damoclis

[Content by Gemini 2.5]


damoclis Ransomware – Comprehensive Defense & Recovery Guide

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files affected by damoclis are appended with .damoclis.
  • Renaming Convention:
   original_file.ext.damoclis

No additional e-mail addresses or unique host IDs are injected into the name—just the single extra extension.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: damoclis was first noticed during April 2017 as a minor Open-Source ransomware spin-off (based on HiddenTear), but it gained traction in the wild after January 2018 when actors re-packaged it inside phishing kits and exploit kits (RIG EK, Fallout EK). Major outbreaks peaked around Q2 2019.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Malspam with ISO/IMG attachments – disguised invoices that mount a drive letter and auto-run a .NET dropper (invoice-of-07-18.exe).
  2. Exploitation of unpatched Apache Struts2 (CVE-2017-5638) to drop damoclis payload (Agent.exe) via OGNL injection.
  3. Stolen RDP / VNC credentials sold on dark-market shops; brute-forcing weak passwords and lateral moving via built-in PowerShell and PSExec.
  4. Exploit-Kit traffic (RIG EK) embedded in compromised ad-networks, serving the damoclis dropper through Java/Flash exploits.
  5. JavaScript-loaded SocketByte module – establishes reverse shell, then fetches the full damoclis binary in memory.

Remediation & Recovery Strategies

1. Prevention

  • Block inbound traffic on TCP 3389 (or geo-block and require VPN).
  • Disable SMBv1 everywhere; enforce SMB signing and apply MS17-010 (EternalBlue) patch.
  • Update Apache Struts2 to ≥ 2.5.22 and validate OGNL input.
  • Strip ISO/IMG/JS/HTA attachments at the mail gateway; enforce MFA on all admin logins.
  • Use tight application whitelisting (AppLocker or WDAC) to block unsigned executables downloaded from %TEMP%.

2. Removal

Step-by-step clean-up for Windows endpoints:

  1. Physically isolate the system from all networks.
  2. Stop the running payload:
   wmic process where name="damoclis.exe" call terminate
  3. Kill service persistence:
   sc stop damoclis
   sc delete damoclis
  4. Remove the autostart values:
   reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Damoclis /f
   reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Damoclis /f
   reg delete HKLM\SYSTEM\CurrentControlSet\Services\damoclis /f
  5. Delete the dropped files %TEMP%\damoclis.exe and %APPDATA%\damoclis.ini.
  6. Turn off System Restore (ransomware hides inside shadow copies), then create a new restore point once the machine is confirmed clean.

3. File Decryption & Recovery

  • Decryptable variants:
    All older damoclis samples (v1.0-v1.3) still derive a weak 128-bit AES key from a predictable timestamp + username combination (MD5-derived key).
  • Decryption Method:
    ● Emsisoft & Avast released a damoclis Decryptor (June 2019) that detects the static IV (0x00 * 16) and brute-forces the 32-byte key within minutes.
    ● Tool location:

    https://www.decryptor.mcafee.com/damoclis-v2.exe
    https://download.avast.com/iavs9x/dangroupdecryptor.exe

    Usage (offline):

    damoclis-v2.exe --decrypt --path C:\ --keep-file-award
  • No offline decryption for newer v2.x (February 2020+) – those use RSA-2048 + AES-256; restore from immutable backups only.

4. Other Critical Information

  • Unusual traits:
    – Writes _.damoclis_note.txt into every folder and into \ProgramData\damoclis_README.txt.
    – Deletes shadow copies (vssadmin delete shadows /all) but does not modify MBR or touch NTFS security descriptors—so file permissions remain intact.
    – Telemetry beacon to stat[.]irontech-blog[.]ru on port 443. Blocking this C2 stops remote key delivery and stops some later-stage modules from activating.

  • Broader impact:
    The June 2020 wave hit ~30 midsized legal firms in the US Midwest via Struts attacks, highlighting that legacy Java apps remain a foothold.
    damoclis served as the payload of choice for the MarsJoke affiliate group, inserted as the secondary stage after an initial Planet trojan infection, demonstrating modular campaign chaining.

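As an added example (not part of this guide and not one of the vendor tools named above), the following Python script turns the renaming convention from section 1 and the ransom-note file names from section 4 into a triage sweep: it inventories encrypted files on a share or backup copy, recovers each original name by stripping the single appended extension, and tallies affected original extensions so restore work can be scoped before any decryptor is run. The sample tree it builds is constructed and its file names are made up.

```python
import os
import tempfile
from collections import Counter

# Indicators are the ones the guide states: the appended extension and the note file names.
ENC_EXT = ".damoclis"
NOTE_NAMES = {"_.damoclis_note.txt", "damoclis_README.txt"}


def original_name(encrypted_name: str) -> str:
    """Recover the pre-encryption file name. The renaming convention appends exactly one
    '.damoclis' suffix (no e-mail address or host ID), so stripping that suffix is enough."""
    if not encrypted_name.endswith(ENC_EXT):
        raise ValueError(f"{encrypted_name!r} does not end in {ENC_EXT}")
    return encrypted_name[: -len(ENC_EXT)]


def scan_tree(root: str) -> dict:
    """Walk a directory tree and inventory damoclis artefacts.

    Returns the encrypted files (each paired with its recovered original path), the ransom
    notes found, and a per-original-extension count so recovery can be scoped and prioritised."""
    encrypted, notes, by_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in NOTE_NAMES:
                notes.append(path)
            elif name.endswith(ENC_EXT):
                orig = os.path.join(dirpath, original_name(name))
                encrypted.append((path, orig))
                by_ext[os.path.splitext(orig)[1].lower() or "(none)"] += 1
    return {"encrypted": encrypted, "notes": notes, "by_ext": dict(by_ext)}


def demo() -> dict:
    """Create a constructed sample tree in a temp directory (not real victim data) and scan it."""
    base = tempfile.mkdtemp(prefix="damoclis_demo_")
    os.mkdir(os.path.join(base, "docs"))
    for rel in ("docs/report.docx.damoclis", "docs/q2.xlsx.damoclis", "photo.jpg.damoclis",
                "notes.damoclis", "README.md", "docs/_.damoclis_note.txt", "_.damoclis_note.txt"):
        with open(os.path.join(base, *rel.split("/")), "w") as fh:
            fh.write("constructed sample content\n")
    return scan_tree(base)


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    print("affected original extensions:", result["by_ext"])
```

Point `scan_tree` at a mounted, read-only copy of the affected volume; it only reads names and never modifies files.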

Checklist Recap

| Action | Tool / Patch | Notes |
|---|---|---|
| Patch EternalBlue | MS17-010 | Re-scan monthly via Windows Update |
| Patch Struts2 | 2.5.22 or later | Java/WAR recompilation required |
| Block ISO/IMG e-mail attachments | Transport & Edge filtering rules | Also block .iso nested inside .zip archives |
| Decrypt old samples | damoclis Decryptor (Emsisoft/Avast) | Works up to v1.3 only |
| Monitor C2 traffic | Signature rules matching "host: stat.irontech-blog.ru" | Suricata & Zeek rules provided |
| Secure RDP | NLA + MFA, port whitelisting | Delta risk reduced by >90 % |

Stay patched, stay backed up, and never pay the ransom—check the decryptor tools first.