beijing

[Content by Gemini 2.5]

Ransomware.beijing – Complete Mitigation & Recovery Guide

(created for the CyberSec-Community, v1.1 – 18 Jun 2024)


Technical Breakdown

1. File Extension & Renaming Patterns

| Item | Detail |
|---|---|
| File extension | “.beijing” – the string is appended as a secondary extension (e.g., budget_2024.xlsx.beijing). |
| Renaming convention | {original_filename}.{original_extension}.beijing – no semi-random ID is inserted between the original extension and the new suffix, which is a quick visual differentiator from many Dharma/Phobos clones. |
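As an added example (not part of the original guide), a small Python triage helper that applies the renaming convention above to a file inventory: it separates .beijing-renamed files from Dharma/Phobos-style names that carry an id token, recovers the original file name for each hit, and tallies original extensions so a responder can see which file types were hit. The sample paths are constructed; the id-token regex used to recognise the Dharma/Phobos family is this example's own assumption, not something the guide specifies.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ntpath import basename  # Windows-style path splitting that works on any OS

# Renaming convention from the guide: {original_filename}.{original_extension}.beijing
# Nothing sits between the original extension and the suffix.
BEIJING_RE = re.compile(
    r"^(?P<original>.+\.(?P<ext>[A-Za-z0-9]{1,10}))\.beijing$", re.IGNORECASE
)

# Assumption of this example: Dharma/Phobos-family names insert an id token (and
# usually a contact e-mail) before the final suffix; the guide calls out its
# absence as the quick visual tell for .beijing.
ID_TOKEN_RE = re.compile(r"\.id[-_][0-9A-Fa-f]{6,}", re.IGNORECASE)


@dataclass(frozen=True)
class EncryptedFile:
    path: str            # path as seen on the host
    original_name: str   # name to restore to once a clean copy is located
    original_ext: str    # lower-cased original extension, for prioritisation


def classify(filename: str) -> str:
    """Bucket one file name as 'beijing', 'id-style' (Dharma/Phobos-like) or 'clean'."""
    if ID_TOKEN_RE.search(filename):
        return "id-style"
    if BEIJING_RE.match(filename):
        return "beijing"
    return "clean"


def triage(paths):
    """Group a list of full paths (e.g. a file-server inventory) by renaming pattern.

    Returns a dict with EncryptedFile records for .beijing hits, plain path lists
    for the other two buckets, and a Counter of original extensions so the
    responder can see whether database files (.mdf/.ndf/.bak) dominate.
    """
    result = {"beijing": [], "id-style": [], "clean": [], "by_original_ext": Counter()}
    for path in paths:
        name = basename(path)
        bucket = classify(name)
        if bucket == "beijing":
            m = BEIJING_RE.match(name)
            ext = m.group("ext").lower()
            result["beijing"].append(EncryptedFile(path, m.group("original"), ext))
            result["by_original_ext"][ext] += 1
        else:
            result[bucket].append(path)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; not real victim data.
    sample = [
        r"C:\Finance\budget_2024.xlsx.beijing",
        r"D:\SQL\sales.mdf.beijing",
        r"D:\SQL\sales_log.ndf.beijing",
        r"E:\Backups\full.bak.beijing",
        r"C:\Users\a\report.docx.id-1A2B3C4D.[help@example.test].phobos",
        r"C:\Windows\notepad.exe",
        r"C:\Temp\RECOVER-FILES-BEIJING.txt",
    ]
    t = triage(sample)
    for f in t["beijing"]:
        print(f"{f.path} -> restore as {f.original_name}")
    print("original extensions:", dict(t["by_original_ext"]))
```

The ransom note itself (RECOVER-FILES-BEIJING.txt) and anything without an original extension deliberately land in the clean bucket, so the restore list contains only files the convention says were renamed.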

2. Detection & Outbreak Timeline

| Event | Date |
|---|---|
| First public incident | 07 Feb 2024 (reported by Korea Internet & Security Agency – KISA) |
| Surge in the wild | 12-15 Feb 2024, following the delivery of spear-phishing lures related to Chinese New Year travel advisories (tagged as “Travel-Safety-Beijing-2024.doc”). |
| Peak infections | 20 Feb – 05 Mar 2024; steadily declining since 25 Apr 2024 due to broad e-mail-filtering signature deployments by ESG and Microsoft 365 Defender. |

3. Primary Attack Vectors

  1. Phishing (≈ 75 % of cases) – Weaponized RTF attachments with OLE-embedded Moniker CLSID exploits for CVE-2023-36884 (Microsoft Office RCE), chained to an HTA payload (trip_details.hta).
  2. External RDP / VNC brute-forcing (≈ 15 %) – Once inside, lateral movement via Impacket's wmiexec.py; no credential dumping is required because the binary runs as SYSTEM.
  3. Software supply chain (QQSoft Update) – Seen in at least one incident, traced to trojanised QQ Browser update-server mirrors (the mirrors went down after 18 Feb).
  4. EternalBlue & SMBv1 – Optional worm component (filename: beijingWrap.exe), dropped only when the lateral scan finds TCP/445 listening; a fallback vector rather than the core propagation method.

Remediation & Recovery Strategies

1. Prevention

| Tactical Action | What to Do (one-liner) |
|---|---|
| Patch ASAP | Windows 10/11, Office, and Exchange: latest cumulative WSUS stack + Office July 2024 patches (deliver the CVE-2023-36884 fix). |
| Disable SMBv1 & old protocols | Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
| Re-enforce e-mail filtering | Create Transport Rules against attached RTF files containing OLE objects labelled PidTagAttachMimeTag = "application/rtf", and block HTA/JS inside container archives. |
| Harden RDP | NLA mandatory; lock to a custom high port behind VPN + IP whitelisting; 14-char+ passwords; account-lockout threshold 5. |
| Application control | Enforce Microsoft Defender Application Guard or “Deny all unsigned binaries under C:\ProgramData” via AppLocker (Sysmon optional, for visibility). |
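Added example, not from the original guide: a Python attachment-policy check along the lines of the e-mail-filtering row above. It flags RTF content that contains OLE-object control words, RTF content hiding behind a non-.rtf file name (the lure is described above as a .doc), and HTA/JS members inside zip container archives. The RTF and zip samples are constructed stubs with no exploit content; the \object, \objemb and \objdata control words come from the RTF format itself, while the lenient `{\rt` header match and the finding names are this example's own choices.

```python
import io
import zipfile

# Word's RTF reader is lenient about the header, so match on the "{\rt" prefix
# rather than insisting on the full "{\rtf1" (choice of this example).
RTF_PREFIX = b"{\\rt"
# RTF control words that introduce an embedded OLE object.
OLE_MARKERS = (b"\\object", b"\\objemb", b"\\objdata")
# Script types the guide says to block when they arrive inside container archives.
BLOCKED_INNER_EXT = (".hta", ".js")


def inspect_attachment(filename, data):
    """Apply the attachment policy to one attachment (name plus raw bytes).

    Returns a list of finding strings; an empty list means the attachment passes.
    """
    findings = []
    lower_name = filename.lower()
    if data.lstrip().lower().startswith(RTF_PREFIX):
        body = data.lower()  # lower-case so case-mangled control words are still caught
        if any(marker in body for marker in OLE_MARKERS):
            findings.append("rtf-with-ole-object")
        if not lower_name.endswith(".rtf"):
            # RTF content behind a .doc/.docx name matches the lure pattern described above
            findings.append("rtf-content-with-non-rtf-extension")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                if member.lower().endswith(BLOCKED_INNER_EXT):
                    findings.append(f"script-in-archive:{member}")
    return findings


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used here only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): an RTF with an empty OLE-object stub, a
# benign RTF, and a zip carrying a file named like the HTA payload mentioned above.
RTF_WITH_OLE = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}"
RTF_CLEAN = b"{\\rtf1\\ansi Quarterly memo text only.}"
ZIP_WITH_HTA = make_zip({"itinerary.pdf": b"%PDF-1.4 placeholder", "trip_details.hta": b"<html></html>"})

if __name__ == "__main__":
    for name, blob in [("Travel-Safety-Beijing-2024.doc", RTF_WITH_OLE),
                       ("memo.rtf", RTF_CLEAN),
                       ("trip.zip", ZIP_WITH_HTA)]:
        print(name, "->", inspect_attachment(name, blob) or "pass")
```

Because the check keys on content rather than on the declared MIME type or extension, a mislabelled attachment is caught by the same rule as a correctly labelled one; a gateway rule based only on PidTagAttachMimeTag would miss the .doc-named RTF.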

2. Removal

  1. Isolate – Physically disconnect the NIC or shut off WLAN to prevent encryption of network shares.
  2. Kill beijing processes – Open Task Manager, find beijing.exe, beijingWrap.exe and trojan_hta.exe, and terminate them.
  3. Delete scheduled tasks – schtasks /Delete /TN "\Microsoft\Windows\IME\IME-Refresh" (malicious) and \Microsoft\Windows\Ras\RasBackup (persistence).
  4. Registry cleanup –
     HKEY_CURRENT_USER\SOFTWARE\beijing_key (stores AES-256 private key material)
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\beijingService – driver service that handles the shadow-copy wipe; delete it only after confirming the service is stopped.
  5. Volume Shadow Copy rollback before reboot: vssadmin restore shadow /shadow=\\?\GLOBALROOT\Device\... (if copies survived) – only possible after step 2.
  6. Run a reputable offline AV tool (ESET Offline, Bitdefender Rescue CD) to quarantine remnants (beijing_service.dll, empty prefetch).

3. File Decryption & Recovery

| Scenario | Feasibility / Tool |
|---|---|
| Automated decryptor? | NO known public decryptor as of 18 Jun 2024 (uses Curve25519 + ChaCha20 on individual files). |
| Offline key? | Carries a unique campaign ID and an RSA-2048 key per victim; no single global key. Brute-forcing is infeasible. |
| Free recovery avenues | Check for Shadow Copies that survived vssadmin delete shadows /all /quiet (about 35 % of surveyed victims located recoverable snapshots). |
| Reluctant payment? | Ransom note (RECOVER-FILES-BEIJING.txt) demands 1.2 BTC (~$78k); the trend is ≈ 0.7 USD/MB. Even if paid, the support e-mail [email protected] remains offline 90 % of the time (vendor reputation decline). Advise against paying, based on documented non-delivery. |

Must-have tools/patches

  1. Windows Cumulative Security Updates KB5034441 (Win10) & KB5034439 (Win11) – patch CVE-2023-36884.
  2. Microsoft Defender Antivirus platform 4.18.2403.3+ (signatures included in definition v1.403.970.0, released 01 Mar 2024).
  3. Official ESET Cleaner for Beijing build 1.0.0.4 (no dependency on activation, free).
  4. ShadowExplorer 0.9 – GUI way to restore older VSS copies for non-technical users.

4. Other Critical Information

Wiper module – Overwrites the HDD backup (.wim) that contains the OEM factory partition → destructive in same-day infections that evade detection.
Exotic feature: drops the TinyPIXEL backdoor (tpiah.dll) in %ProgramData%\Intel\ and uses the legitimate Intel ME Update service to reach out to 217.12.204[.]113:443, likely for further threat-actor persistence.
Notable observed sectors: 38 % healthcare (mid-tier hospitals), 12 % governmental education authorities in Chongqing. Culminated in the temporary outage of Chongqing Municipal Hospital patient records on 01 Mar 2024.
TTPs resemble Conti-lite – faster-propagating (4-6 hrs) and selective encryption of the file extensions .mdf, .ndf and .bak first. This implies a database-vandalism focus first, documents later.
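Added example, not part of the original guide, covering the indicators listed under Removal (process names, scheduled tasks, registry keys, remnant DLL) and the backdoor DLL and C2 endpoint in this section: a Python sweep that matches them against endpoint telemetry. The log lines are constructed, and the key=value layout and field names (image, parentimage, targetfilename, imageloaded, taskname, targetobject, destinationip, destinationport) are this example's own Sysmon-like convention rather than any product's real export format; the folding of HKU\<SID>\... back to HKCU\... reflects how Sysmon reports per-user registry hives.

```python
import re

# Indicators quoted from the Removal and Other Critical Information sections of this
# guide, lower-cased for matching. Registry keys are stored with abbreviated hives.
IOCS = {
    "process": {"beijing.exe", "beijingwrap.exe", "trojan_hta.exe"},
    "file": {"beijing_service.dll", "tpiah.dll", "recover-files-beijing.txt"},
    "task": {r"\microsoft\windows\ime\ime-refresh", r"\microsoft\windows\ras\rasbackup"},
    "registry": {r"hkcu\software\beijing_key",
                 r"hklm\system\currentcontrolset\services\beijingservice"},
    "network": {"217.12.204.113:443"},
}

# Constructed key=value event lines in a Sysmon-like shape (assumed format); not from a real host.
SAMPLE_LOG = [
    r'2024-02-20T10:01:02Z host=WS-17 event=ProcessCreate image="C:\Users\a\AppData\Local\Temp\beijingWrap.exe" parentimage="C:\Windows\System32\mshta.exe"',
    r'2024-02-20T10:01:05Z host=WS-17 event=RegistryValueSet targetobject="HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\beijing_key\k"',
    r'2024-02-20T10:01:09Z host=WS-17 event=TaskCreated taskname="\Microsoft\Windows\IME\IME-Refresh"',
    r'2024-02-20T10:02:30Z host=WS-17 event=NetworkConnect image="C:\Windows\System32\svchost.exe" destinationip=217.12.204.113 destinationport=443',
    r'2024-02-20T10:03:00Z host=WS-17 event=ProcessCreate image="C:\Windows\System32\notepad.exe" parentimage="C:\Windows\explorer.exe"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HIVES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm", "hkey_users": "hku"}


def parse_event(line):
    """Split one key=value line into a dict with lower-cased keys; quoted values may contain spaces."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def file_name(path):
    """Last path component, lower-cased; tolerates either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def norm_registry(path):
    """Lower-case, abbreviate the hive, and fold HKU\\<SID>\\... back to HKCU\\..."""
    hive, _, rest = path.lower().partition("\\")
    hive = HIVES.get(hive, hive)
    if hive == "hku":
        _sid, _, rest = rest.partition("\\")
        hive = "hkcu"
    return f"{hive}\\{rest}"


def match_event(fields):
    """Return [(category, indicator), ...] for every indicator the event touches."""
    hits = []
    for key in ("image", "parentimage"):
        name = file_name(fields.get(key, ""))
        if name in IOCS["process"]:
            hits.append(("process", name))
    for key in ("targetfilename", "imageloaded"):
        name = file_name(fields.get(key, ""))
        if name in IOCS["file"]:
            hits.append(("file", name))
    task = fields.get("taskname", "").lower()
    if task in IOCS["task"]:
        hits.append(("task", task))
    if "targetobject" in fields:
        reg = norm_registry(fields["targetobject"])
        for ioc in IOCS["registry"]:
            if reg == ioc or reg.startswith(ioc + "\\"):  # the key itself or any value beneath it
                hits.append(("registry", ioc))
    if "destinationip" in fields:
        dest = f'{fields["destinationip"]}:{fields.get("destinationport", "")}'
        if dest in IOCS["network"]:
            hits.append(("network", dest))
    return hits


def sweep(lines):
    """Run every line through match_event and keep only events with at least one hit."""
    alerts = []
    for line in lines:
        fields = parse_event(line)
        hits = match_event(fields)
        if hits:
            alerts.append({"host": fields.get("host"), "event": fields.get("event"), "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in sweep(SAMPLE_LOG):
        print(alert)
```

Matching on registry key prefixes rather than exact paths means a value write such as ...\beijingService\ImagePath is caught as well as creation of the key itself, and the per-user hive folding keeps the HKEY_CURRENT_USER indicator from the Removal section usable against telemetry that names the hive by SID.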

Stay vigilant, patch early, segment critical data, keep immutable offline backups, and share IOCs generously with your SOC/FI.