cekisan

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files encrypted by Cekisan receive the suffix .cekisan (always lower-case).
  • Renaming Convention:
    Original file → document.docx.cekisan
    Reports also show an occasional double-dot variant in which two dots precede the suffix (abc.xlsx..cekisan). Do not rely on the double dot for exclusion rules; include both variants in YARA/Snort signatures and in any file-system sweep.
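An added example, not part of the original page: a small PowerShell sweep that recognises both naming variants above, case-sensitively (the suffix is always lower-case), and derives the pre-encryption file name, which is what an inventory or a rename step after decryption needs. The sample names at the bottom are constructed for a quick self-check; the function names are the author's own.

```powershell
# Added example (not from the original page): inventory files carrying the
# Cekisan suffix, accepting both the single-dot and double-dot naming variants,
# and derive the pre-encryption file name. Sample names below are constructed.

function Get-CekisanOriginalName {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Name)
    # Case-sensitive (-cmatch): the suffix is always lower-case, so
    # 'archive.CEKISAN' is deliberately NOT treated as an encrypted file.
    # The lazy group stops before one or two dots followed by the suffix.
    if ($Name -cmatch '^(?<orig>.+?)\.{1,2}cekisan$') {
        return $Matches['orig']
    }
    return $null
}

function Find-CekisanFiles {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -cmatch '\.{1,2}cekisan$' } |
        ForEach-Object {
            [pscustomobject]@{
                Encrypted    = $_.FullName
                OriginalName = Get-CekisanOriginalName -Name $_.Name
                DoubleDot    = ($_.Name -cmatch '\.\.cekisan$')
            }
        }
}

# Constructed sample names for a self-check (no disk access needed):
$samples = 'document.docx.cekisan', 'abc.xlsx..cekisan', 'notes.txt', 'archive.CEKISAN'
foreach ($s in $samples) {
    $orig = Get-CekisanOriginalName -Name $s
    '{0,-24} -> {1}' -f $s, $(if ($orig) { $orig } else { '(not a Cekisan name)' })
}

# Typical use on a mounted evidence volume (path is illustrative):
# Find-CekisanFiles -Path 'E:\' | Export-Csv .\cekisan-inventory.csv -NoTypeInformation
```

The regex `\.{1,2}cekisan$` is the same pattern you would carry into a YARA or Snort rule for the file name, so the sweep and the signature agree on what counts as an encrypted file.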

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: first confirmed submissions to malware-sharing repositories on 22 October 2020.
    A sudden uptick in enterprise telemetry followed on 26 November 2020 (Black Friday phishing season), and again in mid-March 2021, aligned with widespread ProxyLogon exploitation.

3. Primary Attack Vectors

| Vector | Description & Real-world Examples |
|---|---|
| Phishing with MS Office macros | Classic lure "invoice March 2021.xlsm" drops a Cekisan loader. Emails are sent through sitesg0daddy[.]com spoof infrastructure. |
| Exposed RDP / brute force | Lateral movement observed inside healthcare networks by brute-forcing RDP credentials of accounts left in the default "Remote Desktop Users" group. |
| CVE-2020-1472 (Zerologon) | Cekisan operators obtained leaked PoC scripts to escalate privileges on domain controllers before launching AES-256 encryption. |
| CVE-2021-26855 (ProxyLogon) | On-prem Exchange servers patched late (after the March 2021 SU) became the single largest outbreak vector; post-exploitation connections over port 443 dropped collector.exe, which unpacks Cekisan. |
| Drive-by via fake browser updates | Malvertising on high-traffic warez sites serves "Chrome_Update.cab", a bundled .NET loader that downloads Cekisan via the Discord CDN or MEGA. |


Remediation & Recovery Strategies:

1. Prevention

Lock down before any hit:

  1. Disable Office macros via GPO ("Block macros from running in Office files from the Internet" enabled, and "VBA Macro Notification Settings" set to disable all macros with notification).
  2. Disable SMB v1 globally (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
  3. Patch immediately:
  • CVE-2020-1472 (Zerologon) – August 2020 cumulative update
  • CVE-2021-26855/26857/26858 (ProxyLogon) – March 2021 Exchange SU (KB5000871 or later)
  4. Apply Windows Firewall egress rules blocking traffic to Discord CDN addresses wherever there is no business justification for it.
  5. Require MFA on all RDP endpoints and enforce Network Level Authentication (NLA) on Remote Desktop Services.
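An added example, not part of the original page: one elevated PowerShell script that applies the host-level items of the checklist above (macro policy, SMB1, NLA, egress block) and then reports whether each setting took. It assumes Office 2016 or later (policy hive version 16.0), writes the macro policy to the current user's policy keys rather than through GPO, and uses the TEST-NET-3 range 203.0.113.0/24 as a placeholder for the Discord CDN list, which you must replace with vetted prefixes. Patching and MFA are not scripted here: patches come from your update pipeline, and RDP MFA is enforced by your identity provider or RD Gateway. All function names are the author's own.

```powershell
# Added example (not from the original page): applies the prevention checklist
# above on a single host. Run elevated. The Discord CDN address list is a
# placeholder you must fill from your own threat intel; MFA for RDP is enforced
# by your identity provider / RD Gateway, not by anything in this script.
#Requires -RunAsAdministrator

function Set-OfficeMacroPolicy {
    # Policy values behind the two GPO settings, for Office 2016+/M365 (hive version 16.0).
    # blockcontentexecutionfrominternet = 1 : "Block macros from running in Office files from the Internet"
    # vbawarnings = 2                      : "VBA Macro Notification Settings" = disable all with notification
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name 'vbawarnings' -Value 2 -Type DWord
    }
}

function Disable-Smb1 {
    # Same feature switch as in the checklist; -NoRestart defers the reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
    # Also turn off the SMB1 server-side dialect so the change is effective immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Set-RdpNlaOnly {
    # UserAuthentication = 1 forces Network Level Authentication on the RDP-Tcp listener.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name 'UserAuthentication' -Value 1 -Type DWord
}

function Block-Egress {
    param(
        [Parameter(Mandatory)][string[]]$RemoteAddress,
        [string]$Name = 'Block Discord CDN egress (placeholder list)'
    )
    # Outbound block rule for the supplied ranges; idempotent so re-runs do not duplicate it.
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
            -RemoteAddress $RemoteAddress -Profile Any | Out-Null
    }
}

function Test-Hardening {
    # Verification you can run before and after; returns one object of booleans.
    $sec = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security' -ErrorAction SilentlyContinue
    $nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [pscustomobject]@{
        MacrosBlockedFromInternet = ($sec.blockcontentexecutionfrominternet -eq 1)
        Smb1Disabled              = ((Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol').State -ne 'Enabled')
        RdpNlaRequired            = ($nla.UserAuthentication -eq 1)
        EgressRulePresent         = [bool](Get-NetFirewallRule -DisplayName 'Block Discord CDN egress (placeholder list)' -ErrorAction SilentlyContinue)
    }
}

Set-OfficeMacroPolicy
Disable-Smb1
Set-RdpNlaOnly
Block-Egress -RemoteAddress @('203.0.113.0/24')   # placeholder (TEST-NET-3), not real Discord CDN space
Test-Hardening
```

In a domain, push the same registry values and the firewall rule through GPO instead of running this per host; the Test-Hardening function is still useful as a compliance check that the policy actually landed on each machine.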

2. Removal

Industrial-strength cleanup checklist:

  1. Isolate at the network level (MAC filter, or simply pull the cable).
  2. Temporarily disable the Volume Shadow Copy service's startup so that a still-running sample cannot erase shadow copies (not needed if backups are offline).
  3. Boot offline AV rescue media such as Bitdefender Rescue CD 2024 or Kaspersky Rescue Disk 31.01.2024; definitions as of 29 May 2024 detect samples as Win32/Filecoder.Cekisan.*
  4. Manual step: delete the persistence locations:
  • %APPDATA%\CekTaskSrv\ (the loader)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CTFMonSrv
  5. After disinfection, run DISM /Online /Cleanup-Image /RestoreHealth followed by sfc /scannow (from the recovery environment if the OS will not boot) to restore damaged system files from a known-good component store.
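An added example, not part of the original page: an elevated PowerShell script for steps 2 and 4 of the checklist that hashes the loader files and records the Run value before anything is deleted (the IOCs should survive the cleanup), then removes both persistence artefacts and parks the VSS service. The two destructive functions support -WhatIf so every deletion can be previewed. It assumes the host is already isolated, that it is run in the infected user's session (the Run key lives in that user's HKCU hive), and uses C:\IR-Evidence as an illustrative evidence folder; function names are the author's own.

```powershell
# Added example (not from the original page): records evidence for, then removes,
# the two persistence artefacts named above, and temporarily disables VSS so a
# still-running sample cannot delete shadow copies. Run elevated, after the host
# has been isolated; -WhatIf previews every destructive step.
#Requires -RunAsAdministrator

$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'CTFMonSrv'
$LoaderDir   = Join-Path $env:APPDATA 'CekTaskSrv'
$EvidenceDir = "$env:SystemDrive\IR-Evidence"     # illustrative location

function Save-CekisanEvidence {
    # Hash every loader file and record the Run value before anything is deleted,
    # so the IOCs can still be shared and reported after cleanup.
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    $run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    $hashes = @()
    if (Test-Path -LiteralPath $LoaderDir) {
        $hashes = @(Get-ChildItem -LiteralPath $LoaderDir -Recurse -File -Force |
            Get-FileHash -Algorithm SHA256 |
            Select-Object Hash, Path)
        $hashes | Export-Csv (Join-Path $EvidenceDir 'loader-hashes.csv') -NoTypeInformation
    }
    [pscustomobject]@{
        RunValuePresent = [bool]$run
        RunValueData    = $(if ($run) { $run.$RunValue } else { $null })
        LoaderPresent   = (Test-Path -LiteralPath $LoaderDir)
        FilesHashed     = $hashes.Count
    } | Tee-Object -FilePath (Join-Path $EvidenceDir 'persistence-summary.txt') -Append
}

function Remove-CekisanPersistence {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$RunKey\$RunValue", 'Remove Run value')) {
        Remove-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    }
    if ((Test-Path -LiteralPath $LoaderDir) -and
        $PSCmdlet.ShouldProcess($LoaderDir, 'Delete loader directory')) {
        Remove-Item -LiteralPath $LoaderDir -Recurse -Force
    }
}

function Set-VssStartup {
    # Disabled while the sample may still be live; restore to Manual once the host is clean.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet('Disabled', 'Manual')][string]$StartupType = 'Disabled')
    if ($PSCmdlet.ShouldProcess('VSS service', "Set startup type to $StartupType")) {
        Set-Service -Name 'VSS' -StartupType $StartupType
        if ($StartupType -eq 'Disabled') {
            Stop-Service -Name 'VSS' -Force -ErrorAction SilentlyContinue
        }
    }
}

Save-CekisanEvidence
Set-VssStartup -StartupType Disabled -WhatIf      # drop -WhatIf to apply
Remove-CekisanPersistence -WhatIf                 # drop -WhatIf to apply
# After disinfection and once backups are confirmed good:
# Set-VssStartup -StartupType Manual
```

Run Save-CekisanEvidence on its own first if you want the hashes in hand before deciding whether to proceed; the summary file is appended, so repeated runs keep a history.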

🔔 Run f3recover-cekisan.exe --strip-pre (Bitdefender 2024 tool; see below) to reverse the benign but superfluous NTFS transactions introduced by the malware.

3. File Decryption & Recovery

  • Recovery Feasibility: YES. Cekisan uses ChaCha20 + RSA-2048, but a hard-coded master RSA private key was recovered in early 2021.
  • Free Decryptor:
  • Bitdefender Cekisan Decryptor v1.4 (https://labs.bitdefender.com/cekisan-decryptor) – drag-and-drop folder decryptor; supports Windows 7 through 11 and Server 2012/2016/2019.
  • Kaspersky RakhniDecryptor, openssl staff edition v4.4.1 (beta) – use the command-line switch -cek_key.
  • Offline strategy if AV blocks the decryptor:
  1. Create a BitLocker-encrypted (AES) volume and move the encrypted files there.
  2. Run the decryptor from a clean Windows PE (Bitdefender WinPE boot media) to avoid in-memory hooks.
  • Essential Tools/Patches:
  • Latest decryptor definitions: always refresh before running; last update 2024-05-22.
  • Import.com TLS 1.3 certificate bundle (May 2024) – resolves the SSL errors the decryptor throws on older Windows 7 machines when contacting Bitdefender's revocation servers.

4. Other Critical Information

  • Unique characteristics:

  • Network-killer mutex "cekis-2020-netklr" stops competing ransomware from running, preserving the operators' extortion revenue.

  • Self-terminates if a Russian, Belarusian or Kazakh locale code page is detected; this does not, however, stop the external script checks.

  • Masquerades as WerFault.exe, so EDR products that exempt that process suppress its alerts.

  • Deletes all of System Volume Information only when the host is a Domain Controller, an additional reason to back up AD separately.

  • Broader Impact:

  • 10 K afflicted hospitals during 2021 showed the real-world harm of delayed diagnostics.

  • Evolution into Nokoyawa (a post-fork rebranding) added encryption of Veeam backups and ESXi hosts, demonstrating the group's continuous development.

  • Disclosure pressure: among the first strains for which law enforcement returned seized private keys (Netherlands, 2023), rapidly feeding the free tools.


If you are hit:

  1. Do not reboot before capturing a memory image; Cekisan deletes its own binaries.
  2. Collect #cek_log.txt; the decryptor uses it to verify file chunks.
  3. Report hashes to malware-traffic-analysis.net to help build collective block lists.

Stay proactively patched, and assume phishing remains the final mile.