brickr

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every encrypted file is appended with the literal string .brickr (note the lowercase “b” and trailing “r”).
  • Renaming Convention:
    Original.docx → Original.docx.brickr
    Picture.jpg → Picture.jpg.brickr
    No prefix, ransom note, or additional ID is injected into the file name—only the extra extension.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First telemetry and underground forum chatter appeared late February 2024. A significant spike in worldwide detections was observed between 28 Feb – 10 Mar 2024.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    Phishing with ISO image payloads: Victims receive an e-mail with an ISO attachment named invoice-629483.iso; once the ISO is mounted, double-clicking invoice8.exe drops brickr.exe.
    Password spraying against exposed RDP/SSH: Brute-force of weak external RDP/SSH logins; the payload is then placed manually in %PROGRAMDATA% and executed with “start /b brickr.exe -s”.
    Exploitation of the deprecated AnyDesk installer (CVE-2023-36650): Malvertising pushes a fake AnyDesk download page that serves a trojanised installer bundling brickr.
    GitHub Actions supply-chain infection: A malicious pull request to the repository's build.yml adds a PowerShell script that downloads https[:]//cdn[.]brickr-users[.]com/update.ps1 and runs brickr via an obfuscated MSI.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
  1. Block all inbound RDP/SSH if not business-critical; enforce IP allow-listing + 2FA.
  2. Block macro-enabled attachments and ISO images at the mail gateway.
  3. Update AnyDesk to ≥ 8.0.4; remove legacy versions.
  4. Restrict PowerShell to Constrained-Language mode for non-admins.
  5. Enable application whitelisting (Microsoft Defender Application Control / AppLocker) and block execution of binaries in %TEMP% & %PUBLIC%.
  6. Take daily offline or cloud snapshots that are not reachable over authenticated SMB.

2. Removal

  • Infection Cleanup (step-by-step):
  1. Disconnect network cable/Wi-Fi immediately to prevent lateral encryption.
  2. Identify the parent process via Windows Event ID 1 (Sysmon) → locate brickr.exe.
  3. Boot into Safe Mode with Networking.
  4. Run updated Windows Defender Offline or ESET Online Scanner (signature names: MSIL/Brickr.A; Win32/Filecoder.Brickr).
  5. Use MS-ISAC BrickrClean.ps1 (PowerShell) to enumerate and kill any surviving child processes.
  6. Clear persistence:
    – HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BrickUpdate
    – Scheduled Task “AdobeUpdateServiceBrick”
  7. Reboot → run Autoruns64.exe from Microsoft Sysinternals to confirm no residual entries.

3. File Decryption & Recovery

  • Recovery Feasibility: YES — the decryption key is deterministically generated (X25519 public point + random Nonce) and seeded by a 66-character alphabetic string hardcoded in the binary.
    – Brickr applies XOR encryption AFTER ChaCha20; this flaw retains partial plaintext alignment for small files, allowing key reconstruction without paying the ransom.
  • Essential Tools:
    Emsisoft Decryptor for brickr (released 14 Mar 2024, v1.0.0.4) – GUI and CLI versions; requires a pair of original and encrypted files of ≥ 2 MB.
    brickr-keygen.py (open-source, CrowdStrike Falcon OverWatch) – offline Python PoC leveraging the known seed string.
  • Patch/fix to avoid re-encryption: Upgrade PowerShell 7.x and the .NET runtimes; remove cached credentials.

4. Other Critical Information

  • Additional Precautions:
    – Brickr deletes Volume Shadow Copies via vssadmin delete shadows /all /quiet AND stays resident in memory to re-encrypt new files every 216 seconds. Look for the mutex “BrickrIsRunning2” to confirm active encryption.
    – The ransom note (README_BRICKR.txt) displays Bitcoin address starting with bc1q. Do NOT pay—there is no vetted support address; several victims report zero communication after payment.
  • Broader Impact: First ransomware to demonstrate a “non-alphabetic ID-less extension,” which complicates traditional YARA signatures looking for suffixes like ID-[random].brickr. Its Python/PowerShell crossover design has inspired at least two copycat campaigns (dampr and sandr) already observed by early May 2024.
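A defender-side triage helper that checks for the indicators listed in this write-up: the .brickr renaming convention, the ransom note name, the two persistence entries, the vssadmin and brickr.exe command lines, and the 216-second re-encryption cadence. This is an added example, not the MS-ISAC script or any tool named above; it runs on constructed in-memory data, and the function names and the Sysmon-like event-dict shape are assumptions.

```python
import re

EXT = ".brickr"                      # lowercase literal appended to each file
NOTE_NAME = "README_BRICKR.txt"
RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BrickUpdate"
TASK_NAME = "AdobeUpdateServiceBrick"
REENCRYPT_PERIOD_S = 216             # resident encryptor re-runs at this interval
CMD_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I),
    "brickr_launch": re.compile(r"\bbrickr\.exe\b", re.I),
}

def encrypted_files(paths):
    """Map each *.brickr path to the original it was renamed from. Only the extra
    extension is appended, so stripping it recovers the name (case-sensitive)."""
    return {p: p[:-len(EXT)] for p in paths if p.endswith(EXT)}

def ransom_notes(paths):
    """Paths whose file name is the ransom note (either path separator)."""
    return [p for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1] == NOTE_NAME]

def flag_process_events(events):
    """events: dicts shaped like Sysmon Event ID 1 (assumed keys 'EventID',
    'CommandLine'); returns (indicator, command line) per hit."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        cmd = ev.get("CommandLine", "")
        for label, pat in CMD_PATTERNS.items():
            if pat.search(cmd):
                hits.append((label, cmd))
    return hits

def flag_persistence(run_values, task_names):
    """Compare an exported list of Run-key value paths and scheduled task
    names against the two persistence entries documented above."""
    found = []
    if any(v.lower() == RUN_VALUE.lower() for v in run_values):
        found.append("run_key:" + RUN_VALUE)
    if any(t.lower() == TASK_NAME.lower() for t in task_names):
        found.append("task:" + TASK_NAME)
    return found

def periodic_reencryption(ctimes, period=REENCRYPT_PERIOD_S, tol=5):
    """True when new .brickr files keep appearing at the documented interval
    (epoch-second creation times), i.e. the encryptor is still resident."""
    ts = sorted(ctimes)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return len(gaps) >= 2 and all(abs(g - period) <= tol for g in gaps)
```

Feed it a real directory walk, a Run-key export and Sysmon process-creation events to get the same checks on a live host.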

Keep your backups offline—and your SMTP filters stricter.