calum

[Content by Gemini 2.5]

========================================================

Comprehensive Resource – Ransomware Identified by the .calum File Extension

Technical Breakdown

1. File Extension & Renaming Patterns

Confirmation of File Extension: Every encrypted file receives the fixed suffix “.calum”, appended after the original extension rather than replacing it.
Example: Report.xlsx → Report.xlsx.calum
Renaming Convention: No prefix, victim ID or base64 hash is added; the appended extension is the only change to the filename. The original filename is additionally stored in a metadata header inside the encrypted blob, so the ransomware does not depend on the filename to restore files after payment.

2. Detection & Outbreak Timeline

First Public Sample: 22 Mar 2024 (uploaded to VirusTotal, internal name field: calum.exe).
Initial Victim Spike: 02–06 May 2024 – multiple tech-forum threads report infections after exploiting CVE-2023-34362.
Broader Campaign Wave: June–Aug 2024 – phishing and RDP brute-force attacks started to outpace vulnerability-exploitation incidents.

3. Primary Attack Vectors

| Mechanism | Details & Examples | Typical Tell-tales |
|---|---|---|
| Ivanti Endpoint Manager (EPM) 2022 SU5–SU6, unauthenticated SQL injection | Drops a PowerShell loader (ZWscript.ps1) that fetches and runs calum.exe | POST /tvs/api/v1/notification answered with 200 and Set-Cookie: App-JSESSIONID= |
| MOVEit Transfer, CVE-2023-34362 (SQLi → remote code execution) | Same chain as the 2023 Cl0p campaigns, but stages calum.exe in the Windows %TEMP% folder | Log entries “User database query failed with 945” |
| Phishing e-mail with ISO/IMG attachments | ISO posing as “Zoom Client Security Update”; inside is an AutoIt-compiled calumdrop.exe | Sender IPs from privateemail.com, DKIM failure, subject line “Critical Update – 24-06-2024” |
| Exposed RDP (TCP 3389) + credential stuffing | After an RDP login succeeds, a script disables Windows Defender through the registry and spreads calum.exe with PsExec | Burst of failed-logon events (4625) followed by a special-privileges logon (4672) listing SeBackupPrivilege |
| Cracked-software distribution sites | Obfuscated installer drops calum.exe under %ProgramData%\TempUpdater | Downloads from getwinsoft[.]net, unziputil[.]xyz |
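The RDP tell-tale in the last column can be checked mechanically. The PowerShell below is an added example written for this page, not code from the original or from any vendor tooling: it reads 4625/4672 events from the Security log and flags every privileged logon that was preceded by a burst of failed logons for the same account. The thresholds (10 failures within 10 minutes) and the constructed sample events are assumptions for illustration.

```powershell
# Added example (not from the original page). Correlates a burst of failed
# logons (Event 4625) with a subsequent privileged logon (Event 4672) for the
# same account. 4672 carries no source IP, so the join is on account name and
# the IPs reported come from the preceding 4625 events. Thresholds are
# assumptions: tune $MinFailures / $WindowMinutes for your estate.

function Find-BruteForceThenPrivLogon {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Id, TimeCreated, Account, SourceIp, Privileges
        [int] $MinFailures   = 10,
        [int] $WindowMinutes = 10
    )
    $hits = @()
    foreach ($p in ($Events | Where-Object { $_.Id -eq 4672 })) {
        $windowStart = $p.TimeCreated.AddMinutes(-$WindowMinutes)
        $failures = @($Events | Where-Object {
            $_.Id -eq 4625 -and
            $_.Account -eq $p.Account -and
            $_.TimeCreated -ge $windowStart -and
            $_.TimeCreated -le $p.TimeCreated
        })
        if ($failures.Count -ge $MinFailures) {
            $hits += [pscustomobject]@{
                Account     = $p.Account
                SourceIp    = ($failures | Select-Object -ExpandProperty SourceIp -Unique) -join ','
                Failures    = $failures.Count
                PrivLogonAt = $p.TimeCreated
                # the table's tell-tale: SeBackupPrivilege in the 4672 privilege list
                HasBackupPriv = [bool]($p.Privileges -match 'SeBackupPrivilege')
            }
        }
    }
    return $hits
}

# Live collection (run elevated; needs Audit Logon success+failure enabled).
# 4625 names the attacked account in TargetUserName; 4672 names it in SubjectUserName.
function Get-LogonEvents {
    param([datetime] $Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4672; StartTime = $Since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Id          = $_.Id
                TimeCreated = $_.TimeCreated
                Account     = if ($_.Id -eq 4625) { $d['TargetUserName'] } else { $d['SubjectUserName'] }
                SourceIp    = $d['IpAddress']
                Privileges  = $d['PrivilegeList']
            }
        }
}

# Constructed sample events (not real telemetry) so the correlation runs offline:
$t0 = Get-Date '2024-06-03T02:10:00'
$sample = @()
foreach ($i in 1..12) {
    $sample += [pscustomobject]@{ Id = 4625; TimeCreated = $t0.AddSeconds(5 * $i); Account = 'backupadmin'; SourceIp = '203.0.113.45'; Privileges = $null }
}
$sample += [pscustomobject]@{ Id = 4672; TimeCreated = $t0.AddMinutes(2); Account = 'backupadmin'; SourceIp = $null; Privileges = 'SeBackupPrivilege SeRestorePrivilege' }
$sample += [pscustomobject]@{ Id = 4672; TimeCreated = $t0.AddMinutes(3); Account = 'svc_monitor'; SourceIp = $null; Privileges = 'SeSecurityPrivilege' }

Find-BruteForceThenPrivLogon -Events $sample | Format-Table -AutoSize
```

Against the sample data this yields one row: backupadmin, 12 failures from 203.0.113.45, HasBackupPriv true; svc_monitor has no preceding failures and is not flagged. To run it on a host, replace `$sample` with `Get-LogonEvents -Since (Get-Date).AddDays(-7)`. A legitimate admin who mistypes a password a few times will not reach the threshold, but service accounts with broken stored credentials can, so review hits rather than auto-blocking on them.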

Remediation & Recovery Strategies

1. Prevention

  1. Patch immediately:
    • Ivanti EPM 2022: apply SU7 or later (release note dated 12-Apr-2024), which closes the unauthenticated SQL injection in SU5–SU6 listed in the vector table. Note that CVE-2023-34362 is the MOVEit Transfer bug, not an Ivanti one.
    • MOVEit Transfer: CVE-2023-34362 was fixed by Progress on 31 May 2023 in 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5) and 2023.0.1 (15.0.1). Any instance still below those versions in 2024 is trivially exploitable; upgrade to a supported release.
  2. Disable RDP where it is not needed; otherwise expose it only behind VPN + MFA and configure account lockout after repeated failures.
  3. Enforce PowerShell Constrained Language Mode domain-wide to break the early-stage loader. CLM is switched on by an application-control policy (AppLocker or WDAC, deployable through GPO), not by a standalone GPO setting; enable script block logging (Event 4104) at the same time so loaders such as ZWscript.ps1 are recorded.
  4. Mail-filter rules: quarantine .img, .vhd and .iso attachments by default; block macro-enabled documents from external senders.
  5. EDR + rules: add the YARA rule below to on-access real-time scanners. Note that $s1 is an OpenSSL import string found in many benign binaries, so the rule requires both strings; $key alone is the calum-specific indicator.
   rule calum_ransomware_sig {
       meta:
          author = "Community"
          desc = "Early-stage calum binary"
       strings:
          $key = "SOFTWARE\\calumKey\\secRsa" wide   // registry path used by calum.exe
          $s1 = "EVP_EncryptInit_ex" ascii            // generic OpenSSL import, weak on its own
       condition:
          // PE check on the MZ magic only; bytes 3-4 (e_cblp) are not fixed, so
          // matching { 4D 5A 90 00 } would miss some valid PE files
          uint16(0) == 0x5A4D and all of them
   }

2. Removal

Step 1: Isolate the host (pull the cable / disable Wi-Fi). Do not power it off if you intend to capture memory first.
Step 2: Run a Microsoft Defender Offline scan (Start-MpWDOScan from an elevated PowerShell; the machine reboots into the offline environment), or, from Safe Mode with Networking, a full scan with MpCmdRun.exe -Scan -ScanType 2 (ScanType 3 is a custom path scan and requires -File).
Step 3: List scheduled tasks and remove the malicious ones (schtasks /Query /FO LIST /V | findstr /I calum).
Named variants: \Microsoft\Windows\SystemRestore\SRAutoDefense (decoy) and \_ptasks.CoreEngine.
Step 4: Delete the persistence registry values:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoSvcUpdate
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\caluminator
Step 5: Check for DLL sideloading via %SystemRoot%\System32\avscc.dll; if the file is present and does not carry a valid Microsoft Authenticode signature, replace it with a copy from a known-good system.
Step 6: Reboot and rerun a full EDR scan to confirm no residual binaries. No reference SHA-256 for calum.exe has been published, so rely on Authenticode: an executable in the drop locations (%TEMP%, %ProgramData%\TempUpdater) with a missing or invalid signature is a leftover.
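Steps 3 to 6 can be scripted as a single read-only triage pass. The following PowerShell is an added example for this page, not a tool from the original or from any vendor: it enumerates the task names, Run values and DLL path listed above, checks Authenticode rather than a hash (no reference hash is published), and deletes nothing unless -Remove is given. Run it from an elevated prompt. The task-name patterns, drop directories and the 'Microsoft' signer check are assumptions taken from the steps and the vector table.

```powershell
# Added example (not from the original page). Read-only triage of the calum
# persistence locations named in the removal steps; pass -Remove to clean up.
# Assumptions: task names/paths and Run values as listed above; a legitimate
# System32 DLL carries a valid Microsoft Authenticode signature.

function Invoke-CalumTriage {
    param([switch] $Remove)

    $findings = @()

    # Step 3: the two named decoy tasks plus anything whose name or action mentions calum
    $tasks = Get-ScheduledTask | Where-Object {
        $_.TaskName -match 'calum|^SRAutoDefense$|^_ptasks\.CoreEngine$' -or
        (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ') -match 'calum'
    }
    foreach ($t in $tasks) {
        $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Item = "$($t.TaskPath)$($t.TaskName)" }
        if ($Remove) { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false }
    }

    # Step 4: Run-key values
    $runEntries = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'autoSvcUpdate' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'caluminator' }
    )
    foreach ($e in $runEntries) {
        $val = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
        if ($null -ne $val) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Item = "$($e.Key)\$($e.Name) = $($val.($e.Name))" }
            if ($Remove) { Remove-ItemProperty -Path $e.Key -Name $e.Name }
        }
    }

    # Step 5: a sideloaded avscc.dll will not carry a valid Microsoft signature.
    # Never deleted automatically: confirm against a known-good host first.
    $dll = Join-Path $env:SystemRoot 'System32\avscc.dll'
    if (Test-Path $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += [pscustomobject]@{ Type = 'SuspectDll'; Item = "$dll ($($sig.Status))" }
        }
    }

    # Step 6: unsigned executables in the drop locations from the vector table
    foreach ($dir in @($env:TEMP, (Join-Path $env:ProgramData 'TempUpdater'))) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in (Get-ChildItem -Path $dir -Filter *.exe -File -ErrorAction SilentlyContinue)) {
            $s = Get-AuthenticodeSignature -FilePath $f.FullName
            if ($s.Status -ne 'Valid') {
                $findings += [pscustomobject]@{ Type = 'UnsignedExe'; Item = "$($f.FullName) ($($s.Status))" }
                if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
            }
        }
    }

    return $findings
}

Invoke-CalumTriage | Format-Table -AutoSize
```

Run it once without -Remove and keep the output with the case notes; the Item column gives the exact task path, registry value and file for each finding. Unsigned executables in %TEMP% are common on developer machines, so review that category before rerunning with -Remove, and do not let the script stand in for the full EDR scan in Step 6: it only covers the locations this page names.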

3. File Decryption & Recovery

Recovery Feasibility: As of 15-Jan-2025, files encrypted by calum cannot be decrypted without the attacker’s RSA-2048 private key.
• No implementation flaw (predictable key generation, key reuse, key material left on disk) has been found.
• There is no free decryptor. The “Avast tool” circulating on forums turned out to be a repacked STOP/Djvu decryptor and does not work on .calum files.
Restoring from offline or immutable backups is the only guaranteed route.

Tools/patches that matter even though they don’t decrypt:
Ivanti fix: SU7 disables the vulnerable endpoint entirely.
Latest Windows cumulative update (Nov 2024): addresses two LSASS memory-disclosure bugs abused for lateral movement.
Volume Shadow Copies: after disinfection, check whether any shadow copies survived (vssadmin list shadows) and mount the most recent clean one; most ransomware deletes them before encrypting, so treat this as a bonus rather than a plan. BitLocker protects data at rest and does not help with recovery here.

4. Other Critical Information

Silent Mode Kill-Switch: calum.exe reads the registry value HKLM\SOFTWARE\…\calumKey\disableIss before encrypting. A DWORD of 1 prevents encryption on new executions only; it does not stop a run already in progress and does not restore already-encrypted files. Because the value lives under HKLM, the command needs an elevated (administrator) prompt; it can be pushed fleet-wide as a GPO registry preference. Usage example:

   reg add "HKLM\SOFTWARE\calumKey" /v disableIss /t REG_DWORD /d 1 /f

Ransom Note Dropper:

  • Filename: README_CALUM.txt, dropped on the desktop and in the root of every drive.
  • Contact is a plain e-mail address (obfuscated as [email protected] in this copy) rather than a Tor portal, a deviation from current families.
  • The note promises that the operators will stand down if the victim negotiates within 72 hours, but they have repeatedly ignored that promise after payment.

Notable Geography: June 2024 campaigns strongly targeted municipal governments in Central & Eastern Europe (Poland, Czechia, Romania) and midsize accounting firms in North America.

Bottom line: .calum acts like a “greatest hits” compilation—borrows proven vectors, applies modern encryption (AES-256 file key + RSA-2048 attacker key) and leaves behind no technical decryptor path. Focus on rapid patching (Ivanti/MoveIT against initial foothold) and immutable/offline backups to stay ahead of this threat.