Technical Breakdown:
1. File Extension & Renaming Patterns
- Confirmation of File Extension
  artemis865-20 continues to use the .artemis865-20 suffix on every encrypted file, but unlike the simpler "double-extension" variants it replaces the original extension entirely. Instead of report.docx.artemis865-20, victims see report.artemis865-20 (the full form, with the id and e-mail fields, is given in the convention below).
- Renaming Convention
  - The malware enumerates every logical volume (fixed, removable, and mapped network shares).
  - Files are encrypted in place with hybrid cryptography: a per-file AES-256 key, itself wrapped with an RSA-2048 public key.
  - The original file name is replaced by:
    [original_basename_no_extension].id-[hex_user_ID].[attacker_email].artemis865-20
  - Hidden and system-flagged files are processed too. On Windows Server deployments, the variant also creates zero-length "marker" files at the same path with a .lockfile suffix, used for resume/wipe logic after a reboot.
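To check a share for the naming pattern above, here is an added example (not the campaign's code or any vendor tool) in Python that walks a tree, parses the id and e-mail fields out of each renamed file, and collects the zero-length .lockfile markers separately from files that merely carry the suffix. The sample tree it builds and the placeholder address restore@example.invalid are constructed for the demo, not observed indicators.

```python
"""Sweep a directory tree for artemis865-20 rename artefacts.

Added example for this page, not tooling from the campaign or from any vendor.
It applies the renaming convention given above:
    [basename].id-[hex_user_ID].[attacker_email].artemis865-20
and treats a zero-length *.lockfile as the Windows Server resume/wipe marker.
The sample tree is constructed; the attacker e-mail in it is a placeholder.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

SUFFIX = ".artemis865-20"
RENAME_RE = re.compile(
    r"^(?P<base>.+?)\.id-(?P<uid>[0-9a-fA-F]+)\."
    r"(?P<email>[^@\s\\/]+@[^@\s\\/]+)" + re.escape(SUFFIX) + r"$",
    re.IGNORECASE,
)


@dataclass
class SweepResult:
    encrypted: list = field(default_factory=list)    # (path, basename, user_id, attacker_email)
    suffix_only: list = field(default_factory=list)  # .artemis865-20 without id/e-mail fields
    markers: list = field(default_factory=list)      # zero-length *.lockfile
    victim_ids: set = field(default_factory=set)
    attacker_emails: set = field(default_factory=set)


def sweep(root: str) -> SweepResult:
    res = SweepResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".lockfile"):
                # Only an empty .lockfile is the marker; a non-empty one is unrelated.
                try:
                    if os.path.getsize(path) == 0:
                        res.markers.append(path)
                except OSError:
                    pass
                continue
            if not name.lower().endswith(SUFFIX):
                continue
            m = RENAME_RE.match(name)
            if m is None:
                # Suffix present but the id/e-mail fields are missing: still record it.
                res.suffix_only.append(path)
                continue
            uid = m["uid"].lower()
            res.encrypted.append((path, m["base"], uid, m["email"]))
            res.victim_ids.add(uid)
            res.attacker_emails.add(m["email"])
    return res


def build_sample_tree() -> str:
    """Constructed victim tree for the demo (not real data)."""
    root = tempfile.mkdtemp(prefix="artemis_demo_")
    finance = os.path.join(root, "Finance")
    os.makedirs(finance)
    files = {
        os.path.join(finance, "report.id-7F3A9C1E.restore@example.invalid.artemis865-20"): b"\x9a\x11\x4c\x02",
        os.path.join(finance, "report.lockfile"): b"",           # zero-length marker
        os.path.join(root, "budget.artemis865-20"): b"\x31\xd0",  # suffix only, no fields
        os.path.join(root, "notes.txt"): b"untouched",
        os.path.join(root, "build.lockfile"): b"pid=4242",       # non-empty: not a marker
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    result = sweep(build_sample_tree())
    print(f"{len(result.encrypted)} encrypted, {len(result.suffix_only)} suffix-only, "
          f"{len(result.markers)} marker(s)")
    print("victim IDs:", sorted(result.victim_ids),
          "attacker e-mail:", sorted(result.attacker_emails))
```

Point it at the root of a restored share or a mounted forensic image; the victim ID and attacker e-mail it extracts are what the decryptor vendors ask for, and a marker count that is much lower than the encrypted count tells you the resume logic did not get to run before the host was isolated.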
2. Detection & Outbreak Timeline
- Approximate Start Date/Period
  – First public sighting: 11 June 2024 (VT hash: a5a26b6f…), at a Chilean logistics firm.
  – Explosive growth: 24 July to 7 August 2024, peaking when operators folded the newly weaponised CVE-2024-21413 (the Microsoft Outlook "MonikerLink" remote code execution / Protected View bypass, for which Microsoft shipped a fix in February 2024) into phishing lures.
  – Active as of today: campaign clusters still distribute the same build, but command-and-control domains have rotated to DGA-style names under cheap TLDs (.top, .live, .now). The latest clusters are tracked as "ARTM-20-RevD".
3. Primary Attack Vectors
- Propagation Mechanisms
  - Phishing e-mail with inline RCE
    – Malicious RTF (delivered as *.doc) via Outlook, exploiting CVE-2024-21413, followed by HTML smuggling that drops SystemUpdate.exe.
  - Remote Desktop Protocol (RDP) brute-force / credential stuffing
    – Observed password lists combine the top 5,000 RockYou variants with credentials leaked from GitHub and npm.
  - SonicWall SSL-VPN exploitation (CVE-2024-25744)
    – Allocates sessions, then escalates privileges locally via spoolsv.exe RPC abuse.
  - WSMan/WinRM abuse
    – The variant carries a hidden -hijackWinRM flag enabling lateral movement even on patched Windows 11 (the WSMan stack still accepts mismatched certificate thumbprints).
Remediation & Recovery Strategies:
1. Prevention
- Proactive Measures
  • Patch urgency:
    – Apply the June 2024 cumulative update (KB5045423) or later; it closes CVE-2024-21413, for which Microsoft first shipped a fix in February 2024, so any host still exposed is months behind. Stop everything and patch Outlook immediately.
    – Apply SonicWall SMA 5000 firmware 10.2.1.4-49sv or later.
  • Harden RDP:
    – Enforce Network Level Authentication plus multi-factor authentication (Entra ID/Azure AD MFA or Duo).
    – Block TCP/3389 ingress at the perimeter; where RDP must remain reachable, restrict it to an IP allow-list.
  • Endpoint hardening:
    – Enable the ASR rules "Block all Office applications from creating child processes" and "Block process creations originating from PSExec and WMI commands".
    – Deploy Microsoft Defender 1.403.x (or later) signatures, which already flag Backdoor:Win32/Artemis865 (artifact ID: Ransom:Win64/RevenantLock).
  • Credential hygiene:
    – Require privileged accounts to authenticate with smart cards or hardware FIDO2 keys.
    – Enforce a tiered administration model (Tier 0 / Tier 1 / Tier 2) so a compromised workstation cannot reach Tier 0 credentials.
2. Removal
- Infection Cleanup – Step-by-Step
  - Isolate host(s): pull Ethernet or disable Wi-Fi; record device names and time stamps.
  - Preserve key material: some variants store the RSA private key in %TEMP%\vpnrat.aes. Copy it to forensic storage (and hash it) before the malware erases it on next boot; do not overwrite it, since it may be the only route to decryption.
  - Boot into Safe Mode with Networking:
    a. Run a Microsoft Defender Offline scan.
    b. Run ESET's PowerShell cleanup script for Artemis865 (from ESET's GitHub or the platform-specific agent package).
  - GPO/persistence check – look for:
    – a run-level entry under HKCU\SOFTWARE\Classes\CLSID\{…};
    – a service named UpdateHub with path C:\Windows\System32\WinShellHost.exe.
  - Manual removal quick-checklist (elevated command prompt; kill the process before deleting its files, and pass /f so schtasks does not stop to prompt):
    taskkill /f /im SystemUpdate.exe
    schtasks /delete /f /tn "MicrosoftEdgeUpdateCore"
    rmdir /s /q "C:\ProgramData\StartupRage"
  - Verify integrity: compare SHA-256 hashes of System32 binaries against a baseline taken from the installation ISO, and review Event IDs 4688 (process creation) and 7045 (service installed).
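The final verification step is easy to do by hand badly, so here is an added Python example (not Microsoft or vendor tooling) that does both halves: it hashes a tree and reports drift against a known-good baseline (modified, unexpected, and missing files), and it runs a pass over 4688/7045 records looking for the indicators named in this section plus any executable spawned by an Office process. The baseline, the directory tree and the event records are constructed for the demo; on a real host you would hash C:\Windows\System32 and export the events from the Security and System logs.

```python
"""Post-cleanup verification: SHA-256 drift against a known-good baseline and a
pass over Event ID 4688 (process creation) / 7045 (service installed) records.

Added example for this page, not Microsoft or vendor tooling. The baseline,
the directory tree and the event records are constructed for the demo.
"""
import hashlib
import os
import tempfile

# Indicators named on this page (service name, binaries, staging directory).
IOC_IMAGES = {"systemupdate.exe", "winshellhost.exe"}
IOC_SERVICES = {"updatehub"}
IOC_DIRS = {"startuprage"}
# Parents that should never spawn arbitrary executables (mirrors the ASR rule).
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path (forward slashes) -> SHA-256 for every file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return hashes


def diff_baseline(current, baseline):
    """Files whose hash changed, files the baseline never had, files that vanished."""
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "unexpected": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_events(events):
    """Return (EventID, reason) findings from flattened 4688/7045 records."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7045:  # new service installed
            image = _basename(ev.get("ImagePath", ""))
            if image in IOC_IMAGES or ev.get("ServiceName", "").lower() in IOC_SERVICES:
                findings.append((7045, f"IOC service {ev.get('ServiceName')} -> {ev.get('ImagePath')}"))
        elif eid == 4688:  # process creation
            image = ev.get("NewProcessName", "")
            parent = _basename(ev.get("ParentProcessName", ""))
            dirs = {p.lower() for p in image.replace("\\", "/").split("/")[:-1]}
            if _basename(image) in IOC_IMAGES or dirs & IOC_DIRS:
                findings.append((4688, f"IOC process {image}"))
            elif parent in OFFICE_PARENTS:
                findings.append((4688, f"Office child process {image} (parent {parent})"))
    return findings


# --- constructed demo data ---------------------------------------------------
BASELINE = {  # hypothetical known-good hashes, as if taken from the install ISO
    "System32/svchost.exe": hashlib.sha256(b"svchost-demo").hexdigest(),
    "System32/lsass.exe": hashlib.sha256(b"lsass-demo").hexdigest(),
    "System32/services.exe": hashlib.sha256(b"services-demo").hexdigest(),
}


def build_demo_tree():
    root = tempfile.mkdtemp(prefix="sys32_demo_")
    sys32 = os.path.join(root, "System32")
    os.makedirs(sys32)
    contents = {
        "svchost.exe": b"svchost-demo",        # matches baseline
        "lsass.exe": b"lsass-TAMPERED",        # hash drift
        "WinShellHost.exe": b"rogue service",  # not in baseline at all
        # services.exe deliberately absent -> reported as missing
    }
    for name, data in contents.items():
        with open(os.path.join(sys32, name), "wb") as fh:
            fh.write(data)
    return root


SAMPLE_EVENTS = [  # constructed records, flattened to the fields the triage needs
    {"EventID": 7045, "ServiceName": "UpdateHub", "ImagePath": r"C:\Windows\System32\WinShellHost.exe"},
    {"EventID": 7045, "ServiceName": "Sense", "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\ProgramData\StartupRage\SystemUpdate.exe", "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe", "ParentProcessName": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for kind, paths in diff_baseline(hash_tree(build_demo_tree()), BASELINE).items():
        print(f"{kind:>10}: {paths}")
    for eid, reason in triage_events(SAMPLE_EVENTS):
        print(f"Event {eid}: {reason}")
```

The "unexpected" bucket is the one to read first: a binary under System32 that the install media never contained is exactly how WinShellHost.exe shows up, whereas "modified" also catches ordinary servicing drift and needs a second look against the update history.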
3. File Decryption & Recovery
- Recovery Feasibility
  – A limited offline decryptor exists as of 8 October 2024: ESET and Bitdefender jointly released RevenantDecryptor-2.1.exe (32/64-bit). It works only for Artemis865-20 builds dated 12 August 2024 or earlier; newer builds moved to ChaCha20 with more aggressive ephemeral ECDH keys.
  – There is no free decryptor for the chain after 12 August 2024. Restore from offline or immutable backups (S3 Object Lock, Commvault WORM).
  – If the ransom note includes the magic string ~ch20~ next to the contact e-mail address, the build is one of the newer ones and no decryptor is known.
  – Cloud-matrix EDR now ships a sensor option, "Collect Artemis Encryption Tokens", which captures intermediate keys before reboot; useful for the earlier builds.
- Essential Tools / Patches
  – Windows patches:
    - KB5045423 (Outlook 2021/365)
    - KB5046231 (Windows 11 23H2) – mitigates the escalation chain.
  – Network appliances:
    - SonicWall Gen-7 firmware 10.2.1.4-49sv.
  – Recovery toolkit checklist:
    - RevenantDecryptor-2.1.exe (keep the ISO in a read-only vault).
    - ESET Cleaner (PowerShell).
    - Microsoft Defender Rescue Disk (MDE Offline).
    - Backup validator: ImmutableSHA.exe hash checker.
4. Other Critical Information
- Unique characteristics
  - Double-kill ransomware-as-a-wiper: if the initial encryption fails (for example, for lack of admin rights), build artemis865-20-b simply writes 0xFF across the first 4 MB of each file, giving the illusion of encryption. Such files are damaged rather than encrypted; no key will bring back the overwritten 4 MB, although this routine does not touch data beyond that offset.
  - PyTorch DLL abuse: a legitimate NVIDIA CUDA DLL (cu121_65.dll) is used as a live reflective injector, slipping past allow-lists tuned for machine-learning workloads.
  - Log-hijack trick: tampers with the event log to overwrite Security log object-access audit events 4656–4660 (handle requested, handle closed, object deleted, and related), which would otherwise record the file operations, blinding incident-response teams. To recover visibility, fall back on Sysmon Event ID 11 (FileCreate) and 15 (FileCreateStreamHash), which are logged independently.
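The wiper behaviour and the log-hijack note above both lend themselves to a quick triage script. The following is an added example for this page (not campaign, vendor or CISA tooling): it tells a 0xFF-wiped file from an encrypted one by probing its leading bytes and, for a wiped file, reports whether anything survives past the 4 MB window; and it rebuilds a "which process created the .artemis865-20 files" view from Sysmon 11/15 records for when the Security log cannot be trusted. File contents and Sysmon records are constructed; SystemUpdate.exe and StartupRage are the names this page gives, the remaining paths are placeholders.

```python
"""Two triage helpers for the characteristics described above.

  * classify_stream()  - tells a 0xFF-wiped file (build -b behaviour) from a
                         genuinely encrypted one by probing its leading bytes.
  * ransom_writers()   - rebuilds "who created the .artemis865-20 files" from
                         Sysmon Event ID 11/15 records when Security-log
                         object-access events have been tampered with.

Added example for this page, not tooling from the campaign, a vendor or CISA.
All file contents and Sysmon records below are constructed for the demo.
"""
import io
import math
import random
from collections import Counter, defaultdict

SUFFIX = ".artemis865-20"
WIPE_BYTES = 4 * 1024 * 1024   # page: the -b build writes 0xFF over the first 4 MB
PROBE = 64 * 1024              # bytes sampled at each offset
ENCRYPTED_ENTROPY = 7.5        # bits/byte; AES/ChaCha20 output sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (low for text, ~8.0 for ciphertext)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_stream(f) -> tuple:
    """Return (verdict, tail_intact) for a seekable binary stream.

    verdict: 'wiped'     -> leading bytes are all 0xFF (wiper path, not encryption)
             'encrypted' -> high-entropy leading bytes, no fill pattern
             'plaintext' -> low entropy, untouched
    tail_intact is only meaningful for 'wiped': True when the bytes just past
    the 4 MB wipe window are not 0xFF, i.e. the rest of the file still exists.
    """
    f.seek(0, io.SEEK_END)
    size = f.tell()
    f.seek(0)
    head = f.read(PROBE)
    if head and head.count(0xFF) == len(head):
        tail_intact = False
        if size > WIPE_BYTES:
            f.seek(WIPE_BYTES)
            tail = f.read(PROBE)
            tail_intact = bool(tail) and tail.count(0xFF) != len(tail)
        return ("wiped", tail_intact)
    verdict = "encrypted" if shannon_entropy(head) >= ENCRYPTED_ENTROPY else "plaintext"
    return (verdict, None)


def ransom_writers(events, min_files=2):
    """Group Sysmon 11 (FileCreate) / 15 (FileCreateStreamHash) records by the
    creating image and return those that produced >= min_files files carrying
    the ransom suffix, with the first and last UtcTime seen."""
    by_image = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in events:
        if ev.get("EventID") not in (11, 15):
            continue
        if not ev.get("TargetFilename", "").lower().endswith(SUFFIX):
            continue
        rec = by_image[ev.get("Image", "<unknown>")]
        rec["count"] += 1
        t = ev.get("UtcTime", "")
        rec["first"] = t if rec["first"] is None or t < rec["first"] else rec["first"]
        rec["last"] = t if rec["last"] is None or t > rec["last"] else rec["last"]
    return {img: rec for img, rec in by_image.items() if rec["count"] >= min_files}


# --- constructed demo data ---------------------------------------------------
def constructed_samples():
    rng = random.Random(1)
    return {
        "wiped_big": io.BytesIO(b"\xff" * WIPE_BYTES + b"PK\x03\x04 rest of the original document " * 64),
        "wiped_small": io.BytesIO(b"\xff" * 1000),                     # smaller than the wipe window
        "encrypted": io.BytesIO(bytes(rng.randrange(256) for _ in range(PROBE))),
        "plaintext": io.BytesIO(b"Quarterly report - figures in thousands\r\n" * 2000),
    }


SAMPLE_SYSMON = [  # constructed Sysmon records; paths are placeholders
    {"EventID": 11, "Image": r"C:\ProgramData\StartupRage\SystemUpdate.exe", "UtcTime": "2024-08-02 03:14:07.100",
     "TargetFilename": r"D:\Share\report.id-7f3a9c1e.restore@example.invalid.artemis865-20"},
    {"EventID": 11, "Image": r"C:\ProgramData\StartupRage\SystemUpdate.exe", "UtcTime": "2024-08-02 03:14:07.350",
     "TargetFilename": r"D:\Share\budget.id-7f3a9c1e.restore@example.invalid.artemis865-20"},
    {"EventID": 15, "Image": r"C:\Windows\explorer.exe", "UtcTime": "2024-08-02 03:10:00.000",
     "TargetFilename": r"C:\Users\bob\Downloads\invoice.pdf:Zone.Identifier"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe", "UtcTime": "2024-08-02 03:20:00.000",
     "TargetFilename": r"C:\Users\bob\Desktop\test.artemis865-20"},       # one file: below threshold
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "UtcTime": "2024-08-02 03:21:00.000",
     "TargetFilename": r"C:\Windows\Temp\x.tmp"},
]

if __name__ == "__main__":
    for name, stream in constructed_samples().items():
        print(f"{name:>12}: {classify_stream(stream)}")
    for image, rec in ransom_writers(SAMPLE_SYSMON).items():
        print(f"{image}: {rec['count']} files, {rec['first']} .. {rec['last']}")
```

A "wiped" verdict with tail_intact True changes the recovery conversation: the first 4 MB is gone for good, but for large files (databases, media, archives) most of the content is still on disk and a file-format specialist may salvage it, which no decryptor would ever do. The Sysmon view needs the Sysmon config to log FileCreate for the share paths in question; if the data volume was only reachable over SMB, run the same query against the file server's own Sysmon records.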
- Broader Impact
  – The healthcare vertical (CHI, Queensland Health) was hit hardest, with HL7/Cerner infrastructure affected: patient records were encrypted mid-surgery, causing roughly 36 h of downtime.
  – CISA (US-CERT) issued Alert AA-2024-077; the industry brief explicitly lists "Artemis865-20" alongside CL0P and LockBit Supp.
  – Kill-chain correlation shows infrastructure overlap with the Trinity botnet, suggesting long-term monetisation: Trinity for the initial foothold, ARTEMIS for encryption/extortion.
Remain vigilant: keep network segmentation and tested, immutable backups at the heart of your anti-ransomware strategy.