angus

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files encrypted by the “Angus” ransomware family receive the suffix .angus appended to their original filenames.
  • Renaming Convention: Original filenames are not altered before the extension is added, e.g. “2024-Q1-Finance.xlsx” becomes “2024-Q1-Finance.xlsx.angus”. After encryption completes, a plain-text ransom note named RESTOREFILESINFO.hta is dropped into every affected folder (a full-stack note is also left on the desktop).

2. Detection & Outbreak Timeline

  • First Wild Sightings: Angus was first observed in the third week of May 2024 by multiple Threat Intelligence feeds, with a sharper ramp-up through early June 2024.
  • High-profile Incidents: Public disclosures started surfacing on 28 May 2024, when a French logistics firm posted IOCs on Twitter. Kaspersky, SentinelOne and CISA all released initial advisories on 3 June 2024.

3. Primary Attack Vectors

| Infection Channel | Details & Examples |
|---|---|
| Phishing (email attachments) | Malicious ZIP → LNK shortcut → HTA stager. Initial lures are themed “Overdue Invoice #XXXXX” and carry macro-laden DOCM or Excel-DDE payloads that run if the LNK is executed. |
| Exploitation of public-facing services | CVE-2023-27532 in Veeam Backup & Replication (port 9401) used for lateral movement; CVE-2023-34362 (MOVEit Transfer) seen in several initial-compromise nodes; Fortinet FortiOS SSL-VPN (FG-IR-23-053) credential-stuffing / session-hijacking combinations. |
| RDP / VNC brute-forcing | Credential lists purchased on the criminal marketplace “Genesis” used against exposed 3389/tcp and 5900/tcp endpoints. |
| Supply-chain propagation | One MSP was compromised through a vendor that pushed an updater signed with a stolen Authenticode certificate, infecting a dozen downstream clients. |
| Malicious ads (SEO poisoning) | Angus affiliate campaign #3 uses Q4 2024 Qakbot links seeded under fake AnyDesk download pages in Bing/Google ads. |


Remediation & Recovery Strategies:

1. Prevention

  1. Turn on Windows Controlled-Folder Access / macOS TCC for primary user drives.
  2. Patch immediately:
    • Veeam Backup & Replication → ≥ v12.3 (fixes CVE-2023-27532).
    • MOVEit → ≥ 2023.0.3; apply vendor hotfix 115.
    • Fortinet → ≥ FortiOS 7.4.0 or latest 7.0.x patch.
  3. Restrict lateral movement:
    • Disable SMBv1 globally via Group Policy.
    • Enforce MFA on all VPN and privileged RDP accounts.
    • Segment backup engineering workstations from production VLANs.
  4. Implement application whitelisting (Microsoft Defender ASR Rules + AppLocker / macOS spctl).
  5. Offline, immutable backups: Maintain immutable S3 Object Lock, Wasabi Object Lock, or WORM LTO-9 cartridges, updated nightly.

2. Removal (Clean-up playbook)

Step 1: Isolate affected hosts (unplug the NIC / disable Wi-Fi) to stop further encryption and credential harvesting.
Step 2: Boot into Safe Mode with Networking so the startup runners do not execute.
Step 3: Use live-response tools (ESET SysRescue Live, Kaspersky Rescue Disk) to scan for and delete:
    • Scheduled task: \AngusInstall (GUID varies; task XML at C:\Windows\System32\Tasks\AngusInstall)
    • Registry persistence:
      – HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VaultShell
      – HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate
    • Autorun wrappers: %AppData%\Microsoft\Vault\SecureData.exe (signed but malicious), %APPDATA%\SysCache\cache.exe
Step 4: Remove collateral Qakbot keyloggers/backdoors dropped in C:\Users\Public\Libraries and the “RefererCache” folder.
Step 5: Validate removal by hunting process-creation events for the .angus.exe image names, e.g. Sysmon Event ID 1 via PowerShell: `Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -FilterXPath "*[System[EventID=1]]" | Where-Object { $_.Message -match '\.angus\.exe' } | Select-Object TimeCreated, Message`.
Step 6: Reboot, then run a full offline AV scan with Microsoft Defender “clean boot” signatures (KB5034523, 1.397.405.0+).


3. File Decryption & Recovery

  • Official decryptor availability: As of June 2025 there is NO working public decryptor for the ChaCha20-Poly1305 key generation used by Angus. Do NOT trust “guaranteed Angus decryptor” scams.
  • Shadow Copies (VSS): The malware runs `vssadmin delete shadows /all /quiet`; after removal, check `vssadmin list shadows`. If a restore point dated before the infection still exists, restore it via Windows RE → System Restore.
  • Volume-level rollback: If backups are encrypted but VMware snapshots or ZFS send/receive streams were outside the encryption's reach, roll back to the last healthy state.
  • Backup integrity verifier: A script (PowerShell with Test-Path and an MD5/SHA256 hash list taken before and after) to spot-check recently restored critical files.
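The before/after hash-list check described above, written out as an added example (not the page's own script, and in Python rather than PowerShell so it runs anywhere). It builds a SHA-256 manifest of a tree before the incident, then compares a restored tree against it and separately flags leftover `.angus` files and RESTOREFILESINFO.hta notes, which mean the restore pulled back affected data; the demo directory and file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

RANSOM_SUFFIX = ".angus"              # extension the write-up reports Angus appends
RANSOM_NOTE = "RESTOREFILESINFO.hta"  # ransom note name the write-up reports

def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large restores do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root (the 'before' list)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(before: dict[str, str], root: Path) -> dict[str, list[str]]:
    """Compare the restored tree ('after') against the pre-incident manifest."""
    after = build_manifest(root)
    report = {k: [] for k in ("ok", "modified", "missing", "unexpected", "ransomware_artifacts")}
    for rel, digest in before.items():
        if rel not in after:
            report["missing"].append(rel)
        elif after[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    for rel in after:
        if rel in before:
            continue
        # Leftover encrypted files or ransom notes mean the restore is not clean.
        if rel.endswith(RANSOM_SUFFIX) or Path(rel).name == RANSOM_NOTE:
            report["ransomware_artifacts"].append(rel)
        else:
            report["unexpected"].append(rel)
    return report

def demo() -> dict[str, list[str]]:
    # Constructed scenario: manifest taken pre-incident, then a partially bad restore.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "finance").mkdir()
        (root / "finance" / "2024-Q1-Finance.xlsx").write_bytes(b"constructed spreadsheet")
        (root / "readme.txt").write_bytes(b"hello")
        before = build_manifest(root)
        # Simulate a restore that pulled back the affected folder instead of a clean copy.
        (root / "finance" / "2024-Q1-Finance.xlsx").rename(
            root / "finance" / "2024-Q1-Finance.xlsx.angus")
        (root / "finance" / RANSOM_NOTE).write_text("constructed note")
        return verify(before, root)
```

Persist the output of `build_manifest` (e.g. as JSON) on a host the backups cannot reach, or the "before" list itself becomes a target.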

4. Other Critical Information

  • Unique Traits: Angus encrypts each file with AES-256 in CBC mode under a one-time symmetric key, then encrypts that key with the attackers’ 4096-bit RSA key. The master RSA public key is hard-coded in the binary and often reused across several affiliates, so a future leak of the master private key could enable a universal decryptor (no leak observed yet).
  • Exfiltration: Angus affiliates bundle a separate StrawberryLoader module that uses Rclone to siphon >100 file types (PDF, DOCX, DBF, PST) to an attacker-controlled Mega folder before encryption. Expect double-extortion tactics.
  • Kill-Switch Check: Older builds honour the command-line argument /noencrypt. Add a monitoring or EDR rule on process.command_line containing “noencrypt” OR “-nokill” to catch early-stage testers.
  • Indicators of Compromise (IOCs):
    – SHA256 of main payload: 6ed43397b1834e3c22065a584eab70e3b6dfac2077fa7c4c3ac0bca2c306eec6 (on-disk binary signed “Innoventavo Ltd”).
    – C2 Domains (Tier 1): remotecritical.net, installedrrp.org, globalpubix.net.
    – Tor ransom portal: http://3q65f2ig7b…onion.
  • Insurance & Reporting: CISA, FBI and French ANSSI all request IOC uploads via https://ic3.gov and/or https://cert.ssi.gouv.fr. Sharing decryptor seeds will not restore your files but does help law-enforcement identify master private keys if they obtain them from takedowns.
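A small detection pass over process-creation telemetry for the command-line indicators this section and section 3 describe (the /noencrypt and -nokill tester switches, vssadmin shadow deletion, Rclone exfiltration and .angus.exe image names). This is an added example, not the page's own rule set: the regexes are this example's, and the event records are constructed to resemble Sysmon Event ID 1 fields.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern

# Patterns follow the write-up; regexes are this example's own and should be tuned
# against your own telemetry before deployment.
RULES = [
    Rule("angus_kill_switch_arg", re.compile(r"(?i)(?:^|\s)[/-]{1,2}(?:noencrypt|nokill)\b")),
    Rule("vss_shadow_deletion", re.compile(r"(?i)\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    Rule("rclone_exfil", re.compile(r"(?i)\brclone(?:\.exe)?\b.*\b(?:copy|sync|move)\b")),
    Rule("angus_image_name", re.compile(r"(?i)\.angus\.exe\b")),
]

def match_event(event: dict) -> list[str]:
    """Names of the rules that fire on one process-creation event (image + command line)."""
    text = f"{event.get('Image', '')} {event.get('CommandLine', '')}"
    return [r.name for r in RULES if r.pattern.search(text)]

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(ProcessId, matched rule names) for every event that triggers at least one rule."""
    return [(e["ProcessId"], hits) for e in events if (hits := match_event(e))]

# Constructed sample events shaped like Sysmon Event ID 1 fields; all values are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"ProcessId": 4388, "Image": r"C:\Users\Public\SecureData.exe",
     "CommandLine": "SecureData.exe /noencrypt"},
    {"ProcessId": 4402, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ProcessId": 4510, "Image": r"C:\Users\Public\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Finance mega:drop -q"},
    {"ProcessId": 4622, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"ProcessId": 4700, "Image": r"C:\Users\Public\Libraries\update.angus.exe",
     "CommandLine": "update.angus.exe"},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(hits)}")
```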

Use this guide as a living document: update patch levels, IOCs and detection rules regularly. With solid offline backup hygiene, prompt patching, and vigilant user awareness, the impact of Angus remains manageable.