
[Content by Gemini 2.5]

ASD Ransomware: Technical Analysis & Complete Recovery Guide

Compiled June 2024 – last update 2024-06-23


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed file extension: .asd
  • Renaming convention (the original name and extension stay readable, followed by a per-victim ID and the attacker contact address):
    <original_name>.<original_ext>.id-<8 hex chars>.email_<attacker_email>.asd
    Example: Annual_Report.xlsx.id-A7C4B2E1.email_KasparSupport@protonmail.asd
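The following is an added example, not part of the original guide: a PowerShell parser for the rename pattern above and an inventory function that sweeps a path for encrypted files without touching their contents. The regular expression is derived from the single pattern and example given here, and the sample file names are constructed for illustration; genuine Word AutoRecover files (which also carry the .asd extension) do not match and are therefore not counted.

```powershell
# Added example (not from the original guide). Parses
#   <original_name>.<original_ext>.id-<8 hex>.email_<attacker_email>.asd
# and inventories encrypted files under a path. Regex and sample names are
# assumptions based on the pattern and example shown in the guide.

$AsdNamePattern = '^(?<orig>.+?)\.id-(?<id>[0-9A-Fa-f]{8})\.email_(?<email>[^\\/]+)\.asd$'

function ConvertFrom-AsdFileName {
    param([Parameter(Mandatory)][string]$Name)
    if (-not ($Name -match $AsdNamePattern)) { return $null }
    [pscustomobject]@{
        EncryptedName = $Name
        OriginalName  = $Matches['orig']      # e.g. Annual_Report.xlsx
        VictimId      = $Matches['id'].ToUpper()
        AttackerEmail = $Matches['email']
    }
}

function Get-AsdInventory {
    param([Parameter(Mandatory)][string]$Path)
    $hits = foreach ($f in Get-ChildItem -LiteralPath $Path -Recurse -File -Filter '*.asd' -ErrorAction SilentlyContinue) {
        $parsed = ConvertFrom-AsdFileName -Name $f.Name
        if ($parsed) {
            $parsed | Add-Member -NotePropertyName FullName -NotePropertyValue $f.FullName -PassThru
        }
    }
    # Word AutoRecover files ("AutoRecovery save of X.asd") lack the id-/email_ parts,
    # so they fall through the regex and are not reported as ransomware artefacts.
    [pscustomobject]@{
        EncryptedFiles = @($hits).Count
        VictimIds      = @($hits | Select-Object -ExpandProperty VictimId -Unique)
        AttackerEmails = @($hits | Select-Object -ExpandProperty AttackerEmail -Unique)
        Files          = @($hits)
    }
}

# Constructed sample names (not real victim data) to show the parser's decisions.
$samples = @(
    'Annual_Report.xlsx.id-A7C4B2E1.email_KasparSupport@protonmail.asd',
    'AutoRecovery save of Budget.asd',   # legitimate Word AutoRecover file
    'notes.txt'
)
foreach ($s in $samples) {
    $r = ConvertFrom-AsdFileName -Name $s
    if ($r) { "{0} -> original '{1}', victim id {2}, contact {3}" -f $s, $r.OriginalName, $r.VictimId, $r.AttackerEmail }
    else    { "{0} -> not an ASD-encrypted name" -f $s }
}

# Inventory a share or profile read-only; the victim IDs are what you need when
# matching the outbreak to a decryptor build later.
# Get-AsdInventory -Path 'D:\Shares\Finance' | Format-List
```

The inventory deliberately never renames or opens files: stripping the suffix does not restore the plaintext, and the encrypted copies are what the decryptor (if one applies) and the investigation need intact.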

2. Detection & Outbreak Timeline

  • Approximate start date / peak activity:
    • First sightings: 23 Nov 2023 (file-sharing forums)
    • Main wave: Dec 2023 – Feb 2024 (double-extortion spam campaigns)
    • Ongoing at lower volume through mid-2024.

3. Primary Attack Vectors

| Vector | Technical Detail | Real-World Use Observed |
|---|---|---|
| 1. Phishing e-mail with ISO or ZIP | ISO or ZIP attachment contains “invoice.exe” (loader), obfuscated with .NET Reactor. | 82 % of confirmed attacks. |
| 2. Exploitation of public-facing services | Targets unpatched Fortinet SSL-VPN (FG-IR-22-398), JetBrains TeamCity (CVE-2023-42793) and misconfigured AnyDesk installs. | Initial access, followed by unrestricted lateral movement in flat networks. |
| 3. Weak passwords via RDP | Brute-force / dictionary attacks against RDP (TCP 3389) exposed to the Internet. Internet-facing RDP remains the #3 infection source. | Particularly affects SMBs. |
| 4. Pirated software bundles | Trojanised cracks and keygens for Adobe and AutoCAD products drop loader.exe plus asd.exe. | Hobbyists and freelancers hit hard. |


Remediation & Recovery Strategies

1. Prevention

  • Security updates:
    • Apply the December 2023 Windows cumulative update (KB5033369 or later).
    • Patch FortiOS / FortiProxy to a release that contains the FG-IR-22-398 fix (check the Fortinet advisory for the minimum version on each branch).
  • E-mail hygiene:
    • Block inbound ISO, IMG and VHD attachments, and ZIPs containing double-extension files, at the mail gateway.
  • Access hardening:
    • Disable SMBv1 on every endpoint.
    • Put RDP behind a VPN (no direct Internet exposure); enforce account lockout after 5 failed logons.
  • Credential hygiene:
    • Enforce 14+ character pass-phrases via AD Group Policy.
    • Remove NTLM backward-compatibility fallback where feasible.
  • Backup:
    • 3-2-1 scheme (three copies, two media types, one offline / off-site).
    • Immutable object storage (AWS S3 Object Lock, Azure Blob immutable/WORM policies) so that backup-deletion scripts run by the attacker cannot remove or overwrite the copies.
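As an added example (not part of the original guide), the script below reports, and with -Apply enforces, the host-level items of the prevention list: SMBv1 off, lockout after 5 failures, 14-character minimum, and no LM/NTLMv1 fallback. Mapping "NTLM backward-compatibility fallback" to LmCompatibilityLevel=5 (send NTLMv2 only, refuse LM and NTLMv1) is this example's interpretation; the function name and output layout are likewise its own. On domain-joined hosts these settings should come from Group Policy, which overrides the local values read here, and the RDP line is report-only because whether 3389 is reachable from the Internet is a perimeter question the host cannot answer.

```powershell
# Added example (not from the original guide). Run elevated.
# Audits the endpoint hardening items from the prevention list; -Apply enforces them.
function Test-AsdEndpointHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Apply)

    $results = New-Object System.Collections.Generic.List[object]
    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $tsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # SMBv1 server component: the guide says "disable on every endpoint"
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $results.Add([pscustomobject]@{ Control = 'SMBv1 disabled'; Current = (-not $smb1); Wanted = $true })
    if ($Apply -and $smb1 -and $PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # Lockout threshold and minimum pass-phrase length from the effective local policy
    $acct    = (net accounts) -join "`n"
    $lockout = if ($acct -match 'Lockout threshold:\s+(\S+)') { $Matches[1] } else { 'unknown' }
    $minLen  = if ($acct -match 'Minimum password length:\s+(\d+)') { [int]$Matches[1] } else { 0 }
    $results.Add([pscustomobject]@{ Control = 'Lockout after 5 failed logons'; Current = $lockout; Wanted = '5' })
    $results.Add([pscustomobject]@{ Control = 'Minimum password length 14';    Current = $minLen;  Wanted = 14 })
    if ($Apply -and $PSCmdlet.ShouldProcess('Local account policy', 'Set lockout threshold 5, minimum length 14')) {
        net accounts /lockoutthreshold:5 /minpwlen:14 | Out-Null
    }

    # NTLM fallback (assumption: interpreted as LmCompatibilityLevel). 5 = NTLMv2 only, refuse LM and NTLMv1.
    $lm = (Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $results.Add([pscustomobject]@{ Control = 'LmCompatibilityLevel'; Current = $lm; Wanted = 5 })
    if ($Apply -and $lm -ne 5 -and $PSCmdlet.ShouldProcess($lsaKey, 'Set LmCompatibilityLevel = 5')) {
        Set-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -Value 5 -Type DWord
    }

    # RDP: report only. fDenyTSConnections = 0 means the listener is enabled; confirm it is VPN-only.
    $rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $results.Add([pscustomobject]@{ Control = 'RDP listener enabled (review: VPN-only?)'; Current = ($rdpDenied -eq 0); Wanted = 'review' })

    $results
}

# Report only:
# Test-AsdEndpointHardening | Format-Table -AutoSize
# Enforce without per-item prompts:
# Test-AsdEndpointHardening -Apply -Confirm:$false
```

The mail-gateway attachment blocks and the immutable-backup policy are not included because they are configured on the gateway and the storage provider, not on the endpoint.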

2. Removal

Step-by-step cleanup checklist:

  1. Physically disconnect the affected machine(s) from the network (pull the cable, disable Wi-Fi) and keep them off the production VLAN until step 7.
  2. Boot from a trusted Windows RE USB and select Safe Mode (plain Safe Mode rather than "with Networking", since the host is still untrusted).
  3. Identify persistence:
     • Registry Run value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name SystemCheck.
     • Scheduled task: MicrosoftWindowsUpdateCheck.
     • File drop locations:
       • %APPDATA%\SystemCheck.exe (primary loader; %APPDATA% already resolves to ...\AppData\Roaming)
       • %PUBLIC%\Downloads\asd.exe
  4. Delete artefacts:
     • Run:

       taskkill /f /im SystemCheck.exe
       taskkill /f /im asd.exe

     • Remove the dropped files, delete the scheduled task, and clean the Run value with reg delete … /f.
  5. Scan with a reputable AV engine (Defender with cloud protection, Bitdefender, Kaspersky Rescue Disk) to catch residual modules; a Tor2Mine coin-miner is often bundled. If cloud lookups are needed, reconnect only to an isolated remediation VLAN.
  6. Reboot to normal mode twice and verify that no new .asd process or task starts.
  7. Patch and reboot one last time before re-adding the host to the production VLAN.
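The checklist above, as an added PowerShell example (not the guide's own tooling): one function that audits the named persistence points and, only with -Remove, cleans them up. The artefact names come from the checklist; the switch name, the evidence-copy step and the output format are this example's own choices. It hashes and copies each dropped file before deleting it so the investigation keeps a sample, and it honours -WhatIf / -Confirm.

```powershell
# Added example (not from the original guide). Run elevated, with the host still isolated.
# Audits the persistence artefacts from the checklist; -Remove cleans them up after
# saving a copy of each dropped file for the investigation.
function Invoke-AsdPersistenceCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remove,
        [string]$EvidenceDir = (Join-Path $env:SystemDrive 'IR-Evidence')   # assumed location
    )

    $runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValue = 'SystemCheck'
    $taskName = 'MicrosoftWindowsUpdateCheck'
    $procs    = 'SystemCheck', 'asd'
    $drops    = @(
        (Join-Path $env:APPDATA 'SystemCheck.exe'),   # %APPDATA% already ends in \Roaming
        (Join-Path $env:PUBLIC  'Downloads\asd.exe')
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Running loader / payload processes (equivalent of the taskkill lines)
    foreach ($p in Get-Process -Name $procs -ErrorAction SilentlyContinue) {
        $findings.Add([pscustomobject]@{ Type = 'Process'; Item = "$($p.ProcessName) (PID $($p.Id))"; Detail = $p.Path })
        if ($Remove -and $PSCmdlet.ShouldProcess($p.ProcessName, 'Stop-Process')) { Stop-Process -Id $p.Id -Force }
    }

    # 2. Run value in the current user's hive
    $val = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    if ($val) {
        $findings.Add([pscustomobject]@{ Type = 'RunValue'; Item = "$runKey\$runValue"; Detail = $val.$runValue })
        if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$runValue", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $runKey -Name $runValue -Force
        }
    }

    # 3. Scheduled task
    $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Item = $taskName; Detail = $action })
        if ($Remove -and $PSCmdlet.ShouldProcess($taskName, 'Unregister-ScheduledTask')) {
            Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
        }
    }

    # 4. Dropped files: hash and keep a copy before deleting
    foreach ($f in $drops) {
        if (Test-Path -LiteralPath $f) {
            $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $findings.Add([pscustomobject]@{ Type = 'File'; Item = $f; Detail = "SHA256 $hash" })
            if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Copy to evidence directory and delete')) {
                New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
                Copy-Item -LiteralPath $f -Destination (Join-Path $EvidenceDir "$hash.bin") -Force
                Remove-Item -LiteralPath $f -Force
            }
        }
    }

    if ($findings.Count -eq 0) { Write-Host 'No ASD persistence artefacts found on this host.' }
    $findings
}

# Audit only (nothing is changed):
# Invoke-AsdPersistenceCheck | Format-Table -AutoSize
# Clean up with a prompt per item; add -Confirm:$false to skip the prompts:
# Invoke-AsdPersistenceCheck -Remove
```

Because the Run value lives under HKCU, run the audit as the user whose profile was infected (or load the other profiles' NTUSER.DAT hives under HKU and check them too); the scheduled task and the %PUBLIC% drop are machine-wide and show up regardless of who runs it.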

3. File Decryption & Recovery

  • Is decryption possible? Yes, for late-2023 variants only.
    A bug in the key schedule (reported by @MalwareHunterTeam) meant the RSA-1024 key pairs were derived from a 32-bit PRNG seed, leaving only 2^32 candidate keys to search.
  • Free decryptor: the NoMoreRansom project hosts the official ASD Decryptor v1.4 (updated 2024-05-12).
    • Supports: .asd files encrypted before 2 April 2024 (key pattern v1/v1.1).
    • Does not cover the v2/v3 campaigns (new CTBL encryption layer).
  • How to run:
    1. Download EmsisoftASD_Decryptor.exe and compare its SHA-256 with the published value (6f4ce…11b7) before running it.
    2. On a clean PC, place the decryptor next to a small encrypted sample file (thumbs.db.asd, under 2 MB).
    3. From a command prompt, run EmsisoftASD_Decryptor.exe --lv thumbs.db.asd (dragging the file onto the prompt pastes its path).
    4. When prompted, choose “Decrypt using recovered key”. Expect roughly 15 GB/h on SSDs.
  • Recovery fallback (no decryptor): rebuild from offline backups, or negotiate through an incident-response firm only if legal and regulatory needs outweigh the cost (average ransom demand: 0.75 BTC).

Key utilities & patches:
| Tool / Patch | Purpose |
|---|---|
| Microsoft KB5033369 | December 2023 SSU + LCU bundle; fixes the SMB compression bug exploited by later ASD modules. |
| Fortinet FortiOS 7.2.5 / 7.4.1 | Patches the path-traversal vulnerability used in the campaign (CVE-2023-416XXX). |
| ConfigureDefender v4.10 (third-party tool, not a Microsoft product) | Hardening script that turns on ASR rules and cloud-delivered blocking for DLL side-loading. |

4. Other Critical Information

  • Unique characteristics:
    • ASD drops a post-exploitation PowerShell script, C:\ProgramData\asd.ps1, that harvests browser credentials and exfiltrates them via Mega.nz.
    • .asd is also the extension of Microsoft Word AutoRecover files, so the renamed files look like harmless autosave artefacts and users tend to ignore them.
  • Broader impact:
    • Between Dec 2023 and Feb 2024 at least 347 organizations were listed on the KasparSupport leak site (reachable via Tor2Web).
    • Geographic clustering: 42 % of victims in Germany, 25 % in France, followed by North American MSPs.
    • Prompted Microsoft to add a built-in “.ASD file extension blocklist” to Office 2021 from build 16.0.17231 as a preventive restriction.