carver

[Content by Gemini 2.5]


Technical Breakdown: Carver Ransomware

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    Carver appends “.carver” in lowercase to every encrypted file. For example, QuarterlyFinance.xlsx becomes QuarterlyFinance.xlsx.carver.

  • Renaming Convention:
    The ransomware keeps the original file name and path intact. No random prefixes, base-64 strings, or internal IDs are inserted; the sole modification is the extra four characters appended after the final period.


2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    The first public sightings of .carver-encrypted machines were in late August 2022, with a notable spike during September-October 2022 when more distribution channels came online. Activity has continued in waves (tracker names: “wave 2” in January 2023 and “wave 2.5” in May 2023).

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. E-mail Phishing with ISO & CHM payloads – small (< 1 MB) ISO or CHM attachments launch PowerShell droppers as soon as the user opens them (on Windows 10+ a double-click auto-mounts the ISO).
  2. Microsoft SQL Server Exploits – known use of xp_cmdshell on servers exposed to the Internet (ports 1433 / 1434) where weak or default sa passwords exist.
  3. Remote Desktop Protocol (RDP) Brute-Force – leverages leaked credential lists; lateral movement follows once a single host is compromised.
  4. Drive-by Download via Fake Software Updates – malicious search-result ads for VLC, Microsoft Office, or GPU drivers push NSIS installers that sideload the Carver encryptor.
  5. Exposed GoAnywhere MFT and Fortinet SSL VPNs – exploitation of unpatched CVE-2023-0669 and CVE-2022-42475 respectively to drop the initial loader into %TEMP%\wudp.exe.

Remediation & Recovery Strategies

1. Prevention

  • Proactive Measures:
    • Patch Windows and SQL servers; disable xp_cmdshell (EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;).
    • Block outbound NTLM over HTTP (MITM risk) and enable RDP NLA + MFA.
    • Restrict Office macro execution and the opening of CHM and ISO files via Group Policy, and leave the “Mark-of-the-Web” bypass settings disabled.
    • Implement network segmentation so database servers cannot directly reach user workstations.
    • Maintain offline, password-protected backups with immutable storage (object-lock S3, tape, Wasabi bucket-backup).
    • Use EDR or Windows Defender ASR rules: “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” and “Block persistence through WMI event subscription”.

2. Removal

  • Infection Cleanup:
  1. Isolate – immediately disable the NIC or cut the network/vport on the hypervisor.
  2. Itemize – list IOCs:
    • registry persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\udpsdw
    • scheduled task: UpdateCheck (triggers %APPDATA%\udpsdw.exe)
    • dropped copy: %APPDATA%\udpsdw.exe (SHA-256: 46b9…b8af)
  3. Boot into Safe Mode with Command Prompt and run Windows Defender Offline scan or a reputable AV boot kit (Avira, Bitdefender).
  4. Delete scheduled tasks and registry entries above; use autoruns.exe (Sysinternals) to confirm.
  5. Patch or re-image affected machines (Carver also drops a Cobalt Strike beacon for follow-on activity).
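The itemize and confirm steps above, as an added Python triage helper that is not part of this write-up: it applies the listed indicators (the Run value, the UpdateCheck task, %APPDATA%\udpsdw.exe, the .carver extension) plus the rclone-as-svchost.exe, WinRing0x64.sys and shadow-copy-wipe behaviours described under Unique Characteristics to inventories an analyst has exported from a host. The inventories are constructed samples, the user name jdoe is hypothetical, and the rule that a genuine svchost.exe lives under System32 or SysWOW64 is a general heuristic not stated on this page.

```python
import ntpath

# Indicators are those given in the write-up; the inventories are constructed samples ("jdoe" is hypothetical).
RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\udpsdw"
TASK_NAME = "UpdateCheck"
DROPPED_COPY = r"%APPDATA%\udpsdw.exe"
BYOVD_DRIVER = "winring0x64.sys"
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def original_name(path):
    # Undo the rename: Carver only appends ".carver", name and path are kept.
    return path[:-len(".carver")] if path.lower().endswith(".carver") else None

def triage(files, autoruns, tasks, processes, drivers, cmdlines):
    # One finding string per indicator hit; an empty list means nothing seen.
    findings = []
    encrypted = [p for p in files if original_name(p)]
    if encrypted:
        findings.append(f"{len(encrypted)} .carver file(s), e.g. {encrypted[0]}")
    for key, value in autoruns:        # HKCU Run persistence
        if key.lower() == RUN_VALUE.lower():
            findings.append(f"run key {key} -> {value}")
    for name, action in tasks:         # scheduled task that relaunches the dropper
        if name == TASK_NAME or action.lower() == DROPPED_COPY.lower():
            findings.append(f"task {name} -> {action}")
    for name, path in processes:       # rclone.exe masquerading as svchost.exe
        if (name.lower() == "svchost.exe"
                and ntpath.dirname(path).lower() not in LEGIT_SVCHOST_DIRS):
            findings.append(f"svchost.exe outside System32: {path}")
    for path in drivers:               # BYOVD driver used to blind EDR (wave 2.5)
        if ntpath.basename(path).lower() == BYOVD_DRIVER:
            findings.append(f"BYOVD driver loaded: {path}")
    for line in cmdlines:              # shadow-copy wipe that removes the last fallback
        if "vssadmin" in line.lower() and "delete shadows" in line.lower():
            findings.append(f"shadow copy wipe: {line}")
    return findings

SAMPLE = dict(   # constructed: one benign and one suspicious entry per source
    files=[r"D:\Finance\QuarterlyFinance.xlsx.carver", r"D:\Finance\notes.txt"],
    autoruns=[(RUN_VALUE, r"C:\Users\jdoe\AppData\Roaming\udpsdw.exe"),
              (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync", r"C:\Tools\sync.exe")],
    tasks=[("UpdateCheck", r"%APPDATA%\udpsdw.exe"), ("Backup", r"C:\Tools\backup.exe")],
    processes=[("svchost.exe", r"C:\Windows\System32\svchost.exe"),
               ("svchost.exe", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe")],
    drivers=[r"C:\Windows\System32\drivers\ntfs.sys", r"C:\Users\Public\WinRing0x64.sys"],
    cmdlines=["cmd.exe /c vssadmin delete shadows /all /quiet", r"notepad.exe C:\x.txt"],
)

def run_sample():
    return triage(**SAMPLE)   # expected: six findings on the constructed sample
```

Feed it the real exports (autoruns CSV, Get-ScheduledTask, process and driver lists) from the isolated host in place of SAMPLE; any non-empty result is a reason to re-image rather than clean.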

3. File Decryption & Recovery

  • Recovery Feasibility:
    Decryption is currently impossible without paying the attackers, because Carver uses ChaCha20 + RSA-2040 hybrid encryption and generates unique host keys on a secure server (no offline private key is stored locally).
    No public decryptor exists for the .carver key-on-demand scheme as of June 2024.
    • Once volume shadow copies have been wiped (vssadmin delete shadows /all) and no offline backup survives, only the attacker’s private key can unlock the data.

  • Essential Tools/Patches:
    • Tool/Script: ShadowCopy scanner (check for surviving snapshot copies).
    • Tool: ElcomSoft Proactive Password Auditor to gauge SQL password strength before an attacker does.
    • Patches: MS-SQL KB5021125, Fortinet FortiOS 7.0.10, Windows February 2023 cumulative update (SMB client/server hardening).
    • Backup verification: run robocopy in list-only mode (robocopy <backup> <clean-set> /L /MIR /FFT) to compare the backup against a known-clean set, and add /XF *.carver so files that already carry the extension are flagged rather than restored; this weeds out corrupt or double-encrypted copies.

4. Other Critical Information

  • Unique Characteristics:
    • Double-extortion: before encryption, Carver exfiltrates screenshots, SQL backups, and Git repos via rclone.exe renamed to look like svchost.exe. The threat actors now leak a “carver-pw” Tor-hidden pastebin listing non-payers.
    • Kernel abuse with BYOVD: in wave 2.5 the dropper installs WinRing0x64.sys to disable EDR and suppress process-kill alerts.
    • Checksum map left behind: %PUBLIC%\readme.html contains base-64 encoded, encrypted checksums; they are not directly readable, but they help investigators fingerprint the host key.

  • Broader Impact:
    Carver’s operators have targeted mid-size MSPs hosting small- to mid-size businesses. A publicized breach at one MSP in October 2022 affected 200 downstream clients (dental offices and car dealerships), amplifying the collateral damage and flooding local incident-response teams with simultaneous cases. Recovery costs for a typical 50-seat office have averaged US $110k (Coveware incident report Q4 2022).


Stay safe – maintain robust backups, keep patches current, and train users to think twice before double-clicking mystery attachments.