creeper

[Content by Gemini 2.5]


Creeper Ransomware – Comprehensive Mitigation & Recovery Guide


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every encrypted file receives the suffix “.creeper” appended after the original file name and extension.
    Document.docx → Document.docx.creeper
  • Renaming Convention:
    • No transposition, prefix, or case changes occur—only the additional extension.
    • Drives are enumerated alphabetically (A:\ → Z:\). Each encrypted file is also tagged with an in-file marker so the encryptor skips files it has already processed.
    • Some iterations prepend a short hexadecimal string (“0x500” observed on ≈3 % of samples), but the “.creeper” suffix is universal.
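
The renaming pattern above is what an incident responder looks for first. The following PowerShell triage script is an added example, not code from the original guide: it walks the given roots in the same alphabetical drive order the encryptor uses, counts files carrying the “.creeper” suffix, notes which of them start with a hex prefix, locates the README_TO_RESTORE_FILES.txt ransom note, and uses the earliest write time as an estimate of when encryption began. The function name and the assumption that the hex prefix begins with “0x” are the editor's, not the page's.

```powershell
# Added example (not part of the original guide): triage scan for the ".creeper"
# renaming pattern. Assumes the suffix is appended after the original extension,
# that an optional hex prefix starts with "0x", and that the ransom note name is
# README_TO_RESTORE_FILES.txt, all as stated on the page.

function Get-CreeperTriage {
    [CmdletBinding()]
    param(
        # Roots to scan; default is every filesystem drive, alphabetically, like the encryptor
        [string[]]$Root = (Get-PSDrive -PSProvider FileSystem |
                           Sort-Object Name | ForEach-Object { $_.Root }),
        [string]$NoteName = 'README_TO_RESTORE_FILES.txt',
        [string]$Suffix   = '.creeper'
    )

    $encrypted = @()
    $notes     = @()
    foreach ($r in $Root) {
        if (-not (Test-Path $r)) { continue }
        foreach ($f in Get-ChildItem -Path $r -Recurse -File -Force -ErrorAction SilentlyContinue) {
            if ($f.Name -eq $NoteName) {
                $notes += $f.FullName
            }
            elseif ($f.Name.EndsWith($Suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $encrypted += [pscustomobject]@{
                    Path         = $f.FullName
                    # Original name is simply the file name with the suffix removed
                    OriginalName = $f.Name.Substring(0, $f.Name.Length - $Suffix.Length)
                    # Hex-prefix variant ("0x500..." on a minority of samples)
                    HasHexPrefix = ($f.Name -match '^0x[0-9a-fA-F]+')
                    LastWrite    = $f.LastWriteTimeUtc
                }
            }
        }
    }

    # The earliest write time approximates when encryption started on this host
    $first     = $encrypted | Sort-Object LastWrite | Select-Object -First 1
    $firstTime = if ($first) { $first.LastWrite } else { $null }

    [pscustomobject]@{
        EncryptedCount  = @($encrypted).Count
        HexPrefixCount  = @($encrypted | Where-Object HasHexPrefix).Count
        RansomNoteCount = @($notes).Count
        FirstEncryption = $firstTime
        AffectedFolders = @($encrypted | ForEach-Object { Split-Path $_.Path } | Sort-Object -Unique)
        Notes           = $notes
    }
}

# Usage: Get-CreeperTriage -Root 'D:\' | Format-List
```

Run it from a clean admin host against a mounted or network-attached copy of the victim disk; the AffectedFolders list doubles as the scope for the cleanup and recovery steps later in this guide.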

2. Detection & Outbreak Timeline

  • First isolation / public sighting: 2018-07-12 (MalwareHunterTeam first tweet).
  • Peak activity: Regained traction February-March 2023 thanks to recompiled loader (“Creeper 3.1”) that began bypassing earlier YARA rules.
  • Current circulation: Still active—new samples submitted to VirusTotal weekly through mid-2024 (sha256:8c9f2a1e… last observed 2024-05-03).

3. Primary Attack Vectors

| Channel | Details | Observable Indicator (in logs) |
|---|---|---|
| Phishing e-mails (largest source) | ZIP → JavaScript or ISO → MSI. Lure themes: fake invoices or “invitation to tender”. | Attachment hash referenced in header; DKIM-Signature mismatches the inbound IP. |
| RDP brute-force | Targets IPs with 3389/TCP exposed; scans / brute-force from IoT botnets (Mirai/Wicked). | Event ID 4625: >80 failed logons to “Administrator” or “admin” within 5 min. |
| EternalBlue (MS17-010) & SMBv1 | Older loader (2018–2021) spreads laterally after the initial foothold. | TCP 445 lateral moves followed by a file drop into C:\Windows\Temp\<8-hex>.exe |
| Software supply-chain | One confirmed 2023 incident involved a trojanized Minecraft mod installer (CurseForge) bundling the Creeper loader disguised as ForgeAutoInstall.exe. | Binary signed by a revoked certificate (CN = “Faster Live LLC”). |
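
The RDP brute-force indicator in the table (more than 80 Event ID 4625 failures against “Administrator” or “admin” within five minutes) is easy to state and easy to get wrong with a fixed five-minute bucket. The script below is an added example written for this guide, not the author's code: it applies a sliding window per source address so a burst straddling a bucket boundary is still caught, and it includes a helper that extracts the needed fields from live 4625 events by name rather than by EventData position. The threshold and window are the page's numbers; the function names and the constructed sample data are the editor's.

```powershell
# Added example (not the original guide's code): detect the RDP brute-force
# indicator from the table above with a sliding 5-minute window per source IP.
# Input records need TimeCreated, TargetUserName and IpAddress properties.

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)][object[]]$Failures,
        [int]$Threshold = 80,          # page's figure: >80 failures
        [int]$WindowMinutes = 5,       # page's figure: within 5 minutes
        [string[]]$Accounts = @('Administrator', 'admin')
    )
    $hits = @()
    $byIp = $Failures |
        Where-Object { $Accounts -contains $_.TargetUserName } |
        Group-Object IpAddress
    foreach ($g in $byIp) {
        $times = @($g.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Shrink the window from the left until it spans at most WindowMinutes
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            if (($end - $start + 1) -gt $Threshold) {
                $hits += [pscustomobject]@{
                    IpAddress = $g.Name
                    Count     = $end - $start + 1
                    WindowEnd = $times[$end]
                }
                break   # one alert per source is enough
            }
        }
    }
    $hits
}

# Pull real 4625 events from the Security log (requires elevation) and read the
# EventData fields by name from the event XML.
function Get-LogonFailures {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                TargetUserName = $d['TargetUserName']
                IpAddress      = $d['IpAddress']
            }
        }
}

# Constructed sample (not real log data): 100 failures in ~3.5 minutes from one
# address, 10 failures spread over an hour from another.
$t0 = [datetime]'2024-05-10T03:00:00Z'
$sample = @()
foreach ($i in 1..100) {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds($i * 2); TargetUserName = 'Administrator'; IpAddress = '203.0.113.7' }
}
foreach ($i in 1..10) {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes($i * 6); TargetUserName = 'admin'; IpAddress = '198.51.100.9' }
}
Find-RdpBruteForce -Failures $sample          # reports 203.0.113.7 only
# Live: Find-RdpBruteForce -Failures (Get-LogonFailures -Since (Get-Date).AddHours(-24))
```

The 4625 event records the source in the IpAddress field even for RDP, so no separate TerminalServices log parsing is needed for this particular indicator; scheduling the live call every few minutes and forwarding any hit to the SIEM gives a cheap early-warning for the channel the table ranks second.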


Remediation & Recovery Strategies

1. Prevention – Essential First Lockdowns

  • Disable SMBv1 – Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  • Patch & Harden RDP – Require NLA, strong 15+ character passwords, and rate-limiting via netsh or Group Policy.
  • E-mail filters – Block ISO, JAR, JNLP, and JSE attachments at the SMTP gateway. Deploy SPF/DKIM/DMARC with a reject policy.
  • AppLocker / WDAC – Whitelist %ProgramFiles%\* and %WinDir%\* executables; block unsigned binaries from %userprofile%\**.
  • Macro kill chain – Use Microsoft 365 policies to block VBA macros in documents from the Internet.
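
Three of the lockdowns above (SMBv1 off, NLA required for RDP, Internet-sourced macros blocked) can be applied and then verified from one elevated PowerShell session. The script below is an added example, not part of the original guide: it uses the standard Windows and Office policy locations, and the Office version key “16.0” is an assumption that must match the deployed build. E-mail gateway and AppLocker policy are left to their own consoles.

```powershell
# Added example (not part of the original guide): apply and verify three of the
# first-lockdown controls listed above. Run elevated. The Office policy key
# version "16.0" is an assumption; adjust to the installed Office release.

$rdpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$officeApps = 'Word', 'Excel', 'PowerPoint'

function Invoke-CreeperLockdown {
    # SMBv1: remove the optional feature and disable the server-side protocol
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # RDP: require Network Level Authentication (UserAuthentication = 1)
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Type DWord -Value 1

    # Office: block macro execution in files carrying the Mark-of-the-Web (policy scope, current user)
    foreach ($app in $officeApps) {
        $k = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        Set-ItemProperty -Path $k -Name blockcontentexecutionfrominternet -Type DWord -Value 1
    }
}

function Test-CreeperLockdown {
    # One pass/fail row per control, so the result can be logged or compared across hosts
    $smb1Feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    $smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $nla         = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $macros      = foreach ($app in $officeApps) {
        $k = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        (Get-ItemProperty -Path $k -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet -eq 1
    }
    [pscustomobject]@{ Control = 'SMB1 feature removed';  Pass = ($smb1Feature -ne 'Enabled') }
    [pscustomobject]@{ Control = 'SMB1 server disabled';  Pass = (-not $smb1Server) }
    [pscustomobject]@{ Control = 'RDP requires NLA';      Pass = ($nla -eq 1) }
    [pscustomobject]@{ Control = 'Office macros blocked'; Pass = ($macros -notcontains $false) }
}

# Usage: Invoke-CreeperLockdown; Test-CreeperLockdown | Format-Table -AutoSize
```

A reboot is still needed before the SMB1Protocol feature removal is complete, so run Test-CreeperLockdown again afterwards; in a domain, set the same values through Group Policy so they survive local changes.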

2. Infection Cleanup – Step-by-Step Removal

CRITICAL – Disconnect from the network before any remediation step.

  1. Boot offline (Linux live-USB or WinRE/WinPE).
  2. Archive a RAM dump if forensics are required (FTK Imager /memdump).
  3. Delete the following artifacts:
     • Persisting binaries:
       • %APPDATA%\Microsoft\Windows\Templates\<3-5 random chars>.exe
       • C:\ProgramData\Oracle\Java\cache\<hex-name>.exe
     • Run-key persistence (regedit, offline hive):
       HKCU\Software\Microsoft\Windows\CurrentVersion\Run → "SysHelper" => "%APPDATA%\..\<exe>"
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx → "<hex digits>"
  4. Reset local admin passwords and delete any new unauthorized accounts.
  5. Deploy updated AV/NGAV signatures (Sophos 2024-05-04 signature log: “Ransom-Creeper.gen”).
  6. Re-patch the OS, Java, and third-party apps with the latest cumulative updates.
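
Before deleting anything in step 3 it helps to enumerate exactly what is present, so the removal can be reviewed and recorded. The audit script below is an added example, not the guide's own tooling: it inspects the two run keys and the two drop directories named above, flags values that match the page's indicators (the “SysHelper” name, hex-only value names, paths into AppData or using “..\” traversal, unsigned executables), and hashes any executable in the drop paths. It reports only; nothing is deleted. Hive paths, directory defaults and the function name are the editor's assumptions.

```powershell
# Added example (not the original guide's code): audit the persistence locations
# and drop paths from the cleanup steps above without deleting anything.
# Live registry by default; for an offline disk, load the hives first, e.g.
#   reg load HKLM\OfflineUser D:\Users\<user>\NTUSER.DAT
#   reg load HKLM\OfflineSoftware D:\Windows\System32\config\SOFTWARE
# and pass -UserHive 'HKLM:\OfflineUser' -MachineHive 'HKLM:\OfflineSoftware'.

function Get-CreeperPersistence {
    param(
        [string]$UserHive    = 'HKCU:',
        [string]$MachineHive = 'HKLM:\SOFTWARE',
        [string]$AppData     = $env:APPDATA,
        [string]$ProgramData = $env:ProgramData
    )
    $keys = @(
        "$UserHive\Software\Microsoft\Windows\CurrentVersion\Run",
        "$MachineHive\Microsoft\Windows\CurrentVersion\RunOnceEx"
    )
    $findings = @()

    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, etc.
            $value   = [string]$p.Value
            $reasons = @()
            if ($p.Name -eq 'SysHelper')                        { $reasons += 'value name matches page IOC' }
            if ($p.Name -match '^[0-9a-fA-F]{4,}$')             { $reasons += 'hex-only value name' }
            if ($value -match '%APPDATA%|\\AppData\\|\\\.\.\\')  { $reasons += 'points into AppData or uses ..\ traversal' }

            # Resolve the executable referenced by the value (quoted path or first token)
            $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if ((Test-Path $exe) -and (Get-AuthenticodeSignature $exe).Status -ne 'Valid') {
                $reasons += 'unsigned or invalid signature'
            }

            if ($reasons) {
                $findings += [pscustomobject]@{ Location = $k; Name = $p.Name; Value = $value; Reason = ($reasons -join '; ') }
            }
        }
    }

    # Drop paths: 3-5 random characters under Templates, hex names under the Java cache
    $dropPatterns = @{
        "$AppData\Microsoft\Windows\Templates" = '^[A-Za-z0-9]{3,5}\.exe$'
        "$ProgramData\Oracle\Java\cache"       = '^[0-9a-fA-F]+\.exe$'
    }
    foreach ($dir in $dropPatterns.Keys) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue) {
            if ($f.Name -match $dropPatterns[$dir]) {
                $findings += [pscustomobject]@{
                    Location = $dir
                    Name     = $f.Name
                    Value    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
                    Reason   = 'executable in known drop path'
                }
            }
        }
    }
    $findings
}

# Usage: Get-CreeperPersistence | Format-Table -AutoSize
```

Export the output (for example with Export-Csv) before removal: the SHA-256 values become the incident's own indicator list, and the registry rows document which values were deleted in step 3.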

3. File Decryption & Recovery

  • Feasibility of direct decryption: Possibly yes – early variants (2018–2022) used a hard-coded AES-256 key inside the binary. Newer releases (2023+) switched to randomly generated AES keys that are RSA-2048-encrypted and stored in PUBKEY.BLOB, which makes offline decryption impossible.
  • Available tools:
    • 2018–2022 victims: Use Kaspersky’s “CreeperDecryptor 2.0” (free). Run it with admin rights and select the encrypted folder; success rate ≈ 75 % if more than one original/encrypted file pair is found.
    • 2023–present victims: No free decryptor exists. The only path is:
      1. Wait for a possible master-key release (follow the @malwrhunterteam and @demonslay335 lists).
      2. Assess the availability of offline backups / shadow copies.
  • Shadow-copy wiping check: Run vssadmin list shadows – Creeper typically deletes them, but on Win11 22H2+ default snapshots sometimes survive on the OEM “HP / Dell Recovery” partition.

4. Other Critical Information

  • Network Spreading Feature: Once executed, it drops an embedded Python stub named wce.py to probe for open SMB / SSH shares using weak credentials—unique among low-budget ransomware strains.
  • Ransom Note Filename: Always README_TO_RESTORE_FILES.txt, dropped in every encrypted directory; e-mail contact uses ProtonMail (creeper_returns@protonmail[.]com through May 2023, now rotated to creeper_victims@tutanota[.]de).
  • Wide-Scale Impact:
    • A 2023 attack against a Nottinghamshire (UK) NHS trust forced a 48-hour postponement of non-critical surgeries—highlighting real-world consequences.
    • Cryptocurrency demanded: 0.08 BTC historically, but negotiators report willingness to drop to 0.02–0.03 once viable.

TL;DR Cheat-Sheet

| Task | Quick Command / Tool |
|---|---|
| Block SMBv1 | Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -Name SMB1 -Type DWORD -Value 0 |
| Check persistence | Autoruns64.exe (Sysinternals) → Look for unsigned entries in run keys |
| Free decryptor (old) | CreeperDecryptor_2.0.exe -d C:\Encrypted |
| Offline backup integrity | Run Robocopy /MIR \\NAS\backup\2024-05-10 C:\Verify (use an empty scratch folder) |
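
The Robocopy line restores the backup set to C:\Verify but does not by itself prove the copy is intact or that the backup predates the encryption. The script below is an added example, not the guide's own tooling: it hashes every file in the backup source, checks that each one exists in the restored tree with an identical SHA-256, and flags any “.creeper” file inside the backup, because a backup taken after encryption began cannot be used for recovery. The paths are placeholders and the function name is the editor's.

```powershell
# Added example (not the original guide's code): verify a restored backup set
# after the cheat-sheet's Robocopy step. Paths are placeholders.

function Test-RestoredBackup {
    param(
        [Parameter(Mandatory)][string]$Source,     # e.g. \\NAS\backup\2024-05-10
        [Parameter(Mandatory)][string]$Restored,   # e.g. C:\Verify
        [string]$RansomExt = '.creeper'
    )
    # Normalise to a provider path so UNC and local roots strip the same way
    $srcRoot = (Resolve-Path $Source).ProviderPath.TrimEnd('\')

    # Hash every file in the source, keyed by path relative to the root
    $hash = @{}
    foreach ($f in Get-ChildItem -Path $srcRoot -Recurse -File) {
        $rel = $f.FullName.Substring($srcRoot.Length + 1)
        $hash[$rel] = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }

    $missing = @(); $mismatch = @(); $tainted = @()
    foreach ($rel in $hash.Keys) {
        # An encrypted file inside the backup means the backup postdates the outbreak
        if ($rel.EndsWith($RansomExt, [StringComparison]::OrdinalIgnoreCase)) { $tainted += $rel; continue }
        $dst = Join-Path $Restored $rel
        if (-not (Test-Path $dst)) { $missing += $rel; continue }
        if ((Get-FileHash -Path $dst -Algorithm SHA256).Hash -ne $hash[$rel]) { $mismatch += $rel }
    }

    [pscustomobject]@{
        FilesChecked      = $hash.Count
        Missing           = $missing
        HashMismatch      = $mismatch
        EncryptedInBackup = $tainted
        Usable            = (@($missing).Count -eq 0 -and @($mismatch).Count -eq 0 -and @($tainted).Count -eq 0)
    }
}

# Usage (after the Robocopy step in the table above):
#   Test-RestoredBackup -Source \\NAS\backup\2024-05-10 -Restored C:\Verify | Format-List
```

Robocopy /MIR deletes anything in the destination that is absent from the source, so point it at an empty scratch folder; run the check from a host that is not joined to the compromised network and treat Usable = $false as a reason to fall back to an older backup generation.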

Stay patched, backed up, and adopt the 3-2-1 rule: 3 copies, 2 media types, 1 offline/air-gapped.