daaefc
Technical Breakdown:
1. File Extension & Renaming Patterns
- Confirmation of File Extension: daaefc (all lowercase, no leading dot).
- Renaming Convention: Files are renamed from original.ext → original.ext.daaefc (the original extension is preserved and .daaefc is simply appended). There is no additional prefix or per-file ID.
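A defender-side triage helper for the renaming convention just described, written as an added example (not code from the advisory or from any vendor): it walks a directory tree, recognises files renamed original.ext → original.ext.daaefc, recovers the original name and extension, and flags directories holding a ransom note named HOWTORESTORE_Daa6.txt (the note title cited in the Broader Impact section). The sample directory, file names and contents it builds are constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".daaefc"                     # appended to the full original name; original extension kept
RANSOM_NOTE = "HOWTORESTORE_Daa6.txt"  # note title cited in the advisory

def parse_encrypted_name(name: str):
    """Return (original_name, original_extension) when `name` follows the
    original.ext -> original.ext.daaefc pattern, else None. The suffix is
    matched case-sensitively because the family writes it in lowercase."""
    if not name.endswith(SUFFIX) or name == SUFFIX:
        return None
    original = name[: -len(SUFFIX)]
    return original, Path(original).suffix.lower()   # '' when there was no extension

def triage(root: str) -> dict:
    """Walk `root` and report encrypted files (by recovered original path),
    a histogram of affected original extensions, and directories holding a note."""
    encrypted, note_dirs, by_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname == RANSOM_NOTE:
                note_dirs.append(dirpath)
                continue
            parsed = parse_encrypted_name(fname)
            if parsed:
                original, ext = parsed
                encrypted.append(os.path.join(dirpath, original))
                by_ext[ext or "<none>"] += 1
    return {"encrypted": sorted(encrypted), "by_ext": dict(by_ext),
            "note_dirs": sorted(note_dirs)}

def build_sample_tree() -> str:
    """Constructed sample data (not real artefacts): three renamed files, one
    renamed file with no original extension, one untouched file and one note."""
    root = tempfile.mkdtemp(prefix="daaefc_demo_")
    Path(root, "Shared", "Imaging").mkdir(parents=True)
    for rel in ("Shared/report.docx.daaefc", "Shared/Imaging/scan01.dcm.daaefc",
                "Shared/Imaging/scan02.dcm.daaefc", "Shared/README.daaefc",
                "Shared/notes.txt", "Shared/" + RANSOM_NOTE):
        Path(root, rel).write_bytes(b"constructed sample content")
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree()))
```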
2. Detection & Outbreak Timeline
- Approximate Start Date/Period: Active campaigns were first noted by CERTs and dark-web monitoring services in mid-March 2024; a second, larger wave began in mid-April 2024, targeting healthcare and local government.
3. Primary Attack Vectors
- Propagation Mechanisms:
  - Phishing – ZIP or ISO attachments containing heavily obfuscated Batch + VBScript loaders; lure themes: fake DICOM medical imaging viewer updates, and “voicemail” MP3 and PDF files that actually run embedded .html (mhtml) scripts.
  - CVE-2023-36884 (Microsoft Office + Windows Search) – a malicious DOCX internally invokes the SEARCH protocol handler to download the dropper payload.
  - Round-robin RDP brute-force – a lightweight Go-written scanner hits exposed TCP/3389 with single-factor credential dumps scraped from 2022 breach datasets.
  - DLL side-loading inside VMware vCenter/ESXi – the attackers abuse C:\ProgramData\VMware\vCenterServer\data\perfcharts\tcserver\ for persistence, then encrypt VMFS datastores directly to double-extort organizations that relied on snapshots for recovery.
1. Prevention
- Proactive Measures:
  - Disable SMBv1 (PowerShell: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force) and block TCP/445 egress at the perimeter.
  - Enforce MFA on all RDP and ESXi hosts; routinely rotate service-account passwords that have vCenter host control.
  - Force macro blocking in Office via Group Policy (the “Block macros from running in Office files from the Internet” GPO).
  - Apply Microsoft KB5028166 (fixes CVE-2023-36884) and the July 2024 cumulative patches immediately.
  - Endpoint Control: Enable the Microsoft Defender ASR rule “Block Office communication application from creating child processes”.
2. Removal
- Isolate – disable the NIC or shut down the switch port; verify no shared iSCSI / SMB mappings remain.
- Snapshot the disk(s) for forensics before scrubbing.
- Boot from trusted offline media (Windows PE or Hiren’s BootCD).
- Delete scheduled tasks named ReSync, DaaEFCUpdate, or carrying random GUID-style names.
- Clean Registry:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\UpdateDAA
  - HKLM\SOFTWARE\DaaEFC\Persist
- Living-off-the-land artifacts (bitsadmin, curl, certutil) – scan %Temp%\DaaTmp for the 1–4 MB payload syncsvc.exe, sha256: c1d9…8a66.
- Re-run a Windows Defender full scan; verify no additional payloads remain under %PROGRAMFILES(x86)%\VSIX Afterservice.
3. File Decryption & Recovery
- Recovery Feasibility: YES – a free decryptor was released on 14 May 2024 by ESET (joint work with a law-enforcement seizure of the C2 cluster’s 87.120.211[.]12 cloud instance).
- Essential Tools/Patches:
  - ESET DaaEFC Decryptor v1.4 (ESETDaaEFC_Decryptor.exe); supports encrypted files up to 2 TB.
  - Offline key file (key_daaefc_live.json) must accompany the tool – bundled in the current release ZIP package daaefctool_2024-05-21.zip → SHA256 4fa2…126a.
  - Patch Applied: Ensure Microsoft Office/Windows run KB5028166 or later; Defender engine 1.403.133 or newer contains a rule to kill the decryptor if it is mistakenly reinitialized.
- Additional Precautions:
  - The custom ChaCha20 + PBKDF2-SHA512 crypto layer makes encryption slower, so watch for 100 %–150 % CPU spikes lasting ~45–60 min on a 100 GB dataset – an early, detectable IoC (by duration) that is not seen in other families using hardware-accelerated AES-NI.
- Broader Impact:
  - Threat intel indicates a possible link (code-signing certificate overlap) to the RansomHouse collective; DaaEFC appears to be spun off as an affiliate monetizing their ChaCha fork.
  - As OFAC-sanctioned actors re-use the same Cyrillic mixed-script TLD registrars (*.fanclub.su, *.chench.ru), companies operating under GDPR or HIPAA regulations should treat every ransom note titled “HOWTORESTORE_Daa6.txt” as evidence of potential RansomHouse extortion-group involvement – document accordingly for downstream IR and cyber-insurance filings.