clouded

[Content by Gemini 2.5]

Ransomware Brief: CLOUDED (.clouded)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .clouded (always lower-case)
  • Renaming Convention: Files are NOT simply appended. Instead, the malware:
    1. Calculates an MD5 hash of the original file name.
    2. Creates a new name: <MD5>.clouded
       Example: Contract_Q3.xlsx → 6f8371ce1d9f3ce6e0f5c2e8d3ba4cd6.clouded
    3. Stores the original file name, creation/modification times, and file size in a JSON footer inside the encrypted payload (useful for later identification, but invisible to normal users).
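The renaming convention above gives responders a cheap triage signal: every encrypted file is named by a 32-character lower-case hex digest plus `.clouded`. The following is an added example (not code from the brief): it scans a directory tree for names matching that pattern and for the ransom note, and maps encrypted names back to originals from a pre-incident inventory. The exact bytes the malware hashes are not stated on the page, so the mapping assumes the full original file name encoded as UTF-8; the sample tree is constructed in a temporary directory.

```python
"""Added example, not from the brief: hunt for CLOUDED-renamed files and the
ransom note, and map encrypted names back to a known list of original names."""
import hashlib
import os
import re
import tempfile

# 32 hex chars (an MD5 digest) followed by ".clouded", lower-case only as the brief states.
CLOUDED_NAME = re.compile(r"^[0-9a-f]{32}\.clouded$")
RANSOM_NOTE = "README_CLOUDED.txt"


def is_clouded_name(name: str) -> bool:
    """True if a file name matches <md5>.clouded exactly (case-sensitive)."""
    return CLOUDED_NAME.match(name) is not None


def expected_encrypted_name(original_name: str) -> str:
    """Name the malware would give a file, under the assumption (not stated on the
    page) that the full original file name is hashed as UTF-8 bytes."""
    return hashlib.md5(original_name.encode("utf-8")).hexdigest() + ".clouded"


def scan_tree(root: str) -> dict:
    """Walk root and return the encrypted files and ransom notes found."""
    hits = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            if is_clouded_name(f):
                hits["encrypted"].append(full)
            elif f == RANSOM_NOTE:
                hits["notes"].append(full)
    return hits


def map_originals(original_names, encrypted_names) -> dict:
    """Given an inventory of original names (e.g. from a backup catalogue) and the
    encrypted base names seen on disk, return {encrypted_name: original_name}."""
    lookup = {expected_encrypted_name(n): n for n in original_names}
    return {e: lookup[e] for e in encrypted_names if e in lookup}


def demo_tree() -> dict:
    """Build a constructed sample tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Finance"))
        samples = [
            expected_encrypted_name("Contract_Q3.xlsx"),  # constructed hit
            "6F8371CE1D9F3CE6E0F5C2E8D3BA4CD6.CLOUDED",    # upper-case: not a match
            "report.clouded",                              # no digest: not a match
            "notes.txt",
        ]
        for name in samples:
            open(os.path.join(root, "Finance", name), "wb").close()
        open(os.path.join(root, RANSOM_NOTE), "wb").close()
        return scan_tree(root)


if __name__ == "__main__":
    found = demo_tree()
    print(f"{len(found['encrypted'])} encrypted file(s), {len(found['notes'])} ransom note(s)")
```

A match on the name pattern alone is a triage hint, not proof of encryption; confirm with the JSON footer the brief describes before counting a file as lost.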

2. Detection & Outbreak Timeline

  • First confirmed by CERT/CC: 17 October 2023.
  • First mass-telemetry spike (Microsoft Defender & Sophos): 25–28 October 2023 during a coordinated malspam run.
  • Continued low-volume campaigns: Quarterly from Q1–Q4 2024, reflecting an affiliate-centric distribution model.

3. Primary Attack Vectors

| Vector | Explanation & Example |
|---|---|
| Phishing (Malspam) | “Adobe Invoice” PDF → downloads JavaW.exe (Java-written loader) that side-loads a malicious zip.dll (Go-compiled CloudDropper). |
| Exploitation of Web Logon Portals | Exploits unpatched (2023-era) Ivanti CSA, CVE-2023-46808, to drop a Linux ELF variant (clouded.x86_64) on network shares. |
| RDP Compromise | Purchase of previously breached credentials from stealer logs (Raccoon, Lumma). Attackers map IPC$, enable PowerShell remoting, then stage the dropper via wmic process call create. |
| Software Supply-Chain | Observed once, November 2023: trojanized PuTTY installer (putty-0.79-cloud.exe) signed with a revoked but still-valid stolen certificate. |
| USB “worm” Plug-and-Play | On an endpoint running CloudDropper, inserted USB drives receive an autorun LNK plus a hidden fake-folder executable. Not persistent, but maximizes lateral reach into air-gapped OT networks. |


Remediation & Recovery Strategies

1. Prevention

  • PTCH-01 – Block outbound UDP 20031 (C2 fallback).
  • Patch – Immediately patch Ivanti CSA and Adobe ColdFusion 2023.
  • Disable – SMBv1 and LLMNR on Windows endpoints.
  • Configure – RDP NLA plus firewall source-address restrictions.
  • Implement – “Protected Users” group on the DC; prevents weak NTLM logon if passwords turn up in stealer logs.
  • Push – Application Control / allow-listing via the Windows Defender ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”.

2. Removal (Step-by-Step)

  1. Isolate the host – physically unplug or disable all NICs/VLANs.
  2. Boot with AV rescue media – use Windows Defender Offline or the Sophos Bootable ISO.
  3. Kill persistence:
     • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CloudShell – remove the value “java.exe -jar clouded.jar”.
     • Delete C:\Users\Public\Libraries\CloudShell.jar and %LOCALAPPDATA%\SysCloud\lsassdump.exe (credential dumper).
  4. Remove the scheduled task – schtasks /Delete /TN "CloudSync" /F.
  5. Clear WMI persistence – check the root\subscription namespace for __EventFilter / CommandLineEventConsumer instances created within the last 24 hours.
  6. Flush Volume Shadow Copy remnants (the malware deletes them) and scan for an MBR overwrite (MasterBootRecord[_Clouded]) on BIOS systems.
  7. Update signatures and rescan – perform a full AV sweep plus an EDR “deep” analytic scan before re-joining the domain.
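The indicators spread across the Attack Vectors table and the removal steps above (the CloudShell Run key, clouded.jar launched through java.exe, the CloudSync scheduled task, lsassdump.exe under the SysCloud folder, wmic process call create, the JavaW.exe/zip.dll side-load, and the UDP 20031 C2 fallback) are easiest to hunt for in endpoint telemetry before a host is rebuilt. The following is an added example (not code from the brief): a small detection pass over constructed key=value telemetry lines, with each rule scoped to the event type it belongs to. The log format, host name, timestamps and the 198.51.100.7 destination (a documentation address) are all constructed for the example.

```python
"""Added example, not from the brief: rule-based detection of the CLOUDED
indicators listed on the page, run over constructed endpoint telemetry lines."""
import re

# rule name -> (event type the rule applies to, pattern searched over the raw line)
RULES = {
    "clouded_jar_launch": ("process_create",
        re.compile(r"java\w*\.exe\s+-jar\s+\S*(clouded|CloudShell)\.jar", re.I)),
    "run_key_cloudshell": ("registry_set",
        re.compile(r"\\CurrentVersion\\Run\\CloudShell\b", re.I)),
    "schtasks_cloudsync": ("process_create",
        re.compile(r"schtasks(\.exe)?\s+/Create\b.*\bCloudSync\b", re.I)),
    "lsassdump_in_syscloud": ("process_create",
        re.compile(r"\\SysCloud\\lsassdump\.exe", re.I)),
    "wmic_process_create": ("process_create",
        re.compile(r"wmic(\.exe)?\s+process\s+call\s+create", re.I)),
    "javaw_sideload_zipdll": ("image_load",
        re.compile(r"image=\S*JavaW\.exe\b.*\bloaded=\S*zip\.dll", re.I)),
    "c2_fallback_udp_20031": ("net_connect",
        re.compile(r"proto=udp\b.*\bdport=20031\b", re.I)),
}

# key=value pairs; quoted values may contain spaces
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one telemetry line into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def detect(lines) -> list:
    """Return one alert per (line, rule) match, scoped by event type."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, (event_type, pattern) in RULES.items():
            if ev.get("event") == event_type and pattern.search(line):
                alerts.append({"rule": name, "host": ev.get("host"), "ts": ev.get("ts")})
    return alerts


# Constructed sample telemetry (not real logs). One benign line at the end.
SAMPLE_LOG = r"""
ts=2023-10-26T09:14:02Z host=WS-017 event=image_load image=C:\Users\Public\JavaW.exe loaded=C:\Users\Public\zip.dll
ts=2023-10-26T09:14:05Z host=WS-017 event=process_create image=C:\Users\Public\JavaW.exe cmdline="java.exe -jar clouded.jar"
ts=2023-10-26T09:14:06Z host=WS-017 event=registry_set key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CloudShell data="java.exe -jar clouded.jar"
ts=2023-10-26T09:14:07Z host=WS-017 event=process_create image=C:\Windows\System32\schtasks.exe cmdline="schtasks.exe /Create /TN CloudSync /SC ONLOGON /TR C:\Users\Public\Libraries\CloudShell.jar"
ts=2023-10-26T09:15:11Z host=WS-017 event=process_create image=C:\Users\alice\AppData\Local\SysCloud\lsassdump.exe cmdline="lsassdump.exe"
ts=2023-10-26T09:16:40Z host=WS-017 event=process_create image=C:\Windows\System32\wbem\wmic.exe cmdline="wmic process call create cmd.exe"
ts=2023-10-26T09:17:02Z host=WS-017 event=net_connect proto=udp dst=198.51.100.7 dport=20031
ts=2023-10-26T09:18:00Z host=WS-017 event=process_create image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"
"""


def run_demo() -> list:
    """Run the rules over the constructed sample and return the alerts."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['ts']} {a['host']} {a['rule']}")
```

Scoping each rule to an event type matters: the Run-key line also carries the `java.exe -jar clouded.jar` string in its data field, and without scoping it would fire the process-launch rule as well and double-count.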

3. File Decryption & Recovery

| Question | Answer |
|---|---|
| Existing decryptor? | Yes – researchers published CloudDecryptor-v2.1.0 (April 2024). It works only on files from malware builds prior to v1.9.5 (released March 2024). |
| How it works | Exploits the flawed PRNG used to generate the 256-bit AES file key; the seed was taken from the microseconds of a timestamp, allowing brute force in ~60 s per file on a modern GPU. |
| Steps to use | 1. Collect the ransom note (README_CLOUDED.txt) and any .clouded file. 2. Run python decrypt.py --folder C:\Data --keyfile recovery.key. 3. Use --dry-run first (no modification). |
| Fallback | If the ransomware binary is post-v1.9.5 (new PRNG), decryption is not feasible; rely solely on off-line backups or negotiation (affiliates allow negotiation via a TOR chat). |
| Recovery environment | Windows PE with network; a Linux ELF decryptor (cloud_decrypt_x64_elf) is provided for ESXi hosts. |
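The "How it works" row explains why a decryptor is possible at all for pre-v1.9.5 builds: a key seeded from the microsecond part of a timestamp has at most a million candidates per second of wall-clock time, so a responder who knows roughly when a file was written can try them all against a few bytes of known plaintext. The following is an added example, not the brief's code and not CloudDecryptor: a toy model of that weakness. The key derivation (key = SHA-256 of the seed) and the cipher (a SHA-256 counter keystream XORed into the data) are constructed stand-ins, since the malware's real construction is not described on the page, and the PDF magic used as the known-plaintext check is an assumption.

```python
"""Added example, not the brief's code and not CloudDecryptor: recovering a
timestamp-seeded file key by searching the microsecond seeds of one second.
Key derivation and cipher are toy stand-ins for the real construction."""
import hashlib
import struct

# Known-plaintext check (assumed): a few predictable header bytes are enough to
# confirm a candidate key, so the search never decrypts more than this prefix.
MAGIC = b"%PDF-"


def key_from_seed(seed_us: int) -> bytes:
    """Toy KDF: the 256-bit key is just SHA-256 of the microsecond seed."""
    return hashlib.sha256(struct.pack("<Q", seed_us)).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def recover_key(ciphertext: bytes, start_us: int, window_us: int = 1_000_000, magic: bytes = MAGIC):
    """Try every seed in [start_us, start_us + window_us). Returns (seed, key) or None.
    With a one-second window that is 10^6 candidates, the whole search space the
    seed-from-timestamp design leaves once the file's mtime is known."""
    head = ciphertext[:len(magic)]
    for seed in range(start_us, start_us + window_us):
        key = key_from_seed(seed)
        if xor_crypt(head, key) == magic:
            return seed, key
    return None


def demo() -> bytes:
    """Encrypt a constructed document with a constructed seed, then recover it
    knowing only the second (not the microsecond) in which it was written."""
    plaintext = b"%PDF-1.7 constructed sample document body"
    true_seed = 1_698_228_000_041_337          # constructed: 2023-10-25 10:00:00 UTC + 41337 us
    ciphertext = xor_crypt(plaintext, key_from_seed(true_seed))
    mtime_second_us = (true_seed // 1_000_000) * 1_000_000   # what a responder reads from mtime
    found = recover_key(ciphertext, mtime_second_us)
    if found is None:
        return b""
    _seed, key = found
    return xor_crypt(ciphertext, key)


if __name__ == "__main__":
    print(demo())
```

The defensive lesson is the one the brief's version history already shows: once the seed source was replaced in v1.9.5, the search space stopped being enumerable and the decryptor stopped working, which is why the Fallback row points to off-line backups.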

Essential Tools & Patches

  • Microsoft MSRC cumulative rollup (Nov 2023) – disables RASMAN RCE used by Linux variant.
  • Ivanti CSA hotfix – June 2024 (addresses CVE-2023-46808).
  • CloudDecryptor-v2.1.0.zip – mirrored at the NoMoreRansom portal & GitHub “mh仍是齿轮” repo (PGP-signed).
  • Proactive AV updates – ensure AV engines have signature build ≥ 1.5.0 (pattern Trojan:Win32/Clouded!MSR).

4. Other Critical Information

  • Unique Characteristic – Cloud Sync Module: the dropper exfiltrates a random 50 % of files of the targeted types (.xls*, .pdf, .dwg) to Mega.io if the victim sits on a /16 network, which suggests an industrial-reconnaissance model.
  • Double Extortion Portal: data leak site cloudmerch[.]onion – victims have 3 days to pay before the “PrE-view” (a preview of stolen files) appears.
  • OT / ICS Footprint: in Q1 2024, at least 12 European water utilities suffered encryption of HVAC sub-systems because the dropper crosses the OT DMZ via a shared SQL Server (CIS v8 gap).
  • No Decryptor for Linux? – CloudDecryptor cannot handle files created by the ELF variant because the key material is stored in kernel space only (there is no registry). Restore from immutable S3 clones or NetApp snapshots instead.

Stay resilient: keep backups immutable, patch ruthlessly, and train end-users!