antihacker2017

[Content by Gemini 2.5]

Antihacker2017 Ransomware – Community Resource

Threat Profile and Recovery Playbook

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    .antihacker2017

  • Renaming Convention:

  1. The original file name is preserved and the new extension is appended to it, e.g.,
     Annual-Report.pdf → Annual-Report.pdf.antihacker2017
  2. No observable prepended strings or hashes are added; the original character set is kept intact.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First samples seen in VirusTotal in late April 2017; a sharp uptick in detections in May–June 2017. The main wave subsided in July 2017, yet sporadic sightings persist in cracked-software bundles and shady forums.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Cracked Software Bundles – Torrents, grey-market activators for Office/Photoshop frequently carry the dropper.
  2. Malicious E-mail Attachments (“invoice-guy.exe”) – Uses macro-less ZIP/SFX executables disguised as PDFs.
  3. Remote Desktop Protocol (RDP) Brute-Force – Exploits VT-x for lateral spread, escalates to SYSTEM, then encryption.
  4. Inter-Folder AutoStart (Script “XXX.bat”) – Adds autorun keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).

Remediation & Recovery Strategies

1. Prevention

  • Disable RDP if not required; enforce Network Level Authentication (NLA).
  • Segment admin shares (ADMIN$, C$, IPC$).
  • Establish 3-2-1 backups (3 copies, 2 different media, 1 off-line/air-gapped).
  • Enable Windows Defender ASR (Attack Surface Reduction) rule: Block credential stealing from LSASS.
  • Patch every remote vector (see Essential Tool & Patch Bundle below).

2. Removal – Step-by-Step

  1. Physically disconnect the machine from the network.
  2. Boot into Safe Mode with Networking (needed for driver updates later).
  3. Identify malicious processes whose image path ends in %TEMP%\puxxx.exe or initbckxxx.exe. Kill them via Task Manager or taskkill /f /im <image name>.
  4. Delete the autorun registry entry:
     reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v antihkr2017 /f
  5. Run ESET Online Scanner or Bitdefender Antimalware to purge remaining artefacts and service DLLs (RaaSdrv.dll).
  6. Rebuild the Windows Recovery Environment so the ransomware cannot re-hide in it:
     reagentc /disable
     reagentc /enable

3. File Decryption & Recovery

  • Recovery Feasibility:
    Decryptable, time-boxed. Kaspersky added the XOR/AES key to its RannohDecryptor on 1 July 2017.

  • How to decrypt:

  1. Download RannohDecryptor.exe (latest build ≥ v1.12.3.4).
  2. Move at least one original file + its .antihacker2017 encrypted twin onto a clean VM or secure workstation.
  3. Launch the tool → browse for the pair → “Start Scan”.
  4. Tool verifies key → applies to entire volume. Average 200 GB disk ≈ 2–4 h.
  • If offline key missing:
    • Check if volume shadow copies (VSS) still exist:

    vssadmin list shadows

    • Restore files via ShadowExplorer; standard Windows restore point interface may be neutered but shadow data remains.
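The renaming convention above (original name kept, .antihacker2017 appended) is what the decryptor's "original file + encrypted twin" step relies on. The following added example, which is not part of the original write-up or of any vendor tool, walks a directory tree, recovers each encrypted file's original name by stripping the extension, and reports which encrypted files already have an unencrypted twin beside them (for instance restored from a backup) that can be handed to the decryptor as a pair.

```python
"""Inventory .antihacker2017 files and find original/encrypted pairs.

Added example for the recovery workflow; not the page's or a vendor's code.
"""
import os
import sys
from pathlib import Path
from typing import Dict, List

RANSOM_EXT = ".antihacker2017"  # extension documented in the threat profile


def original_name(encrypted: Path) -> Path:
    """Return the path a file had before encryption (extension stripped).

    The profile states the original name is preserved in full, so removing
    the appended extension is sufficient. Raises ValueError for other files.
    """
    name = encrypted.name
    if not name.endswith(RANSOM_EXT):
        raise ValueError(f"{encrypted} does not end in {RANSOM_EXT}")
    return encrypted.with_name(name[: -len(RANSOM_EXT)])


def inventory(root: Path) -> Dict[str, List[Path]]:
    """Classify every encrypted file under `root`.

    'paired': an unencrypted twin exists beside the encrypted file and the two
              can be given to the decryptor as the original/encrypted pair.
    'unpaired': only the encrypted copy is present (recover from backup/VSS).
    """
    result: Dict[str, List[Path]] = {"paired": [], "unpaired": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if not fname.endswith(RANSOM_EXT):
                continue
            enc = Path(dirpath) / fname
            bucket = "paired" if original_name(enc).is_file() else "unpaired"
            result[bucket].append(enc)
    return result


if __name__ == "__main__":
    inv = inventory(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    print(f"{len(inv['paired'])} encrypted files have an original twin")
    print(f"{len(inv['unpaired'])} encrypted files have no twin")
    for enc in inv["paired"][:5]:  # show a few usable pairs
        print("pair:", original_name(enc).name, "<->", enc.name)
```

Run it against the affected volume (or a copy of it) and use any reported pair for the decryptor's scan step.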

4. Other Critical Information

  • Distinctive Behaviors:

  • Terminates Windows Defender via MpSvc.dll tamper.

  • Disables Windows Update Service (wuauserv) and Windows Firewall Policy to prolong persistence.

  • Leaves a trivial note, Antihacker2017.txt, in every drive’s root, containing a generic Bitcoin wallet address; the note carries no public-key data, which is consistent with decryption via a local key.

  • Wider Impact:
    Ranked low-severity because decryption is publicly available; however, crypto-miner BGP hijacks (June 2017) compounded attribution confusion, falsely legitimizing ransom notes that ask for double the original BTC sent to a now-known exchange address.

Essential Tool & Patch Bundle

  • Patch KB4019264 (MS17-010 – EternalBlue)
  • Microsoft 3199709 RDP CredSSP patch
  • Kaspersky: RannohDecryptor.exe – standalone zip (sig 2024-05-27-01)
  • Sysinternals: Autoruns 14.30 (verify persistence), ProcDump (dump suspect services)
  • 7-Zip AES-256 portable – safely package encrypted files for transfer to an off-site decryption workstation

Stay cautious, keep those backups offline, and validate with YARA rule Antihacker2017.yara available in the community Git repository.