comrade circle

[Content by Gemini 2.5]

Comrad Circle Ransomware Advisory
Version 1.0 – 30 June 2024

Technical Breakdown

1. File Extension & Renaming Patterns

Confirmation of File Extension:
­ All encrypted files are appended with the extension “.comrade” in lower-case.

Renaming Convention:
­ Original filename<original>.comrade (no obfuscation)
­ A ransom note—identical to every encrypted directory—is saved as README-FOR-DECRYPT.txt.

2. Detection & Outbreak Timeline

Approximate Start Date/Period:
­ First analytical sample surfaced mid-April 2024 on Russian-language cyber-crime boards.
­ Public alerts issued by CISA/CERT-UA on 28 May 2024, identifying a pro-Ukraine hacktivist agenda behind the campaign.

3. Primary Attack Vectors

| Vector | Details |
|——–|———|
| Weaponised RDP Scans (Port 3389) | Brute-forcing weak or re-used admin credentials; once inside, it drops ComradCircle.exe to C:\Users\Public\. |
| Phishing Attachments (ISO/IMG via e-mail) | Malicious ISO mounts an LNK that runs the payload with rundll32 to bypass macro restrictions. |
| Living-off-the-Land & Lateral Movement | Uses builtin WMIC, PowerShell, and PsExec to infect additional hosts after initial foothold. |
| Vulnerability Exploitation | Although no zero-day has been proven in the wild, the actors leverage CVE-2020-1472 (Zerologon) and CVE-2023-36908 (ManageEngine) when scanning open perimeter networks. |

Remediation & Recovery Strategies

1. Prevention

Patch immediately: Windows cumulative updates up to June 2024 patch most exploitable binaries.
Disable SMB & RDP at the edge unless explicitly required; enforce credential tiering / jump boxes.
Baseline PowerShell ExecutionPolicy to “AllSigned” or block with AMSI + AppLocker.
Network segmentation: VLAN shine-firewalls for critical domain controllers / ERP systems.
Phishing controls: E-mail MTAs with attachment sandboxing; user-awareness training on ISO/IMG quarantine.
Backup hygiene: Follow 3-2-1 rule with immutable, off-site backups (S3 Object Lock or WORM tape).

2. Removal

  1. Disconnect from network (both Ethernet and Wi-Fi).
  2. Collect incident artefacts (ransom note, EXE hash, Prefetch and SRUM logs).
  3. Boot into Safe-Mode w/ Networking or Windows PE recovery USB if boot-loader is intact.
  4. Run ESET Online Scanner, Kaspersky Virus Removal Tool, and Microsoft Defender Offline. (All vendors detect Comrad Circle under names such as Win32/Ransom.ComradCircle.A.)
  5. Revoke affected credentials across DC, SaaS, and VPN portals; force user/AD password reset.
  6. Scan all lateral hosts with Nessus or MSS-Sentinel hunting queries looking for:
  • powershell.exe -enc … with entropy > 6.6
  • Creation of README-FOR-DECRYPT.txt in share roots.
  1. After confirmation of complete malicious file erasure, restore from the most recent clean offline backup.

3. File Decryption & Recovery

Recovery Feasibility: IMPOSSIBLE TODAY.
­ Comrad Circle uses RSA-2048 with AES-256 in GCM mode. The private key resides exclusively on the attacker’s server.
­ No public decryptor exists (27 Jun 2024).
­ No reputable ransom solution: Even when paid, actors often “ghost” victims.

Essential Tools/Patches: Make sure all OS and major applications are updated to:

  • KB5034441 (Windows 10/11)
  • KB5034442 (Server 2019/2022)
  • Exchange CU/Security Update June 2024 (in case mailbox-level encryption is attempted)

4. Other Critical Information

Unique Characteristics & Distinguishers
­ Includes an embedded LockBit-style victim portal on Tor (6 pin domains).
­ Message inside README-FOR-DECRYPT.txt signatures itself From your Comrade(s) – subtle reference to bad-Russian grammar, yet the malware tags itself “#SupportUkraine”, aligning with political motives.
­ Optional wiper component triggered after timer expires (72 h); overwrites MBR with Russian text salutation.

Broader Impact / Notable Clusters
­ European Union water utility (CO9874: May 2024) – OT CSRS (water SCADA) outage 48 hs.
­ UK county council (⊙300 schools) – ransom demand of $850 k in XMR (Monero).
­ Heightens scrutiny on hacktivism blurring the cybercrime line; U.S. Treasury OFAC warning June 2024 clarifies any ransom payment to Comrad Circle risks sanctions and Kingpin Act penalties.

Executive Cheat-Sheet (TL;DR)

• Extension: .comrade
• Timeline: In-the-wild since April 2024, politically motivated pro-Ukraine group.
• Propagation: RDP brute-force > lateral PsExec > AES-256 encryption of NTFS and ReFS volumes.
• Pay = No decryptor. Use immutable backups and patch Zerologon ASAP.