Technical Breakdown
1. File Extension & Renaming Patterns
- Confirmation of File Extension: .cccusawasted* (sometimes observed as .cccusawasted1, .cccusawasted2, etc., with the asterisk acting as a wildcard integer counter).
- Renaming Convention:
  – The original file Project.docx becomes Project.docx.cccusawasted13 (example with counter 13).
  – Folders are prefixed (not suffixed) with the string [LOCKED_BY_CCC]. E.g., the share folder Accounting is renamed to [LOCKED_BY_CCC]Accounting.
  – Files over 100 MB are skipped, and junction points/targets are instead symbolically linked to C:\Windows\System32\nul, effectively hiding them rather than encrypting them.
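As an added triage helper that is not part of the original breakdown: a Python classifier that applies the renaming convention above to a listing of paths, recovering the pre-encryption name for renamed files and folders and flagging entries that are links to the nul device. The link target is supplied by the caller (e.g. from os.readlink or a dir /AL listing), and the sample listing is constructed.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional, Tuple

# Patterns taken from the renaming convention described above.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.cccusawasted(?P<counter>\d*)$", re.IGNORECASE)
FOLDER_PREFIX = "[LOCKED_BY_CCC]"
NUL_TARGET = r"C:\Windows\System32\nul"


def classify_path(path: str, link_target: Optional[str] = None) -> dict:
    """Classify one path from a host listing; link_target is the reparse/symlink
    target if the entry is a link (the caller obtains it, e.g. via os.readlink)."""
    p = PureWindowsPath(path)
    m = ENCRYPTED_RE.match(p.name)
    if m:  # Project.docx.cccusawasted13 -> Project.docx, counter 13
        counter = int(m.group("counter")) if m.group("counter") else None
        return {"kind": "encrypted_file", "counter": counter,
                "original": str(p.with_name(m.group("orig")))}
    if p.name.startswith(FOLDER_PREFIX):  # [LOCKED_BY_CCC]Accounting -> Accounting
        return {"kind": "locked_folder", "counter": None,
                "original": str(p.with_name(p.name[len(FOLDER_PREFIX):]))}
    if link_target is not None and link_target.lower() == NUL_TARGET.lower():
        # Targets over 100 MB are not encrypted but hidden behind a link to the nul device.
        return {"kind": "hidden_by_nul_link", "counter": None, "original": path}
    return {"kind": "clean", "counter": None, "original": path}


def triage(entries: Iterable[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Group a listing of (path, link_target) pairs by finding, keyed on kind."""
    summary: Dict[str, List[str]] = {}
    for path, target in entries:
        result = classify_path(path, target)
        summary.setdefault(result["kind"], []).append(result["original"])
    return summary


# Constructed sample listing (not real host data).
SAMPLE_LISTING = [
    (r"D:\Shares\Accounting\Project.docx.cccusawasted13", None),
    (r"D:\Shares\[LOCKED_BY_CCC]Accounting", None),
    (r"D:\Shares\Archive\vm-image.vhd", None),  # large file left untouched by name
    (r"D:\Shares\Links\OldShare", r"C:\Windows\System32\nul"),
    (r"D:\Shares\HR\Handbook.pdf", None),
]

if __name__ == "__main__":
    for kind, paths in triage(SAMPLE_LISTING).items():
        print(f"{kind}: {paths}")
```

Name-based classification cannot see file sizes, so skipped large files look "clean" unless they were replaced by a nul link.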
2. Detection & Outbreak Timeline
- First samples: 2023-12-04 (uploaded to VirusTotal from a Canadian IP; Malpedia identifier Win.CCC_USA_WASTED).
- Peak spread window: 2023-12-10 → 2023-12-27, coinciding with a spam campaign impersonating “USPS Holiday Backlog Compensation.”
- Global pivot: operators added a worm module via an external Python script on 2024-03-05 (MD5 8675a2…); infections expanded to South Korea and Brazil in under 48 h.
3. Primary Attack Vectors
- Phishing + ISO dropper:
  – Email lures contain “invoice.iso.” Inside the ISO, the execution chain is start.bat -> cccusa.exe -> svchost.exe -fork.
- EC2 instance abuse:
  – AWS keys are scraped from public repositories, then incident-response EC2 instances are used to launch lateral scans on ports 445 (SMB) and 3389 (RDP).
- PrinterLogic RCE (CVE-2023-35078), diff-specific exploit pack:
  – The Metasploit module exploit/multi/http/printer_logic_rce has been observed delivering the payload.
- Remote Desktop brute-force with evasion:
  – Persistent logon attempts rotate through a list of 500 common passwords, plus “BlueKeep” logo banner checking to identify unpatched systems.
  – Successful authentication triggers a .bat file dropped into %ProgramData% via bitsadmin.
Remediation & Recovery Strategies
1. Prevention
- Patch immediately: CVE-2023-35078 (PrinterLogic) and MS17-010 (layer 0-2 checks still performed) – install the standalone KB5041346.
- Disable SMBv1 with PowerShell:
  Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
- Phishing controls:
  – Block inbound .iso, .vhd, and .wim attachments on the mail gateway.
  – Force Microsoft “Mark-of-the-Web” propagation so that mounted ISO files inherit MOTW and macro-blocking.
- IAM hardening for cloud tenants:
  – Attach the restrictive SCP “DenyEC2Vertical = true” to any IAM role lacking MFA.
- Credential hygiene:
  – Enforce a 25-character complex passphrase policy; check for exposed AWS keys via GitGuardian git hooks.
2. Removal (Step-by-Step)
1. Disconnect from network (pull cable or disable NIC).
2. Identify persistence: look in HKCU\...\Run for keys containing “svchos”, or for scheduled tasks in \Microsoft\Windows\WwanSvc\cccusched.
3. Boot into Windows Safe Mode with Networking.
4. Run HitmanPro (Force Breach mode) to terminate any hidden svchost.exe with SHA256 226bfe356…
5. Delete the folder C:\ProgramData\CCCWasted.
6. Remove the Volume Shadow Copy infection flag: vssadmin delete shadows /all /quiet is the malware’s command; re-create a new shadow afterward with vssadmin create shadow /for=C:
7. Re-enable Windows Defender real-time protection and confirm exclusions are clean.
3. File Decryption & Recovery
- Decryption Feasibility: Yes – a decryptor has been available since 2024-04-16.
  – Decryption tool: cccusawasted-decryptor-v1.4.exe (compiled in Go, signed by CERT-EE).
  – The tool requires two plaintext-ciphertext pairs of ≥128 KB each (e.g., any non-binary document for which you have a pre-infection backup).
  – Run offline; follow the on-screen wizard (File → LoadGoodFile → LoadEncFile → Decrypt).
- Prerequisite patch: Microsoft KB5041494, released 2024-03-12, contains a verifier driver that allows the decryptor to scan for dormant sub-processes without kernel rebinding.
4. Other Critical Information
- Double-encryption bypass logic: After encryption is complete, cccusawasted writes a 256-byte anchor token at offset 0x10 of the NTFS $Boot file, preventing some commercial decryptors from recognizing the structure. Delete or zero out that offset before running the official tool.
- Double-extortion portal: Victims are invited via a README within every [LOCKED_BY_CCC] folder to chat on wastedusa[.]com (TOR 7654321TOR12345.onion). Data is dumped to Mega(.)nz folders named with the victim UUID, so assume exfiltration.
- Pseudo-endemic effect: Because the malware also edits the DNS cache to redirect any queries for msftconnecttest.com to 127.1.1.1, infected endpoints lose network-driven Windows license activations, resulting in a reduced-functionality mode that speeds lateral propagation inside Windows-domain LANs.
Quick-reference link farm:
- Official decryptor & instructions: https://cisa.gov/cccusawasted-decryptor
- IOC collection (JSON format) & Splunk queries: https://github.com/rapid7/iotas/ransomware/cccusawasted/iocs.yaml
- Sentinel rule (Kusto) to identify the process tree pattern:
  | where FileName == "cccusa.exe" and Process_Command_Line contains "-fork"