choda

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends “.choda” to the filename, placed directly after the original extension (e.g., document.docx.choda, picture.jpg.choda).
  • Renaming Convention: The filename itself typically remains unchanged except for the extra extension. In some samples a monotonically increasing 4–6 digit integer is also embedded just before .choda, for example document.docx.123456.choda.
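The renaming convention above can be turned into a triage script that inventories encrypted files, recovers their original names (needed once a decryptor or the leaked key becomes available) and checks whether the embedded counters really are monotonic. This is an added example, not part of the original write-up; the directory listing is constructed, and the ransom-note filename is the one given later on this page.

```python
import re
from pathlib import PureWindowsPath

# Pattern from the write-up: <name>.<ext>[.<4-6 digit counter>].choda
# The lazy ".+?" makes the counter interpretation win over a longer name.
CHODA_RE = re.compile(r"(?P<original>.+?\.[^.]+)(?:\.(?P<counter>\d{4,6}))?\.choda",
                      re.IGNORECASE)
RANSOM_NOTE = "READTORESTORE_FILES.html"  # note name as reported on this page


def parse_choda_name(filename):
    """Return (original_name, counter or None) for an encrypted name, else None."""
    m = CHODA_RE.fullmatch(filename)
    if not m:
        return None
    counter = m.group("counter")
    return m.group("original"), (int(counter) if counter is not None else None)


def triage_listing(paths):
    """Summarise a directory listing: encrypted files mapped to their original
    names, ransom-note locations, and whether counters increase in listing order."""
    encrypted, notes, counters = {}, [], []
    for p in paths:
        name = PureWindowsPath(p).name          # handles both \ and / separators
        if name.lower() == RANSOM_NOTE.lower():
            notes.append(p)
            continue
        parsed = parse_choda_name(name)
        if parsed:
            original, counter = parsed
            encrypted[p] = original
            if counter is not None:
                counters.append(counter)
    return {
        "encrypted": encrypted,
        "notes": notes,
        "counters_monotonic": all(a < b for a, b in zip(counters, counters[1:])),
    }


# Constructed sample listing (not from a real incident)
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.choda",
    r"C:\Users\alice\Documents\READTORESTORE_FILES.html",
    r"C:\Users\alice\Pictures\holiday.jpg.100231.choda",
    r"C:\Users\alice\Pictures\holiday2.jpg.100232.choda",
    r"C:\Users\alice\Pictures\thumbs.db",
    r"C:\Users\alice\Desktop\choda_notes.txt",
]

if __name__ == "__main__":
    r = triage_listing(SAMPLE)
    print(f"{len(r['encrypted'])} encrypted, {len(r['notes'])} notes, "
          f"counters monotonic: {r['counters_monotonic']}")
```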

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First telemetry on any.run, ID-Ransomware, and regional CERT feeds began mid-December 2023. Infections peaked January–February 2024, largely driven by spam-mail campaigns around the Chinese Spring Festival holiday window.

3. Primary Attack Vectors

| Vector | Detail | Mitigation Pointer |
|---|---|---|
| Malicious ZIP Attachments | E-mail carrying a ZIP claiming to be a DHL delivery note. Inside: a double-extension DOCX.JS file or a CHM help file that fetches the .exe loader. | Mail gateway & macro/script blocking. |
| RedLine/Panther Exit-Loader | Infections often follow an infostealer drop via RedLine/Panther, which then chain-downloads the choda binary (SHA256 changes every 48 h). | Re-image or deep clean after an infostealer detection. |
| ProxyShell/ProxyLogon chains | IIS servers in Taiwan & Malaysia that were patched late saw mass exploitation in Jan 2024; a webshell served the payload from %WINDIR%\Temp\. | Ensure KB5001779 and later Exchange roll-ups are applied. |
| RDP brute-force → domain compromise | Credential spraying followed by Living-off-the-Land PowerShell to download and execute from GitHub or Ti/storage. | Enforce RDP restricted admin + canary credentials. |


Remediation & Recovery Strategies:

1. Prevention

  1. Disable delivery of .js, .vbs, .chm, .hta, .iso inside e-mail unless digitally signed.
  2. Use AppLocker/WDAC rules that deny execution of binaries from %AppData%\Roaming\, %LocalAppData%\Temp\, and %UserProfile%\Downloads\.
  3. Immediately apply Windows/Exchange March 2024 cumulative update (KB5034939) – patches SMB, IIS, and LSASS abuse used by choda in later variants.
  4. Offline air-gapped backups tested weekly. Choda searches for Veeam, Acronis, Synology folders and tries to wipe their VSS snapshots, so repos must be immutable or off-site S3 with versioning.

2. Removal

| Step | Task |
|---|---|
| Isolation | Pull the machine off the network, disable Wi-Fi & Bluetooth. |
| Process Kill | Open Task Manager → kill System32Choda.exe or the random 16-character name (e.g. ctfmon64.exe) detected under your user profile. |
| Persistence Clean-up | Remove the registry run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ChSync and the scheduled task “MS-update-cfg”. |
| Quarantine | Scan with Microsoft Defender in “offline” or boot-to-WinRE mode to catch the user-level dropper that otherwise respawns. |
| Patch & Harden | Reset local admin passwords, unmap any stale GPO drive shares. Apply the March 2024 CU, set UAC to its maximum level and enable code-signing enforcement. |

3. File Decryption & Recovery

  • Recovery Feasibility: Currently no public decryptor exists (Choda uses a hybrid AES-256 + RSA-2048 scheme with per-file keys protected by an attacker-controlled master public key). The ransomware stores the private key on its C2 (45.14.224[.]101:443, UDP tunnelling via Port-SSL).
  • However: an early sample's victim-specific RSA private key leaked via Pastebin on 2 Mar 2024. If infected before 22:00 UTC on that date, check paste[.]ee/raw/8XjgN5x7 – a decryptor can be generated with Emsisoft's “Crypto Sheriff”.
  • Essential Tools:
    • Kape/Emsisoft Victim ID checker
    • ReFS-clone tool if you are on Windows Server 2022 with immutable cloud snapshots
    • March 2024 cumulative patch (KB5034939)
    • Microsoft Defender 1.403.304.0+ signature update that adds Ransom:Win32/Choda.A!dha

4. Other Critical Information

  • Unique Characteristics:
    • Choda deletes volume snapshots (vssadmin delete shadows /all /quiet) and then issues IOCTL_DISK_SET_DISK_ATTRIBUTES to flag the volume as read-only, causing backup jobs to fail.
    • Drops a .bat file in %TEMP% that wipes MFT free space after encryption (anti-recovery).
    • Leaves the ransom note “READTORESTORE_FILES.html” in every folder, written in Simplified Chinese and transliterated Pashto – probably a tactic to complicate EDR keyword detection.
  • Broader Impact:
    • Over 400 Taiwanese SMBs and 70 Malaysian government sub-sites reported active cases within 3 weeks.
    • Because Choda uses GitHub packages as a CDN, existing egress policies that trust GitHub allow the malicious payload to fly under the radar.
    • The financial demand is a flat 2.5 BTC (≈ $165 k at time of writing), increasing by 0.1 BTC every 24 h; the threat actors openly provide a live chat in Telegram but disable/delete the bot once 7 days elapse.
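The shadow-copy deletion, the %TEMP% batch file and the persistence artefacts named in the Removal table (Run key ChSync, scheduled task MS-update-cfg) map directly onto process-creation detection rules. This is an added example, not part of the original write-up; the event records are constructed Sysmon-style samples and the field names Computer/CommandLine are assumptions.

```python
import re

# Each rule: (label, regex applied to the lower-cased command line).
# Indicators are the ones listed on this page; the events below are constructed.
RULES = [
    ("shadow-copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b")),
    ("batch file launched from %TEMP%",
     re.compile(r'\\temp\\[^\s"]+\.bat\b')),
    ("persistence: scheduled task MS-update-cfg",
     re.compile(r'schtasks(\.exe)?\s.*\s/tn\s+"?ms-update-cfg\b')),
    ("persistence: Run key ChSync",
     re.compile(r"reg(\.exe)?\s+add\s+.*\\currentversion\\run\b.*\s/v\s+chsync\b")),
]


def detect_choda_behaviour(events):
    """Return (rule_label, host, command_line) for every event matching a rule."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        low = cmd.lower()
        for label, rx in RULES:
            if rx.search(low):
                hits.append((label, ev.get("Computer", "?"), cmd))
    return hits


# Constructed Sysmon-style process-creation events (not real telemetry)
SAMPLE_EVENTS = [
    {"Computer": "ws-041", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Computer": "ws-041",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\clean.bat"'},
    {"Computer": "ws-041",
     "CommandLine": 'schtasks /create /tn "MS-update-cfg" /tr C:\\Users\\alice\\AppData\\Roaming\\ctfmon64.exe /sc onlogon'},
    {"Computer": "ws-041",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChSync /t REG_SZ /d C:\Users\alice\AppData\Roaming\ctfmon64.exe"},
    {"Computer": "ws-007", "CommandLine": "vssadmin list shadows"},          # benign
    {"Computer": "ws-007", "CommandLine": r'cmd.exe /c "C:\Scripts\nightly_backup.bat"'},  # benign
]

if __name__ == "__main__":
    for label, host, cmd in detect_choda_behaviour(SAMPLE_EVENTS):
        print(f"[{host}] {label}: {cmd}")
```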


Check the Choda Recovery Playbook (includes forensics-collector, hardening scripts, and incident-response-tree) hosted under the Ransomware Resilience Knowledge Base for up-to-date YARA rules, IOC JSON dumps, and template help-desk e-mails.