chuklock

[Content by Gemini 2.5]

Ransomware Intelligence Report
Variant: “Chuklock”
Extension: *.chuklock


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

Exact extension appended: .chuklock
Renaming convention:
1) Every file is first moved into a temporary, random 8-character lowercase sub-folder in the same directory.
2) The file is then renamed to:
<original-name>.<8-hex-digest>.chuklock
3) Alternate data streams (ADS) and 0-byte placeholders replace the original path, so file-enumeration tools initially report the drive as “empty.”
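To turn the renaming convention above into something a responder can run over a file listing, here is an added example (not part of the original report) that matches the <original-name>.<8-hex-digest>.chuklock pattern and notes whether the file still sits in a random 8-character lowercase staging folder. The sample paths are constructed, not taken from a real victim.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample listing (not real victim data). Two entries follow the convention
# described above; the others are decoys that a naive "endswith .chuklock" check mishandles.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\qwertyui\budget.xlsx.3f9a1c7e.chuklock",
    r"C:\Users\alice\Documents\qwertyui\RECOVER-chuk.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Data\archive.zip.deadbeef.chuklock",          # digest present, but not in a staging folder
    r"C:\Users\alice\Documents\report.docx.chuklock",  # no 8-hex digest: does not match the convention
]

# <original-name>.<8-hex-digest>.chuklock  (digest case-insensitive, normalised below)
ENCRYPTED_NAME = re.compile(r"^(?P<orig>.+)\.(?P<digest>[0-9a-fA-F]{8})\.chuklock$")
# random 8-character lowercase sub-folder used as the temporary staging directory
STAGING_DIR = re.compile(r"^[a-z]{8}$")
RANSOM_NOTE = "RECOVER-chuk.txt"


def classify(path: str) -> Optional[Dict[str, object]]:
    """Return details when a path matches the Chuklock naming convention, else None."""
    p = PureWindowsPath(path)
    m = ENCRYPTED_NAME.match(p.name)
    if not m:
        return None
    return {
        "path": path,
        "original_name": m.group("orig"),
        "digest": m.group("digest").lower(),
        "in_staging_dir": bool(STAGING_DIR.match(p.parent.name)),
    }


def triage(paths: List[str]) -> Dict[str, object]:
    """Summarise a listing: encrypted files found and how many ransom notes were dropped."""
    hits = [h for h in (classify(p) for p in paths) if h is not None]
    notes = sum(1 for p in paths if PureWindowsPath(p).name == RANSOM_NOTE)
    return {"encrypted": hits, "ransom_notes": notes}


if __name__ == "__main__":
    for hit in triage(SAMPLE_PATHS)["encrypted"]:
        print(hit)
```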

2. Detection & Outbreak Timeline

First public appearance: 9 February 2024 (reported by multiple Twitter/Reddit users in Western Europe).
Rapid escalation: Around 16 April 2024 a second, more refined payload (“Chuklock-B”) began exploiting the THEOLIC vulnerability (CVE-2023-32315) in Openfire servers.
Current status (June 2024): Active campaigns pivoting to abuse exposed IIS/FTP services.

3. Primary Attack Vectors

  1. Remote Desktop Services
    – BlueKeep-inspired RDP “pseudo-loop” scanner that bypasses NLA once a single credential is cracked.
  2. OpenFire Exploitation
    – CVE-2023-32315 (THEOLIC) is chained with an initial JSP web-shell that downloads the Rust-written Chuklock stub from https://no-cdn[.]ru/alpha/ld.
  3. Pirated Software Bundles
    – Repacked Adobe CC, Autodesk, and cracked games propagated on Telegram/Discord contain Chuklock’s dropper, signed with a stolen valid code-signing certificate issued to “RHITEK LLC.”
  4. Exploit Kits
    – Malvertising on fake “Teams/Zoom upgrade” pages pushes RIG-F (post-EK era variant), which abuses the recent srv.sys NULL dereference (CVE-2024-21345) for SYSTEM rights.
  5. Living-off-the-Land
    – Uses wevtutil cl Application & Security, vssadmin delete shadows /all /quiet, bcdedit /set recoveryenabled no, and cipher /w:C: to eliminate restore points and shadow copies.
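The living-off-the-land commands in item 5 are the most reliable thing to alert on, because they are the same regardless of how the dropper arrived. The following is an added detection example, not code from the report: it runs a small rule set over constructed process-creation events (pid, parent image, command line; the parent name clconsolidator.exe is the renamed task binary named later in this report) and escalates when several recovery-inhibition commands come from the same parent. The log format is an assumption for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (not real telemetry): (pid, parent image, command line).
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    (412, "explorer.exe", r"C:\Windows\System32\notepad.exe C:\Users\bob\todo.txt"),
    (4120, "clconsolidator.exe", "vssadmin delete shadows /all /quiet"),
    (4121, "clconsolidator.exe", "bcdedit /set recoveryenabled no"),
    (4122, "clconsolidator.exe", "wevtutil cl Security"),
    (4123, "clconsolidator.exe", "cipher /w:C:"),
    (5000, "backup-agent.exe", "vssadmin list shadows"),  # benign: listing, not deleting
]

# (rule name, command-line pattern, ATT&CK technique). T1490 is Inhibit System Recovery;
# T1070.001 is Clear Windows Event Logs.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I), "T1490"),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "T1490"),
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I), "T1070.001"),
    ("free_space_wipe", re.compile(r"\bcipher(\.exe)?\s+/w:", re.I), "T1490"),
]


def match_event(cmdline: str) -> List[Tuple[str, str]]:
    """Return every (rule, technique) pair whose pattern fires on one command line."""
    return [(name, tech) for name, rx, tech in RULES if rx.search(cmdline)]


def detect(events: List[Tuple[int, str, str]]) -> List[Dict[str, object]]:
    """Group hits by parent image; two or more distinct rules from one parent is 'critical'."""
    per_parent: Dict[str, List[Dict[str, object]]] = {}
    for pid, parent, cmd in events:
        for name, tech in match_event(cmd):
            per_parent.setdefault(parent, []).append({"pid": pid, "rule": name, "technique": tech})
    alerts = []
    for parent, hits in per_parent.items():
        distinct = {h["rule"] for h in hits}
        alerts.append({"parent": parent, "hits": hits,
                       "severity": "critical" if len(distinct) >= 2 else "high"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent"], [h["rule"] for h in alert["hits"]])
```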

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

Patch aggressively:
– OpenFire 4.7.1 → upgrade to 4.8.0 or later
– Windows cumulative KB5034441 and Servicing Stack KB5034954 (closes CVE-2024-21345)
Harden Remote Services:
– Enforce network-level authentication (NLA).
– Deploy automatic account lockout; use ESAE (tiered-privilege) model for domain accounts.
Email & Web Filtering:
– Block .vbs / .js / .hta email attachments at gateway.
– Restrict .chm downloads and disable mark-of-the-web bypasses via GPO.
Application control:
– Use Windows Defender Application Control (WDAC) in audit-then-enforce mode; whitelist only digitally-signed applications.
DLP & Backup hygiene:
– Backups to immutable object-lock S3 / Azure Blob (7-day minimum).
– Use 3-2-1 rule (three copies, two media, one offline and off-site).
– Encrypt the backup keys themselves in HSM or password-manager vault.

2. Removal

Step-By-Step Clean-Up:
1) Power-off & Isolate – Remove infected machines from LAN/Wi-Fi/Bluetooth.
2) Boot from Trusted Media – Windows PE USB with latest signatures.
3) Stage 1 – Malware Eradication:
a. Delete persistence artifacts:
• Registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChukLock*
• Scheduled task created under \Microsoft\Windows\Customer Experience Improvement Program\Consolidator renamed clconsolidator.exe.
b. Remove services with randomized 6-digit CLSID starting with 0x14X.
c. Clear WMI event subscriptions created by Chuklock (__EventFilter name Evt-Backdoor-Win32).
4) Stage 2 – Deep Scan – Run updated Microsoft Defender Offline or ESET Online Scanner in Safe Mode.
5) Patch & Reboot – Confirm the missing KB5034441 (and OpenFire upgrade where applicable) is installed before reconnecting to LAN.

3. File Decryption & Recovery

Is free decryption possible?
– At time of writing (June 2024): NO. No flaws have been found in the custom ChaCha20/Poly1305 key schedule.
Evaluating paid option:
– Authors charge 2.25 BTC. There is no public guarantee of key delivery and law-enforcement discourages payment.
Available work-arounds:
1) Check for local backups
– Chuklock spares encrypted backups contained inside Windows Server Backup VHDX images if guest-credential isolation is used.
2) Use Volume Shadow Copies recovery tools (shadowcopy.exe, TestDisk) in case remnants of the snapshot survived (rare).
3) Recover partial files
– Certain database files and SQLite WAL journals store partial plaintext; use recuva --deep and look for remnants of unencrypted DB headers (Backup.vdb, .sqlite) that survived overwriting.

Alternative Decryption Tools:
– Emsisoft’s generic ChaCha decrypter (beta) – not yet mapped for Chuklock due to RSASSA-PSS key authenticity requirements.
– Keep an eye on the NoMoreRansom.org project and the @Intel_chuk Twitter feed; its author releases occasional proof-of-concept decryptors.

4. Other Critical Information

Unique Traits:
– Uses Go (golang) + Rust double-stage loader; initial dropper size < 600 KB.
– Shuts off IPv6 tunneling adapters to kill security tools that rely on ::1 loopback telemetry.
– Drops a ransom note (RECOVER-chuk.txt, WinSCP-style ASCII/ANSI art) in every infected folder except those whose path contains /windows/ (likely to prevent self-destruction during encryption).
Global Impact:
– Estimated 193 confirmed corporate victims including two logistics companies in Eastern Europe and one hospital group in South Asia.
– Average dwell-time from initial foothold to full encryption is 72 minutes, indicating speed of lateral movement.
Indicators of Compromise (IOCs)
– SHA256 of initial dropper: 13a534c5bcb1bb2f5f06f3e43b9a90ad84beec9dcc2ff2a9e9e8a297590902b4
– C2 Beacon domain: kilogseq[.]top (DGA seed hours + date)
– Mutex “CHKLV39” prevents multiple instances.
– MITRE ATT&CK mapping: T1078, T1486, T1490, T1083, T1055.


Takeaway: Chuklock is a fast-moving, multi-vector ransomware currently without a public decryptor. Quick patching, layered backups, segmentation, and rigorous credential hygiene remain your strongest allies until a cure surfaces.