comrade

[Content by Gemini 2.5]


Comrade Ransomware Research Briefing

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of Extension: The malware consistently appends .comrade (lower-case, preceded by a single space) to the full original filename, original extension included.
  • Renaming Convention:
  1. Original filename is preserved: Annual_Budget_Q1.xlsx remains readable.
  2. A single space (hard-coded delimiter) plus the new extension is appended:
    Annual_Budget_Q1.xlsx .comrade
  3. No directory renaming occurs, so folder names stay intact. In some configurations a plain-text ransom note, !!! HOW TO DECRYPT !!!.txt, is dropped on the desktop and in every directory that contains encrypted files.
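The rename pattern above is simple enough to inventory with a short script. The following PowerShell is an added example, not code from the original briefing: it walks a share, lists every file carrying the " .comrade" suffix together with its recovered original name, lists the directories holding the ransom note, and reports the encryption time window. It is read-only and assumes only the suffix and note name stated above; the -Path you pass is your own.

```powershell
# Added example, not from the original briefing. Read-only inventory of Comrade artifacts on a path.
# Assumes the " .comrade" suffix (single space + lower-case extension) and the note name from section 1.

function Find-ComradeArtifacts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Suffix   = ' .comrade',                  # delimiter is a literal space, per section 1
        [string] $NoteName = '!!! HOW TO DECRYPT !!!.txt'  # ransom note name, per section 1
    )

    # -Force includes hidden files; errors (locked files, long paths) are skipped rather than aborting the run
    $files = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue

    # Ordinal comparison so " .comrade" is matched exactly and never confused with a bare ".comrade"
    $encrypted = @(foreach ($f in $files) {
        if ($f.Name.EndsWith($Suffix, [System.StringComparison]::Ordinal)) {
            [pscustomobject]@{
                EncryptedPath = $f.FullName
                OriginalName  = $f.Name.Substring(0, $f.Name.Length - $Suffix.Length)
                SizeBytes     = $f.Length
                LastWriteUtc  = $f.LastWriteTimeUtc
            }
        }
    })

    $notes  = @($files | Where-Object { $_.Name -eq $NoteName } | Select-Object -ExpandProperty DirectoryName)
    $byTime = @($encrypted | Sort-Object LastWriteUtc)

    # Encryption window: bounds when the payload ran on this path, which scopes log review and
    # tells you whether a given shadow copy predates the attack
    $first = $null; $last = $null
    if ($byTime.Count -gt 0) { $first = $byTime[0].LastWriteUtc; $last = $byTime[-1].LastWriteUtc }

    [pscustomobject]@{
        EncryptedCount  = $encrypted.Count
        EncryptedFiles  = $encrypted
        NoteDirectories = $notes
        FirstWriteUtc   = $first
        LastWriteUtc    = $last
    }
}

# Usage: record the inventory before any cleanup so the list of affected files survives the clean-up.
# $r = Find-ComradeArtifacts -Path 'D:\Shares'
# $r.EncryptedFiles | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\comrade-inventory.csv"
# $r | Select-Object EncryptedCount, FirstWriteUtc, LastWriteUtc
# $r.NoteDirectories | Sort-Object -Unique
```

Because the original name is preserved in full, OriginalName is exact rather than a guess; keep the CSV, since it is the restore list for section 3.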

2. Detection & Outbreak Timeline

  • First Public Sample: 25 February 2023 (UTC), submitted to VirusTotal from an IP geolocated to Russia.
  • Large-scale Campaigns: Active surge observed during March–June 2023 in Eastern Europe (RU, BY, UA), North Africa, and India. Activity decreased but continued into 2024 as a second-tier threat using commodity TTPs.

3. Primary Attack Vectors

| Vector | Details & Examples | Mitigation Pointer |
|---|---|---|
| Phishing (most common; 89 % of incidents) | ZIP attachments containing malicious LNK files with a double extension (PaymentReceipt.pdf.lnk) whose target launches PowerShell to download http://95.x.x.x/comrade/psinstaller.ps1 | Email gateway sandboxing; block .lnk attachments and restrict PowerShell execution by policy |
| Exploiting the MS Exchange ProxyShell chain (CVE-2021-34473 + CVE-2021-34523) | Internal lateral movement using privileged access obtained by relaying NTLM authentication coerced with PetitPotam (a coercion/relay technique, not a credential dumper) | Apply KB5001779 and all later Exchange SUs; require SMB/LDAP signing and EPA, or disable NTLM where possible |
| Compromised RDP servers | Brute-force logon, then "sticky keys" persistence by replacing sethc.exe after infection | Restrict RDP to VPN + MFA; require NLA |
| Software supply-chain trojans | Fake Zoom update site (zoom-2023-update[.]co) serving an NSIS dropper that writes srvcstarter.exe | Verify code signatures; allow installs only from an approved internal software repository |
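The phishing row describes a ZIP whose document-looking .lnk actually launches PowerShell. The following is an added triage example, not code from the briefing or from the actor: it inspects an attachment archive for that pattern without executing anything inside it. It assumes .NET's System.IO.Compression.ZipFile (Windows PowerShell 5.1 or PowerShell 7 on Windows) and the WScript.Shell COM object for reading shortcut targets; the archive path and the extension list are assumptions you should adapt.

```powershell
# Added example, not from the original briefing. Static triage of a mail-attachment ZIP for
# "document.pdf.lnk -> PowerShell download" shortcuts. Nothing in the archive is run.

function Test-SuspiciousLnkArchive {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $ZipPath)   # your own sample; assumption

    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $shell    = New-Object -ComObject WScript.Shell
    $scratch  = Join-Path $env:TEMP ("lnk-triage-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $scratch | Out-Null
    $zip      = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    $findings = @()
    try {
        foreach ($entry in $zip.Entries) {
            # Double extension such as PaymentReceipt.pdf.lnk: a document name with .lnk tacked on
            if ($entry.Name -notmatch '\.(pdf|docx?|xlsx?|pptx?|txt)\.lnk$') { continue }

            # Extract only this entry; a .lnk sitting on disk does nothing until someone opens it
            $lnkPath = Join-Path $scratch ([IO.Path]::GetFileName($entry.Name))
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $lnkPath, $true)

            $sc = $shell.CreateShortcut($lnkPath)
            $findings += [pscustomobject]@{
                Entry      = $entry.FullName
                Target     = $sc.TargetPath
                Arguments  = $sc.Arguments
                # Script host as target plus a URL, encoded command, download primitive or hidden window
                Suspicious = ($sc.TargetPath -match 'powershell|pwsh|cmd\.exe|mshta|wscript|cscript') -and
                             ($sc.Arguments  -match 'https?://|-enc|iex|DownloadString|-w(indowstyle)? hidden')
            }
        }
    } finally {
        $zip.Dispose()
        Remove-Item -LiteralPath $scratch -Recurse -Force -ErrorAction SilentlyContinue
    }
    $findings
}

# Usage: block the message if any shortcut in the archive is flagged
# $r = Test-SuspiciousLnkArchive -ZipPath 'C:\triage\invoice.zip'
# $r | Format-Table -AutoSize
# if ($r.Suspicious -contains $true) { 'BLOCK' } else { 'review manually' }
```

WScript.Shell is convenient but can truncate very long argument strings and can be misled by crafted shortcuts; treat a clean result as "not obviously malicious" and use a dedicated MS-SHLLINK parser for a definitive read.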


Remediation & Recovery Strategies

1. Prevention

  1. Patch Table
  • Windows 10/11: apply the latest monthly cumulative update (KB5027231 at the time of writing).
  • Exchange 2019: stay on a supported CU with the latest SU. The ProxyShell fixes shipped in the April/May 2021 SUs, so any CU12 (or later) build already contains them; the risk is lagging behind the current SU, not CU12 itself.
  • Disable the SMBv1 server. There is no stock Administrative Template for this: either remove the feature (Windows Features > "SMB 1.0/CIFS File Sharing Support"; Uninstall-WindowsFeature FS-SMB1 on Server) or push the registry value HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 = 0 (DWORD) through Group Policy Preferences (Computer Configuration > Preferences > Windows Settings > Registry).
  2. Harden Credentials & Services
  • Zero-trust segmentation; require MFA on any Internet-exposed admin console.
  • Deny remote logon for the built-in Administrator account and for test accounts (User Rights Assignment: "Deny log on through Remote Desktop Services" and "Deny access to this computer from the network").
  3. Email Controls
  • Block macro-enabled Office attachments (.docm, .xlsm, .pptm) from external senders at the mail gateway (for example a MIMEDefang filter or a Microsoft Defender for Office 365 attachment policy).
  • Geo-restrict inbound POP/IMAP and webmail logons to the countries your organisation actually operates in, and alert on logons from anywhere else.
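The SMBv1 and RDP items above can be applied and verified from an elevated PowerShell session. The block below is an added example, not code from the briefing: it turns the SMBv1 server off, removes the component, enforces NLA and TLS on the RDP listener, and returns a pass/fail object you can run fleet-wide. It assumes a Windows 10/11 client (on Windows Server replace the optional-feature calls with Uninstall-WindowsFeature FS-SMB1); the function names are the author's own.

```powershell
# Added example, not from the original briefing. Run elevated. Client SKU assumed; see lead-in for Server.

function Disable-Smb1Server {
    # Server side off immediately, no reboot required
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the component so a legacy application cannot switch it back on (effective after reboot)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -ne 'Disabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Enable-RdpNla {
    # NLA authenticates before a session (and its pre-logon desktop, where the sethc.exe trick lives) exists.
    # Same registry values the GPO "Require user authentication for remote connections by using
    # Network Level Authentication" writes.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name 'UserAuthentication' -Value 1 -Type DWord   # 1 = NLA required
    Set-ItemProperty -Path $key -Name 'SecurityLayer'      -Value 2 -Type DWord   # 2 = TLS required
}

function Test-ComradeHardening {
    # Compliance view: each field is $true only in the hardened state
    $smb = Get-SmbServerConfiguration
    $rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1ServerOff      = -not $smb.EnableSMB1Protocol
        SmbSigningRequired = [bool]$smb.RequireSecuritySignature   # blunts SMB relay of coerced NTLM auth
        RdpNlaRequired     = $rdp.UserAuthentication -eq 1
        RdpTlsRequired     = $rdp.SecurityLayer -eq 2
    }
}

# Usage:
# Disable-Smb1Server
# Enable-RdpNla
# Test-ComradeHardening | Format-List
```

Run Test-ComradeHardening on its own first to baseline a fleet; a $false in Smb1ServerOff on a file server that "only serves modern clients" is the usual surprise.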

2. Removal (Clean-Up Playbook)

  1. Isolate – Take the host off the network (VLAN quarantine or pull the cable; disable Wi-Fi & Bluetooth). Prefer isolation over power-off while a memory image is still wanted, since power-off destroys volatile evidence.
  2. Identify – In Process Explorer (or Get-Process) look for:
  • srvcstarter.exe (hidden in %ProgramData%\Zzipp)
  • Scheduled task ComradeSvc, created via schtasks /create /tn ComradeSvc /tr "cmd.exe /c …"
  3. Kill & Delete
  • Process: taskkill /f /im srvcstarter.exe
  • Scheduled task: schtasks /delete /tn ComradeSvc /f
  • Registry persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value Zzipp (check the hive of every user who logged on to the host, not only the current one)
  4. File Wipe – Confirm with Autoruns that no other autostart entries remain, keep a copy of the dropper for analysis, then remove the directory with rmdir /s /q "C:\ProgramData\Zzipp" (del /f /q deletes only the files inside it and leaves the folder).
  5. Verify System Integrity – Do NOT run vssadmin delete shadows: that is what the ransomware itself attempts, and any surviving shadow copies are your best recovery source (section 3). List them with vssadmin list shadows, then run sfc /scannow to check Windows system files for tampering.
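Steps 2 to 4 of the playbook as one script, added here as an example and not taken from the briefing. The IOC names (srvcstarter.exe, %ProgramData%\Zzipp, task ComradeSvc, Run value Zzipp) are the ones the playbook lists; the evidence path and function names are the author's assumptions. The report function is read-only so you can review what is present before the removal function touches anything; the removal function preserves a hashed copy of the drop directory first and checks every loaded user hive, because HKCU alone is only the hive of whoever runs the script.

```powershell
# Added example, not from the original briefing. Run elevated on the isolated host after a memory image
# (if wanted) has been taken. Nothing here touches shadow copies.

$ProcName  = 'srvcstarter'                                  # IOC from the playbook
$DropDir   = Join-Path $env:ProgramData 'Zzipp'              # IOC from the playbook
$TaskName  = 'ComradeSvc'                                    # IOC from the playbook
$RunSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue  = 'Zzipp'                                         # IOC from the playbook
$Evidence  = Join-Path $env:USERPROFILE 'comrade-evidence'   # assumption: where to keep the dropper copy

function Get-ComradeRunEntries {
    # Every loaded user hive, not just HKCU: the infected profile may not be the one running this script
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
        $key = "Registry::$($_.Name)\$RunSubKey"
        $val = (Get-ItemProperty -Path $key -Name $RunValue -ErrorAction SilentlyContinue).$RunValue
        if ($val) { [pscustomobject]@{ Hive = $_.PSChildName; Key = $key; Command = $val } }
    }
}

function Get-ComradePersistence {
    # Read-only report of which IOCs are present on this host
    [pscustomobject]@{
        Process    = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue | Select-Object Id, Path, StartTime)
        DropDir    = Test-Path -LiteralPath $DropDir
        Task       = @(Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue |
                        ForEach-Object { $_.Actions | Select-Object Execute, Arguments })
        RunEntries = @(Get-ComradeRunEntries)
    }
}

function Remove-ComradePersistence {
    New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
    # 1. Preserve the dropper and its hashes before anything is deleted
    if (Test-Path -LiteralPath $DropDir) {
        Copy-Item -LiteralPath $DropDir -Destination $Evidence -Recurse -Force
        Get-ChildItem -LiteralPath $DropDir -Recurse -File | Get-FileHash -Algorithm SHA256 |
            Export-Csv -NoTypeInformation -Path (Join-Path $Evidence 'hashes.csv')
    }
    # 2. Kill the running process (equivalent of taskkill /f /im srvcstarter.exe)
    Get-Process -Name $ProcName -ErrorAction SilentlyContinue | Stop-Process -Force
    # 3. Remove the scheduled task, or it re-launches the payload at next trigger
    if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    }
    # 4. Remove the Run value from every hive where it exists
    Get-ComradeRunEntries | ForEach-Object { Remove-ItemProperty -Path $_.Key -Name $RunValue -ErrorAction SilentlyContinue }
    # 5. Delete the drop directory itself (del /f /q would leave the folder behind)
    Remove-Item -LiteralPath $DropDir -Recurse -Force -ErrorAction SilentlyContinue
}

# Usage:
# Get-ComradePersistence          # review first
# Remove-ComradePersistence
# Get-ComradePersistence          # re-run: Process, Task and RunEntries empty, DropDir $false
```

Profiles that are not currently loaded are not visible under HKEY_USERS; for those, load the user's NTUSER.DAT with reg load or check them after the user next logs on. Finish with sfc /scannow as in step 5.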

3. File Decryption & Recovery

  • Decryptor availability: At time of writing there is NO public decryptor. Files are encrypted per-file with ChaCha20; each per-file (session) key is wrapped with an RSA-2048 master public key, and no private or offline key has leaked, so recovery without the actor's key is not possible.
  • Alternatives:
  • Shadow Copies: Many victims have found intact VSS snapshots where the malware failed to obtain the admin rights needed to delete them. Run vssadmin list shadows before any cleanup that writes to the volume, and compare each snapshot's time with the encryption time: a snapshot taken after the attack only holds encrypted copies.
  • Offline backups / 3-2-1 strategy: Crucial, as ransomware cannot delete what is detached.
  • ID Ransomware: Upload the ransom note or an encrypted sample; the service identifies the family and points to a decryptor if one is ever released.
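Recovering from a surviving shadow copy is straightforward once the snapshot is exposed as a path. The block below is an added example, not code from the briefing: it lists the snapshots for a drive (newest first) and copies a subtree out of a chosen snapshot, skipping anything that already carries the " .comrade" suffix or is the ransom note. It assumes Win32_ShadowCopy / Win32_Volume via CIM and a directory symlink to the snapshot device; the mount point, drive letter and destination are the author's assumptions, and the destination should be a clean, separate volume.

```powershell
# Added example, not from the original briefing. Read-only with respect to the snapshot;
# never run vssadmin delete shadows on a volume you still hope to recover from.

function Get-ShadowCopies {
    param([string] $DriveLetter = 'C:')   # assumption
    # Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ form, so map the drive letter through Win32_Volume
    $volumeId = (Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -eq $DriveLetter }).DeviceID
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeId } |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, DeviceObject
}

function Restore-FromShadow {
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        [Parameter(Mandatory)] [string] $RelativePath,   # subtree under the volume root, e.g. Users\alice\Documents
        [Parameter(Mandatory)] [string] $Destination,    # clean volume; assumption
        [string] $Suffix   = ' .comrade',
        [string] $NoteName = '!!! HOW TO DECRYPT !!!.txt'
    )
    $mount = Join-Path $env:SystemDrive 'shadow_mount'   # assumption
    # Expose the snapshot through a directory symlink; the trailing backslash on the device path is required
    cmd.exe /c mklink /d "$mount" "$DeviceObject\" | Out-Null
    try {
        $src = Join-Path $mount $RelativePath
        Get-ChildItem -LiteralPath $src -Recurse -File |
            Where-Object { -not $_.Name.EndsWith($Suffix, [System.StringComparison]::Ordinal) -and $_.Name -ne $NoteName } |
            ForEach-Object {
                $rel  = $_.FullName.Substring($src.Length).TrimStart('\')
                $dest = Join-Path $Destination $rel
                New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
                Copy-Item -LiteralPath $_.FullName -Destination $dest
            }
    } finally {
        # rmdir on a directory symlink removes the link only, never the snapshot behind it
        cmd.exe /c rmdir "$mount" | Out-Null
    }
}

# Usage: pick the newest snapshot that predates the first encrypted write, then pull the data out
# Get-ShadowCopies -DriveLetter 'D:'
# $snap = Get-ShadowCopies -DriveLetter 'D:' | Where-Object { $_.InstallDate -lt (Get-Date '2023-04-12 03:00') } | Select-Object -First 1
# Restore-FromShadow -DeviceObject $snap.DeviceObject -RelativePath 'Shares\Finance' -Destination 'E:\recovered'
```

The date in the usage filter is a placeholder; substitute the earliest modification time of the encrypted files on that volume. If a snapshot still contains " .comrade" files in the tree you are restoring, it was taken mid- or post-encryption and an older one is needed.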

4. Other Critical Information

  • Threat Actor MO: Two modes are seen: "Smoke & Torch" mass-spam runs, and targeted SME campaigns. The decision to push deeper lateral movement is keyed on folder names found on the first host (for example "prod", "fin", "erp").
  • Ransom Note Sample (!!! HOW TO DECRYPT !!!.txt)
  Oops your files were encrypted ...
  Send 0.4 BTC (~11 500 USD) to wallet 1C4xrVebVCtG7JxHeE99...
  After payment email comarade2607@vpn[.]opayq[.]com with your ID 0AE5F22D
  • Unusual Trait: Not every sample relies on encryption alone. Some exfiltrate only HR and accounting data and leave CAD files unencrypted, applying pressure through the threat of publication (double extortion) rather than through file loss.
  • Cross-Platform Variants: A Rust-coded Linux dropper ("ComradeELF") surfaced in July 2023 targeting Ubuntu servers running Confluence; it preserves the same .comrade suffix.
  • Historical Note: Early code overlap with Chaos builder suggests repurposed codebase; mitigation overlap treated as Chaos-derived threat.

Stay updated—subscribe to CISA KEV and CERT-EU advisories. Pass this resource onward and keep off-site, offline backups: the only currently reliable antidote to .comrade.