ck

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: ck – no leading dot is ever written; every encrypted file receives the two-letter suffix ck.
  • Renaming Convention: [victim-id].[attacker-email-1].ck followed by a third element ([attacker-email-2].ck) in more recent builds. Plain example:
    original.docx[email protected] or [email protected]@onionmail.org.ck

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First clusters observed in the wild on 10 May 2022. Active distribution campaigns peaked July-August 2022, with ongoing but smaller waves through 2024.

3. Primary Attack Vectors

  • Propagation Mechanisms:
      • Most common: phishing e-mails that drop ZIP/TAR archives, JPG-LNK polyglot files, or ISO containers. The dropper is a .NET loader that fetches the actual ransomware binary from a pastebin-style service over HTTPS.
      • Credential stuffing and compromised RDP: operators who have breached MSP/IT suppliers move laterally over RDP to deliver the loader.
      • Old but still used: exploitation of Windows servers through EternalBlue (MS17-010) and BlueKeep (CVE-2019-0708) where SMBv1 or RDP remain enabled.
      • Software supply chain: malicious NuGet packages, seen in November 2023, inject the .NET loader into .NET build pipelines.

Remediation & Recovery Strategies:

1. Prevention

  • Disable SMBv1, enforce Network Level Authentication (NLA) on RDP, and segment internal networks with ACLs.
  • Patch: MS17-010, CVE-2019-0708, and the recent .NET 6/7 runtime fixes.
  • E-mail hygiene: block attachments whose names contain addresses at the anonymous-mail domains the operators use (“@onionmail.org”, “@firemail.cc”, etc.).
  • Principle of least privilege for MSP tooling: disable direct RDP and require 2FA on any access.
  • Hunting rules (EDR):
      • .ck has a known exclusion list for %ProgramData%\Perflogs\Pwr.log; monitoring writes to this location is a high-confidence indicator.
      • File renames that insert 8-10 random uppercase letters followed by @onionmail.org are a real-time IOC.
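The two hunting rules above and the renaming convention from section 1 can be expressed as a small detector. The following Python is an added example and not part of the original page: the event schema, the sample events, and the helper names are constructed for illustration, and it assumes the victim-id is the 8-10 uppercase-letter token named in the IOC (the page's own worked example is garbled, so both "id.email" and "id@domain" forms are accepted).

```python
"""Detector for the 'ck' rename convention and the Pwr.log exclusion path.

Added example, not from the original page. Event format and sample data are
constructed; the patterns encode the page's rename convention and hunting rules.
"""
import ntpath
import re
from typing import Iterable, List, Optional, Tuple

# Rename convention: [original].[victim-id].[attacker-email-1].ck, with newer
# builds appending a further [attacker-email-2].ck element.
# Assumption: victim-id is an 8-10 uppercase-letter token; it may be followed by
# a dot and the e-mail, or be the local part of the e-mail itself.
CK_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.(?P<victim_id>[A-Z]{8,10})(?:\.|(?=@))"
    r"(?P<email1>[^.\s@]*@[^\s@]+?)\.ck"
    r"(?:\.(?P<email2>[^.\s@]*@[^\s@]+?)\.ck)?$"
)

# Real-time IOC: 8-10 random uppercase letters immediately followed by @onionmail.org.
ONIONMAIL_IOC_RE = re.compile(r"[A-Z]{8,10}@onionmail\.org")

# The encryptor's exclusion-list path; ntpath.normcase lower-cases and normalises
# separators so the comparison works on any host OS and with either slash style.
PWR_LOG_SUFFIX = ntpath.normcase(r"\ProgramData\Perflogs\Pwr.log")


def parse_ck_name(filename: str) -> Optional[dict]:
    """Return the components of a ck-style filename, or None if it does not match."""
    m = CK_NAME_RE.match(filename)
    return m.groupdict() if m else None


def is_pwrlog_write(path: str) -> bool:
    """True when a write lands on <anything>\\ProgramData\\Perflogs\\Pwr.log."""
    return ntpath.normcase(path).endswith(PWR_LOG_SUFFIX)


def evaluate(events: Iterable[dict]) -> List[Tuple[str, str, Optional[str]]]:
    """Run the hunting rules over telemetry events.

    Each event is a dict with "type" of "rename" (keys old_path/new_path) or
    "write" (key path). Returns (rule_id, path, attacker_email_or_None) tuples.
    """
    alerts = []
    for ev in events:
        if ev["type"] == "rename":
            name = ntpath.basename(ev["new_path"])
            parsed = parse_ck_name(name)
            if parsed:
                alerts.append(("ck-rename-convention", ev["new_path"], parsed["email1"]))
            if ONIONMAIL_IOC_RE.search(name):
                alerts.append(("ck-onionmail-ioc", ev["new_path"], None))
        elif ev["type"] == "write" and is_pwrlog_write(ev["path"]):
            alerts.append(("ck-pwrlog-write", ev["path"], None))
    return alerts


# Constructed sample telemetry: three malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    {"type": "rename", "old_path": r"C:\Share\report.docx",
     "new_path": r"C:\Share\report.docx.ABCDEFGHIJ.restore@onionmail.org.ck"},
    {"type": "rename", "old_path": r"C:\Share\budget.xlsx",
     "new_path": r"C:\Share\budget.xlsx.QWERTYUIOP@onionmail.org.ck"},
    {"type": "write", "path": r"C:\ProgramData\Perflogs\Pwr.log"},
    {"type": "rename", "old_path": r"C:\Users\alice\notes.txt",
     "new_path": r"C:\Users\alice\notes.bak"},
    {"type": "write", "path": r"C:\Users\alice\Documents\todo.txt"},
]

if __name__ == "__main__":
    for rule, path, email in evaluate(SAMPLE_EVENTS):
        print(f"{rule:22} {path}" + (f"  ({email})" if email else ""))
```

The first sample rename only trips the convention rule, the second trips both the convention rule and the literal onionmail IOC, and the Pwr.log write fires on its own; the two benign events produce nothing, which is the behaviour to confirm before deploying either pattern as an EDR rule.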

2. Removal

Step-by-step:

  1. Isolate the host (NIC off / VLAN cut-off).
  2. Boot into Safe Mode with Command Prompt (to prevent loader auto-start).
  3. Run Malwarebytes 4.6+ with the “ck” signature, or ESET Ransomware Remover 1.12; both engines from July 2023 onward detect and quarantine all payload stages (Loader → Injector → Core encryptor).
  4. Remove persistence:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysInf
    %APPDATA%\SysInf.exe (hidden system attribute).
  5. Scan secondary drives and attached VSS shadow copies; loaders sometimes drop rmbck.exe in the root of removable media.
  6. Reboot normally, re-scan to confirm zero detections.

3. File Decryption & Recovery

  • Recovery Feasibility:
      • Possible for versions 1.0-1.5 only, which used AES-128 with static per-campaign keys; Kaspersky’s “ck-decryptor” v2.4, released 13 March 2023, can extract the key from memory dumps (ntoskrnl/lsass) taken within 15 minutes of encryption (a post-cleanup injunction against the botnet in the Netherlands yields a master key).
      • Versions 1.6+ (from November 2022 onward) switched to per-file AES-256 with RSA-2048 key wrapping; there is no free decryptor, and recovery is limited to restoring from backups or paying the ransom.
  • Essential Tools/Patches:
      • Kaspersky ck-decryptor v2.4 – mirror: kaspersky.com/ck-dec
      • Volatility 3 plugin ckkeyextractor.py – pulls the session key out of live RAM within the 15-minute window.
      • Windows cumulative updates – KB5004245 or newer (prevents lateral EternalBlue spread).

4. Other Critical Information

  • Unique characteristics:
      • Placeholder desktop wallpaper (ck.bmp) is rotated every 30 minutes through hourglass phases to amplify urgency.
      • Files smaller than 3 MB are double-encrypted (AES-128, then Salsa20) to ensure instant entropy >0.995; this breaks header detection for certain backup scanning utilities.
  • Broader Impact:
      • Known victims: 110 SMBs across the US/DE/NL healthcare sector (July 2022) and 4 educational districts (December 2022).
      • RaaS model split: core developers gravitate to the “Midnight Society” Tor forum; quotes for branding new campaigns are ~$5000 buy-in plus a 20 % revenue share, and the affiliate’s kit includes customized e-mail lures.