ckey(ok5wfftq).email([email protected]).pack14

[Content by Gemini 2.5]

Ransomware Profile: ckey(ok5wfftq).email([email protected]).pack14

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    The ransomware appends the compound extension
    .ckey(ok5wfftq).email([email protected]).pack14
    to every encrypted file (all lower-case, no spaces, parentheses included).

  • Renaming Convention:
    Original → <filename>.<original_extension>.ckey(ok5wfftq).email([email protected]).pack14
    Example: Quarterly_Report.xlsx becomes
    Quarterly_Report.xlsx.ckey(ok5wfftq).email([email protected]).pack14

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First secure-sample submission and public forum reports emerged mid-April 2024. A sharp spike in infections occurred between 20–25 April 2024, primarily in Western Europe and North America.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Phishing email campaigns – Titled “FW: Unpaid Balance #”, containing ISO/ZIP attachments that deliver a PowerShell stager.
  2. Exploit kits (Rig-EK) – Still hitting unpatched Flash/IE installations.
  3. RDP brute-force → manual drop – Attackers brute-force exposed port 3389, compromise privileged domain accounts, and deploy pack14 manually.
  4. Unpatched ProxyLogon (CVE-2021-26855–26858) – Used on Exchange servers left exposed after April 2024 PoC releases.
  5. Lateral movement via Impacket wmiexec / PSExec once inside.

Remediation & Recovery Strategies:

1. Prevention

  • Proactively block:
    • Attachment-borne ISO/ZIP/JAR unless from whitelisted senders.
    • RDP (TCP 3389) inbound from external IPs; enforce VPN + MFA.
    • Outbound SMBv1 (disable lanmanworkstation/lanmanserver) to stop worming.
  • Patch immediately:
    Microsoft March–May 2024 cumulative updates, Adobe Reader/Flash, Exchange 2013-2019, Atlassian Confluence.
  • Application whitelisting (AppLocker/WDAC) and LAPS for local admin randomisation.
  • Centralized logging & EDR with rule FileRename AND extension_contains "pack14" for early triage.
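The renaming convention in section 1 and the EDR triage rule above can be expressed as a small detection routine. The following is an added example written for this page, not code from the original profile or from any vendor product: it parses constructed FileRename telemetry (the line format, host names, PIDs, paths and the `user@example.invalid` address are all invented for the example, standing in for the redacted address on the page), anchors the match on the full `.ckey(<id>).email(<addr>).pack14` suffix rather than a bare `pack14` substring, extracts the ckey and e-mail tokens as IoCs, and names hosts whose rename burst exceeds a threshold as isolation candidates. It also keeps the loose `extension_contains "pack14"` check alongside, to show where that rule alone would raise a false positive.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Anchored pattern for the compound suffix described in section 1.
# Assumption: built from the renaming convention on the page, not a vendor signature.
# Case-insensitive even though the page reports all-lower-case suffixes.
PACK14_SUFFIX = re.compile(
    r"\.ckey\((?P<ckey>[a-z0-9]+)\)\.email\((?P<email>[^()\s]+)\)\.pack14$",
    re.IGNORECASE,
)

# Constructed sample telemetry (not real logs). One FileRename event per line:
#   <timestamp> <host> pid=<n> <old_path> -> <new_path>
SAMPLE_LOG = """\
2024-04-22T09:14:02Z FS01 pid=4412 D:\\Finance\\Quarterly_Report.xlsx -> D:\\Finance\\Quarterly_Report.xlsx.ckey(ok5wfftq).email(user@example.invalid).pack14
2024-04-22T09:14:02Z FS01 pid=4412 D:\\Finance\\Budget.docx -> D:\\Finance\\Budget.docx.ckey(ok5wfftq).email(user@example.invalid).pack14
2024-04-22T09:14:03Z FS01 pid=4412 D:\\Finance\\notes.txt -> D:\\Finance\\notes.txt.ckey(ok5wfftq).email(user@example.invalid).pack14
2024-04-22T09:20:11Z WS07 pid=2210 C:\\Users\\a\\draft.docx -> C:\\Users\\a\\draft_v2.docx
2024-04-22T09:21:40Z WS07 pid=3350 C:\\Users\\a\\pack14_notes.txt -> C:\\Users\\a\\pack14_notes_old.txt
"""


@dataclass
class RenameEvent:
    ts: str
    host: str
    pid: int
    old_path: str
    new_path: str


@dataclass
class Alert:
    host: str
    pid: int
    original_name: str  # path as it was before the suffix was appended
    ckey: str
    email: str


def parse_event(line: str) -> Optional[RenameEvent]:
    """Parse one line of the constructed telemetry format; None if it does not fit."""
    m = re.match(r"(\S+) (\S+) pid=(\d+) (.+?) -> (.+)$", line.strip())
    if not m:
        return None
    ts, host, pid, old, new = m.groups()
    return RenameEvent(ts, host, int(pid), old, new)


def naive_contains_rule(new_path: str) -> bool:
    """The loose 'extension_contains "pack14"' check: any 'pack14' substring matches."""
    return "pack14" in new_path.lower()


def classify(ev: RenameEvent) -> Optional[Alert]:
    """Alert only when the new name ends in the full compound suffix."""
    m = PACK14_SUFFIX.search(ev.new_path)
    if not m:
        return None
    original = ev.new_path[: m.start()]  # strip the suffix to recover the pre-encryption name
    return Alert(ev.host, ev.pid, original, m.group("ckey"), m.group("email"))


def triage(lines: List[str], burst_threshold: int = 3) -> Tuple[List[Alert], List[str]]:
    """Run the rule over raw lines. Returns (alerts, hosts at or above the burst threshold)."""
    alerts = [a for a in (classify(ev) for ev in map(parse_event, lines) if ev) if a]
    per_host = Counter(a.host for a in alerts)
    isolate = sorted(h for h, n in per_host.items() if n >= burst_threshold)
    return alerts, isolate


if __name__ == "__main__":
    found, hosts = triage(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.host} pid={a.pid} {a.original_name} ckey={a.ckey} email={a.email}")
    print("isolation candidates:", hosts)
```

On the sample above the anchored rule fires three times, all on FS01, which crosses the burst threshold and is listed for isolation; the WS07 rename of `pack14_notes.txt` matches the substring check but not the anchored suffix, which is why the compound suffix rather than the bare token should drive automated isolation.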

2. Removal (Step-by-Step)

  1. Isolate – Disable NICs or use firewall “Deny all” rules to stop lateral spread.
  2. Power-off snapshot – Obtain forensic images before re-imaging.
  3. Boot to Safe Mode with Networking → run Windows Defender Offline or a reputable AV rescue disk (Kaspersky, Bitdefender, Sophos SBRT).
  4. Hunt persistence:
    • Scheduled Tasks: \Microsoft\Windows\packScheduler
    • Registry Run-Once: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PackHelper
    • WMI Event Subscription: __EventFilter "Win32_VolumeChange" (payload "pack14.exe")
  5. Reset compromised local/domain passwords via domain admin tools; revoke Kerberos TGTs.
  6. Re-image the OS partition and redeploy from known-good base images rather than attempting in-place repair.

3. File Decryption & Recovery

  • Recovery Feasibility:
    As of June 2024, no freely available decryptor exists.
    • The variant encrypts each file with AES-256 in CBC mode; the per-file keys are RSA-2048-protected using an offline public key (cb39d2b31b22…).
    • ID-ransomware checks + Emsisoft & NoMoreRansom portals confirm no leak of the private keys to date.

  • Restoration Pathways:

  1. Check Volume Shadow Copies (vssadmin list shadows). The malware deletes them via vssadmin delete shadows /all, but some non-default schedules or ReFS checkpoints may survive.
  2. Restore from offline / immutable backups (S3-Object-Lock, WORM-tape, cloud air-gap).
  3. Engage legal counsel before considering ransom. Payments ($980 → $490 after 72 h in email negotiations) fund further crime and do not guarantee full decryption (corrupted archives later reported).

  • Essential Tools / Patches:
    • Latest Windows Cumulative Updates (May 2024 KB5036893+).
    • Microsoft Defender signature 1.405.605.0 labels the dropper Ransom:Win32/Pack14.A.
    • Exchange “April 2024 CU” and ProxyLogon mitigation script.
    • Kaspersky Anti-Ransomware Tool (KART) v5.0 and Bitdefender HyperDetect for rollback journaling.

4. Other Critical Information

  • Unique Characteristics:
    • The .pack14 version enforces deep NTFS “Zone.Identifier” rewrites, preventing double-click restoration of quarantined attachments and hampering IR automation.
    • Drops README_contract.hta and RESTORE_INFO.txt into every directory; the HTA doubles as a rudimentary countdown clock using <meta http-equiv="refresh">.

  • Broader Impact:
    • Among public-sector victims, the ransomware crippled 4 EU county libraries for eight days.
    • Healthcare providers faced outage of PACS imaging, impacting radiology department scheduling; this underscores that the strain aggressively terminates SQL Server and Veeam services (SQLServr.exe, VeeamAgent.exe).

  • Community Intelligence:
    Submit a copy of the ransom note plus an original file to ID-Ransomware and upload extension metadata to Tria.ge/VirusTotal (links below) to feed the community IOC pool:

    • IOC list (SHA256 hashes, network and contact indicators):

      7a30be9c981f3c5b0f8f…  pack14_dropper.exe  dropper
      9e1c1af9ea6b4cea0e5d…  pack14.exe          main payload
      3.14.159.26            C2 over Tor
      [email protected]      ICT contact

By pairing strict patching regimes, MFA everywhere, centralized EDR alerts on the “pack14” suffix, and immutable, verified backups, organizations can both survive existing hits and stop the next wave.