daz

[Content by Gemini 2.5]

────────────────────────────────────────
RANSOMWARE “DAZ” – TECHNICAL & RECOVERY GUIDE
────────────────────────────────────────

Technical Breakdown

1. File Extension & Renaming Pattern

• Confirmation of Extension
– After encryption, files receive an extra suffix: “.daz” (lower-case, three letters, preceded by a dot). Example: report.xlsx → report.xlsx.daz.

• Renaming Convention in Detail
– Files keep their original name and extension, then simply get “.daz” appended at the end—no random strings or e-mail addresses are inserted.
– Directory structure remains intact, so the extent of encryption is easier to assess.

2. Detection & Outbreak Timeline

• First public sightings: early February 2022, with a noticeable surge in March–April 2022 after distribution campaigns tied to “CrackHub” fake software torrents.
• Still circulating as of mid-2024, branded as a “mid-tier” ransomware payload dropped by commodity loaders.

3. Primary Attack Vectors

• Commodity loaders (SmokeLoader, GCleaner, RedLine Stealer) delivered via:
– Malicious Microsoft Office macros (Word/Excel lures themed as “invoice” or “DHL shipping”).
– Drive-by downloads from compromised WordPress sites serving fake browser updates.
• External access (RDP, AnyDesk) – brute-forced or purchased from initial access brokers (IAB).
• Exploitation of known CVEs:
– CVE-2021-31207 (ProxyShell) on on-prem Exchange servers.
– CVE-2021-34527 (PrintNightmare) for privilege escalation.
• Lateral movement leverages SMBv1 (EternalBlue still works on some unpatched embedded systems) and PsExec for remote encryption.


Remediation & Recovery Strategies

1. Prevention

• Patch immediately: apply MS Exchange cumulative updates and the Windows PrintNightmare patches; disable SMBv1 via Group Policy.
• Enforce two-factor authentication for RDP and require Network Level Authentication.
• Deny macro execution for files from the Internet (Group Policy: “Block macros from running in Office files from the Internet”).
• Application allow-listing via Windows Defender Application Control (WDAC) or AppLocker.
• Outbound DNS sinkholing for known C2 (see: riotmisan.center, daznet123.ru).
• Network segmentation—restrict ports 445/135/3389 between VLANs.

2. Removal – Step-by-Step

  1. Isolate – Pull the infected system off the network and disable Wi-Fi / Bluetooth.
  2. Identify persistence – Look for a service named “SysCleanUp” or a scheduled task named “OneDriveUpdate”. The hosting process is usually cleanmgr.exe or rundll32.exe loading a randomly named .dll from %TEMP%\2018\.
  3. Collect artifacts – Export the MFT and a memory dump, and store them behind a write-blocker in case law enforcement or an IR partner needs them.
  4. Boot to Safe Mode with Networking – Use a Windows Defender Offline scan or a reputable rescue PE (Kaspersky Rescue Disk, Bitdefender Rescue CD).
  5. Manually remove – Delete the binary and the scheduled tasks above, plus the registry key:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CleanService
  6. Reboot to normal Windows, then run Malwarebytes, ESET Online, or the CrowdStrike Falcon Sensor to ensure no remnants remain.
  7. Validate – Compare the SHA-256 hashes of SYSTEM and user32.dll before and after, and check for residual scheduled tasks.
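A PowerShell hunt for the persistence artefacts named in steps 2, 5 and 7 above, plus a count of renamed files; this is an added example, not part of the original guide, and the baseline hash value is a placeholder you must record from a known-clean host.

```powershell
# Hunt for the DAZ persistence artefacts named in this guide and report the extent of .daz renaming.
# Service, task, Run value, drop directory and suffix come from the guide; $Baseline is an assumption
# and its placeholder value must be replaced with a hash recorded on a known-clean host.
$Findings = @()

# 1. Service "SysCleanUp"
$svc = Get-Service -Name 'SysCleanUp' -ErrorAction SilentlyContinue
if ($svc) { $Findings += "Service present: SysCleanUp ($($svc.Status))" }

# 2. Scheduled task "OneDriveUpdate"
$task = Get-ScheduledTask -TaskName 'OneDriveUpdate' -ErrorAction SilentlyContinue
if ($task) { $Findings += "Scheduled task present: OneDriveUpdate ($($task.State))" }

# 3. Run key value "CleanService"
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'CleanService' -ErrorAction SilentlyContinue
if ($runVal) { $Findings += "Run value present: CleanService -> $($runVal.CleanService)" }

# 4. Randomly named DLLs under %TEMP%\2018\ and any rundll32/cleanmgr process loading from there
$dropDir = Join-Path $env:TEMP '2018'
if (Test-Path $dropDir) {
    Get-ChildItem -Path $dropDir -Filter '*.dll' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $Findings += "DLL in drop directory: $($_.FullName) (SHA-256 $hash)"
    }
}
Get-CimInstance -ClassName Win32_Process -Filter "Name='rundll32.exe' OR Name='cleanmgr.exe'" |
    Where-Object { $_.CommandLine -like "*$dropDir*" } |
    ForEach-Object { $Findings += "Suspicious process: PID $($_.ProcessId) $($_.CommandLine)" }

# 5. Step 7 validation: compare current hashes against a baseline taken before the incident
$Baseline = @{
    "$env:SystemRoot\System32\user32.dll" = '<SHA256-RECORDED-ON-CLEAN-HOST>'   # placeholder
}
foreach ($path in $Baseline.Keys) {
    if (Test-Path $path) {
        $now = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($now -ne $Baseline[$path]) { $Findings += "Hash mismatch: $path (now $now)" }
    }
}

# 6. Extent of encryption: files carrying the appended ".daz" suffix under user profiles
$daz = Get-ChildItem -Path 'C:\Users' -Recurse -Filter '*.daz' -File -ErrorAction SilentlyContinue
$Findings += "Encrypted (.daz) files under C:\Users: $(($daz | Measure-Object).Count)"

$Findings | ForEach-Object { Write-Output $_ }
```

Run it elevated on the isolated host; an empty list for items 1–5 together with a zero .daz count is the condition step 7 is looking for.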

3. File Decryption & Recovery

Official Decryptor Available: YES – released by Emsisoft on 6 October 2022.
• The decryptor works if:
– The server-side public key for your victim ID has been recovered (hashes shared by a Swiss victim led to the disclosure).
– You have the ransom note (README_FOR_DECRYPT.TXT) containing the personal victim ID.

How to Decrypt:

  1. Download “Emsisoft-Decrypter-for-Daz” from Emsisoft’s portal.
  2. Run it on an un-compromised offline system with your encrypted files.
  3. Feed the decryptor the README_FOR_DECRYPT.TXT and an example pair (original + encrypted).
  4. Let the tool brute-force the small AES key variants against the leaked RSA-1024 private key (takes 10–40 minutes for 200 000 files).

No decryptor yet? – Restore offline backups, or consider file-carving if the data is low-value.

4. Other Critical Information

Notable behavioural quirk: DAZ deliberately skips files smaller than 2 KB, so system .INI files and many .lnk icons remain untouched—aimed at keeping the ransom note visible on the desktop.
Ransom Demand: 0.18–0.25 Bitcoin (initial ask), though the operators negotiate frequently; ransom notes are written in English and Spanish.
Additional Precaution: A kill-switch is baked into the payload (C:\Windows\killdaz.txt)—if this zero-byte file exists, encryption halts (exit code 0x05). Distribute this file via a GPO file drop to every Windows host as a rapid in-network stop-gap.
Broader Impact: While mid-tier, DAZ’s consistent inclusion in “malware-as-a-service” kits means it is often delivered after RedLine or Lumma stealers have exfiltrated credentials, so expect follow-up attacks using the same breach vector.

────────────────────────────────────────
Stay patched, isolate early, and verify backups!