barrax

[Content by Gemini 2.5]

Barrax Ransomware Defense & Recovery Guide

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .barrax (always lower-case)
  • Renaming Convention:
    • Original file: Document.docx
    • After encryption: 6FE91234.barrax; a new 8-character hexadecimal name is assigned and original file names are not preserved.
  • Additionally, Barrax drops two ransom notes:
    • !README_ATG!.txt in every folder with encrypted content.
    • #_DEC-README-HTML.html, an HTML copy of the demand so that it reaches victims through a second route.
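As an added example (not part of the original guide), the renaming and note-drop pattern above expressed as a scan that flags 8-hex-digit .barrax files and the two note names across a directory tree; the sample tree and its file names are constructed for the demo.

```python
import os
import re
import tempfile

# Encrypted files: exactly 8 hexadecimal characters plus the lower-case .barrax extension.
ENCRYPTED_NAME = re.compile(r"^[0-9A-Fa-f]{8}\.barrax$")
# The two ransom-note file names listed in the guide.
RANSOM_NOTES = {"!README_ATG!.txt", "#_DEC-README-HTML.html"}

def classify(name):
    """Return 'note', 'encrypted', or None for a bare file name."""
    if name in RANSOM_NOTES:
        return "note"
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    return None

def scan_tree(root):
    """Walk root and count artefacts; folders_hit lists every folder holding at least one."""
    result = {"encrypted": 0, "notes": 0, "folders_hit": []}
    for dirpath, _, files in os.walk(root):
        kinds = [classify(f) for f in files]
        enc, notes = kinds.count("encrypted"), kinds.count("note")
        result["encrypted"] += enc
        result["notes"] += notes
        if enc or notes:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            result["folders_hit"].append(rel)
    result["folders_hit"].sort()
    return result

def build_sample_tree():
    """Constructed sample tree for the demo (hypothetical names, not real victim data)."""
    root = tempfile.mkdtemp(prefix="barrax_demo_")
    layout = {
        "Finance": ["6FE91234.barrax", "a1b2c3d4.barrax", "!README_ATG!.txt", "#_DEC-README-HTML.html"],
        "HR": ["Handbook.docx", "notes.txt"],  # untouched folder, must not be flagged
        "Shared/Old": ["DEADBEEF.barrax", "!README_ATG!.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for n in names:
            open(os.path.join(root, folder, n), "wb").close()
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```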

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First extensively tracked mid-February 2023 during a spike in incident response engagements across U.S. healthcare and European manufacturing verticals.
  • April–June 2023 represents its most active wave; a second, larger surge began November 2023, peaking January 2024.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. Phishing with RAR/ZIP attachments delivering a malicious LNK plus an embedded MSI.
    2. Exploitation of exposed Remote Desktop Services using purchased or stolen credentials, or brute force against RDP (TCP/3389). A minor but persistent sub-vector is ScreenConnect dashboards left unpatched (versions below 22.7).
    3. Known vulnerability chains:
      • ProxyNotShell (CVE-2022-41040 and CVE-2022-41082) where an on-prem Exchange server is present.
      • PaperCut MF/NG CVE-2023-27350 in AtG-themed campaigns.
      • AnyDesk/TeamViewer pre-authenticated backdoors planted in prior intrusions, used to open a reverse session and then drop Barrax's MSI package.
    4. PsExec / WMI lateral movement once TS/RDP or GPO credentials are compromised, automatically pushing a scheduled task named CleanupAtG that launches the MSI with elevated rights.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Disable legacy Windows PowerShell versions ≥ 2 and enforce ConstrainedLanguageMode.
    • Apply the Exchange On-Prem May-2023 Security Updates (incl. ProxyNotShell).
    • Block .lnk, .vbs, .js, and .hta attachments at the mail gateway unless signed by internal IT.
    • Require multi-factor authentication on all external-facing RMM / RDP / VPN products; monitor for MFA-drilldown attacks that hijack existing sessions.
    • Publish an RSAT-based GPO restricting service-creation rights to IT tiered accounts; limit the PsExec executable to an allow-listed path.
    • Patch PaperCut, ConnectWise, and Zenith systems to the latest 2024 releases.
    • Implement network segmentation: isolate domain controllers, backups, OT/ICS, and Tier-0 administrative VLANs.
    • Encrypt credentials at rest: Barrax scrapes lsass.exe, so protect it with LSA Protection and Credential Guard.

2. Removal

  • Infection Cleanup:
    1. Take a forensic image of at least one affected host before powering off; Barrax deletes shadow copies via vssadmin delete shadows /all /quiet and clears Windows Event Logs to hamper IR.
    2. Identify persistence artefacts (locate the MSI/payload under %ProgramFiles%\Font_cache_Suite\upd.msi or %APPDATA%\AtG\dllhost.exe).
    3. Boot from a WinPE/Recovery USB, dismount all VSS writers, then run Microsoft Defender Offline or the Sophos Bootable ISO to remove the kernel-level module Ntwfxsys32.dll.
    4. Delete Scheduled Tasks & Services:
      • schtasks /delete /f /tn "CleanupAtG"
      • sc stop AtGUpdater & sc delete AtGUpdater
    5. Reset local SAM passwords and force a password reset across the domain.
    6. A full disk re-image is recommended because of the credential-stealing components and the FTK raw filesystem deployment that persists in unused clusters.
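The command-line artefacts named in the attack-vector list (section 3 above) and in the removal steps just listed, namely the CleanupAtG scheduled task, the AtGUpdater service, vssadmin shadow-copy deletion, the two payload paths and PsExec remote execution, written as detection rules over process-creation log lines. This is an added example, not code from the guide; the log lines, host names and user names are constructed for the demo.

```python
import re

# One rule per behaviour the guide attributes to Barrax; matching is case-insensitive.
RULES = {
    "shadow_copy_deletion": r"vssadmin(\.exe)?\s+delete\s+shadows",
    "cleanupatg_task":      r'schtasks(\.exe)?\s+/create\b.*?/tn\s+"?CleanupAtG\b',
    "atgupdater_service":   r"\bsc(\.exe)?\s+create\s+AtGUpdater\b",
    "known_payload_path":   r"Font_cache_Suite\\upd\.msi|\\AtG\\dllhost\.exe",
    "psexec_remote_exec":   r"psexec(\.exe)?\s+\\\\",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

def match_line(line):
    """Return the sorted list of rule names that fire on one log line."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(line))

def detect(lines):
    """Return (line_number, host, rule) for every hit; host is the second whitespace field."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        host = fields[1] if len(fields) > 1 else "?"
        for rule in match_line(line):
            hits.append((n, host, rule))
    return hits

def hosts_with_chain(lines):
    """Hosts where shadow-copy deletion and CleanupAtG creation both appear: the pairing
    the guide describes, which is a stronger signal than either rule on its own."""
    per_host = {}
    for _, host, rule in detect(lines):
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, r in per_host.items()
                  if {"shadow_copy_deletion", "cleanupatg_task"} <= r)

# Constructed sample lines in the form "timestamp host user=... cmd=..."; not real telemetry.
SAMPLE_LOG = [
    r'2024-01-15T02:11:03Z HOST01 user=CORP\svc_backup cmd="vssadmin delete shadows /all /quiet"',
    r'2024-01-15T02:11:09Z HOST01 user=CORP\svc_backup cmd="schtasks /create /tn CleanupAtG /tr "msiexec /i C:\Program Files\Font_cache_Suite\upd.msi /qn" /ru SYSTEM"',
    r'2024-01-15T02:12:40Z HOST02 user=CORP\jdoe cmd="notepad.exe C:\Users\jdoe\report.txt"',
    r'2024-01-15T02:13:01Z HOST01 user=CORP\svc_backup cmd="sc create AtGUpdater binPath= C:\Users\svc\AppData\Roaming\AtG\dllhost.exe"',
    r'2024-01-15T02:14:22Z HOST01 user=CORP\svc_backup cmd="psexec.exe \\HOST03 -s cmd /c schtasks /create /tn CleanupAtG /tr C:\upd.msi"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
    print("chain on:", hosts_with_chain(SAMPLE_LOG))
```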

3. File Decryption & Recovery

  • Recovery Feasibility: Barrax uses ChaCha20/ECDH public-key encryption with a unique key pair per victim; there is currently no free decryptor.
  • Check for data-recovery avenues before paying:
    • Verify backup snapshots in cloud storage outside the SMB domain (Barrax skips the GCP S3 "Archive" tier).
    • Attempt file carving via tools such as R-Studio or PhotoRec in case temporary unencrypted copies remain in the Recycle Bin or VSC gaps.
    • Restore from volume-level backups with immutable retention (WORM or Object Lock; Barrax cannot reach S3 Object-Locked buckets).
  • Essential Tools/Patches for prevention & remediation:
    • Exchange March-2024 Security Update (KB5034123).
    • Microsoft Defender signatures (Engine version 1.1.24030.4 or later) now detect the component MlEngine:AtG/Barrax.A.
    • PaperCut ≥ 22.0.12 or Application Server 23.0.12.
    • CrowdStrike BIOS-Mode rescue ISO and Kaspersky Rescue Disk 2024 both flag Barrax's boot-record infection.

4. Other Critical Information

  • Unique Characteristics:
    • Custom wiper routine: if the endpoint has a SentinelOne or VMware Carbon Black sensor, Barrax uninstalls the agent using leaked vendor uninstall tokens and overwrites ~0.3 % of each file with random bytes before full encryption, producing unrecoverable noise.
    • Targets "hot" endpoints: actively seeks mapped drives to cloud file-sync services such as OneDrive, Egnyte, and Box; augments encrypted blobs with a WMF ransom-image desktop wallpaper.
    • Threat attribution indicators: opsec tags in ransom notes reference "ATG – Adversary Threat Group" (#_DEC-README-HTML.html drops a LiveLeak screenshot suggesting a possible political hacktivist spin).
  • Broader Impact:
    • Over 425 confirmed incidents as published in CISA Alert AA24-031A, with a median downtime of 21.5 days for unprepared organizations.
    • One manufacturing client incurred more than $3 M in IP loss when stolen CAD files were monetized at a dark-web auction prior to encryption (active data exfiltration always runs alongside Barrax encryption).
    • Class-action litigation: at least three U.S. healthcare providers are facing HIPAA violations tied to Barrax breaches, underscoring the need for rapid containment within the first 4 hours.

Key Take-away: Treat Barrax not just as data encryption but as a hybrid extortion campaign. Combine proactive patching of high-impact CVEs, a locked-down backup architecture, and a segmented, credential-hardened administrative plane to tilt the cost-benefit decisively against the adversary.