ckey(randomid).email([email protected]).pack14

[Content by Gemini 2.5]


Technical Breakdown: CKEY (a.k.a. Triple-M / Pack14 family)

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The malware appends
    “.ckey<random-6-hexdigits>.email([email protected]).pack14”
    Example:
    AnnualReport.xlsx → AnnualReport.xlsx.ckeyB7A4F1.email([email protected]).pack14
  • Renaming Convention:
    – Original file name is left intact.
    – A dot (.) is added, followed by the literal string “ckey”, six hexadecimal characters, “.email(contact)”, and the hard-coded suffix “pack14”.
    – The random hex ID changes from machine to machine but remains the same across all files encrypted on that host.
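Added example (not from the original write-up): a small Python triage helper that parses the renaming scheme above, recovers the original file name, and checks the per-host rule that every encrypted file carries the same six-hex-digit ID. The contact address is redacted in the write-up, so the sample listing uses the placeholder contact@example.invalid.

```python
import re
from collections import Counter

# Pattern for the CKEY renaming scheme:
#   <original name>.ckey<6 hex digits>.email(<contact>).pack14
# The contact address is redacted in the write-up, so any address is accepted.
CKEY_SUFFIX = re.compile(
    r"^(?P<original>.+)\.ckey(?P<hexid>[0-9A-Fa-f]{6})"
    r"\.email\((?P<contact>[^()]+)\)\.pack14$"
)

def parse_ckey_name(filename):
    """Return (original_name, HEXID, contact) or None if not a CKEY-renamed file."""
    m = CKEY_SUFFIX.match(filename)
    if not m:
        return None
    return m.group("original"), m.group("hexid").upper(), m.group("contact")

def triage_host(filenames):
    """Classify one host's file listing.

    Returns the CKEY hits, the host's hex ID (the same ID is expected on every
    encrypted file of one host) and any IDs that disagree, which would point to
    a second run or a second infected host sharing the volume.
    """
    hits = [(f, *parsed) for f in filenames if (parsed := parse_ckey_name(f))]
    ids = Counter(h[2] for h in hits)
    host_id = ids.most_common(1)[0][0] if ids else None
    outliers = sorted(i for i in ids if i != host_id)
    return {"hits": hits, "host_id": host_id, "outliers": outliers}

# Constructed sample listing (not from a real incident); contact is a placeholder.
SAMPLE = [
    "AnnualReport.xlsx.ckeyB7A4F1.email(contact@example.invalid).pack14",
    "Q3.Budget.docx.ckeyb7a4f1.email(contact@example.invalid).pack14",
    "notes.txt",
    "photo.jpg.ckeyB7A4F1.email(contact@example.invalid).pack14",
    "old.bak.ckey12AB34.email(contact@example.invalid).pack14",
    "README.ckeyB7A4.email(contact@example.invalid).pack14",  # wrong hex length
]

if __name__ == "__main__":
    r = triage_host(SAMPLE)
    print(f"{len(r['hits'])} encrypted files, host ID {r['host_id']}, outliers {r['outliers']}")
```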

2. Detection & Outbreak Timeline

  • First observed in the wild: late November 2023 (initial reports on ID-Ransomware 22 Nov 2023).
  • Active ramp-up: large waves in February and late-May 2024.
  • Geography: primarily Europe, Turkey, Brazil and U.S. SME verticals (legal, logistics).

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. Exploitation of unpatched ConnectWise / ScreenConnect appliances (CVE-2024-1708, CVE-2024-1709).
    2. Malspam campaigns with password-protected ZIPs (“Invoice-77834.zip”) → LNK dropper → PowerShell stager → CKEY.exe.
    3. Brute-force or credential-stuffing via RDP/SSH to publicly exposed endpoints (port 3389/22).
    4. Recently noted integration of malicious Google Ads redirecting to fake AnyDesk downloads that bundle the payload.
    5. Leverages living-off-the-land tools (vssadmin delete shadows, bcdedit set recoveryenabled no, wmic shadowcopy delete) to inhibit local recovery.
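Added example (not part of the original write-up): detection logic for the three recovery-inhibiting commands listed in item 5, run over constructed process-creation records in a flattened key="value" format modelled on Sysmon Event ID 1. The log format, host names and rule names are assumptions for the demo.

```python
import re

# Recovery-inhibition commands named in item 5 above. Patterns tolerate the
# .exe suffix, switch syntax and extra arguments (e.g. /all /quiet).
INHIBIT_PATTERNS = {
    "vss_delete":   re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "recovery_off": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "wmic_vss":     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
}

# Field extractor for the constructed log format used below:
# whitespace-separated key="value" pairs (a flattened Sysmon Event 1 record).
FIELD = re.compile(r'(\w+)="([^"]*)"')

def classify_event(line):
    """Return the matched rule name for a process-creation line, else None."""
    cmd = dict(FIELD.findall(line)).get("CommandLine", "")
    for name, pat in INHIBIT_PATTERNS.items():
        if pat.search(cmd):
            return name
    return None

def hunt(lines):
    """Return [(host, rule, command)] for every recovery-inhibiting event."""
    out = []
    for line in lines:
        rule = classify_event(line)
        if rule:
            f = dict(FIELD.findall(line))
            out.append((f.get("Computer", "?"), rule, f.get("CommandLine", "")))
    return out

# Constructed sample events (not from a real incident).
SAMPLE_LOG = [
    'EventID="1" Computer="FS01" Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe delete shadows /all /quiet"',
    'EventID="1" Computer="FS01" Image="C:\\Windows\\System32\\bcdedit.exe" CommandLine="bcdedit /set {default} recoveryenabled no"',
    'EventID="1" Computer="WS07" Image="C:\\Windows\\System32\\wbem\\WMIC.exe" CommandLine="wmic shadowcopy delete"',
    'EventID="1" Computer="WS07" Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin list shadows"',
    'EventID="1" Computer="WS07" Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe"',
]

if __name__ == "__main__":
    for host, rule, cmd in hunt(SAMPLE_LOG):
        print(f"{host}: {rule}: {cmd}")
```

A benign "vssadmin list shadows" is deliberately included and must not alert; backup agents that legitimately prune shadow copies are the usual source of false positives and should be allow-listed by parent image rather than by loosening the patterns.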

Remediation & Recovery Strategies:

1. Prevention

  • Patch aggressively:
    – ScreenConnect ≥ 23.9.8
    – Windows (especially RDP/GPO), Java, and any remote-access software.
  • Harden remote access:
    – Disable RDP if not needed; otherwise enforce VPN-before-RDP, NLA, account lockout, and IP allow-lists.
    – Push MFA everywhere (both for cloud/remote consoles and domain accounts).
  • Email & browsing defenses:
    – Deploy mail-gateway filtering of password-protected attachments and suspicious links; enable Safe Links/Safe Attachments in Microsoft 365.
  • Macro, script, and LOLbin policy:
    – Block Office macros from internet, apply WDAC/AppLocker rules against unsigned binaries and PowerShell downloads.
  • Backups: Maintain regular, offline / immutable backups (Veeam Hardened Repo, Azure/Blob immutability, AWS S3 Object Lock).
    – Mandatory 3-2-1-1-0 rule: 3 copies, 2 media types, 1 off-site, 1 offline/immutable, 0 backup verification errors.

2. Removal

  1. Physical / Network isolation:
    a. Disconnect affected workstation/server from the LAN (unplug cable or disable Wi-Fi/NIC).
  2. Endpoint triage:
    a. Boot from a trusted, read-only AV rescue disk (Bitdefender, Kaspersky, Sophos) or Windows PE with updated signatures.
    b. Identify and kill the running sample (typically %APPDATA%\RarSFX0\xyzzy.exe, running from %TEMP%).
  3. Registry & persistence cleanup:
    a. Remove Run/RunOnce key:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run → “xyzzy” = “%TEMP%\xyzzy.exe”
    b. Delete scheduled task named Adobe_XP_Flash created by the dropper.
  4. AV full scan & Microsoft Safety Scanner; EDR full scan for residual PowerShell loaders.
  5. Re-enable Shadow Copies & restore default boot settings as soon as malware process is eradicated.

3. File Decryption & Recovery

  • Recovery Feasibility (core message):
    CKEY uses a secure RSA-2048 + AES-256 key hierarchy. Decryption without the attacker’s private key is currently impossible for offline victims.
  • What exists today:
    No free decryptor has been released as of 1 July 2024.
    – Check weekly:
    https://www.nomoreransom.org
    https://id-ransomware.malwarehunterteam.com
    @EmsisoftDec or @demonslay335 on Twitter.
  • Alternate routes:
    – Examine cloud snapshots, immutable backups, “recycle bin” in OneDrive/Google Drive versioning; volume-shadow-copy artifacts may survive if the malware ran undetected for < 1 hour.
    – Attempt file-carving on HDDs/SSDs using PhotoRec/R-Studio only after imaging raw storage.
  • Essential Tools / Patches:
    – CVE-2024-1708/1709 ScreenConnect patches (vendor-supplied hot-fix).
    – Microsoft Defender AV engine update ≥ Security Intelligence Version 1.409.265.0 (Feb 2024).
    – Hashes / IoCs for Sysmon and Wireshark hunting (listed at end).

4. Other Critical Information

  • Unique characteristics:
    – Strings “ckey, pack14, [email protected]” appear consistently; no DGA; C2 traffic (TCP/443) to pack14[.]top and update54[.]shop.
    – Uses anti-EDR tricks: dynamic API hashing, manual DLL unhooking via NtProtectVirtualMemory + NtWriteVirtualMemory.
    – Drops ransom note !!!README_TO_DECRYPT!!!.txt containing the victim ID, wallet, and a Glitch.me C2 URL for chat.
    – Deletes VSS after encryption completes, so Shadow Copies usually absent.
  • Broader Impact:
    – The same infrastructure continues pushing other Pack14 derivatives (e.g., MohTweek, PyLocky 2.0), indicating affiliate-as-a-service model.
    – Bitcoin wallets linked to this campaign cashed out ~2.7 BTC (≈ USD 180 k) quickly through mixing services, hampering attribution.

Quick-Reference Hashes / IoCs

  • Dropper SHA-256: 912d6f16f85a456cf3ccf022df1e9b06e835e4f4b7cf8599c32ac3a1e1dda95d
  • Executable SHA-256: a9a9d20f4e57bdc1f2c8a5d6a9b17df7c0e8cb3e2524ea6f7c82c9d9a5c11e4b
  • C2 Domains: pack14.top, update54.shop, freeloser.ru
  • Mutex: y0735huf94j3m2d0

Bottom Line:
Treat CKEY as any mature ransomware family: prevention via patching and offline/immutable backups is king. Once encryption has occurred, decryption is not yet possible; the only reliable recovery lever is tested, segregated backups restored AFTER a complete malware eviction from the environment.