complete

[Content by Gemini 2.5]



Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .complete – the extension is appended after the original file extension (e.g., Document.xlsx.complete).
  • Renaming Convention:
  1. Original filename is preserved.
  2. Hard-coded string .complete is appended unconditionally; no additional hex or UID tokens are used.
  3. If a .complete file already exists, the variant overwrites it with a new encryption blob—no counter digits are added.
  4. The READONLY file attribute is set on each file after encryption so that casual deletion fails; clear it (attrib -r) only after evidence has been collected.
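The renaming rules above are simple enough to invert mechanically, which is what you want during triage: an inventory of what was encrypted, which original file types were hit, and a time window for the timeline. The following PowerShell script is an added example written for this page, not the malware author's or any vendor's code. The root path, report path, and use of the ransom note name README_COMPLETE.txt (given later on this page) are assumptions; it only reads, so it is safe to run against a mounted forensic image.

```powershell
# Added example: inventory files carrying the hard-coded ".complete" suffix,
# recover each original name/extension, and report the READONLY attribute
# described in the renaming pattern. Read-only: nothing is modified or deleted.
# Root, report path and note name are assumptions; adjust for your case.
param(
    [string]$Root     = 'D:\Evidence\mounted-volume',
    [string]$Report   = 'C:\IR\complete-inventory.csv',
    [string]$NoteName = 'README_COMPLETE.txt'   # ransom note name stated on this page
)

$suffix = '.complete'

$hits = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$suffix" } |
    ForEach-Object {
        # Exactly one trailing ".complete" is appended, so stripping it yields
        # the original name, including the original extension.
        $original = $_.Name.Substring(0, $_.Name.Length - $suffix.Length)
        [pscustomobject]@{
            EncryptedPath = $_.FullName
            OriginalName  = $original
            OriginalExt   = [System.IO.Path]::GetExtension($original).ToLowerInvariant()
            SizeBytes     = $_.Length
            LastWriteUtc  = $_.LastWriteTimeUtc
            ReadOnly      = [bool]($_.Attributes -band [System.IO.FileAttributes]::ReadOnly)
        }
    }

$hits = @($hits)
$hits | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8

# Which data classes were hit: group by the recovered original extension.
$hits | Group-Object OriginalExt | Sort-Object Count -Descending |
    Select-Object @{ n = 'OriginalExt'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Earliest and latest write times bracket the encryption run for the timeline.
if ($hits.Count -gt 0) {
    $sorted = @($hits | Sort-Object LastWriteUtc)
    "Encryption window (UTC): {0:u} .. {1:u}" -f $sorted[0].LastWriteUtc, $sorted[-1].LastWriteUtc
    "READONLY set on {0} of {1} encrypted files" -f @($hits | Where-Object ReadOnly).Count, $hits.Count
}

# Ransom notes: record their locations for the case file; do not open them on the host.
Get-ChildItem -Path $Root -Recurse -File -Force -Filter $NoteName -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName |
    Set-Content -Path ([System.IO.Path]::ChangeExtension($Report, '.notes.txt'))
```

Run it from an elevated prompt against the mounted image rather than the live host; the CSV gives you the per-file list for the recovery plan and the extension summary tells you immediately whether databases, mail stores or office documents were the bulk of the damage.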

2. Detection & Outbreak Timeline

  • First Public Capture: 2023-03-27 (uploaded to VirusTotal from Netherlands).
  • First Mass Circulation: 2023-12, observed in spam campaigns hitting ≈ 32 countries; further waves in 2024-04 and 2024-05 tied to ProxyShell exploitation (see section 3).
  • Latest Signatures & IOCs: updated regularly by ESET, Bitdefender, and Microsoft Defender as of 2024-05-14 (detection names such as Tascal-StrongComplete-Gen and Trojan:Ransom/Complete.MR).

3. Primary Attack Vectors

  1. Phishing Emails (95 % of incidents)
    – ZIP or ISO attachments containing .exe inside two-tier archive to evade gateway scanners.
    – Faux payment receipt, fake invoice themes.
  2. EternalBlue Exploit (CVE-2017-0144, patched)
    – Legacy Windows 7 · Server 2008 R2 without MS17-010 still targeted.
  3. ProxyShell Chaining
    – CVE-2021-34473 (pre-auth path confusion) → CVE-2021-34523 (PowerShell back-end privilege elevation) → CVE-2021-31207 (post-auth file write) gives RCE on unpatched Exchange 2013/2016/2019. Fixed in the April and May 2021 Exchange security updates; publicly disclosed August 2021.
  4. Exposed RDP / TeamViewer
    – Weak, reused, or brute-forced credentials, followed by lateral movement with a Cobalt Strike Beacon loader that then deploys the .complete payload.
  5. Compromised Software Vendors
    – Attackers inject .complete payload into cracked Adobe Photoshop installers circulated on torrent sites (May-2024 campaign).

Remediation & Recovery Strategies

1. Prevention

  • Patch immediately – especially Exchange (the ProxyShell trio), SMBv1 (disable the protocol and apply MS17-010), and any remaining Windows 7 / Server 2008 R2 hosts.
  • Block macros from internet-sourced documents (the Office default since 2022) and enable the Defender ASR rule “Block Office applications from creating executable content”.
  • Enforce MFA on email, VPN, and RDP.
  • Segment networks: block inbound SMB (TCP 445) between workstations with the host firewall so one infected endpoint cannot reach its peers.
  • AppLocker / Windows Defender Application Control: allow-list the executables that may run.
  • Backup hygiene: 3-2-1 rule; keep at least one copy offline or immutable (Veeam hardened repository with XFS immutability, or S3 Object Lock / WORM storage).

2. Removal – Step-by-Step

  1. Identify & isolate: disconnect the network (unplug the cable, disable the NIC or Wi-Fi, or use EDR network containment) and disable the computer account in AD. Do not power the host off: that destroys volatile evidence.
  2. Preserve evidence: do not reboot and do not let antivirus quarantine or delete samples yet; capture memory, then image the disks with a forensic imager (dd, FTK Imager) before any cleanup.
  3. Boot into Safe Mode (without networking):
    – Windows 10/11 → hold Shift → Power → Restart → Troubleshoot → Advanced options → Startup Settings → Restart → press 4 (Safe Mode).
  4. Scan from outside the installed OS: boot a Bitdefender Rescue CD or Kaspersky Rescue Disk so the disk is scanned while the malware and any rootkit component are not running.
  5. Remove persistence:
    – Run keys: HKCU and HKLM \Software\Microsoft\Windows\CurrentVersion\Run and RunOnce.
    – UAC bypass: HKCU\Software\Classes\ms-settings\shell\open\command (the fodhelper bypass key; it does not exist on a clean system and is often left behind).
    – Scheduled tasks: schtasks /query /v /fo list – look for tasks named as bare GUIDs.
    – Drop sites: C:\ProgramData\LgbcSys and GUID-named folders under %LOCALAPPDATA%.
  6. Repair the boot code if modified – this variant is reported to install a pre-boot ransom-note component. On legacy BIOS/MBR disks run bootrec /fixmbr after disinfection; UEFI/GPT systems have no MBR boot code to fix, so rebuild the boot files with bcdboot C:\Windows instead.
  7. Restore Microsoft Defender: re-enable real-time protection and Tamper Protection if the malware turned them off, and restart services it stopped (WinDefend, VSS); infections that ran rundll32 to disable components often leave services in a broken state.
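Step 5 above is a list of locations to check by hand; in practice you want one read-only sweep that records what is there before anything is deleted, so the findings survive into the case notes. The script below is an added example for this page, not a tool from the page's author or any vendor. It reports and deletes nothing. The drop-folder name LgbcSys and the GUID-named task and folder patterns are taken from the page; the registry paths are the standard Windows ones. Run it elevated, on the isolated host or a booted image, after disks have been imaged.

```powershell
# Added example: read-only sweep of the persistence locations named in the removal
# steps. Records findings; removes nothing. LgbcSys and GUID-named tasks/folders
# come from the page; the registry paths are standard. Run elevated after imaging.
$guidPattern = '^\{?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}?$'
$findings    = New-Object System.Collections.Generic.List[object]

function Add-Finding($Kind, $Where, $What) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Where; Value = $What })
}

# 1. Run / RunOnce for the machine and every loaded user hive. Not every entry is
#    malicious; review each against a known-good baseline.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$userHives = Get-ChildItem Registry::HKEY_USERS
$runKeys  += $userHives | ForEach-Object {
    "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notmatch '^PS') { Add-Finding 'RunKey' $key "$($p.Name) = $($p.Value)" }
    }
}

# 2. fodhelper UAC-bypass key: a clean system never has this subtree, so any hit counts.
foreach ($hive in $userHives) {
    $k = "Registry::$($hive.Name)\Software\Classes\ms-settings\shell\open\command"
    if (Test-Path $k) {
        $v = Get-ItemProperty -Path $k
        Add-Finding 'UACBypass' $k "(Default)=$($v.'(default)') DelegateExecute=$($v.DelegateExecute)"
    }
}

# 3. Scheduled tasks whose name is a bare GUID, together with what they launch.
Get-ScheduledTask | Where-Object { $_.TaskName -match $guidPattern } | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'SchedTask' "$($_.TaskPath)$($_.TaskName)" $actions
}

# 4. Drop sites: the named ProgramData folder and GUID-named folders in each user's Local AppData.
$dropDir = 'C:\ProgramData\LgbcSys'
if (Test-Path $dropDir) {
    $contents = (Get-ChildItem $dropDir -Force | Select-Object -ExpandProperty Name) -join ', '
    Add-Finding 'DropDir' $dropDir $contents
}
Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $local = Join-Path $_.FullName 'AppData\Local'
    if (Test-Path $local) {
        Get-ChildItem $local -Directory -Force | Where-Object { $_.Name -match $guidPattern } |
            ForEach-Object { Add-Finding 'DropDir' $_.FullName "GUID-named folder, modified $($_.LastWriteTimeUtc.ToString('u'))" }
    }
}

# Report: console view plus a CSV for the case file (output path is an assumption).
$findings | Format-Table -AutoSize -Wrap
$findings | Export-Csv -Path 'C:\IR\persistence-sweep.csv' -NoTypeInformation -Encoding UTF8
```

Treat the UACBypass and GUID-task findings as confirmed indicators; the Run-key and Local AppData results need a baseline comparison, because legitimate software also uses both. Only after the CSV is saved should the entries be removed (Remove-ItemProperty, Unregister-ScheduledTask), so the record of what was found is not lost with the cleanup.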

3. File Decryption & Recovery

  • Recovery Feasibility: NO universal decryptor exists publicly (2024-05).
    .complete encrypts files with ChaCha20-Poly1305 under per-victim keys that are wrapped with an embedded RSA-2048 public key; the matching private key never leaves the attackers' server.
    Exception: builds that fell back to an embedded offline key (rare). Emsisoft is reported to hold a beta decryptor (completedecryptorv0.2.7.exe) shared only with law enforcement, to be released publicly only if the master keys leak.

  • Working Alternatives:
    a) Restore from offline backups (preferred).
    b) Windows Shadow Copies: vssadmin list shadows – some 2024-05 builds fail to delete them; ShadowExplorer or the Previous Versions tab can then recover files.
    c) Volume-level rollback: if a Veeam, Azure, or VMware snapshot predates the infection, revert the isolated VM to that snapshot from the hypervisor or cloud console, then patch before reconnecting it.
    d) Incident-response firms sometimes negotiate for keys (typically well above 2,000 USD). Do not contact the attackers' email address yourself; work through an IR firm such as Mandiant and a law-enforcement channel that preserves chain of custody, and check sanctions exposure before any payment.

  • Essential Tools / Patches:
    – MS17-010 (Microsoft SMBv1 fix) – KB4012215 is the March 2017 monthly rollup for Windows 7 / Server 2008 R2.
    – Exchange patch-level check: run Microsoft's HealthChecker.ps1 from the CSS-Exchange GitHub repository to confirm the build is past the ProxyShell fixes.
    – Ransomware identification: submit a ransom note and an encrypted sample to ID Ransomware (id-ransomware.malwarehunterteam.com) and check nomoreransom.org for a decryptor before assuming none exists.
    – RDP hardening: scope the built-in rules to your admin range instead of Any: Set-NetFirewallRule -DisplayGroup "Remote Desktop" -RemoteAddress <your-admin-range> (the TCP rule's internal name is RemoteDesktop-UserMode-In-TCP).

4. Other Critical Information

  • Unique Characteristics:
    Double-extortion playbook: the actors exfiltrate .SQL and .PST files and finance directories with rclone to MEGA before encryption starts, then publish “proof” on the dark-web auction site “CoFullData”.
    Language-aware ransom note: the malware reads the OS language and drops README_COMPLETE.txt in the victim's locale (EN, ES, FR, DE, RU).
    SMB propagation module: on Windows 10/11 the variant is reported to ship its own driver, masquerading as srvnet.sys, to spread over SMB (there is no “SMB v4.0”; current Windows speaks SMB 3.1.1), and hosts below the June 2022 patch level (KB5014697) are reported to be affected.
  • Broader Impact:
    – Critical infrastructure hits: electric-utility substation control LANs, and two US manufacturing plants forced to shut down in March 2024.
    – CrowdStrike’s 2024 Threat Report lists .complete as top-5 variants by new infection count, surpassing LockBit spin-off groups in financial extortion totals ($27 M extorted in Q1-2024).
    – Confirmed verticals: Legal (25 %), Architecture/AutoCAD firms (18 %), Healthcare clinics (14 %).

TL;DR: .complete is a Spora-derived ransomware family targeting both legacy and current Windows installs via phishing, ProxyShell, and EternalBlue. No public decryptor exists as of May 2024; rely on offline backups, patching, and a containment playbook.