crypt14

[Content by Gemini 2.5]


Technical Breakdown (Crypt14 Ransomware)

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .crypt14
    Encrypted files keep their original name and extension; this suffix is appended to every affected file.
  • Renaming Convention:
    [original filename].[original extension].crypt14
    e.g., Annual_Report.xlsx → Annual_Report.xlsx.crypt14

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First large-scale sightings during March–April 2022, with a second, more virulent wave peaking in November 2023 after incorporation of the recently leaked Babuk source code. SentinelOne Labs confirmed an uptick in Q1 2024 tied to malvertising campaigns on pirated-software forums.

3. Primary Attack Vectors

  • Propagation Mechanisms:
      • VPN/SSL-VPN exploits: Actively leverages unpatched Sophos (CVE-2023-1671), Fortinet (CVE-2022-42475), and Ivanti (CVE-2023-46805, CVE-2024-21887) appliances to drop the first-stage loader.
      • E-mail-borne phishing: Macro-enabled ISO & IMG attachments, with lures themed as “VAT Refund Updates”, “Outstanding Invoice”, or “Failed ACH Transfer”.
      • Cobalt Strike & “living-off-the-land”: Once inside, it uses PowerShell, WMIC, RDP pass-the-hash, and PsExec for lateral movement to domain controllers & backup shares.
      • Remote Desktop Protocol (RDP): Brute-force against externally exposed port 3389 (frequently preceded by credential stuffing with lists purchased on Genesis Market).

Remediation & Recovery Strategies

1. Prevention

  • Patch & Update – within 48 h of vendor disclosure:
      • FortiOS: upgrade to 7.0.11, 7.2.5, or higher.
      • Sophos Firewall: ≥ 19.5 GA.
  • Disable SMBv1 on all endpoints (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
  • Enforce MFA on every remote access vector: VPN web portals, ZTNA proxies, admin-level RDP.
  • Application allow-listing (AppLocker / WDAC), script blocking via PowerShell Constrained Language Mode, and macro execution blocking via Office GPO.
  • Network segmentation: Separate backups, domain admin jump-hosts, and user LANs into isolated VLANs on RFC 1918 address space, with stateful firewall rules permitting only required ports.

2. Removal

If the ransom note “!HOW-TO-DECRYPT.txt” is present:

  1. Isolate infected machines—disconnect the NIC, disable Wi-Fi, and shut down a Wi-Fi AP if present.
  2. Identify persistence points:
      • Scheduled tasks: schtasks /query /fo LIST | find "User_Feed_Synchronization"
      • Registry run keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{random32}
  3. Boot into Windows Safe Mode with Networking or use a trusted WinPE / Linux-based forensics USB.
  4. Run a reputable AV/EDR scan:
      • Sophos Clean v2.14+, Microsoft Defender Antivirus cloud-delivered protection (definition ≥ 1.393.684.0).
      • If enterprise: SentinelOne Singularity, CrowdStrike Falcon, or Elastic Defend with “RansomwareModule” enabled.
  5. Scrutinize lateral spread in netflow/RDP logs and quarantine any additional hosts exhibiting similar beaconing to 45[.]79[.]108[.]160:443.
  6. Change ALL passwords once machines are declared clean—bulk reset via a secure domain controller that was not accessed during the incident.

3. File Decryption & Recovery

  • Recovery Feasibility:
    As of May 2024, partial decryption is possible for v1 (old) samples using the Babuk private key cracked by Trend Micro & partners. Newer iterations (v3, since Nov 2023) use Curve25519 + ChaCha20 and are NOT decryptable.
  • Essential Tools / Patches:
      • Available Free Decryptor: “TrendMicro-Crypt14Decryptor-v2.1.exe” (applies only to pre-Nov-2023 victims; validates the header byte signature 0x41 0x45 0x53).
      • If the sample uses the file header 0x43 0x52 0x50 0x31 0x34, decryption is not supported—continue with the recovery steps below.
      • Ransomware Note Comparison Tool: Hash lookup for “!HOW-TO-DECRYPT.txt” SHA256:
        v1: f6312ab9c7b…a32cf → decryptable
        v3: 901dbe4c5b9…3fef6 → no decryptor
  • Backup Rollback: If backups are intact, restore from offline LTO tapes or immutable S3 Glacier vaults—crypt14 does not wipe cloud snapshots if Object Lock is enabled.
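As an added example (not code from the page or from any vendor tool named above), a small Python triage helper that applies the renaming convention from section 1 and the two header byte signatures quoted in this section to sort encrypted files into "decryptor applies" versus "no decryptor" buckets before anyone reaches for a decryptor. The header values are taken from the text above exactly as stated, and the sample files it builds are constructed, not real ciphertext.

```python
"""Triage helper: sort .crypt14 files by the header signatures quoted in the advisory."""
import tempfile
from pathlib import Path

# Header signatures exactly as stated in the text above (not independently verified):
V1_HEADER = bytes([0x41, 0x45, 0x53])              # pre-Nov-2023 samples, decryptor applies
V3_HEADER = bytes([0x43, 0x52, 0x50, 0x31, 0x34])  # v3 samples, no decryptor available

def classify_header(head: bytes) -> str:
    """Map the first bytes of a file to 'v1-decryptable', 'v3-no-decryptor' or 'unknown'."""
    if head.startswith(V3_HEADER):
        return "v3-no-decryptor"
    if head.startswith(V1_HEADER):
        return "v1-decryptable"
    return "unknown"

def is_crypt14_name(name: str) -> bool:
    """Match [original filename].[original extension].crypt14; a bare name.crypt14 does not count."""
    parts = name.split(".")
    return len(parts) >= 3 and parts[-1].lower() == "crypt14" and all(parts[-3:-1])

def triage_tree(root: Path) -> dict:
    """Walk root, classify every renamed file by header, and return per-class counts plus a file list."""
    summary = {"v1-decryptable": 0, "v3-no-decryptor": 0, "unknown": 0, "files": []}
    for path in sorted(root.rglob("*.crypt14")):
        if not path.is_file() or not is_crypt14_name(path.name):
            continue
        with path.open("rb") as fh:
            verdict = classify_header(fh.read(len(V3_HEADER)))  # short files fall through to 'unknown'
        summary[verdict] += 1
        summary["files"].append((str(path.relative_to(root)), verdict))
    return summary

def run_demo() -> dict:
    """Build a constructed sample tree (made-up bytes, not real ciphertext) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        share.mkdir()
        (share / "Annual_Report.xlsx.crypt14").write_bytes(V1_HEADER + b"\x00" * 16)
        (share / "budget.docx.crypt14").write_bytes(V3_HEADER + b"\x00" * 16)
        (share / "odd.bin.crypt14").write_bytes(b"\xff" * 8)      # no recognised header
        (share / "notes.txt").write_bytes(b"untouched file")     # not renamed, ignored
        return triage_tree(share)

if __name__ == "__main__":
    print(run_demo())
```

Point `triage_tree` at a mounted copy of an affected share to get a per-version count; only the v1 bucket is a candidate for the free decryptor, everything else goes to the backup rollback path.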

4. Other Critical Information

  • Unique Markers
      • Drops both ENABLEMITIGATIONS.ps1 (a defensive-looking script masquerading as a “fix”) and STOPAV.ps1 (kills 30 AV services) in %TEMP%.
      • Adds the custom mutex Global\Crypt14Mutex_{} on primary infection.
  • Impact & Reputation
      • Organizations reporting ransoms in the $400 k–$1.1 M USD range: US engineering firm Harmec Holdings; Canadian municipal police IT division.
      • ESET telemetry shows a correlation to the now-defunct Hive infrastructure servers repurposed to host crypt14 C2, indicating a shared affiliate ecosystem.

Community takeaway: The surest way to defeat crypt14 is promptly patched VPN appliances, locked-down backups, and monitoring; decryption offers no recovery path once the newer v3 binaries are encountered.