Ransomware Deep-Dive: caleb (*.caleb)
Technical Breakdown
1. File Extension & Renaming Patterns
- Confirmation of File Extension: Victim files are appended with the extension `.caleb`.
- Renaming Convention: `original_name.ext` → `original_name.ext.caleb`
  – No embedded victim-ID string, email address, or numeric suffix.
  – Directory-wide renaming occurs near the end of encryption (after the payload has enumerated drives and mapped shares).
2. Detection & Outbreak Timeline
- First Public Samples: December 2023 during a spike of double-extortion incidents against North-American and European mid-size firms.
- Rapid Adoption: Affiliates were observed on Russian-language crime forums pushing the builder kit as “Caleb 2.0” in February 2024, coinciding with new propagation modules.
3. Primary Attack Vectors
- Phishing-Debut Campaign: Malicious OneNote attachments (`.one`) containing embedded HTA scripts that launch a PowerShell stager. Subject lines impersonate invoice disputes or shipping estimates.
- RDP Credential Abuse: Brute-forced or previously stolen credentials are used to move laterally inside victim environments. Caleb then uses PsExec and WMI to launch the payload on additional hosts.
- Fortinet, Ivanti & Citrix Gaps: Exploitation of disclosed CVEs on appliances that were left unpatched or exposed their management interface to the internet: CVE-2022-40684 (FortiOS/FortiProxy authentication bypass), CVE-2023-3519 (Citrix ADC/NetScaler Gateway remote code execution) and CVE-2023-34362, which is the Progress MOVEit Transfer SQL-injection flaw rather than an Ivanti or Citrix issue; no Ivanti CVE is actually listed.
- Living-off-the-Land Side-Loading: Once inside, a signed updater binary side-loads `propsys.dll` to inject the encryptor in memory; no single self-contained EXE is written to disk, thwarting some EDR detections.
Remediation & Recovery Strategies
1. Prevention
- Immediate Hardening Priorities
- Patch Fortinet/Ivanti/Citrix gateways and restrict their admin HTTP(S) ports to a management network rather than the internet.
- Enforce MFA on remote-desktop gateways (no exceptions).
- Block dangerous embedded file types (.hta, .vbs, .js, .exe) in OneNote via Office Group Policy. OneNote has no macro engine, so the relevant control is the embedded-file block list, not macro settings.
- Segment LAN-to-LAN traffic; block SMB (TCP 445) between VLANs.
- Ensure backups follow "3-2-1 + 1" (three copies, two media, one off-site, plus one offline copy or immutable cloud snapshot).
2. Removal
| Step | Action | Rationale |
|---|---|---|
| 1. Disconnect & Isolate | Pull the network cable or disable the NIC; take shares offline. Do not power off (see the reminder at the end). | Stops further encryption and exfiltration while preserving volatile memory. |
| 2. Build Incident Kit | USB with a live Linux image, a reputable bootable scanner (e.g., ESET SysRescue Live) and the current C2 IOC list. | Keeps the operating-system image undisturbed for forensics. |
| 3. Identify Persistence | Look for `svchost.exe` child processes, or look-alike names, started from non-native directories (e.g., `C:\ProgramData\sv_host.exe`); genuine `svchost.exe` runs only from `System32`/`SysWOW64`. | The Caleb sample names its dropper to masquerade as the legitimate Windows service host. |
| 4. Reboot to WinRE / Safe Mode | Boot to Safe Mode, run a WinPE-based AV scan, then delete or quarantine the findings. | Safe Mode loads only core drivers and services, so the dropper's persistence entries and its .NET-dependent loader do not start. |
| 5. Change All Admin Credentials | Reset simultaneously across AD, hypervisors and network storage; reset the krbtgt account twice. | Assume the attacker dumped NTDS.dit before encryption and holds every domain credential. |
3. File Decryption & Recovery
- Is Decryptable? No. Caleb uses Curve25519 key agreement with ChaCha20-Poly1305 authenticated encryption, and the private key material never leaves the attackers' control, so nothing on the victim host can recover the file keys.
- When a Public Decryptor Appears: Watch the No More Ransom project alerts (Emsisoft, Bitdefender and Kaspersky publish their decryptors there); none has been released for Caleb so far.
- Recovery Options
  - Restoration from Backup:
    - Validate backup integrity against the SHA-256 checksums recorded at backup time.
    - Mount the restored set in an isolated VLAN first to verify the malware has been purged before restoring to production.
  - Shadow Copy / Previous Versions: Caleb deletes the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VolSnap` entry. Check `vssadmin list shadows` for any surviving snapshots (note that `vssadmin resize shadowstorage` is itself a common snapshot-deletion trick, so a shrunk shadow-storage quota is an indicator, not a recovery step), or carve the NTFS `$UsnJrnl` forensically to locate snapshot data that was not overwritten.
  - Proven Decryptor Tools: None currently known; ignore "CalebDecrypt2024.exe" files circulating on download and forum sites and treat them as malware.
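The backup-validation bullet above assumes a checksum manifest exists and that someone actually diffs it before a restore. The following is an added example for this page, not code from the original write-up or from any backup product: it writes a `sha256sum`-style manifest for a backup tree, then re-verifies the tree and additionally reports any file carrying the ransomware extension, since a backup job that ran after encryption began will faithfully copy `.caleb` files in. The backup set, the tampering and the manifest name are all constructed for the demonstration.

```python
"""Verify a backup tree against a SHA-256 manifest before restoring (added example)."""
import hashlib
import tempfile
from pathlib import Path

RANSOM_EXT = ".caleb"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(root: Path, manifest: Path) -> int:
    """Record '<sha256>  <relative/path>' for every file under root; returns the file count."""
    lines = [f"{sha256_file(p)}  {p.relative_to(root).as_posix()}"
             for p in sorted(root.rglob("*")) if p.is_file()]
    manifest.write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_backup(root: Path, manifest: Path) -> dict:
    """Compare the tree to the manifest and flag ransomware artefacts.

    Returns lists keyed 'ok', 'modified', 'missing', 'unexpected' and 'encrypted'.
    """
    expected = {}
    for line in manifest.read_text().splitlines():
        if line.strip():
            digest, _, rel = line.partition("  ")
            expected[rel] = digest
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "encrypted": []}
    for rel, digest in expected.items():
        p = present.get(rel)
        if p is None:
            report["missing"].append(rel)
        elif sha256_file(p) == digest:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    for rel in sorted(present):
        if rel not in expected:
            report["unexpected"].append(rel)
        if rel.endswith(RANSOM_EXT):
            report["encrypted"].append(rel)
    return report


def is_restorable(report: dict) -> bool:
    """A set is fit to restore only if nothing is altered, absent or already encrypted."""
    return not (report["modified"] or report["missing"] or report["encrypted"])


def demo() -> dict:
    """Constructed scenario: manifest taken at backup time, then the set is tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "finance").mkdir(parents=True)
        (root / "finance" / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"budget-data" * 100)
        (root / "finance" / "notes.txt").write_bytes(b"quarterly notes\n")
        manifest = Path(tmp) / "MANIFEST.sha256"  # kept outside the tree it describes
        write_manifest(root, manifest)
        # Post-compromise: one file encrypted and renamed in place, one silently altered.
        (root / "finance" / "budget.xlsx").rename(root / "finance" / "budget.xlsx.caleb")
        (root / "finance" / "notes.txt").write_bytes(b"quarterly notes\nTAMPERED\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    r = demo()
    print(r)
    print("restorable:", is_restorable(r))
```

The manifest only proves anything if it was produced before the intrusion and stored where the attacker could not rewrite it alongside the data, which is the point of the offline or immutable copy in the "3-2-1 + 1" rule above.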
- Essential Patches/Tools
- FortiOS 7.0.11+ or 7.2.5+
- Ivanti CSA 9.2R11.4+
- Citrix ADC/NetScaler 13.1-49.13+ (13.1-48.47 predates the CVE-2023-3519 fix)
- Microsoft Defender 1.387.2406+ signature release (adds “Trojan:Win64/Caleb.Lurent!MTB”).
4. Other Critical Information
- Data-Exfiltration Coupled: Caleb operators exfiltrate .pdf, .docx, .dwg and .xlsx files before encryption via RClone to Mega and to private rsync servers. Threat-leak site: `c-db7c4ftfupq7qnoz.onion`.
- Unique Characteristics: Uses API-call obfuscation via D/Invoke (.NET delegates) and Microsoft Detours hooks to hide file-system I/O. Deletes Windows ReFS checkpoint metadata to discourage recovery scripts.
- Broader Impact: First group to bypass EDR application control via the Windows Update Standalone Installer (`wusa.exe`) to side-step block lists; resulted in CISA alert AA23-347A and a joint FBI/UK-NCSC advisory in March 2024.
- Double-Failure Pricing Model: Increases the ransom by 30 % after the first missed payment deadline and threatens publication; 97 % of known victims who refused to pay have had their data leaked in full to date.
Reminder: If a ransom demand is received, preserve the complete email headers (including DKIM signatures and SPF results) and do NOT power off affected devices. Isolate them from the network instead and capture a memory image: volatile memory may still hold encryption keys, and a saved image can make lawful decryption possible later if the operators' infrastructure is seized or a flaw in the variant is found.