anti-us

[Content by Gemini 2.5]

Community Resource – Ransomware Profile: anti-us

Last updated: 07-May-2024


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends “.anti-us” (with the leading dot) to the complete original filename, leaving the original extension in place; e.g. Annual_Report.xlsx becomes Annual_Report.xlsx.anti-us. Because nothing else in the name is altered, stripping the trailing suffix recovers the original name, which is useful when building restore lists.
  • Renaming Convention: In addition to the extension, the malware writes a file-type association for .anti-us to the registry so that every renamed file displays a generic lock icon. Folder names are left untouched, but every directory (including the root of each drive) receives a ransom note named readd_me.txt.
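A small triage script for the renaming pattern above, added here as an example (it is not code from the original page and not the malware's): it walks a tree, separates .anti-us files from readd_me.txt notes, recovers the original names for a restore list, brackets the encryption window from file timestamps, and flags directories that received a note but hold no encrypted files (encryption interrupted, or the share noted but not yet reached). The directory layout it scans is constructed in a temporary folder so the script runs offline.

```python
"""Triage helper for the anti-us renaming pattern (added example, not page code)."""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

SUFFIX = ".anti-us"          # appended after the original extension
NOTE_NAME = "readd_me.txt"   # one ransom note per directory, per the profile


@dataclass
class Triage:
    encrypted: list = field(default_factory=list)   # (path, original_name, mtime)
    note_dirs: set = field(default_factory=set)
    orig_ext: Counter = field(default_factory=Counter)

    @property
    def window(self):
        """(first, last) mtime among encrypted files, or None if nothing was hit."""
        if not self.encrypted:
            return None
        times = [m for _, _, m in self.encrypted]
        return min(times), max(times)

    @property
    def notes_without_encryption(self):
        """Directories holding a note but no .anti-us file."""
        hit_dirs = {os.path.dirname(p) for p, _, _ in self.encrypted}
        return self.note_dirs - hit_dirs


def original_name(name: str) -> str:
    """Strip the trailing suffix; the original extension survives in place."""
    return name[:-len(SUFFIX)] if name.endswith(SUFFIX) else name


def triage(root: str) -> Triage:
    t = Triage()
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            if f == NOTE_NAME:
                t.note_dirs.add(dirpath)
            elif f.endswith(SUFFIX):
                orig = original_name(f)
                t.encrypted.append((full, orig, os.path.getmtime(full)))
                t.orig_ext[os.path.splitext(orig)[1].lower() or "(none)"] += 1
    return t


def build_sample_tree() -> str:
    """Constructed sample tree: an encrypted finance share, a noted-but-untouched
    public folder, and one folder the malware never reached."""
    root = tempfile.mkdtemp(prefix="antius_")
    layout = {
        "finance": ["Annual_Report.xlsx.anti-us", "Q1.docx.anti-us", NOTE_NAME],
        "finance/archive": ["old.zip.anti-us", NOTE_NAME],
        "public": [NOTE_NAME],
        "untouched": ["readme.md"],
    }
    base = 1_700_000_000
    for i, (sub, names) in enumerate(layout.items()):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for j, n in enumerate(names):
            p = os.path.join(d, n)
            with open(p, "wb") as fh:
                fh.write(b"x")
            os.utime(p, (base, base + i * 60 + j))   # spread mtimes over a minute per dir
    return root


if __name__ == "__main__":
    t = triage(build_sample_tree())
    print(f"encrypted files: {len(t.encrypted)}, notes in {len(t.note_dirs)} dirs")
    print("original extensions:", dict(t.orig_ext))
    print("encryption window (epoch):", t.window)
    print("noted but not encrypted:", sorted(t.notes_without_encryption))
```

Run it against a mounted share or a mapped drive instead of the sample tree to size the blast radius; the window gives the first and last write the encryptor made, which is what you correlate against VPN and RDP logon times.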

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First samples appeared on underground marketplaces in late October 2023; large-scale financial-sector campaigns were observed between 18-Nov-2023 and 02-Jan-2024. A second wave began in March 2024, targeting healthcare and manufacturing through fake software installers promoted via Google Ads.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Exploitation of Vulnerabilities
    • ProxyNotShell (CVE-2022-41040 / CVE-2022-41082) – exploited on unpatched Exchange servers to deploy Cobalt Strike, which then stages the anti-us payload.
    • FortiOS SSL-VPN heap overflow (CVE-2022-42475) – exploited for unauthenticated code execution on the FortiGate, which then fetches a Linux loader.
  2. Phishing & Malvertising
    • E-mails themed “UPS Shipment Correction” deliver ISO or IMG disk images containing ChromeSetup.exe, which sideloads a malicious copy of SysWOW64\msvcr80.dll carrying the anti-us dropper.
    • Google Ads impersonating “Adobe Acrobat Pro 2024 Crack” redirect to sites serving MSI packages that install the ransomware as a chained action.
  3. RDP & SMB Abuse
    • Brute-forcing internet-exposed RDP (TCP 3389), followed by manual execution of the loader script winTaskMgr.bat.
    • Scanning for exposed SMB (TCP 445), then using the EternalBlue (MS17-010) Metasploit module for lateral movement once inside the network.

Remediation & Recovery Strategies

1. Prevention

  • Proactive Measures – Prioritized:
  1. Patch Exchange and FortiOS immediately, and disable SMBv1 via Group Policy or the registry (HKLM\SYSTEM\…\LanmanServer\Parameters\SMB1 = 0, DWORD); verify afterwards that the SMB1 server component is actually off rather than trusting the policy push.
  2. Enforce Network Level Authentication (NLA) for RDP, keep TCP 3389 off the internet (VPN or RD Gateway only), and require MFA (e.g., Duo or Okta) for all remote access.
  3. Block ISO/IMG attachments at the mail gateway and treat them as high-risk on endpoints via Group Policy: User Configuration → Administrative Templates → Windows Components → Attachment Manager → Inclusion list for high risk file types. Keep endpoints current so that Mark-of-the-Web propagates to files inside mounted disk images.
  4. Deploy AppLocker or Windows Defender Application Control (WDAC) to block execution from user-writable locations such as %USERPROFILE%\Downloads, %TEMP%, and C:\Users\Public; run the policy in audit mode first to catch legitimate installers before enforcing it.
  5. Offline backups – follow the 3-2-1 rule, rotate daily, test a restore monthly, and keep at least one copy immutable (e.g., S3 Object Lock or ExaGrid Retention-Lock). A backup that a compromised domain admin account can delete is not offline.

2. Removal

  • Infection Cleanup – Step-by-Step:
  1. Disconnect the host from all networks (disable Wi-Fi, unplug Ethernet). If the incident will need forensics or an insurance claim, capture memory and a disk image before cleaning anything.
  2. Boot into Windows Safe Mode with Networking or a WinPE external USB.
  3. Run Microsoft Defender Offline Scan and ESET Online Scanner; both recognise the prevalent anti-us loader.exe (Sig: Ransom.AntiUS.A) and also clean its registry-resident persistence entries.
  4. Delete persistence artefacts (scheduled tasks named NVDisplayUpdate and OneDriveSync) with autoruns64.exe or from the command line, recording each task's action first since it points at the dropper:
    schtasks /Delete /TN "NVDisplayUpdate" /F
    schtasks /Delete /TN "OneDriveSync" /F
  5. Remove the dropped fake Visual C++ runtime library (%WINDIR%\System32\msvcr80_nomkl.dll) and the staging folder %ProgramData%\AdobeARMService\.
  6. Reboot normally and re-run a full scan to confirm the infection is gone.

3. File Decryption & Recovery

  • Recovery Feasibility: At the time of writing NO functional decryptor exists. The malware generates a Curve25519 key pair on the victim host, encrypts (wraps) the private half under a second, attacker-held public key, and then wipes the plaintext private key, so the host retains only material that the attacker's private key can unlock. Memory dumps and disk images do not change this; they only preserve the wrapped blob.
  • Exploits/Keys released? – None so far.
  • Alternative Options:
  1. Restore from a valid backup once the infection is eradicated.
  2. File-versioning / shadow copies – anti-us runs vssadmin delete shadows /all, but some endpoints still retain System Restore Points (check with vssadmin list shadows from an elevated prompt).
  3. Recovery utilities: ShadowExplorer (shadow copies), or PhotoRec if no backups are available. PhotoRec carves unallocated space, so it only helps where the original file was deleted rather than overwritten in place; expect partial results.
  • Essential Tools/Patches:
    • Exchange Emergency Mitigation Service (EEMS) – automatically applies the IIS URL Rewrite rule that mitigated ProxyNotShell; the actual fix is the November 2022 Exchange Security Update, which should be installed rather than relying on the mitigation alone.
    • FortiOS 7.2.4 or later, or 7.0.11 or later (the fix for CVE-2022-42475 shipped in 7.2.3 / 7.0.9 / 6.4.11).
    • Disable SMBv1 using HardeningKitty or the Microsoft Windows Security Baselines.
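The key handling in the Recovery Feasibility bullet is what rules out a victim-side decryptor. The following model is an added example, not the malware's code or anything recovered from it: a pure-Python X25519 (the Montgomery ladder from RFC 7748, section 5) stands in for the Curve25519 library, and the HMAC-based key derivation, the HMAC-SHA256 counter keystream used in place of a real stream cipher, and the wrapped-blob layout are assumptions chosen for illustration. Each file is encrypted against the victim's public key only, so the private key never has to be in memory while files are being encrypted, and the only copy of it that survives on the host is wrapped under the attacker's public key.

```python
"""Model of the anti-us key handling (added example, not the malware's code)."""
import hashlib
import hmac
import os

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519: clamp the scalar, run the Montgomery ladder on u."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    u = bytearray(u)
    u[31] &= 127
    x1 = int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def kdf(shared: bytes, label: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 of a label under the ECDH shared secret."""
    return hmac.new(shared, label, hashlib.sha256).digest()


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Assumed cipher: HMAC-SHA256 counter keystream standing in for ChaCha20."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(8, "little"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)


def wrap_private_key(victim_priv: bytes, attacker_pub: bytes) -> bytes:
    """Ephemeral ECDH against the attacker's public key; returns eph_pub||ct||tag."""
    eph_priv, eph_pub = keypair()
    shared = x25519(eph_priv, attacker_pub)
    ct = stream_xor(kdf(shared, b"wrap-enc"), eph_pub[:16], victim_priv)
    tag = hmac.new(kdf(shared, b"wrap-mac"), eph_pub + ct, hashlib.sha256).digest()
    return eph_pub + ct + tag


def unwrap_private_key(blob: bytes, attacker_priv: bytes) -> bytes:
    """Only the attacker's private key reproduces the shared secret."""
    eph_pub, ct, tag = blob[:32], blob[32:64], blob[64:]
    shared = x25519(attacker_priv, eph_pub)
    expect = hmac.new(kdf(shared, b"wrap-mac"), eph_pub + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or corrupted blob")
    return stream_xor(kdf(shared, b"wrap-enc"), eph_pub[:16], ct)


def encrypt_file(victim_pub: bytes, data: bytes) -> bytes:
    """Per file: fresh ephemeral key against the victim PUBLIC key only."""
    f_priv, f_pub = keypair()
    return f_pub + stream_xor(kdf(x25519(f_priv, victim_pub), b"file"), f_pub[:16], data)


def decrypt_file(victim_priv: bytes, blob: bytes) -> bytes:
    f_pub, ct = blob[:32], blob[32:]
    return stream_xor(kdf(x25519(victim_priv, f_pub), b"file"), f_pub[:16], ct)


def infect(attacker_pub: bytes, files: dict) -> dict:
    """Victim side: generate key pair, wrap and wipe the private half, encrypt."""
    victim_priv, victim_pub = keypair()
    wrapped = wrap_private_key(victim_priv, attacker_pub)
    del victim_priv  # the plaintext private key does not survive on the host
    return {"victim_pub": victim_pub, "wrapped": wrapped,
            "files": {n: encrypt_file(victim_pub, d) for n, d in files.items()}}


def recover(artifacts: dict, attacker_priv: bytes) -> dict:
    """Attacker side (or a leaked master key): unwrap, then decrypt each file."""
    victim_priv = unwrap_private_key(artifacts["wrapped"], attacker_priv)
    return {n: decrypt_file(victim_priv, b) for n, b in artifacts["files"].items()}


if __name__ == "__main__":
    att_priv, att_pub = keypair()            # only att_pub is embedded in the binary
    art = infect(att_pub, {"Annual_Report.xlsx": b"Q4 figures"})
    assert recover(art, att_priv) == {"Annual_Report.xlsx": b"Q4 figures"}
    print("host keeps victim_pub + wrapped blob only; recovery needs att_priv")
```

Everything a responder can image from the victim (victim_pub, the wrapped blob, the per-file ephemeral public keys) is public-key material or ciphertext; recovery reduces to obtaining attacker_priv, which is why the only non-backup routes are a key leak or a law-enforcement seizure.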

4. Other Critical Information

  • Unique Characteristics:
    – anti-us contains a built-in worm module (wncsvc.dll) that enumerates network shares and encrypts mapped drives with a 256-thread pool, saturating them with writes almost immediately; a sudden burst of rename and write operations across a share is the earliest practical detection signal.
    – The victim's public IP is geolocated via freemyip.com before encryption; hosts in CIS countries (e.g. Russia and Belarus) are exempt and the payload exits without encrypting. The outbound lookup is a detection opportunity in proxy and DNS logs.
    – Drops an MSBuild project file (build.antus.msbuildproj) that is rebuilt on every reboot until removed, acting as a resilient dropper.
  • Broader Impact: A Texas-based MSP reported 6 customers (≈2,300 hosts) encrypted in under 45 minutes through one compromised FortiGate, illustrating the potential speed. Law enforcement (FBI Flash Alert #MU-000134) links the operators to the MoShen threat cluster, which has historically reused Qilin and Rorschach code. Ransom demands range from $150k to $650k (payable in Monero), with a 5-day leak-site countdown if payment is not made.

Stay vigilant, keep systems patched, and verify backups regularly.