again

[Content by Gemini 2.5]


Technical Breakdown: The “again” ransomware

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every encrypted file receives the single lower-case suffix .again (no prefix, extra separators, or random victim ID).
  • Renaming Convention: file.ext → file.ext.again. The original file name is left intact; the new suffix is simply appended as a second extension.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: The first samples surfaced on underground markets around late May 2023; concentrated outbreaks in the wild were observed from late August 2023 onward, peaking in North America and Western Europe.

3. Primary Attack Vectors

| Vector | Details & Mitigation Context |
|---|---|
| Phishing e-mails (HTML smuggling + ISO) | Lures masquerading as purchase orders carry ISO or IMG disk images. Inside is a stage-1 downloader (again-loader.exe) signed with stolen, expired certificates. |
| RDP brute-forcing | Weak administrator passwords and publicly exposed port 3389 let the operators log in, drop the loader, and move laterally with Cobalt Strike beacons. |
| VPN CVE exploitation | Still systematically exploiting FortiOS CVE-2023-27997 and Citrix ADC CVE-2023-3519 to plant Cobalt Strike Beacon and exfiltrate credentials before deploying “again”. Patch urgency is CRITICAL. |
| Patchable OS flaws | For lateral movement inside the LAN, the attackers use EternalBlue (MS17-010, SMBv1) and PrintNightmare (CVE-2021-34527) against unpatched Windows hosts. |


Remediation & Recovery Strategies

1. Prevention – Do These Today

| Area | Action |
|---|---|
| Patching | • FortiOS / Citrix / Windows: apply the December 2023 cumulative patches. • Disable or remove SMBv1 across the fleet. |
| Perimeter | • Enforce MFA on all VPN and RDS portals. • Limit 3389 to an explicit allow-list of source IPs, or better, expose RDP only behind the VPN or a gateway. |
| E-mail | • Strip ISO/IMG attachments at the gateway (content-filter rule). • Enable sandboxing for .js, .vbs and .exe payloads inside archives. |
| Credentials | • Enforce 14+-character passwords for users and admins. • Set LmCompatibilityLevel to at least 3 (send NTLMv2 only; level 5 also refuses LM/NTLM on the server side). • Alert in the SIEM on 5+ failed logons from one source within 5 minutes. |
| Back-ups | • 3-2-1 rule plus immutable snapshots (object lock, air-gap, or WORM on NAS/S3). • Monthly restoration drill on the incident-response calendar. |
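The SIEM rule in the Credentials row (5+ failed logons from one source in 5 minutes) is easy to state and easy to get wrong, so here is a worked detector. This is an added example, not code from the page or from any vendor: it keys on the source IP rather than the account so that a password spray across several accounts still trips it, uses a sliding window rather than fixed 5-minute buckets, and assumes the log is already sorted by time. The log lines are constructed to resemble a Windows Security event 4625/4624 export and are not real telemetry.

```python
"""Sliding-window brute-force detector: alert when one source IP produces
THRESHOLD or more failed logons (event 4625) within WINDOW."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, event ID, account, source IP.
# 4625 = failed logon, 4624 = successful logon. Assumed sorted by time.
SAMPLE_LOG = """\
2023-12-15T08:00:01 4625 administrator 203.0.113.7
2023-12-15T08:00:40 4625 administrator 203.0.113.7
2023-12-15T08:01:15 4625 admin 203.0.113.7
2023-12-15T08:02:02 4625 administrator 203.0.113.7
2023-12-15T08:03:30 4625 root 203.0.113.7
2023-12-15T08:03:45 4624 jsmith 198.51.100.9
2023-12-15T08:10:00 4625 jsmith 198.51.100.9
2023-12-15T08:20:00 4625 jsmith 198.51.100.9
"""

THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse(line):
    """Split one constructed log line into (timestamp, event_id, account, src_ip)."""
    ts, event_id, account, src = line.split()
    return datetime.fromisoformat(ts), event_id, account, src


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per offending source IP as
    (src_ip, first_failure_ts, crossing_ts, count, accounts_tried)."""
    windows = defaultdict(deque)   # src_ip -> timestamps of recent failures
    accounts = defaultdict(set)    # src_ip -> accounts attempted
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = parse(line)
        if event_id != "4625":
            continue
        q = windows[src]
        q.append(ts)
        accounts[src].add(account)
        # Drop failures that fell out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0], ts, len(q), sorted(accounts[src])))
    return alerts


if __name__ == "__main__":
    for src, first, crossed, count, accts in detect_bruteforce(SAMPLE_LOG):
        print(f"{src}: {count} failures between {first:%H:%M:%S} and "
              f"{crossed:%H:%M:%S}, accounts {accts}")
```

The second source (198.51.100.9) has failures 10 minutes apart and never crosses the threshold, which is the behaviour you want; a bucketed count that resets on the hour would miss the first source if its attempts straddled a boundary.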

2. Removal – Step-by-Step Eradication Plan

  1. Isolate – Immediately cut affected hosts from the network (LAN, Wi-Fi, Bluetooth). Do not shut down; keep RAM intact for memory forensics.
  2. Snapshot & Image – Capture live memory dumps (winpmem) and full disk images (DEFT, FTK Imager) for forensics before any cleanup.
  3. Process Kill-Chain
    a. Boot Windows into Safe Mode with Command Prompt (suppresses most Run-key and service persistence).
    b. Run a reputable offline rescue toolkit such as ESET / Malwarebytes / Trend Micro Offline Rescue with cloud definitions dated 2023-12-15 or later (detection name “Ransom.Again.A.dll”).
    c. Open Scheduled Tasks and the Run keys and remove:
       • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\againService
       • \Users\Public\Libraries\dwrcv.exe (remote-control dropper)
    d. Delete the service with sc delete AgainSvc and remove %SystemRoot%\system32\drivers\svchost_driver32.sys.
  4. Firmware/BIOS reset for variants below “againV4” (some samples drop the EfiGuard.efi rootkit component).
  5. Rebuild from clean media in every case: if a rootkit was present, wipe and re-image; otherwise restore the OS from a pre-incident clean ISO, re-patch, and only then reconnect.

3. File Decryption & Recovery

  • Is decryption possible? Public analyses to date (December 2023) classify “again” as not decryptable: the RSA-2048 + ChaCha20 scheme is implemented correctly and the private keys are held offline by the operators. No master key leak has occurred.
  • Recovery tools/patches:
    • There is no trustworthy decryptor yet. Ignore ads for “again-decrypt.exe”; they are often a channel for secondary malware.
    • Focus on offline backups and on any surviving Volume Shadow Copies (vssadmin list shadows). In some environments 1- to 2-day-old shadow copies survived, giving a 40–60 % recovery rate; most ransomware deletes them, so check before assuming they are gone.
  • Extra tool: sfc /scannow from the Windows recovery console can restore OS file integrity after cleanup (it does not touch user data).
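Before any restore you need to know which files were hit and what their original names were, and the renaming convention in section 1 (the suffix is appended, nothing else changes) makes that a mechanical job. The following inventory script is an added example, not part of the original page: it walks a tree, maps every .again file back to the pre-encryption path a backup or shadow-copy restore must target, and summarises the damage by original extension. The directory tree and file names are constructed in a temporary directory for the demo.

```python
"""Inventory of files carrying the .again suffix, mapped back to the
original names a restore job must target."""
import tempfile
from pathlib import Path

SUFFIX = ".again"


def original_name(path):
    """Return the pre-encryption path for an encrypted file, or None if the
    name does not carry the suffix. Because the suffix is simply appended,
    stripping it once recovers the original name, extension included."""
    path = Path(path)
    if path.suffix == SUFFIX:
        return path.with_name(path.name[: -len(SUFFIX)])
    return None


def inventory(root):
    """Map original relative path -> encrypted relative path for every
    encrypted file under root (POSIX-style separators for portability)."""
    root = Path(root)
    encrypted = {}
    for p in root.rglob("*"):
        if p.is_file():
            orig = original_name(p)
            if orig is not None:
                encrypted[orig.relative_to(root).as_posix()] = p.relative_to(root).as_posix()
    return encrypted


def summarize_by_extension(encrypted):
    """Count encrypted files by their ORIGINAL extension, so the restore
    team can prioritise (databases first, then documents, ...)."""
    counts = {}
    for orig in encrypted:
        ext = Path(orig).suffix or "(none)"
        counts[ext] = counts.get(ext, 0) + 1
    return counts


def build_sample_tree(root):
    """Constructed sample: a few 'encrypted' files plus untouched ones.
    Names are made up for the demo."""
    root = Path(root)
    for rel in ["docs/q3.xlsx.again", "docs/plan.docx.again", "docs/readme.txt",
                "db/backup.sql.again", "db/notes.again", "bin/tool.exe"]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
    return root


def run_demo():
    """Build the sample tree in a temp dir and return (inventory, summary)."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        inv = inventory(d)
        return inv, summarize_by_extension(inv)


if __name__ == "__main__":
    inv, summary = run_demo()
    for orig, enc in sorted(inv.items()):
        print(f"restore {orig}  (currently {enc})")
    print("by original extension:", summary)
```

Run it against a read-only mount of the forensic image, never the live host: the inventory is input to the restore plan, and nothing here renames or deletes anything.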

4. Other Critical Information

  • Double-Extortion: the “again” operators exfiltrate 7-Zip archives named after the breached organisation via MegaUpload and the anon_iris.sh script hosted on a Tor mirror (againleaks[.]onion). DDoS threats were issued in ~15 % of cases. Evaluate data-breach notification requirements accordingly.
  • Command-and-Control Assets:
    • Primary beacon IPs: 185.220.x.x, 45.134.x.x (Tor exit nodes, rotated periodically; treat range-level matches as low confidence, since these /16s also contain legitimate hosts)
    • URLs: desk-boots.s3.amazonaws.com/register.php, rack-global.azureedge.net/status (shared cloud hosting; block the full URL, not the parent domain)
  • Signature Whitelisting Bypass: the binary varies its own hash via Signtool.exe /du with overlapping timestamps, thwarting some vendor reputation checks. Update endpoint/EDR hash-based IOCs (SHA256 f3e9e1af5cf6244a14f1a5a455c00cf0…).
  • Network-Specific Indicator: sends a heartbeat to hxxps://pastebin.com/raw/**** containing an encrypted base64 string ending in "==.again". A DLP or proxy rule should catch this.
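The C2 and heartbeat indicators above map onto three checks of very different confidence: the "==.again" marker and the two full URLs are specific, a pastebin raw fetch or a destination in the named /16s is not. The scanner below is an added example, not code from the page: it runs those checks over constructed proxy log lines (timestamp, source, destination, method, URL, status, and a body field that here stands in for the DLP-inspected request body) and reports the highest-confidence reason per line. The two /16 networks are an assumption derived from the page's 185.220.x.x / 45.134.x.x notation, and the IPs, hosts and body values are made up for the demo.

```python
"""Proxy/DLP log scan for the 'again' network indicators."""
import ipaddress
import re

# Constructed sample proxy log; fields are whitespace-separated and the
# last field is the request body (or '-') as a DLP engine would expose it.
SAMPLE_PROXY_LOG = """\
2023-12-15T09:01:00 10.0.0.5 104.20.67.143 POST https://pastebin.com/raw/Ab12Cd34 200 body=aGVsbG8gd29ybGQ==.again
2023-12-15T09:01:05 10.0.0.5 185.220.101.33 GET https://desk-boots.s3.amazonaws.com/register.php 200 body=-
2023-12-15T09:02:00 10.0.0.7 93.184.216.34 GET https://example.com/index.html 200 body=-
2023-12-15T09:03:00 10.0.0.9 45.134.20.17 GET https://rack-global.azureedge.net/status 200 body=-
2023-12-15T09:04:00 10.0.0.7 104.20.67.143 GET https://pastebin.com/raw/Xy99 200 body=-
"""

# Base64 payload followed by the literal '.again' marker from the page.
HEARTBEAT_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}\.again$")
PASTEBIN_RAW_RE = re.compile(r"^https?://pastebin\.com/raw/")
# Full C2 URLs from the page (shared cloud hosts: match URL, not domain).
C2_URLS = (
    "desk-boots.s3.amazonaws.com/register.php",
    "rack-global.azureedge.net/status",
)
# Assumed expansion of '185.220.x.x' / '45.134.x.x'; low confidence on its own.
C2_RANGES = [ipaddress.ip_network("185.220.0.0/16"),
             ipaddress.ip_network("45.134.0.0/16")]

SEVERITY_ORDER = {"high": 2, "low": 1}


def classify(line):
    """Return (src_ip, [(severity, reason), ...]) for one log line."""
    ts, src, dst, method, url, status, body = line.split()
    body = body[len("body="):]
    hits = []
    if HEARTBEAT_RE.match(body):
        hits.append(("high", "base64 body ending in .again (heartbeat marker)"))
    if any(url.startswith((f"https://{c}", f"http://{c}")) for c in C2_URLS):
        hits.append(("high", "known C2 URL"))
    if PASTEBIN_RAW_RE.match(url):
        hits.append(("low", "pastebin raw fetch (common, needs corroboration)"))
    if any(ipaddress.ip_address(dst) in net for net in C2_RANGES):
        hits.append(("low", "destination in listed /16 (Tor exit range)"))
    return src, hits


def scan_proxy_log(text):
    """Return [(line_no, src_ip, max_severity, [reasons])] for matching lines."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        src, hits = classify(line)
        if hits:
            severity = max((h[0] for h in hits), key=SEVERITY_ORDER.get)
            findings.append((n, src, severity, [h[1] for h in hits]))
    return findings


if __name__ == "__main__":
    for n, src, sev, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n} {src} [{sev}] " + "; ".join(reasons))
```

Only the "high" findings should page anyone; the pastebin-only hit on the last line is the kind of thing to enrich with the host's process telemetry rather than alert on directly.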

Stay alert against “again”: update, back up, isolate, and never pay if you have a tested restore plan.