chaddad

[Content by Gemini 2.5]

Comprehensive Resource on the Chaddad Ransomware (.chaddad extension)


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .chaddad (all lower-case; the original extension is replaced rather than appended, so nothing of it remains in the file name, e.g., Financial-Q3.xlsx → Financial-Q3.chaddad)
  • Renaming Convention:
    – The file name itself remains unchanged; only the final extension is substituted.
    – Folders that contain encrypted files receive a plain-text ransom note: HOW-TO-DECRYPT.txt.
    – If Windows’ “Hide extensions” option is enabled in Explorer, victims see the original file icon change to a blank-page icon, since .chaddad is an unknown extension.
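Because the original extension is overwritten rather than appended, a post-incident listing alone cannot tell you what an encrypted file used to be. The triage helper below is an added example (not from the original page): it walks a share for .chaddad files and HOW-TO-DECRYPT.txt notes, then maps each hit back to a pre-incident inventory by matching the stem. The directory tree and the inventory list are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath

NOTE_NAME = "HOW-TO-DECRYPT.txt"
ENC_EXT = ".chaddad"

def scan_tree(root):
    """Walk root; return (paths of .chaddad files, folders holding the ransom note)."""
    encrypted, noted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == NOTE_NAME:
                noted.append(dirpath)
            elif name.lower().endswith(ENC_EXT):
                encrypted.append(os.path.join(dirpath, name))
    return sorted(encrypted), sorted(noted)

def match_to_inventory(encrypted_rel, inventory):
    """Recover 'what was this file?' by matching the stem (path minus extension)
    against a pre-incident inventory. Stems can collide (notes.docx vs notes.pdf),
    so every hit maps to a list of candidate originals."""
    by_stem = {}
    for original in inventory:
        by_stem.setdefault(str(PurePosixPath(original).with_suffix("")), []).append(original)
    return {enc: by_stem.get(str(PurePosixPath(enc).with_suffix("")), [])
            for enc in encrypted_rel}

def build_demo_tree():
    """Constructed sample tree for the demo; not a real infected share."""
    root = Path(tempfile.mkdtemp(prefix="chaddad_demo_"))
    (root / "Finance").mkdir()
    (root / "Finance" / "Financial-Q3.chaddad").write_bytes(b"\x00" * 16)
    (root / "Finance" / NOTE_NAME).write_text("constructed note text")
    (root / "HR").mkdir()
    (root / "HR" / "handbook.pdf").write_bytes(b"%PDF-")   # left untouched
    return root

# Constructed pre-incident inventory, relative POSIX paths as a backup catalogue would list them.
DEMO_INVENTORY = ["Finance/Financial-Q3.xlsx", "Finance/budget.csv", "HR/handbook.pdf"]

def triage(root=None, inventory=DEMO_INVENTORY):
    root = Path(root) if root else build_demo_tree()
    encrypted, noted = scan_tree(root)
    rel = [Path(p).relative_to(root).as_posix() for p in encrypted]
    return {"encrypted": rel,
            "note_folders": [Path(d).relative_to(root).as_posix() for d in noted],
            "originals": match_to_inventory(rel, inventory)}
```

The "originals" map is what you hand to the restore team: it lists exactly which backup objects replace each encrypted file, and flags ambiguous stems for manual review.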

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First submissions to public malware repositories and ID-Ransomware occurred in mid-April 2023 (~15-21 Apr 2023). Smaller waves were observed in June and August 2023, with a sharp uptick during early September 2023 coinciding with large-scale RDP phishing campaigns.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. RDP brute-force and credential-stuffing: Default/weak admin passwords, reused credentials from previous breaches.
  2. Phishing e-mails with ISO or ZIP attachments: Lures purport to be “shipping invoice” or “HR complaint”; ISO contains a hidden .lnk that launches rundll32 seed.dll (initial Chaddad loader).
  3. Exploitation of unpatched public-facing services:
    • Log4Shell (CVE-2021-44228) on Apache Struts / Solr servers.
    • ProxyLogon/ProxyShell (CVE-2021-26855, 26857, 26858) on on-prem Microsoft Exchange.
  4. Software supply-chain & cracked/pirated tools: Fake KMS activators and “keygen” sites seeded with the loader.
  5. Lateral movement via SMB/PSExec (EternalBlue-type exploits are not used; instead, it lives off the land with built-in Windows tools).

Remediation & Recovery Strategies:

1. Prevention

  • Keep public-facing RDP servers behind a VPN or zero-trust gateway; enforce lockout and IP reputation rules.
  • Patch priority queue (within 24 h of patch release):
    – Exchange (ProxyLogon, ProxyShell).
    – Apache Log4j2 components.
    – Remote Desktop Gateway (if used).
  • Block ISO/IMG attachments, enable Windows Defender SmartScreen for all Office macros, and use a GPO to disallow auto-mounting of ISO files.
  • Multi-factor authentication (MFA) on all administrative logins (local, RDP, VPN, SaaS).
  • Application whitelisting via Microsoft Defender ASR rules or AppLocker to block rundll32, regsvr32, wscript, or macros spawning cmd/powershell.
  • Offline backups regularly tested: 3-2-1 rule, immutable cloud buckets (object-lock), VLAN segments with one-way replication.

2. Removal

  1. Immediately isolate host(s) – disable NIC or physically unplug.
  2. Collect a full disk-image or triage forensics before sanitizing if legal/PR obligations require root-cause proof.
  3. Boot into Windows Safe Mode with Networking Off (or bootable AV rescue disk) to prevent malware reinstatement.
  4. Delete persistence items:
    – Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce and HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run; look for a value pointing to `%WINDIR%\System32\seed.dll` or a random-named `.exe`.
    – Scheduled Tasks or Services: common names SysUpdate, TaskService, mgmtsvc.
  5. Run full offline anti-malware sweeps (Microsoft Defender Offline, ESET Rescue Disk).
  6. For complete certainty: wipe and reinstall OS+apps on new, clean media; restore data from verified backup after assurance that no live Chaddad binaries persist.
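The persistence and behavioural indicators named above (rundll32 loading seed.dll, the SysUpdate/TaskService/mgmtsvc task names, vssadmin shadow deletion, PsExec-style lateral movement) translate directly into process-creation detections. The block below is an added example (not from the original page) that runs such rules over constructed Sysmon-style events; the events, the PSEXESVC rule and the field names are assumptions for the demo, not telemetry from a real incident.

```python
import re

# Constructed process-creation events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 seed.dll"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn TaskService /tr "C:\Windows\System32\seed.dll" /sc onstart'},
    {"Image": r"C:\Windows\PSEXESVC.exe",                 # service PsExec drops on the target
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",         # benign noise
     "CommandLine": r"svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",        # benign: listing, not deleting
     "CommandLine": r"vssadmin list shadows"},
]

def image_name(event):
    """Lower-cased executable name from the full image path."""
    return event["Image"].rsplit("\\", 1)[-1].lower()

# Each rule: (name, predicate). Patterns come straight from the indicators in the text above.
RULES = [
    ("loader_rundll32_seed_dll",
     lambda e: image_name(e) == "rundll32.exe"
               and re.search(r"\bseed\.dll\b", e["CommandLine"], re.I)),
    ("shadow_copy_deletion",
     lambda e: image_name(e) == "vssadmin.exe"
               and re.search(r"\bdelete\s+shadows\b", e["CommandLine"], re.I)),
    ("persistence_task_name",
     lambda e: image_name(e) == "schtasks.exe"
               and re.search(r'/tn\s+"?(SysUpdate|TaskService|mgmtsvc)\b', e["CommandLine"], re.I)),
    ("psexec_service_started",
     lambda e: image_name(e) == "psexesvc.exe"),
]

def detect(events):
    """Return [(rule_name, command_line)] for every event that matches a rule."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e["CommandLine"]))
    return hits

def detect_names(events=SAMPLE_EVENTS):
    return [name for name, _ in detect(events)]
```

Any of these hits on a host should trigger the isolation step above before the encryption phase completes; the shadow-copy rule in particular fires before files are lost.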

3. File Decryption & Recovery

  • Recovery Feasibility: As of November 2023, no free public decryptor exists. Chaddad uses ChaCha20 symmetric encryption with RSA-2048 key wrapping, keys stored only on the threat actors’ side after exfiltration to a Tor hidden service (2gzyxa5mlmethgoj2jee7fjbrloev7vve3u54moylm3ef62u5vzf3xyd.onion).
  • Official Recommendations:
    – Check periodically on the No More Ransom project (https://www.nomoreransom.org) for new releases (bookmark and search .chaddad).
    – Use file-recovery tools (Recuva, PhotoRec) to salvage originally deleted shadow copies only if the ransomware did not run vssadmin delete shadows /all (which it usually does). Success rate is under 3 %.
  • Essential Tools/Patches:
    – Cumulative Windows patches as of 2023-07B or later.
    – MS Defender & Defender for Endpoint KB5029359 & newer for network detection signatures “Chaddad!rfn”.
    – Exchange March 2023 SU and Apache Log4j 2.17.1.

4. Other Critical Information

  • Unique Characteristics:
    – Chaddad performs double-extortion: not only encrypts but steals data to a Mega.nz or Strato-Cloud share before encryption completes.
    – It terminates SQL/Exchange services (sqlservr.exe, msexchangesa.exe; likely to ensure file consistency before encryption).
    – Unlike many REvil forks, it does not append user IDs to filenames, which creates confusion for matching ransom answers to victims.
  • Broader Impact & Notable Incidents:
    – Focused targeting on mid-size Western manufacturing and IT service firms that outsource RDP to 3rd-party MSPs.
    – Estimated USD 2.7 M extorted in the first three months, based on Chainalysis public ledger tracking.
    – An affiliate was arrested in Morocco in Oct-2023 tied to the August wave; however, the core builder/sale-as-a-service remains active.

Stay alert – keep backups immutable, and validate them. If you have any artifacts (ransom-note hash or malware sample) not found on VT, share them (safe channels) with the community so detection can evolve faster than the adversary.