charck

[Content by Gemini 2.5]

Below is end-to-end intelligence on the ransomware that appends “.charck” to every encrypted file.


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact File Extension: .charck
  • Renaming Convention:
    • EICAR test.txt → EICAR test.txt.charck
    • report.xlsx → report.xlsx.charck
    (No other prefixes, suffixes, or email addresses are placed in the file name—a hallmark of the Stop/Djvu family, of which Charck is a late-2019 variant.)

2. Detection & Outbreak Timeline

  • First Observed: Campaigns spreading “.charck” first appeared on 8 July 2019 (Hive-IOCs submitted 09-Jul-2019 01:07 UTC). Peak activity occurred throughout July–August 2019, with continued low-volume infections into 2020 via “crack” and “keygen” bundles.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. Software Bundles: Masquerades as keygens/cracks for Adobe Photoshop, Ableton, Microsoft Office, and video-game mods (distributed through ad-powered blogs, torrents, Discord, and YouTube download links).
    2. Exploit Kit rotation: At the time of release, leveraged RIG EK (Flash CVE-2018-15982) for limited web-based drops.
    3. Social Engineering: E-mails with ZIP attachments (Ticket_<number>.zip → .exe) containing the Charck loader.
    4. No worming modules: infection is always user-assisted (manual execution or script launch).

Remediation & Recovery Strategies

1. Prevention

• Block “.charck” signatures at the perimeter (Emsisoft, Bitdefender, Sophos).
• Disable macro execution and enforce the MS Office block on macros in files that carry the “Mark of the Web”.
• Remove local-admin rights from daily-use accounts.
• Patch Windows Installers and script hosts—many variants originate via Windows Installer execution (msiexec /i setup.msi /q).
• Application whitelisting or Windows Defender Application Control (WDAC) stops unsigned keygens/cracks.

2. Removal

  1. Disconnect the machine from the network immediately.
  2. Power-off and boot from a trusted offline media (WinPE, ESET SysRescue, or Bitdefender Rescue CD).
  3. Run a full offline scan using one of the updated Stop-Djvu removers (Emsisoft Emergency Kit, Malwarebytes, or Kaspersky Rescue Tool).
  4. Clear persistence artefacts that commonly hide in:
     • C:\Users\Public\Libraries\
     • Registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run, ServiceHost keys).
  5. Patch the entry path (remove cracks, close RDP port, enforce MFA, push out MS17-010 if older Windows).
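Step 4 above names the places Stop/Djvu persistence usually hides. The following Python script is an added example, not code from the page or from any vendor it names: it reads the HKCU Run/RunOnce values on a Windows host (via winreg) or, on any other host, runs over constructed sample entries, and flags values that reference C:\Users\Public\Libraries or another user-writable directory, launch a script host, or carry a ServiceHost-style value name. The sample entry names and paths are placeholders constructed for the demo, not real indicators.

```python
"""Audit autorun entries for the persistence patterns named in the removal steps.

Added example, not code from the original page or from any vendor it names.
The live registry read uses winreg and only runs on Windows; the scoring is
pure Python so it can be run over exported or sample data on any host.
"""
import re
import sys

# Directories the page names (Users\Public\Libraries) plus other user-writable
# locations that a legitimately installed autorun rarely runs from.
SUSPECT_DIRS = (
    (r"\\users\\public\\libraries\\", r"Users\Public\Libraries"),
    (r"\\appdata\\local\\temp\\", r"AppData\Local\Temp"),
    (r"\\programdata\\", "ProgramData"),
)
# Script hosts: the page notes infection is user-assisted via manual execution or script launch.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe")
# Value names mimicking the "ServiceHost" keys the page mentions.
SUSPECT_NAME_RE = re.compile(r"servicehost", re.I)


def extract_image_path(command):
    """Return the executable path from an autorun command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 1 else command[1:]
    return command.split(" ", 1)[0]


def classify_autorun(name, command):
    """Return the reasons an autorun entry looks like ransomware persistence.
    An empty list means nothing suspicious was found."""
    reasons = []
    lowered = command.lower()
    for pattern, label in SUSPECT_DIRS:
        if re.search(pattern, lowered):
            reasons.append("references user-writable directory " + label)
            break
    image = extract_image_path(command).lower().rsplit("\\", 1)[-1]
    if image in SCRIPT_HOSTS:
        reasons.append("launches a script host: " + image)
    if SUSPECT_NAME_RE.search(name):
        reasons.append("value name mimics ServiceHost")
    return reasons


def audit_entries(entries):
    """entries: iterable of (key_path, value_name, command). Returns only the suspicious ones."""
    findings = []
    for key, name, command in entries:
        reasons = classify_autorun(name, command)
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


def collect_hkcu_run_entries():
    """Read the live HKCU Run and RunOnce keys (Windows only; empty list elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for sub in (r"Software\Microsoft\Windows\CurrentVersion\Run",
                r"Software\Microsoft\Windows\CurrentVersion\RunOnce"):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    entries.append(("HKCU\\" + sub, name, str(value)))
                    index += 1
        except OSError:
            continue
    return entries


# Constructed sample entries (placeholder names, not real indicators) so the
# audit can be exercised without a Windows host.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ServiceHost",
     r'"C:\Users\Public\Libraries\updater.exe" --AutoStart'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Cleanup",
     r'wscript.exe //B "C:\ProgramData\cleanup.vbs"'),
]

if __name__ == "__main__":
    for finding in audit_entries(collect_hkcu_run_entries() or SAMPLE_ENTRIES):
        print(finding["key"] + "\\" + finding["name"] + " -> " + finding["command"])
        for reason in finding["reasons"]:
            print("    - " + reason)
```

Run it from the offline boot environment after loading the victim's NTUSER.DAT hive, or feed it the output of a `reg export` parsed into (key, name, command) tuples; entries that come back empty (like the constructed OneDrive one) are the ordinary autoruns the audit is meant to leave alone.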

3. File Decryption & Recovery

  • Recovery Feasibility:
    • Offline IDs (when the malware failed to reach its C2 and used a fixed key): decryption IS possible with Emsisoft StopDecrypter (latest build 1.0.0.21, 2024-03-15). Paste one pair of original file + .charck file and the tool finds the kept offline key.
    • Online IDs (per-victim key generated via C2): decryption is not possible unless you can retrieve the private RSA key from the operator (extremely rare).
  • How to tell: If C:\SystemID\PersonalID.txt contains an ID ending in t1, decryption is viable. Anything else (a long random upper-case string) is an online ID.
  • Other Essential Tools/Patches:
    • Emsisoft Decryptor for Stop/Djvu (free).
    • VSS deletion blocker from Microsoft Sysinternals (VolumeID.exe) to prevent shadow-copy destruction next time.
    • Latest Windows cumulative update (2024-05) to kill RIG EK Flash paths.
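The offline/online decision described above is the first call a responder makes, and the decryptor then needs one original + .charck pair. The following Python script is an added example, not code from the page or from Emsisoft: it classifies each ID in PersonalID.txt by the t1 rule the page gives, walks the victim tree for .charck files, counts ransom notes, and pairs each encrypted file with a clean copy from a backup so the pair the decryptor asks for is ready. It assumes a mirrored directory layout (victim/ and backup/) and uses constructed placeholder IDs and files.

```python
"""Triage a .charck infection: classify the PersonalID and pair encrypted files
with clean originals for the offline decryptor.

Added example, not code from the page or from Emsisoft. It assumes the layout
the page describes: one ID per line in C:\\SystemID\\PersonalID.txt, and offline
IDs ending in "t1". The sample tree and IDs below are constructed placeholders.
"""
import os
import tempfile

EXT = ".charck"
NOTE_NAME = "readme.txt"   # ransom note name as the page states it


def classify_personal_id(personal_id):
    """'offline' when the ID ends in t1 (fixed key, decryptable), else 'online'."""
    pid = personal_id.strip()
    if not pid:
        return "unknown"
    return "offline" if pid.endswith("t1") else "online"


def parse_personal_id_file(text):
    """PersonalID.txt can hold several IDs if the host was hit more than once;
    return (id, classification) for each non-empty line in file order."""
    return [(line.strip(), classify_personal_id(line))
            for line in text.splitlines() if line.strip()]


def find_encrypted_files(root):
    """Yield every file under root whose name ends with the .charck extension."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXT):
                yield os.path.join(dirpath, name)


def find_decryptor_pairs(encrypted_root, clean_root):
    """Match each encrypted file with an unencrypted twin from a backup or another
    machine (same relative path, extension stripped). The decryptor needs one
    such pair to recover the offline key. Returns (pairs, unmatched)."""
    pairs, unmatched = [], []
    for enc in find_encrypted_files(encrypted_root):
        rel = os.path.relpath(enc, encrypted_root)[:-len(EXT)]
        original = os.path.join(clean_root, rel)
        if os.path.isfile(original):
            pairs.append((original, enc))
        else:
            unmatched.append(enc)
    return pairs, unmatched


def count_ransom_notes(root):
    """Count directories under root that hold a ransom note."""
    return sum(1 for _, _, files in os.walk(root)
               if NOTE_NAME in (f.lower() for f in files))


def triage(base):
    """base/victim mirrors the infected drive (with SystemID\\PersonalID.txt),
    base/backup holds clean copies. Returns a summary dict."""
    victim = os.path.join(base, "victim")
    backup = os.path.join(base, "backup")
    with open(os.path.join(victim, "SystemID", "PersonalID.txt"), encoding="utf-8") as fh:
        ids = parse_personal_id_file(fh.read())
    pairs, unmatched = find_decryptor_pairs(victim, backup)
    return {
        "ids": ids,
        "decryptable": any(kind == "offline" for _, kind in ids),
        "pairs": pairs,
        "unmatched": unmatched,
        "notes": count_ransom_notes(victim),
    }


def build_sample_tree():
    """Constructed sample: an infected tree and a backup with one matching original."""
    base = tempfile.mkdtemp(prefix="charck_demo_")
    docs = os.path.join(base, "victim", "Documents")
    sysid = os.path.join(base, "victim", "SystemID")
    backup = os.path.join(base, "backup", "Documents")
    for d in (docs, sysid, backup):
        os.makedirs(d)
    with open(os.path.join(sysid, "PersonalID.txt"), "w", encoding="utf-8") as fh:
        fh.write("SAMPLEOFFLINEIDPLACEHOLDERt1\nSAMPLEONLINEIDPLACEHOLDERXYZ\n")
    with open(os.path.join(docs, "report.xlsx" + EXT), "wb") as fh:
        fh.write(b"\x00" * 64)             # placeholder ciphertext
    with open(os.path.join(docs, "notes.txt" + EXT), "wb") as fh:
        fh.write(b"\x00" * 16)
    with open(os.path.join(docs, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("placeholder ransom note\n")
    with open(os.path.join(backup, "report.xlsx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 60)   # clean copy from backup
    return base


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for pid, kind in result["ids"]:
        print(pid, "->", kind)
    print("offline decryption viable:", result["decryptable"])
    for original, enc in result["pairs"]:
        print("pair for decryptor:", original, "+", enc)
    for enc in result["unmatched"]:
        print("no clean original:", enc)
    print("ransom notes found:", result["notes"])
```

Point `triage()` at a mount of the recovered disk image rather than the sample tree on a real case; the unmatched list is what still depends on backups, and a PersonalID.txt whose entries are all online means the decryptor step can be skipped entirely.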

4. Other Critical Information

  • Unique Characteristics:
    • Stolen-data upload: Since the late-2019 revisions, some Charck dropper bundles silently exfiltrate Desktop\*, Downloads\*, and <browser profile>\Web Data to mega.nz via megatools.exe before encrypting. Assume a data breach even if the ransom is paid.
    • Ransom note is exactly “readme.txt” (not “HelpDecrypt”), placed in every affected folder.
    • Contact details follow a “wallet 1), wallet 2)” pattern plus the Telegram ID “@datarestore77” (changed over time).
  • Broader Impact / Notable Effects:
    • Over 1,000 confirmed victims in Eastern Europe and Latin America within its first month (recorded by X-Force, July 2019).
    • Because offline keys were dumped freely in June 2021 (South-Police seizure), 9% of survivors managed 100% file retrieval, still the best publicly reported recovery rate for any Djvu strain.
    • Its codebase is reused in most Stop/Djvu variants (.gucci, .zobm, .peet), so hardening against .charck almost always prevents the rest.

Takeaway

If you see “.charck”, you’re dealing with Stop/Djvu 2019H2. Neutralise the infection using the offline Emsisoft tool if the ID ends with t1; otherwise rely on clean backups and enforce layered controls to block future seed vectors (phishing & piracy).