condat

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

• Confirmation of File Extension: “.condat”
• Renaming Convention: Files are renamed in the pattern
<original-name>.<base64-encoded_email>.condat
Example: Annual_Report_2024.xlsx.bG9hZGFzc2V0QGV4YW1wbGUuY29t.condat
The base64 segment decodes to an attacker-controlled e-mail address (in the example above, loadasset@example.com). It identifies the affiliate or campaign that hit the host and is the address at which ransom negotiation is expected to start, so it is worth extracting and tallying across every encrypted file you find: several different addresses in one estate usually mean several intrusions, not one.
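A small triage helper for the naming pattern above, added here as an editorial example (it is not tooling from the original page or from any vendor). It strips the “.condat” suffix, splits off the last dot-separated segment, tries standard and URL-safe base64, and accepts the result only if it looks like an e-mail address; anything else is reported as unmatched so that a stray “.condat” file with a different layout is not silently attributed. The file names in the sample list are constructed for the demonstration.

```python
import base64
import binascii
import re
from collections import Counter

EXT = ".condat"
# Loose e-mail shape: something@something.tld, no whitespace. Good enough for triage.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _decode_token(token):
    """Decode a base64 segment (standard or URL-safe alphabet, padding optional).

    Returns the decoded e-mail address, or None if the segment is not base64
    or does not decode to something e-mail shaped.
    """
    padded = token + "=" * (-len(token) % 4)
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def parse_condat_name(filename):
    """Return (original_name, email) for a renamed file, or None if it does not match.

    The original name may itself contain dots (report.2024.xlsx), so only the
    LAST dot-separated segment before the extension is treated as the token.
    """
    if not filename.endswith(EXT):
        return None
    stem = filename[: -len(EXT)]
    original, sep, token = stem.rpartition(".")
    if not sep or not original or not token:
        return None
    email = _decode_token(token)
    if email is None:
        return None
    return original, email


def triage(filenames):
    """Tally negotiation addresses across a list of file names.

    Returns (counts_by_email, unmatched) where unmatched lists every name that
    ends in .condat but does not follow the documented pattern.
    """
    counts = Counter()
    unmatched = []
    for name in filenames:
        parsed = parse_condat_name(name)
        if parsed is None:
            if name.endswith(EXT):
                unmatched.append(name)
            continue
        counts[parsed[1]] += 1
    return dict(counts), unmatched


# Constructed sample directory listing (not real victim data).
SAMPLE_FILES = [
    "Annual_Report_2024.xlsx.bG9hZGFzc2V0QGV4YW1wbGUuY29t.condat",
    "payroll.2024.Q1.csv.bG9hZGFzc2V0QGV4YW1wbGUuY29t.condat",
    "notes.txt",                       # untouched file
    "report.docx.aGVsbG8.condat",      # base64, but decodes to "hello", not an address
    "odd.not!base64.condat",           # last segment is not base64 at all
]

if __name__ == "__main__":
    by_email, leftovers = triage(SAMPLE_FILES)
    for email, n in by_email.items():
        print(f"{n:4d}  {email}")
    for name in leftovers:
        print(f"unmatched: {name}")
```

Run it over `find / -name '*.condat'` output (or a `dir /s /b *.condat` listing exported from the Windows host) and you get one line per negotiation address with a file count, which is the first thing an incident lead will ask for.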

2. Detection & Outbreak Timeline

• First laboratory sample: 14-03-2024 (submitted to Malware-Bazaar, hash 41e7af…)
• Public surge (first hundred infections): 26-03-2024 → 03-04-2024, peaking 02-04-2024.
• Second wave: 08-05-2024, correlated with the new “MadLocker 2” phishing campaign.

3. Primary Attack Vectors

• CVE-2023-34362 (MOVEit Transfer SQL injection) – exploited by the Cl0p affiliate, which seeded Condat into organisations it had already compromised for data exfiltration.
• CVE-2024-1212 – listed by this page as an unpatched remote code execution in Ivanti Endpoint Manager (EPM), used from early April onward. Verify the identifier against the vendor advisory before mapping it to a patch: NVD records CVE-2024-1212 against Progress Kemp LoadMaster, not Ivanti EPM, so the number here may be a transcription error.
• Malicious Microsoft Office attachments (Invoice_REM_<random>_<date>.docm) whose macro spawns PowerShell to download the first-stage dropper from GitHub, Discord or AWS S3 pre-signed URLs.
• Compromised RDP / AnyDesk portals, and supply-chain update packages served from three cracked-software sites (CracksNow, GetIntoPC, FileCR).
• Lateral movement uses a custom variant of the LateralX tool plus living-off-the-land binaries: wmic process call create, psexec.exe (v2.34), and SMBv1 shares misconfigured to allow anonymous (null-session) named-pipe access.

Remediation & Recovery Strategies:

1. Prevention (Pro-active)

  1. Apply vendor patches IMMEDIATELY:
    • MOVEit Transfer 2023.0.11 or later
    • Ivanti EPM 2024 SU2 (build 2024.2.0.246)
  2. Disable SMBv1 on every Windows asset. Per host: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol (clients) or Remove-WindowsFeature FS-SMB1 (servers); at scale, push the same change with Group Policy or your configuration-management tool, then confirm with Get-SmbServerConfiguration | Select EnableSMB1Protocol.
  3. Restrict PowerShell to signed scripts (Set-ExecutionPolicy AllSigned). Treat this as a speed bump only: execution policy is bypassed with a single flag (-ExecutionPolicy Bypass), so pair it with AppLocker or WDAC rules and Constrained Language Mode, and turn on script-block logging so the download cradle lands in the event log even if it runs.
  4. Block direct Internet egress for servers; force proxy inspection of GitHub, cdn.discordapp.com and *.amazonaws.com, since all three are used purely as hosting for the first-stage dropper.
  5. Block macros by policy rather than relying on Protected View. In the Office GPO/registry settings (HKCU\Software\Policies\Microsoft\Office\16.0\<App>\Security) set VBAWarnings to 4 (disable all without notification) or 3 (disable all except digitally signed), and set blockcontentexecutionfrominternet to 1. Note that VBAWarnings = 2 is merely “disable with notification”, the default that the Invoice_REM_*.docm lure is written to click through.
  6. Mandate MFA for RDP and AnyDesk/TeamViewer endpoints; forcibly change all privileged passwords after patching Ivanti, on the assumption that credentials held by an exploited appliance were captured.

2. Removal (Infection Cleanup)

  1. Isolate at the network layer first: disable the NIC, pull the cable, drop the Wi-Fi association or move the port to a quarantine VLAN. Do not power the host off yet; the per-file keys and the encryptor’s state exist only in RAM while it runs.
  2. Capture evidence: if virtual, pause the VM and take memory + disk snapshots; if physical, acquire memory with your forensic tool of choice, then image the disk.
  3. Only then boot into Safe Mode (without networking).
  4. Scan with an updated malware engine (Bitdefender GravityZone build 7.9.8.118, ESET 18818 or Symantec 24.2). The engine quarantines “Condat.Host.exe” and the persistence entry under:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name mssecsvc2.0
    Also reset HKCU\Control Panel\Desktop\Wallpaper, which the ransomware points at the ransom-note JPG (cosmetic, not persistence, but a useful confirmation that a user profile was hit).
  5. Remove the scheduled tasks named SSRead and DefenderCheck, and the hidden local user “HelpAssistantWithL$”.
  6. Reboot into normal mode and verify:
    • No further connections to 185.159.157.22:443/tcp and no DNS queries for dns-update.dynu.com.
    • Autoruns shows no unverified kernel drivers (SOSDrv.sys, SOSHelper64.sys).

3. File Decryption & Recovery

Condat uses Curve25519 + ChaCha20-Poly1305 for each file, and the matching private key resides only on the C2. In this construction the encryptor carries the attacker’s Curve25519 public key, generates a fresh ephemeral key pair per file, derives the ChaCha20-Poly1305 key from the Diffie-Hellman shared secret, and stores only the ephemeral public key alongside the ciphertext. Everything left on disk (the binary, the embedded public key, the ephemeral public keys) is therefore useless without the attacker’s private key. There is currently no known flaw in their implementation, so OFFLINE decryption is impossible without that key; the one exception is a memory image taken while the encryptor was still running, which may hold per-file keys for files that had not yet been finished.
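To make the “why no offline decryptor” argument concrete, here is the hybrid scheme described above, written as an editorial example with the `cryptography` library; it is not Condat’s code and the header layout, HKDF info string and sample file contents are constructed for the demonstration. The encrypt side has only the attacker’s public key; the decrypt side needs the private key; a responder holding the encrypted file and a wrong (or guessed) private key gets an authentication failure, not garbage plaintext.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey,
    X25519PublicKey,
)
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

MAGIC = b"CONDAT-DEMO\x00"   # constructed marker; the real on-disk header is not documented here
KEY_LEN, NONCE_LEN = 32, 12


def _raw(pub):
    return pub.public_bytes(Encoding.Raw, PublicFormat.Raw)


def _derive_file_key(shared_secret, ephemeral_pub, attacker_pub):
    # Bind the symmetric key to both public keys so a swapped header cannot be replayed.
    return HKDF(
        algorithm=hashes.SHA256(), length=KEY_LEN, salt=None,
        info=b"condat-demo-file-key" + ephemeral_pub + attacker_pub,
    ).derive(shared_secret)


def encrypt_file(plaintext, attacker_pub):
    """What the encryptor does per file: fresh ephemeral key, ECDH, AEAD.

    Output layout: MAGIC | ephemeral_pub(32) | nonce(12) | ciphertext+tag.
    The ephemeral private key is discarded here; only the attacker's static
    private key can recompute the shared secret afterwards.
    """
    ephemeral = X25519PrivateKey.generate()
    ephemeral_pub = _raw(ephemeral.public_key())
    shared = ephemeral.exchange(attacker_pub)
    key = _derive_file_key(shared, ephemeral_pub, _raw(attacker_pub))
    nonce = os.urandom(NONCE_LEN)
    ct = ChaCha20Poly1305(key).encrypt(nonce, plaintext, ephemeral_pub)
    return MAGIC + ephemeral_pub + nonce + ct


def parse_blob(blob):
    """Split an encrypted file into (ephemeral_pub, nonce, ciphertext). Raises on bad header."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a demo-encrypted file")
    body = blob[len(MAGIC):]
    eph, nonce, ct = body[:32], body[32:32 + NONCE_LEN], body[32 + NONCE_LEN:]
    if len(eph) != 32 or len(nonce) != NONCE_LEN:
        raise ValueError("truncated header")
    return eph, nonce, ct


def try_decrypt(blob, private_key):
    """Return plaintext, or None if this private key does not open the file."""
    eph, nonce, ct = parse_blob(blob)
    shared = private_key.exchange(X25519PublicKey.from_public_bytes(eph))
    key = _derive_file_key(shared, eph, _raw(private_key.public_key()))
    try:
        return ChaCha20Poly1305(key).decrypt(nonce, ct, eph)
    except InvalidTag:
        return None


# Constructed demo: the attacker keeps `attacker_priv` on the C2; the encryptor ships `attacker_pub`.
attacker_priv = X25519PrivateKey.generate()
attacker_pub = attacker_priv.public_key()
SAMPLE_PLAINTEXT = b"constructed spreadsheet contents, not real victim data"

if __name__ == "__main__":
    blob = encrypt_file(SAMPLE_PLAINTEXT, attacker_pub)
    print("ephemeral pub (stored in file):", parse_blob(blob)[0].hex())
    print("with C2 private key:", try_decrypt(blob, attacker_priv))
    print("with any other key: ", try_decrypt(blob, X25519PrivateKey.generate()))
```

The point for recovery planning: `parse_blob` recovers everything a forensic examiner can recover from disk, and none of it feeds `try_decrypt` without the key that never left the C2. That is why the memory capture in the removal steps comes before power-off, and why immutable backups, not cryptanalysis, are the realistic path back.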

However, two major sources remain for data recovery:
a. Volume Shadow Copies (ShadowExplorer, or vssadmin list shadows) – Condat deletes shadow copies, but only after its encryption queue has been processed; if the host was shut down mid-run, the copies may still exist, so check before doing anything else that could trigger their deletion.
b. Company-wide rollback – victims with immutable off-site backups (a Veeam hardened repository, or WORM cloud snapshots such as Azure immutable blob storage or AWS S3 Object Lock) typically restored more than 98 % of their data.

External decryption tools:
• No free tool exists at the time of writing, but the Kaspersky, Bitdefender and Avast decryptor teams are analysing the cipher chain. Bookmark their release pages and the No More Ransom project, subscribe to their release feeds, and keep the encrypted files: a decryptor published later is only useful if the ciphertext was preserved.

4. Other Critical Information

• Double extortion: each victim ID receives a personalised leak portal on the clearnet (http://leel5r7[.]com). ENISA and NCC Group confirmed at least 47 GB of finance-sector data already posted.
• Comes with a PowerShell downloader that installs “miniCondat.dll” onto Linux hosts it moves to laterally, encrypting EXT4/XFS partitions with a hard-coded path filter of /var/lib/docker/*.
• Defensive identifier: the mutex Global\CONDAT2011_GATES is present only on Windows machines actively encrypting. A mutex is a host-side artefact, so this feeds EDR/IOA rules (kill the process on mutex creation) rather than network sensors; the network indicators above are what an NDR can act on.
• Regulatory notice: ICO (UK) and SEC (US) issued advisories on 2024-04-08; the GDPR breach-notification clock is 72 h from awareness.
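The host and network indicators scattered through the removal checklist and the mutex above are easier to act on as one rule set. The following matcher is an editorial example, not tooling from the page: it takes the indicators exactly as the page lists them (they are not independently verified here; validate before you block on them), normalises case and path components, and runs them over a handful of constructed JSON events in a loosely Sysmon/EDR-like shape. Field names such as `dst_ip`, `task_name` and `signed` are assumptions for the demo; map them to whatever your sensor actually emits.

```python
import json

# Indicators as given on this page (not independently verified by the editor).
IOC_NET = {("185.159.157.22", 443)}
IOC_DNS = {"dns-update.dynu.com"}
IOC_TASKS = {"ssread", "defendercheck"}
IOC_DRIVERS = {"sosdrv.sys", "soshelper64.sys"}
IOC_RUN_VALUES = {"mssecsvc2.0"}
IOC_USERS = {"helpassistantwithl$"}
IOC_MUTEX = {"global\\condat2011_gates"}


def _basename(path):
    # Windows paths in the events; take the last backslash-separated component.
    return path.rsplit("\\", 1)[-1].lower()


def match_event(ev):
    """Return a short tag naming the first indicator this event matches, or None."""
    kind = ev.get("type")
    if kind == "network" and (ev.get("dst_ip"), ev.get("dst_port")) in IOC_NET:
        return "c2_connect"
    if kind == "dns" and ev.get("query", "").lower().rstrip(".") in IOC_DNS:
        return "c2_dns"
    if kind == "task_create" and ev.get("task_name", "").lower() in IOC_TASKS:
        return "persistence_task"
    if kind == "driver_load" and _basename(ev.get("image", "")) in IOC_DRIVERS \
            and not ev.get("signed", True):
        return "unsigned_driver"
    if kind == "registry_set" and ev.get("key", "").lower().endswith("\\currentversion\\run") \
            and ev.get("value_name", "").lower() in IOC_RUN_VALUES:
        return "persistence_runkey"
    if kind == "user_create" and ev.get("user", "").lower() in IOC_USERS:
        return "hidden_user"
    if kind == "mutex" and ev.get("name", "").lower() in IOC_MUTEX:
        return "active_encryptor"   # the only tag that means encryption is happening NOW
    return None


def scan(lines):
    """Run the matcher over newline-delimited JSON; returns [(host, tag), ...] in input order.

    Malformed lines are skipped rather than aborting the scan, because a log
    export from a half-encrypted host is rarely clean.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        tag = match_event(ev)
        if tag:
            hits.append((ev.get("host"), tag))
    return hits


# Constructed sample events (not a real capture). Raw string keeps the JSON backslashes intact.
SAMPLE_LOG = r"""
{"host": "FS01", "type": "network", "dst_ip": "185.159.157.22", "dst_port": 443}
{"host": "FS01", "type": "network", "dst_ip": "185.159.157.22", "dst_port": 8443}
{"host": "WS17", "type": "dns", "query": "dns-update.dynu.com."}
{"host": "WS17", "type": "task_create", "task_name": "DefenderCheck"}
{"host": "WS17", "type": "driver_load", "image": "C:\\Windows\\System32\\drivers\\SOSDrv.sys", "signed": false}
{"host": "WS18", "type": "driver_load", "image": "C:\\Windows\\System32\\drivers\\SOSDrv.sys", "signed": true}
{"host": "FS01", "type": "registry_set", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "mssecsvc2.0"}
{"host": "FS01", "type": "user_create", "user": "HelpAssistantWithL$"}
{"host": "FS02", "type": "mutex", "name": "Global\\CONDAT2011_GATES"}
this line is not json and must be skipped
"""

if __name__ == "__main__":
    for host, tag in scan(SAMPLE_LOG.splitlines()):
        print(f"{host:6s} {tag}")
```

Two design choices are worth copying into a production rule: the driver rule fires only when the sensor reports the binary as unsigned, which is the condition Autoruns shows as “not verified” in the checklist, and the mutex rule is kept separate because it is the one indicator that justifies an automatic kill rather than an alert.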

Summary At-a-Glance

Backup is your only non-negotiable. Patch Ivanti and MOVEit today, kill SMBv1, remove the infected jobs and tasks, and restore from immutable backups. Do not attempt payment: Condat’s negotiation e-mail domains are already flagged for asset-freezing sanctions by OFAC (SDN List updated 12-05-2024), so a payment is itself a potential sanctions violation on top of being unlikely to get data back.

Stay resilient.