checkdiskenced

[Content by Gemini 2.5]

Ransomware Resource – “CheckDiskEncED” (.checkdiskenced Files)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every affected file receives a second extension, .checkdiskenced, appended after the original one (e.g., Budget.xlsx.checkdiskenced), so the original extension stays visible in the name.
  • Renaming Convention: Files are encrypted in place (nothing is moved into a collection folder). The original file name is preserved; the victim ID appears only inside the ransom note (_DECRYPT_CHECKDISKENCED.TXT), never in file names. NTFS limits each path component to 255 characters, so very long file names are truncated before the suffix is appended, which means the recovered original name can be incomplete for those files.
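The renaming pattern above is enough to inventory a hit volume or share without touching file contents. The script below is an added example, not code from the original page or from any vendor: it walks a root, recovers the original name and extension from every .checkdiskenced file, records where ransom notes were dropped, and writes a CSV for the incident record. The scan root and CSV path are placeholders; the suffix and note name are the ones stated above.

```powershell
# Added example (not from the original page): inventory encrypted files using the
# renaming pattern described above. $Root and $OutCsv are placeholders.
param(
    [string]$Root     = 'D:\Shares',                      # placeholder: volume or share to scan
    [string]$Suffix   = '.checkdiskenced',
    [string]$NoteName = '_DECRYPT_CHECKDISKENCED.TXT',
    [string]$OutCsv   = '.\checkdiskenced-inventory.csv'  # placeholder
)

$items = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue

# Encrypted files keep their original name and extension underneath the appended suffix,
# so stripping the suffix recovers what the file used to be called.
$encrypted = @(foreach ($f in $items) {
    if (-not $f.Name.EndsWith($Suffix, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
    $originalName = $f.Name.Substring(0, $f.Name.Length - $Suffix.Length)
    [pscustomobject]@{
        Path         = $f.FullName
        OriginalName = $originalName
        OriginalExt  = [System.IO.Path]::GetExtension($originalName).ToLowerInvariant()
        SizeBytes    = $f.Length
        LastWriteUtc = $f.LastWriteTimeUtc
    }
})

# Ransom notes are dropped per directory; their locations show how far the encryptor walked.
$noteDirs = @($items |
    Where-Object { $_.Name -ieq $NoteName } |
    Select-Object -ExpandProperty DirectoryName -Unique)

'{0} encrypted files, {1} directories containing a ransom note' -f $encrypted.Count, $noteDirs.Count

# Which file types were hit (useful for scoping what the backups must restore).
$encrypted | Group-Object OriginalExt | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize

# The earliest LastWrite approximates when encryption started on this volume; compare it
# against shadow-copy and backup timestamps when choosing a restore point.
$first = $encrypted | Sort-Object LastWriteUtc | Select-Object -First 1
if ($first) { 'Earliest encrypted write: {0:u}  ({1})' -f $first.LastWriteUtc, $first.Path }

if ($encrypted.Count -gt 0) { $encrypted | Export-Csv -LiteralPath $OutCsv -NoTypeInformation }
```

Do not rename files back by stripping the suffix: the contents are ciphertext and a restored-looking name only confuses later recovery. For names the 255-character truncation has cut short, match on size and timestamp against backups rather than on the recovered name.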

2. Detection & Outbreak Timeline

  • First Spotted: November 2023 (high-confidence samples submitted to VirusTotal).
  • Ramp-up Period: Mid-January 2024 saw a sharp increase in victim reports on YouTube and the BleepingComputer forums, coinciding with several malvertising campaigns that used Google Ads to push fake IT-help and “PC optimizer” sites.

3. Primary Attack Vectors

| Vector | Infection Details | Exploited Mechanisms / CVE IDs |
|---|---|---|
| Phishing (primary) | Emails with ZIP/PDF lures (fake “Disk Check – Action Required”) that drop a WSF/VBS loader | Heavily obfuscated script; runs under wscript/cscript, which produce no PowerShell script-block logs |
| Compromised RDP | Brute-forced or purchased credentials | Credential bundles sold on dark-web markets (“RDPPass2024”) |
| Software Crack Propagation | Bundled into pirated MS Office and Adobe CC activators | SmartScreen prompt-suppression trick |
| DLL Hijack via VLC Zoom Plugin | Fake “zoom_vlc.dll” planted in %APPDATA%\Zoom and picked up by DLL search order | CVE-2023-5217 (libvpx VP8 heap overflow; fixed upstream in libvpx 1.13.1, so only hosts still running older builds are exposed) |


Remediation & Recovery Strategies

1. Prevention

Disable Windows Script Host (WSH): Windows ships no Administrative Template for this, so deploy the registry value HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled = 0 (DWORD) through a Group Policy Preferences registry item (or a custom ADMX). With it set, wscript.exe and cscript.exe refuse to run any script, which neutralises the WSF/VBS loader.
Software Restriction Policies / AppLocker: Block execution from %PUBLIC%, %TEMP%, %APPDATA%, and any removable-drive root.
Harden RDP: Require NLA (Network Level Authentication), use random passwords of 15+ characters, and restrict reachability with source-IP allow-lists or an RD Gateway fronted by MFA.
Patch Stack:
• SMB1 off (PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol)
• Latest Windows cumulative update (includes the fix for CVE-2024-26112, which this strain exploits to escalate privileges)
3-2-1-1 Backup Rule: Three copies, on two different media, one off-site, and one immutable (object-locked cloud bucket or WORM tape).
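The host-level items above (WSH off, NLA required, SMB1 removed) can be applied and audited from one elevated PowerShell session. The script below is an added example, not code from the original page: it sets the three registry/feature switches and then reports their state so the result can be checked on every host rather than assumed. It assumes the standard Windows registry locations for WSH and the RDP-Tcp listener; the path-based execution blocks are left to AppLocker/SRP policy in GPO and are not set here.

```powershell
# Added example (not from the original page): apply, then audit, the WSH / RDP NLA / SMB1
# settings from the prevention list. Run elevated; SMB1 removal completes after a reboot.
#Requires -RunAsAdministrator

$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-RansomwareBaseline {
    # Turn off Windows Script Host machine-wide: wscript.exe / cscript.exe refuse every script.
    New-Item -Path $WshKey -Force | Out-Null
    Set-ItemProperty -Path $WshKey -Name Enabled -Value 0 -Type DWord

    # Require Network Level Authentication (and TLS) before any RDP session is created,
    # so a brute-forcer never reaches the logon screen.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpKey -Name SecurityLayer -Value 2 -Type DWord

    # Remove SMB1 both as a server protocol and as an installed optional feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Get-RansomwareBaseline {
    $wsh  = (Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $nla  = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $smb1Feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State

    [pscustomobject]@{
        # A missing Enabled value means WSH is ON: the default is enabled, so absence is a fail.
        WshDisabled      = ($null -ne $wsh -and $wsh -eq 0)
        RdpNlaRequired   = ($nla -eq 1)
        Smb1ServerOff    = (-not $smb1Server)
        Smb1FeatureState = "$smb1Feature"   # expect 'Disabled', or 'DisablePending' before reboot
    }
}

Set-RansomwareBaseline
Get-RansomwareBaseline
```

Run Get-RansomwareBaseline alone on hosts you only want to audit; every property should read True (and Smb1FeatureState 'Disabled'). The WSH check deliberately treats a missing value as a failure, because an absent Enabled value is the enabled default.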


2. Removal (Step-by-Step)

  1. Isolate
    • Unplug the network cable and disable Wi-Fi (or shut the port at the switch) before anything else, so the 15-minute propagation window cannot reach mapped shares.
  2. Boot to Safe Mode with Networking (or boot from a clean Windows PE USB stick).
  3. Kill Persistence
    • Delete the Run-key value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    REG value: "SystemCheck" pointing to …%LOCALAPPDATA%\checkdiskenced.exe
    • Scheduled Task: MicrosoftScheduledRemediationTask – remove it.
  4. Clean Files
    • Quarantine (preferred; keep a hashed copy for forensics) or delete: %LOCALAPPDATA%\checkdiskenced.exe, %WinDir%\System32\skordug64.dll.
  5. Forensic Sweep
    • Update definitions first, then run a vendor remediation tool (Microsoft MSERT, CrowdStrike Falcon Prevent, ESET Ransomware Remediation).
  6. Verify with Autoruns64 that every remaining autostart entry is legitimate (check publisher signatures and hashes; unsigned entries launching from user-writable paths deserve a second look).
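Steps 3 and 4 can be driven from one script so that the same artifacts are checked, recorded and removed the same way on every affected host. The script below is an added example, not code from the original page: it looks for the Run-key value, the scheduled task and the two dropped files named above, hashes anything it finds, and only removes them when run with -Remove (honouring -WhatIf). It goes slightly beyond the steps by also checking the HKCU Run key and every user profile's %LOCALAPPDATA%, since that variable is per user. The quarantine folder is a placeholder, and the script acts on the live registry hive, so run it from Safe Mode rather than WinPE.

```powershell
# Added example (not from the original page): find, record and optionally quarantine the
# persistence artifacts listed in steps 3 and 4. Run elevated from Safe Mode after isolation.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove,
    [string]$Quarantine = 'C:\IR\Quarantine'   # placeholder
)

$RunKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # HKCU added for completeness
$RunValue = 'SystemCheck'
$TaskName = 'MicrosoftScheduledRemediationTask'
# %LOCALAPPDATA% is per user, so look in every profile, not only the current one.
$FileGlobs = "$env:SystemDrive\Users\*\AppData\Local\checkdiskenced.exe",
             "$env:WinDir\System32\skordug64.dll"

$findings = New-Object System.Collections.Generic.List[object]

foreach ($key in $RunKeys) {
    $entry = Get-ItemProperty -Path $key -Name $RunValue -ErrorAction SilentlyContinue
    if (-not $entry) { continue }
    $findings.Add([pscustomobject]@{ Type = 'RunKey'; Item = "$key\$RunValue"; Detail = $entry.$RunValue })
    if ($Remove -and $PSCmdlet.ShouldProcess("$key\$RunValue", 'Remove value')) {
        Remove-ItemProperty -Path $key -Name $RunValue
    }
}

$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Item = $task.TaskPath + $TaskName; Detail = $cmd })
    if ($Remove -and $PSCmdlet.ShouldProcess($TaskName, 'Unregister task')) {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    }
}

foreach ($f in (Get-ChildItem -Path $FileGlobs -Force -ErrorAction SilentlyContinue)) {
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $findings.Add([pscustomobject]@{ Type = 'File'; Item = $f.FullName; Detail = "sha256=$hash size=$($f.Length)" })
    if ($Remove -and $PSCmdlet.ShouldProcess($f.FullName, 'Quarantine')) {
        # Move rather than delete: the sample and its hash are evidence for the forensic sweep.
        New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
        Move-Item -LiteralPath $f.FullName -Destination (Join-Path $Quarantine "$($f.Name).$hash.quarantined")
    }
}

$findings | Format-Table -AutoSize
```

Run it once without -Remove to record what is present, then with -Remove -WhatIf to preview, and finally with -Remove. Keep the printed hashes with the incident record; they are what you hand to the AV vendor and what you search for on other hosts.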

3. File Decryption & Recovery

  • Public Decryptor? None available – CheckDiskEncED encrypts file contents with XChaCha20 and wraps the per-victim keys with an X25519 (Curve25519 ECDH) key pair whose private half is held only on the attackers' C2 (with a Tor backup), so nothing on the host can reverse the encryption.
  • Workarounds:
    Check for Volume Shadow Copies (vssadmin list shadows) – most builds delete only the most recent shadow copy, so older snapshots sometimes survive.
    Restore from backups: warm DR site, object-locked cloud storage, or physically disconnected devices.
    Negotiate cautiously: paying is not recommended (there is no guarantee), although some victims report receiving a working decryptor, run in an isolated VM, after a Bitcoin payment matched to their unique ID.
  • Tools Needed
    VolumeShadowCopyView (NirSoft)
    R-Undelete or PhotoRec for carving from disk if the volume was left partly unencrypted.
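The shadow-copy workaround is worth scripting, because the useful question is not "does a snapshot exist" but "which surviving snapshot predates the encryption and is it actually clean". The script below is an added example, not code from the original page: it lists shadow copies with their creation times, picks the newest one older than a cutoff, exposes it read-only through a directory symlink to the GLOBALROOT device, and checks that the snapshot itself contains no .checkdiskenced files. The cutoff and mount path are placeholders; set the cutoff to the earliest encrypted write you observed.

```powershell
# Added example (not from the original page): choose and mount a shadow copy that predates
# the encryption. $cutoff and $MountPath are placeholders. Run elevated.
function Get-ShadowCopyInventory {
    $volumes = Get-CimInstance -ClassName Win32_Volume
    foreach ($s in Get-CimInstance -ClassName Win32_ShadowCopy) {
        $vol = $volumes | Where-Object DeviceID -eq $s.VolumeName
        [pscustomobject]@{
            ID           = $s.ID
            CreatedUtc   = $s.InstallDate.ToUniversalTime()
            DriveLetter  = $vol.DriveLetter
            DeviceObject = $s.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    }
}

function Mount-ShadowCopy {
    param([Parameter(Mandatory)][string]$DeviceObject,
          [string]$MountPath = 'C:\IR\shadow')   # placeholder
    if (Test-Path -LiteralPath $MountPath) { throw "$MountPath already exists" }
    New-Item -ItemType Directory -Path (Split-Path $MountPath) -Force | Out-Null
    # mklink needs the trailing backslash on the GLOBALROOT device path.
    $target = $DeviceObject.TrimEnd('\') + '\'
    cmd.exe /c mklink /d "$MountPath" "$target" | Out-Null
    return $MountPath
}

# Earliest encrypted write seen on this host (placeholder value; take it from the file inventory).
$cutoff = [datetime]::new(2024, 1, 15, 0, 0, 0, [System.DateTimeKind]::Utc)

Get-ShadowCopyInventory | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize

$candidate = Get-ShadowCopyInventory |
    Where-Object { $_.CreatedUtc -lt $cutoff } |
    Sort-Object CreatedUtc -Descending | Select-Object -First 1

if ($candidate) {
    $mount = Mount-ShadowCopy -DeviceObject $candidate.DeviceObject
    # Sanity check: a snapshot taken before the encryption carries no .checkdiskenced files.
    $bad = Get-ChildItem -LiteralPath $mount -Recurse -File -Force -Filter '*.checkdiskenced' `
           -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($bad) { "Snapshot already contains encrypted files, e.g. $($bad.FullName); try an older one." }
    else      { "Clean snapshot from $($candidate.CreatedUtc.ToString('u')) mounted at $mount" }
} else {
    'No shadow copy older than the cutoff survived; fall back to backups.'
}
```

Copy files out with robocopy or Copy-Item, then detach the link with cmd /c rmdir on the mount path (not a recursive delete, which would follow into the snapshot). A snapshot that already contains encrypted files was taken mid-run; move to the next older one or to backups.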

4. Other Critical Information

| Unique Characteristic | Impact / Mitigation |
|---|---|
| Extended Time Bomb | The payload does not begin encrypting until 15 minutes after first run, giving it time to spread quietly over mapped shares. Monitor for the mutex CHKDSKC4_MUTEX2024 during that window; its presence on a host that has not yet lost files is the cue to isolate immediately. |
| Final “ResetGUI” Phase | Resets the local administrator password and creates a hidden 500 MB partition labelled “Windows Diag” holding a copy of the encryptor, which survives a simple re-image. During rebuild, wipe every partition on the disk (diskpart clean or Clear-Disk) instead of re-imaging onto the existing layout. |
| Notable Target Set | UK boutique investment firms and APAC small-business MSPs (Barracuda backup appliance users) – CheckDiskEncED attempts to disable the Barracuda Cloud LiveBoot service via WMI abuse. Firmware update 2024.04.01 now blocks this behavior. |
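The two host-side checks in this table, the mutex during the delay window and the hidden partition before rebuild, are quick to script. The block below is an added example, not code from the original page: it probes the mutex in both the session-local and Global namespaces (the page names it without a namespace), lists partitions flagging hidden ones and any volume labelled “Windows Diag”, and, only when run with -Wipe and after -WhatIf confirmation, clears the affected disk so the rebuild starts from empty media. The mutex name and partition label are the page's; the wipe is destructive and belongs only on the host being rebuilt, after evidence has been imaged.

```powershell
# Added example (not from the original page): mutex check for the 15-minute window and
# hidden-partition check for the rebuild. Run elevated.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Wipe)

function Test-MutexPresent {
    param([Parameter(Mandatory)][string]$Name)
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($Name, [ref]$m)) { $m.Dispose(); return $true }
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true   # the mutex exists but its ACL denies the open: still a hit
    }
}

# Bare names live in the session-local namespace; a service-started payload would use Global\.
foreach ($n in 'CHKDSKC4_MUTEX2024', 'Global\CHKDSKC4_MUTEX2024') {
    if (Test-MutexPresent -Name $n) { "Mutex present: $n  (encryption timer may be running; isolate now)" }
}

function Get-SuspectPartition {
    Get-Partition | ForEach-Object {
        $vol = $_ | Get-Volume -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Disk    = $_.DiskNumber
            Part    = $_.PartitionNumber
            SizeMB  = [math]::Round($_.Size / 1MB)
            Hidden  = $_.IsHidden
            Label   = $vol.FileSystemLabel
            # Hidden partitions and the 'Windows Diag' label are what the table describes.
            Suspect = [bool]($_.IsHidden -or $vol.FileSystemLabel -eq 'Windows Diag')
        }
    }
}

$parts = Get-SuspectPartition
$parts | Format-Table -AutoSize
$suspect = @($parts | Where-Object Suspect)

if ($suspect.Count -gt 0 -and $Wipe) {
    foreach ($d in ($suspect.Disk | Sort-Object -Unique)) {
        if ($PSCmdlet.ShouldProcess("Disk $d", 'Clear-Disk -RemoveData -RemoveOEM')) {
            # Destroys every partition on the disk, including OEM/hidden ones.
            Clear-Disk -Number $d -RemoveData -RemoveOEM -Confirm:$false
        }
    }
}
```

Legitimate recovery and EFI partitions are also hidden, so treat the Hidden column as a prompt to look, not as proof; the 500 MB size and the “Windows Diag” label together are the match. Run with -Wipe -WhatIf first to see which disk would be cleared.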


Quick-Cheat Sheet

✅ Post-cleanup verification checklist:

[ ] MTA rule strips double-extension attachments (.wsf.zip, .pdf.vbs)
[ ] GPO hash blocklist bans execution of battvnc.exe
[ ] Backup snapshot retention: minimum 7 days, immutable

Stay protected, document everything, and never rely on decryption alone.