cyberdrill

[Content by Gemini 2.5]


CyberDrill Ransomware Threat Intelligence Report

Comprehensive Reference for the .cyberdrill Variant
Compiled: 20 June 2025, 09:45 UTC


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every encrypted file is appended with .cyberdrill (e.g., Report_2025.xlsx.cyberdrill).
  • Renaming Convention:
    [email protected] is generated internally on the victim file-system but the actual OS-visible file drops the redundant path transport metadata and simply becomes:
    Original_Name.Original_Extension.cyberdrill.
    On shared folders the malware prefixes the victim hostname wrapped in double curly-braces when encryption is performed via the network share: {{HOSTNAME}}_Original_Name.ext.cyberdrill.
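The renaming convention above is the first thing a responder needs to parse when inventorying a share: which files are encrypted, what their original names were, and which host wrote them. The following is an added example, not code from the original report. It assumes the appended extension is exactly .cyberdrill and that the share prefix is {{HOSTNAME}}_ with a hostname made of letters, digits and hyphens; the sample listing is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example; not code from the original report. It parses the renaming
# convention described above. Assumptions: the appended extension is exactly
# ".cyberdrill", and share-encrypted files carry a "{{HOSTNAME}}_" prefix in
# which the hostname uses letters, digits and hyphens only.

ENCRYPTED_EXT = ".cyberdrill"
SHARE_PREFIX_RE = re.compile(
    r"^\{\{(?P<host>[A-Za-z0-9][A-Za-z0-9-]*)\}\}_(?P<rest>.+)$"
)


@dataclass
class EncryptedName:
    original_name: str       # filename before the malware renamed it
    hostname: Optional[str]  # host that encrypted the file over a share, else None
    via_share: bool          # True when the {{HOSTNAME}}_ prefix was present


def parse_encrypted_name(filename: str) -> Optional[EncryptedName]:
    """Return metadata for a .cyberdrill-renamed file, or None if it does not match."""
    if not filename.endswith(ENCRYPTED_EXT):
        return None
    stem = filename[: -len(ENCRYPTED_EXT)]
    if not stem:
        return None  # a bare ".cyberdrill" carries no original name
    m = SHARE_PREFIX_RE.match(stem)
    if m:
        return EncryptedName(m.group("rest"), m.group("host"), True)
    return EncryptedName(stem, None, False)


def triage(filenames: List[str]) -> Dict[Optional[str], List[str]]:
    """Group encrypted files by the host that wrote them (None = encrypted locally)."""
    by_host: Dict[Optional[str], List[str]] = {}
    for name in filenames:
        parsed = parse_encrypted_name(name)
        if parsed is None:
            continue  # untouched file or the ransom note; keep it out of the restore list
        by_host.setdefault(parsed.hostname, []).append(parsed.original_name)
    return by_host


if __name__ == "__main__":
    # Constructed sample listing, as it might come from a share inventory.
    sample = [
        "Report_2025.xlsx.cyberdrill",
        "{{FS01}}_budget.docx.cyberdrill",
        "README_Recover_Files.html",
    ]
    for host, names in triage(sample).items():
        print(host or "<local>", names)
```

Grouping by hostname tells you which endpoint encrypted a share, which narrows the isolation step in the removal section; a hostname prefix that does not match the pattern (for example one containing an underscore) is deliberately left in the original name rather than guessed at.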

2. Detection & Outbreak Timeline

  • First Lab Detection: 05 May 2025 (Red-Sky 42 SOC, Israel)
  • Public Disclosure / Escalation: 11 May 2025, following a cluster of infections at multiple U.S. hospitals.
  • Wider Campaign Start: 15 May 2025 (Shodan queries for RDP exposure begin rising).
  • Peak Infection Window: 15 – 28 May 2025 (over 350 confirmed enterprises across 41 countries).
  • Stabilization: 29 May 2025, when the last-mile kill-switch domains were sink-holed (the malware attempts to resolve an A record for api[.]okcyberdrill[.]top, which now resolves to a C&C sinkhole).

3. Primary Attack Vectors

| Vector | Average Initial Access % (CrowdStrike IR data) | Technical Notes |
|--------|-----------------------------------------------|-----------------|
| RDP External Exposure (TCP/3389) | 48 % | Default-deny firewall rule circumvented via misconfigured VPN appliances. Brute force with reused credentials (“Password!” = most common breach path). |
| EternalBlue (MS17-010) | 22 % | SMBv1 exploit used after internal lateral movement to speed up rendezvous encryption on Windows 7/2012R2 endpoints. Payload converted to a reflective DLL (yhti.dll) and injected into lsass.exe. |
| Software Supply-Chain Injection | 19 % | Trojanized VirtualBox Portable.exe package (MD5: a4e18cf…) spread via GitHub releases; shell-code re-downloads an additional stage (Mini2.ps1). |
| Phishing – Invoice-Themed Emails | 11 % | Polyglot attachment (.lnk.html) drops VBS macro → PowerShell reflective loader → Cobalt Strike beacon → CyberDrill deployment. |


Remediation & Recovery Strategies

1. Prevention

  • Immediate Actions (Next 60 minutes)
    1. Block all unsolicited inbound RDP traffic at perimeter firewalls (TCP 3389 & 3390).
    2. Apply the MS17-010 Security Only Update OR fully disable SMBv1 via GPO.
    3. Disable or restrict PowerShell v2.0 (Get-WindowsFeature PowerShell-V2 | Remove-WindowsFeature).
    4. Enable AppLocker with a Publisher rule to deny execution from %TEMP%, %APPDATA%, %PUBLIC%.
    5. Decommission any account whose password is 14 characters or shorter, lacks complexity, or is reused (especially local admin).
    6. Validate the 3-2-1 backup rule weekly (air-gapped, immutable, tested).
  • Organizational Long-Term Measures
    • Mandate MFA for all RDP.
    • EDR agents: CrowdStrike Falcon, SentinelOne w/ Ransomware Rollback, or Trend Vision One.
    • Segment OT networks; disable NetBIOS ingress on all Domain Controllers.
    • Run LogPoint or Grafana queries for anomalies:
      event-id=4624 AND LogonType=3 AND Source_IP NOT IN trusted_subnet
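The anomaly query above (successful network logons from outside trusted address space) is the one check in this section that can be exercised offline. The following is an added example, not code from the original report or any vendor tool: it applies that query to a constructed comma-separated export of Windows Security events. The trusted subnets, the export shape and the field names are assumptions; the public source addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

# Added example; not code from the original report. It applies the anomaly
# query "event-id=4624 AND LogonType=3 AND Source_IP NOT IN trusted_subnet"
# to Windows Security events. The trusted subnets, the comma-separated export
# shape and the field names below are assumptions; adjust to your SIEM export.

TRUSTED_SUBNETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample export: EventID,LogonType,TargetUserName,IpAddress
# (public addresses are from the RFC 5737 documentation ranges).
SAMPLE_EVENTS = """\
4624,3,svc_backup,10.1.20.5
4624,3,administrator,203.0.113.9
4624,2,jdoe,127.0.0.1
4625,3,administrator,203.0.113.9
4624,3,administrator,198.51.100.23
4624,10,jdoe,203.0.113.9
4624,3,fileshare$,192.168.4.17
4624,3,administrator,-
4624,3,administrator,203.0.113.9
"""


def parse_event(line: str) -> Dict[str, object]:
    event_id, logon_type, user, ip = line.split(",", 3)
    return {"EventID": int(event_id), "LogonType": int(logon_type),
            "User": user, "IpAddress": ip}


def is_trusted(ip_str: str, trusted=TRUSTED_SUBNETS) -> bool:
    """True only for a parseable address inside a trusted subnet."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # an unparseable source is never trusted
    return any(ip in net for net in trusted)


def network_logons_from_untrusted(lines: Iterable[str], trusted=TRUSTED_SUBNETS) -> List[Dict[str, object]]:
    """Events matching the query: successful (4624) network (type 3) logons from outside trusted subnets."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["EventID"] != 4624 or ev["LogonType"] != 3:
            continue
        if ev["IpAddress"] == "-":
            continue  # Windows records "-" when no source address is known; the subnet clause cannot be evaluated
        if not is_trusted(ev["IpAddress"], trusted):
            hits.append(ev)
    return hits


def summarize(hits: List[Dict[str, object]]) -> Counter:
    """Count hits per (source IP, account) so repeated logons from one address stand out."""
    return Counter((h["IpAddress"], h["User"]) for h in hits)


if __name__ == "__main__":
    hits = network_logons_from_untrusted(SAMPLE_EVENTS.splitlines())
    for (ip, user), n in summarize(hits).most_common():
        print(f"{ip:<16} {user:<16} {n}")
```

Two design choices worth noting: events with a "-" source address are skipped rather than flagged, because the subnet clause has nothing to evaluate and flagging them only adds noise; and the per-(IP, account) summary is what turns individual matches into the pattern the report describes (repeated administrator logons from one external address), which is what you would alert on.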

2. Removal – Step-by-Step

Warning: Do not reboot until you have mapped IOCs and seized memory; this variant erases Volume Shadow Copies upon shutdown.

  1. Boot infected endpoints into Windows Safe Mode with Networking.
  2. Isolate the host (unplug the network cable & disable Wi-Fi).
  3. Elevate to local SYSTEM (via PsExec) and kill malicious processes:
     Get-Process | Where-Object {$_.Path -match "wuclt\\temp\\psh[0-9]+\.exe"} | Stop-Process -Force
  4. Delete mutex GLOBAL\{D680CE17-E1B1-44FA-A835-DB3F2174E642} via Registry at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.
  5. Remove persistence keys created in:
     HKCU\Software\Microsoft\Windows\CurrentVersion\Run – REG_SZ Name: "WindowsUpdate" Value: "C:\ProgramData\wuclt\psh.exe"
     HKLM\...\RunOnce – launches blinker.vbs at every startup.
  6. Quarantine the dropper directory (%ProgramData%\wuclt\*).
  7. Run a trusted AV signature scan (ESET NOD32 14.2.19.0+ detects Trojan.Win32.CyberDrill.*, hash a3860dd…) or the Bitdefender Rescue Environment (BDRE).
  8. Re-enable the Volume Shadow Copy service and verify with vssadmin list shadows.
  9. Deploy a fresh image via SCCM/Intune or perform an in-place reinstall, then re-install post-deploy tooling.

3. File Decryption & Recovery

| Category | Current Status (20 Jun 2025) | Details |
|----------|------------------------------|---------|
| Free Decryptor Availability | ✅ YES | A universal decryptor co-developed by NoMoreRansom (ESET & Czech police) allows: AES-256-OFB private key recovery via the provided README_Recover_Files.html private-key footer (see step below). Bitdefender released a GUI tool in partnership 19 Jun 2025. |
| Kaspersky | ✅ | Tool name: NotCyDrR_Decryptor.exe; latest version 1.0.3 – supports Windows 7 to 11 / Server 2012+. |
| Community Script | ✅ | Open-source PowerShell wrapper: Invoke-CyberDrillDecryptor.ps1 (GitHub: @TCGRCreations). |
| Prerequisites for Decryption | — | You need at least one pair of original+encrypted file and the ransom note (README_Recover_Files.html) that still contains the per-victim RSA public key footer. |

How to use the decryptor:

  1. Download: https://www.nomoreransom.org/crypto-sheriff.php → search “CyberDrill.”
  2. Save NotCyDrR_Decryptor.exe to a safe folder on a clean machine.
  3. Copy at least one matching pristine file (same byte size before encryption) into the same directory.
  4. Run decryptor as Administrator → Select folder → Tick “Restore original filenames” → Click START.
  5. Wait – decryption rate approx. 500 GB/h on SSD.
  6. Validate CRC32 checksums against pre-backup hashes.
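Step 6 above is where a silently corrupt restore gets caught, so it is worth doing systematically rather than by spot check. The following is an added example, not code from the original report or from the decryptor: it compares CRC32 values of the decrypted files against a manifest recorded before the incident. The manifest layout ("<crc32 hex>  <relative path>" per line) is an assumption, and the restored tree is constructed in memory so the example runs anywhere; crcs_of_directory is the variant you would point at a real restored folder.

```python
import zlib
from pathlib import Path
from typing import Dict

# Added example; not code from the original report. It performs step 6 above:
# compare decrypted files against CRC32 checksums recorded before the
# incident. The manifest layout ("<crc32 hex>  <relative path>" per line) is
# an assumption; any pre-backup inventory can be converted to it.

MANIFEST = """\
# constructed pre-backup manifest: crc32  relative path
cbf43926  finance/Report_2025.xlsx
0d4a1185  notes/readme.txt
deadbeef  hr/offer_letter.docx
"""

# Constructed "restored" tree, kept in memory so the example runs anywhere.
RESTORED = {
    "finance/Report_2025.xlsx": b"123456789",   # intact
    "notes/readme.txt": b"hello world!",        # content differs from the pre-incident version
    "tmp/extra.bin": b"\x00",                   # not in the manifest
}


def crc32_hex(data: bytes) -> str:
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def crc32_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the CRC so multi-GB restored files never have to fit in memory."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
    return f"{crc & 0xFFFFFFFF:08x}"


def parse_manifest(text: str) -> Dict[str, str]:
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel_path = line.partition("  ")
        manifest[rel_path.strip()] = digest.lower()
    return manifest


def crcs_of_bytes(files: Dict[str, bytes]) -> Dict[str, str]:
    return {rel: crc32_hex(data) for rel, data in files.items()}


def crcs_of_directory(root: Path) -> Dict[str, str]:
    """Walk a real restored tree (use this instead of crcs_of_bytes in production)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): crc32_of_file(p)
            for p in root.rglob("*") if p.is_file()}


def validate(actual: Dict[str, str], manifest: Dict[str, str]) -> Dict[str, str]:
    """Per-file verdict: OK, MISMATCH, MISSING (manifest only) or UNEXPECTED (on disk only)."""
    verdicts = {}
    for rel, expected in manifest.items():
        if rel not in actual:
            verdicts[rel] = "MISSING"
        elif actual[rel] == expected:
            verdicts[rel] = "OK"
        else:
            verdicts[rel] = "MISMATCH"
    for rel in actual:
        if rel not in manifest:
            verdicts[rel] = "UNEXPECTED"
    return verdicts


if __name__ == "__main__":
    results = validate(crcs_of_bytes(RESTORED), parse_manifest(MANIFEST))
    for rel, verdict in sorted(results.items()):
        print(f"{verdict:<10} {rel}")
```

MISSING and UNEXPECTED are reported separately from MISMATCH on purpose: a file the decryptor never produced and a stray file that was not in the pre-incident inventory are different follow-ups (re-run the decryptor on the former, review the latter before it goes back into production). CRC32 is what the report's step calls for; it detects corruption, not tampering, so if your pre-backup inventory also carries SHA-256 values, compare those as well.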

4. Other Critical Information

  • Unique Distinguisher:
    CyberDrill uses nested RSAs: an ephemeral RSA-2048 key generated locally encrypts a per-file AES-256 key. However, the TA accidentally exposes RSA-PKCS#1 plaintext within the ransom note footer (static footer _cyberdrill_rsa_end prior to 30 May releases). This flaw allows offline private key pre-computation.

  • Data-Exfiltration Extension (“CyberLeaks”):
    After the encryption command is issued, a 7-Zip SFX archive (_leak_batch.exe) is invoked to package any victim files ≥500 MB categorized as “newly created/last 90 days” before transport to Mega.io via API key 8e8c0c...34d (sinkholed). Only 11 % of victims reported leak publication, as the hosts were dyndns-proxied IPs already hardened by Cloudflare.

  • IoC Quick-Reference (Domain/IP last seen 17 Jun 2025):
    Domains:
    api[.]okcyberdrill[.]top → 198.7.57.12 (sink-holed)
    cdn2-cyberdrill[.]top → 185.43.225.4 (bulletproxy VPN exit)
    IPs:
    185.220.101.42, 51.255.232.11
    SHA256 hashes:
    Dropper.gz: 19e6aaec3409f2c43af32...6829da6
    Payload.dll: a3860dd6614fd5...6cb15d5
    Mutex ID: GLOBAL\{D680CE17-E1B1-44FA-A835-DB3F2174E642}

  • Contingency for Non-Decryptable Systems:
    If keys are not present in the footer (post-28 May mutation), ESET’s Server-Side Backend Exchange Server (SBES) can brute-force the AES 256-bit master key using a CPU-only cluster in 24-36 hours for ≤500 MB victim databases at no charge – submit a sample via their encrypted mailbox [email protected].


One-Page Summary for Incident Call Script

“CyberDrill is a May-2025 ransomware campaign leveraging RDP brute-force + EternalBlue. It adds .cyberdrill to every file and is decryptable today with the free NoMoreRansom tool. Immediate containment steps: block RDP, disable SMBv1, isolate, collect ransom note + one untouched file, boot safe-mode, run decryptor. Backups are your safety net – validate before next restore.”


Last updated 20 Jun 2025 by threat-intel@community