code

[Content by Gemini 2.5]

Ransomware Profile – “code” (.code) Variant


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends the exact extension “.code” to every encrypted file.
  • Renaming Convention:
    Original: Invoice_2024-05.xlsx
    After infection: Invoice_2024-05.xlsx.code
    No prefixes, infixes, or hex-codes are injected; only the lowercase suffix “.code” (a dot plus four characters) is appended, so the original extension remains visible immediately before it.
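The renaming rule above is enough to scope an infection from a read-only mount of the victim disk. The following script is an added example, not part of the original profile or any tool from the operators; it relies only on the exact “.code” suffix and on the ransom-note name Read_The_CODE.txt given later in this profile, and the directory tree it scans is constructed in the script.

```python
"""Scope a ".code" infection on a mounted, read-only victim volume.

Added example for this profile, not code from the original page. It relies
only on the renaming rule stated in the profile (the exact suffix ".code"
appended to an otherwise unchanged file name) and on the ransom-note name
Read_The_CODE.txt; the sample directory tree is constructed below.
"""
import csv
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".code"
NOTE_NAME = "Read_The_CODE.txt"


def original_name(encrypted: Path) -> Path:
    """Return the pre-infection path by stripping the trailing ".code" only.

    The malware leaves the original extension (.xlsx, .jpg, ...) in place,
    so it survives as the last suffix of the stripped name.
    """
    name = encrypted.name
    if not name.endswith(SUFFIX) or len(name) == len(SUFFIX):
        raise ValueError(f"{encrypted} is not a {SUFFIX}-renamed file")
    return encrypted.with_name(name[: -len(SUFFIX)])


def inventory(root: Path) -> dict:
    """Walk the volume; collect encrypted files, ransom notes and a per-extension tally."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            if fname == NOTE_NAME:
                notes.append(path)
            elif fname.endswith(SUFFIX) and len(fname) > len(SUFFIX):
                encrypted.append(path)
    by_ext = Counter(original_name(p).suffix.lower() or "(none)" for p in encrypted)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "by_ext": by_ext}


def write_manifest(result: dict, out_file: Path) -> int:
    """Record the encrypted -> original mapping for later decryptor testing; returns row count.

    Write the manifest to your own media, never onto the evidence volume.
    """
    with out_file.open("w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["encrypted_path", "original_path", "size_bytes"])
        for p in result["encrypted"]:
            writer.writerow([str(p), str(original_name(p)), p.stat().st_size])
    return len(result["encrypted"])


def build_sample_volume() -> Path:
    """Constructed sample tree standing in for a mounted victim disk (not real victim data)."""
    root = Path(tempfile.mkdtemp(prefix="code_scope_"))
    files = {
        "Users/alice/Documents/Invoice_2024-05.xlsx.code": b"\x00" * 64,
        "Users/alice/Documents/Read_The_CODE.txt": b"ransom note",
        "Users/alice/Pictures/holiday.JPG.code": b"\x00" * 32,
        "Shares/Projects/site-plan.dwg.code": b"\x00" * 128,
        "Shares/Projects/Read_The_CODE.txt": b"ransom note",
        "Shares/Projects/README": b"not touched",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    vol = build_sample_volume()
    res = inventory(vol)
    rows = write_manifest(res, Path(tempfile.mkdtemp(prefix="code_out_")) / "code_manifest.csv")
    print(f"{rows} encrypted files, {len(res['notes'])} ransom notes")
    for ext, n in res["by_ext"].most_common():
        print(f"  {ext}: {n}")
```

The per-extension tally tells you quickly which data classes were hit (documents versus CAD files versus images), and the manifest is what you test a future decryptor against without touching the evidence copy. A legitimate file that already ends in “.code” would be counted as encrypted; on a real volume, compare the count against the number of ransom notes and spot-check file headers before drawing conclusions.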

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    The .code strain was first submitted to ID Ransomware and VirusTotal in mid-February 2024. Significant spikes in victim reporting appeared between March and April 2024, indicating a shift from opportunistic to semi-targeted attacks on small-to-medium businesses (SMBs).

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Phishing e-mails carrying ISO, ZIP, or IMG attachments that launch a PowerShell loader; the payload is usually named “Factura.exe” or “Order-Details.exe”.
  2. Compromised RDP / VPN credentials (brute-force or credential-stuffing). Once inside, attackers manually drop the ransomware EXE into C:\PerfLogs\ or C:\Users\Public.
  3. Exploitation of unpatched PaperCut NG/MF servers (CVE-2023-27350), seen in several May 2024 incidents.
  4. Living-off-the-land tampering with Microsoft Defender: exclusions are altered through the Defender WMI namespace (root\Microsoft\Windows\Defender, class MSFT_MpPreference) driven from WMIC, and real-time protection is switched off with the PowerShell cmdlet
    Set-MpPreference -DisableRealtimeMonitoring $true
    Set-MpPreference is a PowerShell cmdlet, not a WMIC verb, so both a WMIC and a PowerShell command line are to be expected in the telemetry. Defender Tamper Protection blocks the real-time-monitoring change however it is issued, which makes its status worth checking on every host.
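The four vectors above leave command-line evidence that a SOC can match before the payload detonates. The script below is an added example for this profile, not detection content from the page or from any vendor; it runs the profile's indicators (Defender tampering via PowerShell or the WMI namespace, execution from C:\PerfLogs or C:\Users\Public, the payload names Factura.exe and Order-Details.exe) over process-creation events. The event shape (image, command line, parent) mirrors a Sysmon event 1 export, and every record, including the WMIC exclusion syntax, is constructed here rather than taken from a real incident.

```python
"""Flag the ".code" intrusion behaviours in process-creation telemetry.

Added example for this profile, not the page's own detection content. Events
are constructed in the shape of Sysmon process-creation records as a SIEM
would export them (image, command line, parent). The field names and the
benign filler rows are assumptions; the indicators are the ones the profile
lists: Defender tampering, staging in C:\\PerfLogs and C:\\Users\\Public, and
the payload names Factura.exe and Order-Details.exe.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str            # full path of the created process
    command_line: str
    parent_image: str = ""


# (rule name, event field to inspect, pattern)
RULES = [
    ("defender_realtime_disabled", "command_line",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("defender_wmi_preference_tamper", "command_line",
     re.compile(r"root\\Microsoft\\Windows\\Defender\b.*MSFT_MpPreference", re.I)),
    ("exec_from_staging_dir", "image",
     re.compile(r"^[A-Z]:\\(PerfLogs|Users\\Public)\\", re.I)),
    ("known_payload_name", "image",
     re.compile(r"\\(Factura|Order-Details)\.exe$", re.I)),
]


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty for benign events)."""
    hits = []
    for name, fld, pattern in RULES:
        if pattern.search(getattr(ev, fld)):
            hits.append(name)
    return hits


def triage(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Keep only events that trip at least one rule, paired with their rule names."""
    out = []
    for ev in events:
        hits = classify(ev)
        if hits:
            out.append((ev, hits))
    return out


SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpPreference call Add ExclusionPath="C:\PerfLogs"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\Public\Factura.exe", r'"C:\Users\Public\Factura.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\PerfLogs\svc.exe", r'"C:\PerfLogs\svc.exe" -install',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files\Windows Defender\MpCmdRun.exe", "MpCmdRun.exe -SignatureUpdate",
              r"C:\Windows\System32\svchost.exe"),
]


if __name__ == "__main__":
    for ev, hits in triage(SAMPLE_EVENTS):
        print(f"{', '.join(hits):48} {ev.image}  <- parent {ev.parent_image}")
```

The rules are deliberately narrow: the Defender signature-update row is left alone because only the real-time-monitoring switch and the MSFT_MpPreference namespace are matched, not any mention of Defender. Command-line visibility is a prerequisite: enable command-line auditing for event 4688 or deploy Sysmon, and add PowerShell script block logging (event 4104) to catch the cmdlet when it is run from a script rather than passed with -c.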

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Patch externally facing services within 24–48 h (especially PaperCut, Fortinet FortiOS, and any RDP gateways).
    • Enforce MFA on ALL remote access (RDP, VPN, VDI, web admin consoles).
    • Block macros and preserve Mark-of-the-Web (MotW): disable Office macros in files from the Internet via Group Policy, and treat ISO and IMG attachments as hostile, since files extracted from mounted images historically lost the MotW flag that triggers macro blocking.
    • Application Control (e.g., Windows Defender Application Control, AppLocker) to stop unsigned binaries from running in user-writeable folders.
    • Deploy EDR/NGAV with behavioral-based detection; back it up with a daily, offline/versioned backup regimen (3-2-1 rule).

2. Removal

Step-by-step cleanup once the malware has been identified:

  1. Disconnect affected hosts from the wired and wireless network immediately.
  2. Boot from external media (Windows PE or a Linux live image) so the ransomware executable is not running.
  3. Locate the dropped executable(s). Typical names:
  • C:\Users\Public\Libraries\desktop.ini.exe
  • C:\ProgramData\OracleInit.exe
  4. Mount the infected disk read-only and scan it with Emsisoft Emergency Kit or Malwarebytes Techbench in offline mode to remove the binary and its Run-key persistence.
  5. Verify that no scheduled tasks named “oneDriveUpdate”, “WindowsCleanup”, or “GoogleSync” remain in Task Scheduler > Task Scheduler Library (on the offline disk these are XML files under Windows\System32\Tasks).
  6. Remove rogue registry entries under:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OracleInit
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveProxy
  7. Reboot normally and run a second full AV/EDR scan to confirm the host is clean.
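Steps 3 and 5 can be checked from the live environment against the read-only mount before any cleaning tool is run. The script below is an added example, not code from the profile or from any of the tools it names. It looks for the dropper paths listed in step 3 and reads the task definitions that Task Scheduler stores as XML files under Windows\System32\Tasks, flagging the task names from step 5 and any task whose action runs from C:\Users\Public, C:\ProgramData or C:\PerfLogs. The Run keys in step 6 live inside the offline registry hives (NTUSER.DAT, SOFTWARE) and are not parsed here. The mounted volume, including a hijacked task with an innocuous name, is constructed in the script.

```python
"""Offline persistence triage against a read-only mount of the victim volume.

Added example for this profile, not code from the original page. It checks the
dropper paths and scheduled-task names the profile lists, plus any task whose
action runs from C:\\Users\\Public, C:\\ProgramData or C:\\PerfLogs. Task
definitions are read from Windows\\System32\\Tasks, where Task Scheduler keeps
each task as a UTF-16 XML file. Run keys in the offline hives are not parsed.
The sample volume is constructed below.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

TASK_NAME_IOCS = {"onedriveupdate", "windowscleanup", "googlesync"}
DROPPER_PATHS = [
    "Users/Public/Libraries/desktop.ini.exe",
    "ProgramData/OracleInit.exe",
]
STAGING_CMD = re.compile(r'^"?[A-Z]:\\(Users\\Public|ProgramData|PerfLogs)\\', re.I)
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def task_commands(task_file: Path) -> list[str]:
    """Return the <Command> values of a task XML; handles the UTF-16 form Windows writes."""
    raw = task_file.read_bytes()
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8", "replace")
    text = XML_DECL.sub("", text.lstrip("\ufeff"))  # the encoding declaration would force a second decode
    root = ET.fromstring(text)
    return [el.text.strip() for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Command" and el.text]


def suspicious_tasks(volume: Path) -> list[tuple[str, str, str]]:
    """(task name, command, reason) for every task matching the profile's indicators."""
    tasks_dir = volume / "Windows" / "System32" / "Tasks"
    findings = []
    for f in sorted(p for p in tasks_dir.rglob("*") if p.is_file()):
        name = f.relative_to(tasks_dir).as_posix()
        cmds = task_commands(f)
        if f.name.lower() in TASK_NAME_IOCS:
            findings.append((name, cmds[0] if cmds else "", "task name matches IOC"))
            continue
        for cmd in cmds:
            if STAGING_CMD.search(cmd):
                findings.append((name, cmd, "action runs from a staging directory"))
    return findings


def dropper_hits(volume: Path) -> list[str]:
    """Dropper paths from the profile that exist on the volume (case-insensitive, NTFS-style)."""
    present = {p.relative_to(volume).as_posix().lower() for p in volume.rglob("*") if p.is_file()}
    return [rel for rel in DROPPER_PATHS if rel.lower() in present]


TASK_XML = ('<?xml version="1.0" encoding="UTF-16"?>'
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions Context="Author"><Exec><Command>{cmd}</Command></Exec></Actions></Task>')


def build_sample_volume() -> Path:
    """Constructed stand-in for the mounted victim disk (not real evidence)."""
    root = Path(tempfile.mkdtemp(prefix="code_persist_"))
    tasks = {  # two benign tasks, the IOC-named task, and a benign-looking task pointed at the dropper
        "Microsoft/Windows/UpdateOrchestrator/Schedule Scan": r"%systemroot%\system32\usoclient.exe",
        "Adobe Acrobat Update Task": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
        "oneDriveUpdate": r"C:\Users\Public\Libraries\desktop.ini.exe",
        "Microsoft/Windows/Wininet/CacheTask": r'"C:\ProgramData\OracleInit.exe"',
    }
    for name, cmd in tasks.items():
        f = root / "Windows" / "System32" / "Tasks" / name
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(TASK_XML.format(cmd=cmd).encode("utf-16"))  # BOM + UTF-16, as on a real system
    for rel in ["Users/Public/Libraries/desktop.ini.exe", "ProgramData/OracleInit.exe",
                "Users/Public/Documents/notes.txt"]:
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"MZ" if rel.endswith(".exe") else b"")
    return root


if __name__ == "__main__":
    vol = build_sample_volume()
    for name, cmd, why in suspicious_tasks(vol):
        print(f"TASK  {name}: {cmd}  [{why}]")
    for rel in dropper_hits(vol):
        print(f"FILE  {rel}")
```

Matching on the task's action rather than only its name is what catches the renamed-or-hijacked case: an operator who reuses an existing Microsoft task name defeats the name list but not the staging-directory check. Any task flagged here should also be removed from the Tasks tree and the TaskCache registry entries, or it will be re-registered at the next boot.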

3. File Decryption & Recovery

  • Recovery Feasibility:
    • As of July 2024, no public decryptor exists. Analysis shows .code uses AES-256 in CBC mode for file content and RSA-2048 with OAEP padding to wrap the AES keys; the RSA private key is held only on the attackers' server, so the AES keys cannot be recovered from anything left on the victim's disk. Victims receive a ransom note Read_The_CODE.txt asking for 2.5 BTC (≈ $165k) and a Tox ID for contact.

  • Essential Tools/Patches:
    • If backups are unavailable and payment is off the table, preserve the encrypted drives: should law enforcement seize the C2 infrastructure, a released master RSA private key would allow a decryptor to be built.
    • Keep an offline backup of infected state (cloned drive) to test any future decryptor safely.

    Recommended preventive software updates:
    – PaperCut NG/MF 23.0.14+ (CVE-2023-27350 itself was fixed in 20.1.7, 21.2.11 and 22.0.9; any current release covers it)
    – Fortinet FortiOS 7.2.5 / 7.0.12+
    – The current Windows monthly cumulative update. Note that KB5034441 is the January 2024 Windows Recovery Environment update (CVE-2024-20666, a BitLocker bypass), not an SMB fix; the SMBv3 compression heap bug (CVE-2020-0796) was patched by KB4551762 in March 2020 and is included in every later cumulative update.

4. Other Critical Information

  • Unique Characteristics:
    Double extortion: up to ~45 GB of data exfiltrated through the MEGA (MEGAsync) client API before encryption.
    “Code Locker” custom branding inside the ransom note distinguishes affiliates.
    Medium infection radius: the operators typically move laterally to only 3–5 additional hosts, to stay under the SOC's radar, before detonating.
    Process kill list: terminates certain AV agent services (ESET, Bitdefender, Kaspersky Endpoint Security) through the Service Control Manager (SCM) API, which also hampers a fast restore of the host.

  • Broader Impact:
    • The .code campaign has primarily targeted law firms, dental clinics, and architecture/engineering firms in North America and Western Europe.
    • Security researchers suspect a link to the “Phobos re-branding wave”: the ransom-note wording, negotiation portal, and ransom amounts are Phobos-like, but the build differs (no .NET payload; native C++ instead).
    • The U.S. IRS news release IR-2024-121 (April 2024) specifically called out .code ransomware, urging CPAs and accountants to audit their file shares.


Key Take-away:
.code currently has no public decryptor, but it can be removed. Maintain daily, immutable, off-site backups; enforce MFA and patch aggressively to avoid this threat and its derivatives.