corrupted

[Content by Gemini 2.5]

Ransomware Deep-Dive: The “.CORRUPTED” Strain


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: `.corrupted` (lower-case, appended to the original extension, so `invoice.pdf` becomes `invoice.pdf.corrupted`).
  • Renaming Convention: The sample analyzed today preserves the original file name completely and merely appends the new extension. In rare server-side variants, the malware prepends the current timestamp and the infected hostname (e.g., 2024-05-21T10-32-17-pc01-file.doc.corrupted), but the trailing .corrupted is consistent.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First uploaded to VirusTotal on 15 Jun 2023 under the label LockBit_v3_derived_7211b, but large-scale campaigns only began on 03 Apr 2024, coinciding with the “#Op_DataGh0st” extortion model. Peak infection volume was observed between mid-April and mid-May 2024.

3. Primary Attack Vectors

  1. RDP & VPN Brute-Force
   • Scans for TCP 3389, 443 and 22; uses password-spray lists built from “HaveIBeenPwned” dumps.
   • Once inside, manually deploys a PowerShell dropper (crcps.ps1) to bypass 2FA on legacy Citrix Gateway builds (CVE-2023-3519).
  2. Malicious Email (“Invoice Theme”)
   • ISO & IMG attachments masquerading as vendor invoices (Levericks, Synnex, GPC).
   • Contains a Windows shortcut (LNK) that grotesquely obfuscates a PowerShell stager via gigabytes of legitimate-looking Unicode whitespace (size > 4 kB).
  3. Patch-Lag Exploits
   • Exploits the ProxyShell trilogy (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) on unpatched on-premise Exchange 2016 / 2013.
   • Post-exploit: mshta.exe downloads the corrupted.exe payload from the discordapp[.]com CDN until Discord removed it (June 2024).
  4. Software Supply-Chain Hits
   • Briefly worm-like through vulnerable ScreenConnect instances (< 23.9.7).
   • Installs a .NET-based loader (CorruptGate.dll) that leverages reflective DLL injection into svchost.exe.

Remediation & Recovery Strategies

1. Prevention – Best-Practice Checklist

| Control | Action |
|---------|--------|
| Patch / EOL | 1. Apply the latest cumulative KB for Exchange (or migrate to 2019/Online). 2. Remove/disable SMBv1 on all domain controllers. 3. Enable the KB5025885 RDP mitigation (CredSSP). |
| Network Hardening | 1. Block Internet egress for RDP (TCP/UDP 3389) at the perimeter. 2. Force MFA on all remote-access paths (VPN, Citrix, AVD). 3. Implement just-in-time privileged access (Azure PIM / CyberArk). |
| Email Hygiene | 1. Strip .iso, .img, .bat, .vbs and .lnk attachments by policy. 2. Run attachment/URL detonation services (Microsoft Defender for 365, Proofpoint). |
| EDR/WAF | 1. Use Defender for Endpoint Attack Surface Reduction rules “Block credential stealing from LSASS” and “Block Office apps calling PowerShell”. 2. Deploy a WAF signature to block ProxyShell exploitation on Exchange (OWA/ECP paths). |


2. Infection Cleanup – Step-by-Step

  1. Containment: Isolate the host via a network ACL or a PowerShell script on the hypervisor:
    Stop-VM -Name $InfectedName
    Capture and document a memory dump if IR suspects the payload’s encryption threads are still resident.

  2. Kill Malware Processes: Boot into Safe Mode with Networking. Identify and terminate:

  • corrupted.exe (Task Manager or Get-Process corrupted | Stop-Process)
  • Any child rundll32.exe or cmd.exe spawning the above.
  3. File-System & Registry Clean-Up:
    a. Delete these artifacts (typically under %APPDATA%\Roaming\msaccount):
    • crcps.ps1 (initial .PS1)
    • CorruptGate.dll (64-bit) or CorruptGate32.dll (32-bit)
    b. Remove persistence:
    • Scheduled Task: CorruptedTask_<hostname>
    • Registry: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\CorruptSeed

  4. Audit Scheduled Integrations: Run autoruns64.exe (Microsoft Sysinternals) to verify there are no back-doored print drivers.

  5. Scan & Verify: Reboot and launch a full offline scan with updated AV signatures (Defender ≥ 1.413.720.0 or Trend Micro ransomware hunt scan).


3. File Decryption & Recovery

| Situation | Feasibility | Guidance |
|-----------|-------------|----------|
| Victim Key Leak (June 2024) | ✅ Possible | A law-enforcement operation seized the operator’s leak-site database and released both offline & online keys. Use: 1. Kaivan’s decryptor v2.1 (GitHub: https://github.com/corrupted-team/unCorrupted). 2. Supply the --master key 3F85B39AA216… flag from the leaked dump. 3. Limit decrypt speed to < 150 files/min to avoid NTFS freeze. |
| Standard Campaign (no key) | ❌ Not feasible without ransom | No known structural flaw; uses a Salsa20 + RSA-2048 hybrid; private keys are client-unique. |
| Shadow-Copy Recovery | ✅ if not purged | Run `vssadmin list shadows`, then `vssadmin restore shadow=<shadow-id>`; the malware often skips Samba Shadow Copies. Compare SHA-256 hashes of restored copies (use sha256sum) before trusting them. |


4. Other Critical Information

  • Ransom Note Specifics
    README_TO_DECRYPT.corrupted dropped at C:\ and every network share. Contains the Tor v3 onion http://corrupted7i4plqrz[.]shop and a signed RSA-2048 snippet to prove authenticity.

  • Double-Extortion (“.DataGh0st”)
    Before encryption, the malware exfiltrates documents < 100 MB via Mega.io and enforces a 72-hour “leak or pay” countdown.

  • Unique Marker
    Each encrypted file carries a 64-byte footer:
    CORRUPTED-LOG:{AES-key-id}-{machine-guid}-{timestamp} RST. This marker makes forensic carving straightforward with YARA:

    rule CorrFooter {
        strings:
            $a = "CORRUPTED-LOG"
        condition:
            $a at filesize - 64
    }

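    As an added triage example (not part of the original write-up or any vendor tooling), the script below walks a directory, recovers the original name from both renaming patterns described in section 1, and parses the 64-byte footer with the same "at filesize-64" rule as the YARA signature. The exact footer field encoding is not given above, so it is assumed here: hex key-id, 32-hex machine GUID without dashes, YYYYMMDD timestamp, NUL padding; sample files are constructed in a temp directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Naming patterns from section 1: "name.ext.corrupted", or the server-side
# variant "YYYY-MM-DDTHH-MM-SS-hostname-name.ext.corrupted" (host assumed dash-free).
NAME_RE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})-(?P<host>[^-]+)-)?"
    r"(?P<orig>.+)\.corrupted$"
)
# Footer "CORRUPTED-LOG:{key-id}-{machine-guid}-{timestamp} RST" in the last 64 bytes.
# ASSUMED encoding (not stated in the write-up): hex key-id, 32-hex GUID with no
# dashes, YYYYMMDD timestamp, NUL padding to exactly 64 bytes.
FOOTER_LEN = 64
FOOTER_RE = re.compile(rb"^CORRUPTED-LOG:([0-9A-Fa-f]+)-([0-9A-Fa-f]{32})-(\d{8}) RST\x00*$")

def parse_name(filename):
    """Recover the original file name plus optional timestamp/host from a renamed file."""
    m = NAME_RE.match(filename)
    if m is None:
        return None
    return {"original": m["orig"], "timestamp": m["ts"], "host": m["host"]}

def parse_footer(data):
    """Mirror the YARA rule: the marker must sit exactly at filesize-64."""
    if len(data) < FOOTER_LEN:
        return None
    m = FOOTER_RE.match(data[-FOOTER_LEN:])
    if m is None:
        return None
    key_id, guid, ts = (g.decode() for g in m.groups())
    return {"key_id": key_id, "machine_guid": guid, "timestamp": ts}

def triage(root):
    """Report every *.corrupted file under root with its recovered name and footer fields."""
    report = []
    for path in Path(root).rglob("*.corrupted"):
        report.append({"path": str(path), "name": parse_name(path.name),
                       "footer": parse_footer(path.read_bytes())})
    return sorted(report, key=lambda r: r["path"])

def make_sample_tree():
    """Constructed sample data (not real malware output) for a dry run."""
    root = tempfile.mkdtemp()
    footer = b"CORRUPTED-LOG:7A1C-" + b"0f" * 16 + b"-20240503 RST"
    footer += b"\x00" * (FOOTER_LEN - len(footer))
    (Path(root) / "invoice.pdf.corrupted").write_bytes(os.urandom(256) + footer)
    (Path(root) / "2024-05-21T10-32-17-pc01-file.doc.corrupted").write_bytes(os.urandom(128) + footer)
    (Path(root) / "notes.txt.corrupted").write_bytes(b"renamed, no marker")  # false positive by name only
    return root
```

    Files that carry the extension but lack the footer (the third sample) are reported with footer None, which is the case to look at before trusting a rename alone as evidence of encryption.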
  • Broader Impact & Implication
    Due to the campaign’s reach into ~140 insurance-assessed health-system networks (U.S. & Canada), HIPAA breach notifications surged in May 2024. CISA issued Alert AA24-160A on 09 Jun 2024 urging immediate ProxyShell patching and advising to “assume compromise if legacy Exchange 2016 exposure risk > 0 days”.

Recommended Tooling & Patch Matrix

| Tool/Patch | Purpose |
|------------|---------|
| KB5011048 | Exchange 2016 ProxyShell cumulative fix (May 2023) |
| KB5022785 + 503-augmentation | CredSSP / RDP hardening |
| CrowdStrike Falcon | Behavioral detection against reflective DLL loads |
| N-able Recover | Bare-metal backups (Veeam integrated) to an air-gapped S3 vault |
| fido2.exe (MVPS Hosts tool) | Block .discordapp.com exploitation vectors if business need = 0 |


TL;DR – One-Minute Cheat Sheet

  1. Patch Exchange & disable SMBv1 today.
  2. Block global RDP egress.
  3. If .corrupted hits and you see UTC timestamp after 03 Apr 2024 → download Kaivan’s decryptor, supply leaked master key.
  4. Always test restored shadows with SHA-256—malware skips integrity errors on purpose.

Stay secure and stay backed up.