core

[Content by Gemini 2.5]

Comprehensive Ransomware Resource for .core Extension – Community Edition


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact Extension: .core (secondary tag: .CORE appears on case-insensitive volumes).
  • Renaming Convention:
    Original filename → <original name>.id-<8-hex-chars>.[<attacker e-mail 1>][<attacker e-mail 2>].core
    Example: Budget2024.xlsx → Budget2024.xlsx.id-A7F3C1B2.[[email protected]][[email protected]].core
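As an added example (not part of the original resource), a small Python triage helper that parses the renaming convention above, accepts the .CORE spelling, and groups hits by victim id so a responder can see whether one or several infected hosts wrote to a share. The listing and the contact addresses are constructed placeholders, not real indicators.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# <original name>.id-<8 hex>.[<e-mail 1>][<e-mail 2>].core
# IGNORECASE covers the ".CORE" spelling seen on case-insensitive volumes.
_CORE_NAME = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<vid>[0-9A-Fa-f]{8})"
    r"\.\[(?P<mail1>[^\[\]]+)\]\[(?P<mail2>[^\[\]]+)\]\.core$",
    re.IGNORECASE,
)

RANSOM_NOTE = "!README_CORE!.txt"  # note name from the resource above


@dataclass(frozen=True)
class CoreRename:
    original: str              # file name before the ransomware renamed it
    victim_id: str             # 8-hex id that tells victims apart
    contacts: Tuple[str, str]  # the two attacker addresses embedded in the name


def parse_core_name(name: str) -> Optional[CoreRename]:
    """Return the decomposed name if it follows the .core convention, else None."""
    m = _CORE_NAME.match(name)
    if m is None:
        return None
    return CoreRename(m["orig"], m["vid"].upper(), (m["mail1"], m["mail2"]))


def triage(names: Iterable[str]) -> Dict[str, List[str]]:
    """Group encrypted files by victim id. One id across a share is the usual
    case; several ids mean more than one infected host wrote to it."""
    by_id: Dict[str, List[str]] = {}
    for n in names:
        r = parse_core_name(n)
        if r is not None:
            by_id.setdefault(r.victim_id, []).append(r.original)
    return by_id


# Constructed directory listing; the addresses are placeholders, not real IoCs.
SAMPLE_NAMES = [
    "Budget2024.xlsx.id-A7F3C1B2.[c1@example.invalid][c2@example.invalid].core",
    "scan_0417.dcm.id-a7f3c1b2.[c1@example.invalid][c2@example.invalid].CORE",
    "notes.txt.id-0C4D9E11.[c1@example.invalid][c2@example.invalid].core",
    RANSOM_NOTE,
    "unchanged.docx",
]

if __name__ == "__main__":
    for vid, files in triage(SAMPLE_NAMES).items():
        print(vid, files)
```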

2. Detection & Outbreak Timeline

  • First Submitted Sample: February 2022 (Malshare #453a1e9).
  • Wider Outbreak: March-June 2022 when multiple affiliates began distributing it under RaaS partnership.
  • Persistent Campaigns: Re-surged Q1 2023 targeting un-patched Exchange servers (ProxyNotShell chain).

3. Primary Attack Vectors

| Vector | Technique | Exploit Details |
|---|---|---|
| SMB / EternalBlue | Scan port 445 → MS17-010 → PSExec/WMIC | Still hunts un-patched Win7/2008 R2 |
| RDP Brute-force & BlueKeep | Scans TCP 3389 → NLA bypass (CVE-2019-0708 on old systems) | Credential stuffing lists from previous breaches |
| Spear-phishing with ISO/ZIP | ISO + LNK inside ZIP attached to invoice-themed mails (DHL / AmEx) | LNK executes PowerShell fetch stage |
| Exchange ProxyNotShell | CVE-2022-41040 (SSRF) + CVE-2022-41082 (RCE) | August 2022 patch Tuesday; exploited days later |
| AnyDesk / TeamViewer | Stolen cookies or remote sessions hijacked via infostealers | Common on managed-service-provider networks |


Remediation & Recovery Strategies

1. Prevention

| Layer | Action Items |
|---|---|
| Patching | Apply MS17-010, BlueKeep (CVE-2019-0708), and Exchange ProxyNotShell (KB5019758) immediately. |
| Network | Disable SMBv1; restrict RDP to VPN only; segment VLANs. |
| E-mail | Strip ISO, IMG, CHM, LNK, or HTA attachments; enforce DMARC/SPF/DKIM gateway rules. |
| End-point Controls | Deploy modern EDR with “behavioral” rules against werfault.exe spoofing and process hollowing. |
| Password & MFA | Enforce 14-char unique passwords, MFA on VPN/RDP and privileged admin portals. |

2. Removal (Step-by-Step)

  1. Isolate: Unplug network cables or deploy a host-based firewall rule to block outbound 80/443/8080.
  2. Identify: Run Microsoft Defender Offline or Malwarebytes’ .core signature update.
    Look for: C:\Users\<user>\AppData\Local\Temp\rdr.exe, service name “WinDefIdle”, scheduled task “OfficeMaintainer”.
  3. Boot into Safe-Mode with Networking OFF (to prevent further propagation).
  4. Delete Registry Autorun:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run → WinDefIdle
    HKCU\…\RunOnce → wmipvrse.exe
  5. Scan & Quarantine: Use Stinger, HitmanPro, Kaspersky Rescue. Re-scan until zero hits.
  6. Rebuild WMI/COM+ catalog (winmgmt /resetrepository) – .core corrupts WMI to re-hook across reboots.

3. File Decryption & Recovery

| Status | Details |
|---|---|
| Decryption Availability | ✅ Yes – for versions encrypted prior to July 2022. The authors reused an old HiddenTear variant with known key derivation flaw. |
| Free Decryptor | Download & run Emsisoft’s “CoreCryptoDecrypter v1.2.0” – requires one good pair (original & encrypted) <5 MB to brute-force the AES key. |
| Offline Key Back-ups | Enterprises that used Veeam, Acronis, or Zerto can restore; attackers truncate shadow copies (vssadmin delete shadows /all) and disable WinRE (bcdedit /set recoveryenabled no) – test backups regularly. |
| Cloud Sync | Check OneDrive/SharePoint’s “Previous Versions”; new EDR M365 policy now retains immutable snapshots for 180 days. |

4. Other Critical Information

  • Unique Characteristic: After encryption, the malware drops !README_CORE!.txt and spawns a bogus announcement window titled “Microsoft Security Essentials” to trick users into delaying shutdown.
  • Anti-Analysis & Self-Copying: .core runs a 60-second anti-analysis loop; during this time it duplicates itself under 3 different names (csrss.exe, dwm.exe, lsass.exe) to frustrate manual cleanup.
  • Broader Impact:
    – Hitting the APAC healthcare sector hardest; at least 4 hospitals lost an estimated 43 TB of PACS imaging.
    – Affiliates are linked to Conti techniques (double extortion, Blogspot TOR mirror) after Conti takedown – expect negotiated ransom demands in XMR (Monero).

Use this guide as a living document and integrate its mitigation controls into your incident runbooks. If you have newer samples, upload hashes to VirusTotal or for rapid community validation.