove any discovered RegSvcs-based backdoors.
  6. Services & Tasks: delete the registry persistence value (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsMpEng_DECOY) and the scheduled payloads (tasks under \Microsoft\Windows\DefenderUpdate).
  7. Re-image: wipe and re-image endpoints whose user profiles were encrypted; archive !HELP_JANELLE!.txt and several .aes.janelle samples for DFIR.
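The network-scrub step above comes down to finding which hosts resolved the two beacon domains. The following Python is an added example (not code from the original page): it refangs the defanged indicators only in memory, normalises query names (case, trailing root dot), matches exact names and subdomains while rejecting look-alikes such as janelle-drop.space.example.net, and groups hits by client so the set of beaconing hosts drops out directly. The resolver log format and the sample lines are constructed for this demonstration; adapt the regex to your own export.

```python
"""Added example: hunt DNS logs for the AES-JANELLE beacon domains listed on this page.

Not code from the original page. The log format (timestamp, client IP, query
name) and the sample lines are constructed for this demonstration; adapt the
parser to your resolver's export. Indicators are kept defanged in the list and
refanged only in memory so the IOC list itself never becomes a clickable link.
"""
import re
from collections import defaultdict

DEFANGED_IOCS = ["cdn.janelle-drop[.]space", "paste.janelle-seg[.]xyz"]

# Constructed sample resolver log: "<ISO time> <client> <qname>"
SAMPLE_LOG = """\
2024-03-12T08:01:10Z 10.20.5.17 login.microsoftonline.com
2024-03-12T08:01:12Z 10.20.5.17 cdn.janelle-drop.space
2024-03-12T08:01:40Z 10.20.5.23 CDN.JANELLE-DROP.SPACE.
2024-03-12T08:02:03Z 10.20.5.31 a1.paste.janelle-seg.xyz
2024-03-12T08:02:09Z 10.20.5.31 janelle-drop.space.example.net
2024-03-12T08:02:15Z 10.20.9.4 updates.vendor.example
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def refang(ioc):
    """Turn 'a[.]b' / 'hxxp://' style defanging back into a real name."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().rstrip(".").lower()


def normalize_qname(qname):
    """Lower-case and drop the trailing root dot many resolvers log."""
    return qname.strip().rstrip(".").lower()


def matches(qname, domains):
    """True if qname equals a beacon domain or is a subdomain of one.
    The label-boundary check stops 'janelle-drop.space.example.net' from matching."""
    q = normalize_qname(qname)
    return any(q == d or q.endswith("." + d) for d in domains)


def find_beacons(log_text, defanged_iocs=DEFANGED_IOCS):
    """Return ({beacon_domain: sorted clients}, raw hits) for scoping which hosts beaconed."""
    domains = [refang(i) for i in defanged_iocs]
    hits = []
    clients_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the hunt
        q = normalize_qname(m.group("qname"))
        for d in domains:
            if q == d or q.endswith("." + d):
                hits.append((m.group("ts"), m.group("client"), q))
                clients_by_domain[d].add(m.group("client"))
    return {d: sorted(c) for d, c in clients_by_domain.items()}, hits


if __name__ == "__main__":
    by_domain, raw = find_beacons(SAMPLE_LOG)
    for d, clients in by_domain.items():
        print(f"{d}: {len(clients)} host(s) -> {', '.join(clients)}")
```

Every client in the returned map belongs on the isolation and re-image list from step 7, whether or not it already shows encrypted files; a host that only beaconed may still be staging the payload.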

3. File Decryption & Recovery

  • Recovery Feasibility:
    Official Decryptor Available? YES – Emsisoft released AES-JANELLE Decryptor v1.2.3 on 11 Jan 2024 after law enforcement seized the master RSA keys from a Ukrainian affiliate server.
    Conditions: works only if the ransom note !HELP_JANELLE!.txt contains the RSA-2048 public key ending in 72E5B0C8…; victims whose note carries an RSA-4096 key (Round-2 affiliate iteration) must await a future tool. Victims from the older waves can proceed as follows.
  • Method:
  1. Download the decryptor from https://www.emsisoft.com/ryuk-help or directly from https://a.dl.decrypt.emsisoft.com/AESJANELLEDecryptor.exe
  2. Run it on a clean, malware-free computer and point it at the root of the encrypted drive.
  3. Provide the ransom note (the tool uses the seized RSA private keys to unwrap the per-file AES keys on the fly).
  4. Estimate: ~5 min per 1 TB on NVMe.
  • Essential Tools & Patches:
  • Cisco IOS-XE: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-rce-m2xCn9XJ
  • Atlassian Confluence: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
  • Ivanti Connect Secure mitigation and patch packages: https://forums.ivanti.com/s/article/KB-CVE-2024-21887
  • Mandiant IOC bundle (.IOC, YARA signatures) at https://github.com/mandiant/objects/tree/master/ransomware/AES-JANELLE
  • PowerShell ASR config script: https://github.com/Microsoft/windows-defender-attack-surface-reduction
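The decryptor condition in section 3 (RSA-2048 note covered, RSA-4096 note not) can be checked before any tool is run. The following Python is an added example, not code from the original page or from the Emsisoft tool: it pulls the public key out of a ransom note, decodes the PKCS#1 RSAPublicKey DER with a minimal ASN.1 reader, and reports the modulus size together with the last eight hex digits of the modulus so the operator can compare them against the key suffix quoted above (which is not hard-coded here). The assumption, not stated on the page, is that the note embeds the key as a PEM “RSA PUBLIC KEY” block; the sample notes and moduli are constructed placeholders, not real campaign keys.

```python
"""Added example: check which AES-JANELLE decryptor round a ransom note belongs to.

Not code from the original page or the Emsisoft tool. The page says the
decryptor only covers notes carrying the RSA-2048 key; this parses the key
out of a note and reports its modulus size so victims can triage before
running anything. Assumption (not stated on the page): the note embeds the
key as a PEM "RSA PUBLIC KEY" block (PKCS#1 RSAPublicKey DER). The sample
notes and moduli below are constructed and are not real campaign keys.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN RSA PUBLIC KEY-----(?P<b64>.*?)-----END RSA PUBLIC KEY-----", re.S
)


# --- minimal DER helpers for RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER } ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_rsa_public_key_pem(n, e=65537):
    """Build a PEM PKCS#1 RSAPublicKey (used here only to construct sample notes)."""
    der = _der_int(n) + _der_int(e)
    der = b"\x30" + _der_len(len(der)) + der
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END RSA PUBLIC KEY-----"


def parse_rsa_public_key(pem_text):
    """Return (modulus, exponent) from the first PKCS#1 RSAPublicKey PEM in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no RSA PUBLIC KEY block found")
    der = base64.b64decode("".join(m.group("b64").split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, _ = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def triage_note(note_text):
    """Classify a note: 'decryptor' for RSA-2048 (Round 1), 'wait' for RSA-4096
    (Round 2), 'unknown' otherwise. modulus_tail is the last 8 hex digits of n,
    for manual comparison with the key suffix quoted on the page."""
    n, e = parse_rsa_public_key(note_text)
    bits = n.bit_length()
    verdict = {2048: "decryptor", 4096: "wait"}.get(bits, "unknown")
    return {"bits": bits, "exponent": e, "verdict": verdict, "modulus_tail": f"{n:x}"[-8:]}


# Constructed sample notes: moduli are placeholders of the right size, not real keys.
NOTE_ROUND1 = "Your files are locked.\n" + encode_rsa_public_key_pem((1 << 2047) | 0x10001) + "\nContact us."
NOTE_ROUND2 = "Your files are locked.\n" + encode_rsa_public_key_pem((1 << 4095) | 0x10001) + "\nContact us."

if __name__ == "__main__":
    for label, note in (("round1", NOTE_ROUND1), ("round2", NOTE_ROUND2)):
        print(label, triage_note(note))
```

A 'wait' verdict means the seized keys do not cover the note; keep the encrypted files and the note archived (section 2, step 7) rather than running any third-party tool that claims otherwise.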

4. Other Critical Information

  • Unique Characteristics / Differentiators:
    – Leaves behind a signed, random-looking helper MsMpEng_DECOY.dll (named to mimic the real MsMpEng) that acts as both a loader and an AV-killer, unloading WLBProcess and tampering with Windows Defender’s security-hardened folder.
    – Deletes volume shadow copies through chained IOCTL control codes rather than vssadmin.exe, evading behavioral rules keyed on that binary.
    – If a domain controller is reachable, it deliberately escalates to an in-memory DCSync (LSADump-style) and exfiltrates the credential database, rather than the usual double-extortion file theft.
    – Distributed through look-alike GitHub releases: the operators pushed three fake “KeePassXC-Beta” releases to build trust.
  • Broader Impact:
    – Targeted military supply-chain partners’ VLANs in Eastern Europe and a healthcare-diagnostics SaaS in the Nordics, causing a 5-day suspension of COVID-19 logistics and radiology workflows. Blockchain analysis shows BTC wallets holding 14.9 million USD from 386 victims; the average up-front ransom demand was ~42,000 USD, but fewer than 12% paid. The law-enforcement takedown recovered 60% of live wallets and 30 TB of exfiltrated data scheduled for repatriation.

Stay vigilant, patch immediately, and share this guide widely to reduce AES-JANELLE’s footprint.