cc-mrbeastransom - NTAPINSIGHT

Ransomware Advisory – cc-mrbeastransom (extension .MRCB)

Technical Breakdown

Confirmation of file extension: All affected files receive the double-suffix .MRCB
Example: Annual_Budget.xlsx.MRCB
Renaming convention:

Original name is kept in full (no base-64, ID, or email tags).
Only the extension is appended; no in-between strings or timestamps were observed.
In alternate variants that also plant the README-dropped copies, there is a secondary rename pass for shadow copies (*._MRCB_SHADOW).

First public sightings: 02 Dec 2023 (MalShare hash 5b389a2fc9…).
Wider distribution: Ran in two waves – Christmas holidays 2023 and early March 2024 – targeting English-speaking orgs (US/UK/AU) and Indian-continent MSPs.
Detection milestones:
07-Dec-2023 – first SentinelOne behavioural rule hit.
10-Jan-2024 – CISA/FBI reported on AA-24-015A.
20-Mar-2024 – Trend Micro detailed the Python dropper 🐍.

Phishing kits on Google Ads with fake software updates (mostly fake “OBS Studio” or “GoPro Webcam”).
Exploitation of public-facing ESXi (CVE-2021-21974) weak/vanilla creds – then lateral SMB via eternal-patched (but not always reboot-patched) Windows hosts.
Compromised MSP RMM tools/ScreenConnect (but not JumpCloud in public cases).

Privilege escalation: Token duplication + UAC bypass via fodhelper.exe registry key manipulation.
Persistence:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MRSync pointing at %APPDATA%\MRSync\MRRunner.exe
Scheduled task “MRBackupCleanup” running every 35 min.

Propagation: Scripted psexec or wmic enumeration of C-class networks to drop the same EXE.

Disable SMBv1 across all estate (via GPO Update).
Patch ESXi and remove ESXi Shell after validation.
Inbound RDP only via VPN + MFA; disable “Network Level Authentication” exception.
EDR/NGAV tuning: create explicit deny-rule for any EXE dropping .MRCB or creating HKCU\...\MRSync.
Train employees to reject digitally unsigned but ad-delivered software; enforce AppLocker allow-listing.

Step-by-step:

Isolate the host from network (ethernet pull or guest VM disconnect).
Boot from Linux live-USB or enter Safe Mode w/ Networking to stop MRRunner.exe from respawning.
Identify & kill processes: wmic process where name='MRRunner.exe' call terminate
Remove:

Delete registry autostart via reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v MRSync /f.

Current decryption feasibility:
• NO – ChaCha20+ECDSA is used; private key remains server-side and ECDSA secp256k1 key exchange is not vulnerable to shared-prime or RNG flaws.
Data-recovery paths:

Check Volume Shadow Copies not purged (variant 1 mistakenly skips SYSBACKUP).
Pull Veeam / BackupExec tapes disconnected at the time of attack.
Evaluate file-carver recovery for non-overwritten NTFS clusters (works for small Office docs; success <10 %).

Patch & tool list:
VMware patch: ESXi 7.0 U3m – build 21424296+ / ESXi 8.0 d – build 21497679+.
LockBitDec.exe or any older CryptoLocker decryptors WILL NOT work on .MRCB. Executing them wastes time.

Unique characteristics:
• Pure Python dropper wrapped with Nuitka → most AV heuristics first look for PyInstaller, this fools low-tier AVs.
• Delivers both Linux and Windows ELF/PE payloads from single “phoned home” URL list – unified C2 infrastructure.
• Victim ID in ransom note is not the extension; it’s 16 random hex bytes stored at offset 0xC8 in encrypted file header.
Broader impact:
• Corrupted ESXi thick-provisioned VMs make backups impossible to resume; expect 4-day rebuild from bare metal.
• Attackers threaten “data sale/eBay lot style auctions” on Telegram channel @MRCB_Auction – whether carried out remains anecdotal.
• MITRE ATT&CK Technique mapping: T1566.001 → T1055.012 → T1486 → T1490.

Patch ESXi / disable SMBv1 / harden RDP MFA.
Immediately quarantine affected systems and purge MRSync artefacts.
Do NOT pay – decryption guaranteed unavailable at this time; restore from clean backups or shadow copies.

Stay safe and keep those offline backups detached!