banks

[Content by Gemini 2.5]


RANSOMWARE DOSSIER – File-Extension: “.banks”

TECHNICAL BREAKDOWN

  1. File Extension & Renaming Patterns
    • Confirmation of extension: .banks (e.g., “invoice.docx.banks”)
    • Renaming convention: victim files keep their original name and original extension, then “.banks” is appended once.
    Example: Accounts.xlsx → Accounts.xlsx.banks
    Note: directories are NOT renamed; only individual files.
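As an added triage example (my own, not part of the dossier and not the operators' code), the PowerShell function below inventories .banks files under a path, reverses the renaming rule above to recover each original name and extension, and reports the encryption time window from file timestamps. The analysis path, the CSV name and the 10 KB threshold (taken from the dossier's skip-list note under "Other Critical Information") are assumptions.

```powershell
# Added example: inventory of .banks-suffixed files and their original names.
# Run from an isolated analysis host against a mounted image or a read-only share.
function Get-BanksImpact {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [long] $SkipThresholdBytes = 10KB   # dossier: files under 10 KB are skipped by the encryptor
    )

    $all = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue

    # Renaming rule from the dossier: "<name>.<ext>" -> "<name>.<ext>.banks", appended once.
    $rows = foreach ($f in ($all | Where-Object { $_.Extension -eq '.banks' })) {
        $original = $f.FullName.Substring(0, $f.FullName.Length - '.banks'.Length)
        [pscustomobject]@{
            EncryptedPath = $f.FullName
            OriginalPath  = $original
            OriginalExt   = [System.IO.Path]::GetExtension($original).ToLowerInvariant()
            SizeBytes     = $f.Length
            LastWriteUtc  = $f.LastWriteTimeUtc
            # A second ".banks" would contradict the "appended once" rule: worth a closer look
            DoubleSuffix  = $original.EndsWith('.banks', [StringComparison]::OrdinalIgnoreCase)
        }
    }
    $rows    = @($rows)
    $ordered = @($rows | Sort-Object LastWriteUtc)

    # Plaintext files under the threshold are expected to be intact (skip list). Larger untouched
    # files are listed separately: they may sit in a directory the encryptor never reached, or be later writes.
    $untouched = @($all | Where-Object { $_.Extension -ne '.banks' })

    [pscustomobject]@{
        EncryptedCount      = $rows.Count
        ByExtension         = $rows | Group-Object OriginalExt | Sort-Object Count -Descending |
                                  Select-Object Name, Count
        FirstEncryptedUtc   = if ($ordered.Count -gt 0) { $ordered[0].LastWriteUtc }  else { $null }
        LastEncryptedUtc    = if ($ordered.Count -gt 0) { $ordered[-1].LastWriteUtc } else { $null }
        IntactBelowSkipSize = @($untouched | Where-Object { $_.Length -lt $SkipThresholdBytes }).Count
        IntactAboveSkipSize = @($untouched | Where-Object { $_.Length -ge $SkipThresholdBytes }).Count
        Files               = $rows
    }
}

# Usage (assumed paths):
# $r = Get-BanksImpact -Path 'D:\evidence\fileserver_root'
# $r | Select-Object EncryptedCount, FirstEncryptedUtc, LastEncryptedUtc, IntactBelowSkipSize, IntactAboveSkipSize
# $r.ByExtension | Format-Table -AutoSize
# $r.Files | Export-Csv -Path .\banks_impact.csv -NoTypeInformation
```

The first/last LastWriteUtc pair gives a rough start and end of the encryption run on that volume, which is what you want to line up against RDP logon events when reconstructing the timeline. A non-zero DoubleSuffix count or a large IntactAboveSkipSize are the two signals that the sample on this host did not behave as the dossier describes.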

  2. Detection & Outbreak Timeline
    • First public sightings: Second half of April 2024; major spike of infections reported around 2nd week of May 2024.
    • Attributed (currently) to a new branch of the MedusaLocker ransomware family – internally marked as “MedusaLocker v6 B-build”.

  3. Primary Attack Vectors
    • Exploitation of exposed Remote Desktop Protocol (RDP) with weak or compromised credentials, followed by lateral movement and hands-on-keyboard deployment of the encryptor.
    • Social-engineering e-mails whose links deliver .ISO or .IMG attachments containing a PowerShell download script that pulls the payload from an anonymous file-share.
    • Exploitation of CVE-2023-22568 (AnyDesk privilege escalation) to obtain SYSTEM context before launching the encryptor.
    • Weaponised Microsoft Office macros / VBS scripts, which run only when the recipient opens the document and enables content; no browser-exploitation chain has been observed so far.

REMEDIATION & RECOVERY STRATEGIES

  1. Prevention
    • Disable RDP on perimeter-facing systems or restrict it to VPN-only access; enforce strong (≥ 12 chars), unique passwords plus MFA.
    • Deploy a Windows account lockout policy (5 failed logons = 30 min lockout).
    • Apply the April–May 2024 cumulative Windows patches (especially KB5036892 and KB5036979) to close the exploited channels.
    • Block outbound SMB (TCP 445/139) at the perimeter firewall; disable SMBv1 on every Windows host.
    • Email gateway: strip .IMG/.ISO attachments, or quarantine them so they can only be released by hand.
    • EDR/AV: confirm that signatures for MedusaLocker/Banks are deployed (vendor rule "Ransom.Trojan.MedusaLocker"; generic detection ID Trojan-Ransom.Win32.MedusaLocker.banks.a, released 13 May 2024).
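An added example (mine, not from the dossier or any vendor) that applies the host-side items above on a Windows 10/11 or Server host from an elevated PowerShell session, with a companion function that reads the resulting state back so the change can be verified. The RDP allow-list range is an assumption. The SMB egress block is applied on the Public profile only, because the "block outbound SMB" item above belongs at the perimeter firewall; blocking 445 on the Domain profile would break file shares and logon scripts.

```powershell
# Added example: apply the dossier's host-hardening items, then read the state back.
# Run elevated. The RDP allow-list range is an assumption; adjust before use.
function Set-BanksPreventionBaseline {
    param(
        [switch]   $DisableRdp,                          # perimeter-facing hosts: turn RDP off entirely
        [string[]] $RdpAllowedFrom = @('10.20.0.0/16')   # assumed VPN / jump-host range
    )

    # RDP: either off, or reachable only from the VPN range via the built-in rule group
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($DisableRdp) {
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    } else {
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
            Set-NetFirewallRule -RemoteAddress $RdpAllowedFrom -Enabled True
        # NLA on, so credentials are checked before a session is built
        Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
    }

    # Local lockout policy (5 failures, 30 min lockout, 30 min observation window) and 12-char minimum.
    # On domain-joined hosts set the same values in the Default Domain Policy instead.
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 /minpwlen:12 | Out-Null

    # SMBv1 off for both the server and the client side
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null   # client SKUs; on Server use Remove-WindowsFeature FS-SMB1

    # Outbound SMB block on the Public profile only (Domain/Private still need 445 for file shares)
    if (-not (Get-NetFirewallRule -DisplayName 'Block outbound SMB (Public)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block outbound SMB (Public)' -Direction Outbound `
            -Protocol TCP -RemotePort 445,139 -Profile Public -Action Block | Out-Null
    }
}

# Read the state back; run before and after to confirm each item actually changed.
function Test-BanksPreventionBaseline {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object Enabled -eq 'True'
    [pscustomobject]@{
        RdpDenied        = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 1
        RdpAllowedFrom   = ($rdp | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique) -join ','
        Smb1Enabled      = (Get-SmbServerConfiguration).EnableSMB1Protocol
        OutboundSmbBlock = [bool](Get-NetFirewallRule -DisplayName 'Block outbound SMB (Public)' -ErrorAction SilentlyContinue)
        LockoutPolicy    = (net accounts | Where-Object { $_ -match 'Lockout' }) -join '; '
    }
}

# Set-BanksPreventionBaseline -RdpAllowedFrom '10.20.0.0/16'
# Test-BanksPreventionBaseline
```

Push the same settings through GPO rather than per host once the baseline is agreed; the script is for the first few hosts and for spot-checking that the policy actually landed (RdpAllowedFrom showing "Any" after the GPO refresh is the usual sign that a local rule was overridden).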

  2. Removal (Step-by-Step)
    A. Isolate the infected host: pull the Ethernet cable / disable Wi-Fi immediately. Do not power it off yet if a memory capture is wanted; the injected encryptor (see "Other Critical Information") exists only in memory.
    B. If forensics are required, capture memory and take a disk image before any cleanup. The ransomware has already run vssadmin delete shadows /all, so shadow copies are not a fallback for deleted artefacts.
    C. Reboot into Safe Mode without networking (Windows) or single-user mode (Linux) so that no persistence entry can reach the network.
    D. Scan from a clean boot USB (Windows Defender Offline or Bitdefender Rescue CD).
    E. Hunt persistence and the payload:
       – Autoruns (Microsoft Sysinternals): check Run, RunOnce and scheduled tasks referencing svchost.exe.medusa or banks.exe.
       – Locate the main payload (commonly %APPDATA%\SystemPoint\banks.exe or %PROGRAMDATA%\Medusa\banks.exe); preserve a copy for analysis, then delete it.
    F. Push a domain-wide GPO to update EDR and run a full scan once the network is back, keeping the affected segment isolated until it is clean.
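Added example (mine, not the dossier's and not any EDR vendor's rule): one PowerShell sweep over the persistence and payload locations named in the removal steps and under "Other Critical Information", plus an orphan-svchost heuristic for the hollowed host process. Only the file paths, file names and the HKCU\Software\Medusa key come from the dossier; the orphan-svchost check is a generic heuristic (svchost.exe is normally started by services.exe), and the output layout is an assumption.

```powershell
# Added example: sweep one host for the Banks/MedusaLocker indicators quoted in the dossier.
# Run elevated on the isolated host, after memory and disk images have been taken.
function Test-BanksHostIndicators {
    $payloadPaths = @(
        (Join-Path $env:APPDATA     'SystemPoint\banks.exe'),
        (Join-Path $env:ProgramData 'Medusa\banks.exe')
    )
    $nameRegex = 'banks\.exe|svchost\.exe\.medusa|banks\.mem'
    $findings  = New-Object System.Collections.Generic.List[object]

    # 1. Payload on disk (hash it before anything deletes it)
    foreach ($p in $payloadPaths) {
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings.Add([pscustomobject]@{ Type = 'Payload'; Where = $p; Detail = "SHA256=$h" })
        }
    }

    # 2. Run / RunOnce keys for the machine and the current user, 32-bit view included
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
            if ("$($props.$name)" -match $nameRegex) {
                $findings.Add([pscustomobject]@{ Type = 'RunKey'; Where = "$k\$name"; Detail = $props.$name })
            }
        }
    }

    # 3. Scheduled tasks whose action references the payload
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $nameRegex) {
                $findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Where = "$($t.TaskPath)$($t.TaskName)"; Detail = $cmd })
            }
        }
    }

    # 4. Wallpaper marker key written by the encryptor
    $marker = 'HKCU:\Software\Medusa'
    if (Test-Path $marker) {
        $v = (Get-ItemProperty -Path $marker -ErrorAction SilentlyContinue).SetWallpaper
        $findings.Add([pscustomobject]@{ Type = 'RegistryMarker'; Where = $marker; Detail = "SetWallpaper=$v" })
    }

    # 5. svchost.exe not parented by services.exe: heuristic for the hollowed host process.
    #    Expect occasional false positives (parent already exited); treat as a lead, not proof.
    $procs    = Get-CimInstance -ClassName Win32_Process -ErrorAction SilentlyContinue
    $services = @($procs | Where-Object Name -eq 'services.exe' | Select-Object -ExpandProperty ProcessId)
    foreach ($p in ($procs | Where-Object Name -eq 'svchost.exe')) {
        if ($services -notcontains $p.ParentProcessId) {
            $findings.Add([pscustomobject]@{ Type = 'OrphanSvchost'; Where = "PID $($p.ProcessId)"; Detail = "parent PID $($p.ParentProcessId): $($p.CommandLine)" })
        }
    }

    # 6. Shadow copy state; zero after the run is consistent with vssadmin delete shadows /all
    $shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
    $findings.Add([pscustomobject]@{ Type = 'ShadowCopies'; Where = 'Win32_ShadowCopy'; Detail = "count=$(@($shadows).Count)" })

    return $findings
}

# Test-BanksHostIndicators | Format-Table -AutoSize
```

Run it before the offline scan as well as after: the first pass documents what was present (hashes, task names, the registry marker) for the incident record, and the second confirms that the cleanup removed every item rather than only the file the scanner recognised.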

  3. File Decryption & Recovery
    No freely available decryptor at this time (June 2024). Hybrid scheme (ATT&CK T1486, Data Encrypted for Impact): file contents are encrypted with AES-256 and the AES keys are wrapped with an RSA-3072 public key carried in the sample; the matching private key is held only on the operators' infrastructure and is never written to the victim host, so there is nothing to recover from disk or memory after the run.
    Options to recover:
    – Offline backups: restore from the last known-good immutable copy, or from cloud storage with object lock / versioning that the compromised credentials could not overwrite.
    – Local Volume Shadow Copies are deleted by the encryptor, but third-party backup products (Veeam, Acronis, Nakivo) keep their restore points in separate repositories; those survive unless the repository itself was reachable from the compromised host and was encrypted too.
    – Professional negotiation: the operators double-extort, and paying does not guarantee deletion of exfiltrated data. Regulatory exposure (e.g., GDPR) and breach-notification duties apply whether or not a ransom is paid, and the disclosure carries its own reputational cost.
    Essential patches/tools for this strain:
    – Windows RDP patch KB5028177 (credSSP fix).
    – AnyDesk update to v7.2.3 or later (CVE-2023-22568 mitigated).
    – Deliver EDR signature set version 2024-05-20-001 and later.

  4. Other Critical Information
    • Unique traits:
    – Registry key HKCU\Software\Medusa is created with SetWallpaper=1; the desktop wallpaper is replaced by a red skull image labelled "BANKS RANSOMWARE".
    – The dropper writes shellcode to banks.mem and injects it into a hollowed svchost.exe (process hollowing), so the running encryptor has no image of its own on disk; file-signature scanning misses it and detection relies on memory scanning or behavioural rules.
    – Skip list: files below 10 KB are not encrypted (speeds up the run), and files already carrying the .banks suffix are not encrypted a second time.
    • Wider impact: used in recent attacks against mid-sized financial-service suppliers (W2024-05-SILVERFOREST campaign) and municipal health clinics (medical records dumped to BreachForums within 72 h). Since Banks shares leak-site infrastructure with the MedusaLocker Ransomware-as-a-Service portal, future rotations to .bank or .bnks variants are anticipated.


End of dossier — please keep backups offline and test restore procedures routinely.