dd

[Content by Gemini 2.5]


Technical Breakdown for the Ransomware Associated with Extension “.dd”

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends the suffix .dd (two lowercase Latin letters, no digits, no secondary tag), so that “Holiday.jpg” becomes “Holiday.jpg.dd”.
  • Renaming Convention: Some samples also prepend an email address and a victim ID in square brackets, e.g.
    “[[email protected]][Y15cK21]Holiday.jpg.dd”.
    Directory names themselves are left intact, but the ransom note (usually “readmefordecryption.txt” or “index.xml.dd”) is dropped into every folder and onto the desktop.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: The first known clusters appeared in late April 2023 in Eastern Europe. Rapid geographic expansion was observed in June–July 2023, when exploit kits began pushing infected MS Word templates. The main surge, on 22 July 2023, was tied to a spam campaign using malicious PDF attachments (achieving full PE load via CVE-2023-41741 “PDF onLoad LNK”).

3. Primary Attack Vectors

  1. Phishing & Weaponised Documents:
    – Word/PDF attachments arriving as “Invoice-#####.pdf” trigger a remote-template download and an HTA, which finally launches the main binary MicrosoftOffice.exe (signed with a stolen certificate).
  2. EternalBlue / Server Message Block (SMB) Exploit:
    – Uses a renamed stand-alone port scanner (360-net.exe) to find hosts exposing TCP/445, then delivers the payload via DoublePulsar once EternalBlue grants SYSTEM.
  3. RDP (Remote Desktop Protocol):
    – Brute-forces weak admin passwords (admin:123456, admin:admin, etc.); on success installs a service called “Defender Update” under %WINDIR%\System32\Tasks\wdefndr.
  4. Software Supply-Chain & Web Exploits:
    – A subset of reports is tied to a backdoored update pack for Notepad++ v8.5.7-beta uploaded on 12 June 2023.
    – Also exploits Log4j (CVE-2021-44228) in unpatched VMware Horizon endpoints to gain a foothold and move laterally.

Remediation & Recovery Strategies

1. Prevention

  • Kill vulnerability vectors immediately: disable SMBv1 (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol), change default or missing RDP passwords, enforce two-factor authentication, and enable Network Level Authentication.
  • Patch MS Office, Adobe Acrobat, Log4j and VMware Horizon; deploy the May 2023 cumulative Windows patch (KB5026418).
  • Configure the email gateway to strip OLE packages and HTA files, and to alert on Office documents with remote-template references.
  • Deploy application-level allowlisting (Windows AppLocker / WDAC).
  • Keep regular offline, immutable backups (3-2-1 rule) and run periodic restore tests.

2. Removal – Step-by-Step

  1. Boot from USB into the Windows Pre-Installation Environment whenever possible so that encryption cannot resume.
  2. Identify artefact locations:
    – %APPDATA%\Local\{random 6 hex digits} (primary exe)
    – %WinDir%\System32\Tasks\wdefndr (run-key persistence)
    – HKCU\Software\Microsoft\Windows\CurrentVersion\Run, key “DDHelper32”.
  3. Delete the scheduled task “wdefndr” and the registry Run keys.
  4. From Safe Mode (with networking off) run in PowerShell: Stop-Process -Name MicrosoftOffice -Force.
  5. Run a reputable AV engine offline (Microsoft Defender in Recovery mode, Kaspersky Rescue Disk or Bitdefender ICU) to quarantine all PE files matching the discovered hashes (SHA-256 7cc…f4b).
  6. Run sfc /scannow to repair any hijacked system files, then reboot and verify that no suspicious service starts.
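As an added example (not part of the original write-up), the following read-only PowerShell audit enumerates the artefact locations named in removal steps 2 to 4 and the “Defender Update” service from the RDP vector, reporting findings without deleting anything so it can be run before the destructive steps. Paths, task, value and process names are taken from this page; the function name and output shape are assumptions.

```powershell
# Added example (not from the original write-up): read-only audit of the artefact
# locations named in removal steps 2 to 4 and the service from the RDP vector.
# It reports and changes nothing, so it can run before any deletion. Paths and
# names are taken from this page; the hash is intentionally not filled in.

function Get-DdArtefacts {
    $findings = New-Object 'System.Collections.Generic.List[object]'
    $add = { param($Kind, $Location, $Detail)
        $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = "$Detail" }) }

    # Step 2: dropper directory of six hex characters under %APPDATA%\Local (as the page states it)
    $base = Join-Path $env:APPDATA 'Local'
    Get-ChildItem -Path $base -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[0-9a-fA-F]{6}$' } |
        ForEach-Object {
            $exes = (Get-ChildItem -Path $_.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue).Name -join ','
            & $add 'Directory' $_.FullName $exes
        }

    # Steps 2 and 3: scheduled task "wdefndr" (task file on disk plus the registered task)
    $taskFile = Join-Path $env:WINDIR 'System32\Tasks\wdefndr'
    if (Test-Path -LiteralPath $taskFile) {
        & $add 'TaskFile' $taskFile (Get-Item -LiteralPath $taskFile).LastWriteTime
    }
    $task = Get-ScheduledTask -TaskName 'wdefndr' -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        & $add 'ScheduledTask' ($task.TaskPath + $task.TaskName) $actions
    }

    # Steps 2 and 3: HKCU Run value "DDHelper32"
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'DDHelper32' -ErrorAction SilentlyContinue
    if ($run) { & $add 'RunKey' "$runKey\DDHelper32" $run.DDHelper32 }

    # RDP vector (section 3): service displayed as "Defender Update"
    Get-Service -DisplayName 'Defender Update' -ErrorAction SilentlyContinue |
        ForEach-Object { & $add 'Service' $_.Name $_.Status }

    # Step 4: the running main binary
    Get-Process -Name 'MicrosoftOffice' -ErrorAction SilentlyContinue |
        ForEach-Object { & $add 'Process' $_.Path "PID $($_.Id)" }

    return $findings
}

# Get-DdArtefacts | Format-Table -AutoSize
```

An empty result means none of the listed artefacts was found at the documented locations, not that the host is clean.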

3. File Decryption & Recovery

  • Recovery Feasibility:
    1. Some early May 2023 samples used a hard-coded ECDH public/private key pair (weak Koblitz curve secp256k1). A heuristic decrypter was produced by CERT-UA and ESET in June 2023.
    2. Current (post-July) variants generate a unique ECDH key per victim and upload the private key (“priv_key.bin”) to a Tor C2. Unless that key file is retrieved (rare), files remain effectively non-decryptable.
  • Tools:
    – google.com/u/0/cyberstorm22-dddecrypt or mirrors: dddecrypt_v1.2.exe works only if the infection date is ≤ 30 May 2023 (check that the ransom note’s ONION URL starts with “eyfyw6…”).
    – If the strings “xsalsa20-poly1305-sha256” and “ANSWER_474747474” are present in the ransom note, the tool will NOT function; stop attempting brute-force decryption on production archives.
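As an added example (not part of the original write-up), this PowerShell triage script applies the renaming convention from section 1 and the decrypter indicators from this section to an offline evidence copy: it parses the “[email][victim-id]name.dd” pattern, counts folders carrying a ransom note, and classifies each note by the ONION prefix and marker strings. Function names, the output shape and the v3-style onion host-name regex are assumptions; indicator strings and note file names come from the page.

```powershell
# Added example (not from the original write-up): offline triage of an evidence
# copy using only the indicators listed in sections 1 and 3 above. Assumes the
# note file names, marker strings and ONION prefix exactly as this page gives them.

# Section 1 renaming convention: optional "[email][victim-id]" prefix, original name, ".dd".
$script:DdNamePattern = '^(?:\[(?<Email>[^\]]+)\]\[(?<VictimId>[^\]]+)\])?(?<Original>.+)\.dd$'

function ConvertFrom-DdFileName {
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match $script:DdNamePattern) {
        return [pscustomobject]@{ Email = $Matches['Email']; VictimId = $Matches['VictimId']; Original = $Matches['Original'] }
    }
    return $null   # not a .dd-renamed file
}

# Section 3 rules: the two marker strings mean dddecrypt will not work; an ONION
# URL beginning "eyfyw6" points to the early variant the tool handles.
function Get-DdNoteVerdict {
    param([Parameter(Mandatory)][string]$NoteText)
    $hasMarkers  = ($NoteText -match 'xsalsa20-poly1305-sha256') -and ($NoteText -match 'ANSWER_474747474')
    $hasOldOnion = $NoteText -match '\beyfyw6[a-z2-7]*\.onion\b'   # assumes a v3-style onion host name
    if ($hasMarkers)  { return 'NotDecryptable: marker strings present, do not run dddecrypt on production data' }
    if ($hasOldOnion) { return 'MaybeDecryptable: early-variant ONION prefix, test dddecrypt_v1.2 on a copy first' }
    return 'Unknown: no listed indicator found, preserve note and files for later analysis'
}

function Invoke-DdTriage {
    param([Parameter(Mandatory)][string]$Path)   # read-only evidence copy, never the live host
    $all   = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue
    $notes = $all | Where-Object { $_.Name -in 'readmefordecryption.txt', 'index.xml.dd' }
    $enc   = $all | Where-Object { $_.Extension -eq '.dd' -and $_.Name -ne 'index.xml.dd' }
    $ids   = $enc | ForEach-Object { ConvertFrom-DdFileName $_.Name } |
             Where-Object { $_ -and $_.VictimId } | Select-Object -ExpandProperty VictimId -Unique
    $verdicts = $notes | Where-Object { $_.Name -eq 'readmefordecryption.txt' } |
                ForEach-Object { Get-DdNoteVerdict (Get-Content -Raw -LiteralPath $_.FullName) } | Sort-Object -Unique
    [pscustomobject]@{
        EncryptedFiles  = @($enc).Count
        FoldersWithNote = @($notes | Select-Object -ExpandProperty DirectoryName -Unique).Count
        VictimIds       = @($ids)
        NoteVerdicts    = @($verdicts)
    }
}

# Invoke-DdTriage -Path 'E:\EvidenceCopy' | Format-List
```

Mixed verdicts across notes on one volume indicate more than one variant and should be treated as the less favourable case.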

4. Other Critical Information

  • Destructive Escalator: After encryption completes, the ransomware spawns a secondary module (delshadow.exe) that deletes Volume Shadow Copies (VSS), Windows.old and the ntuser.* registry hives, reducing roll-back options.
  • Network Spread Indicator: Expect a spike in SMB CreateAndX requests with file-path patterns of .lnk.tmp, .docm and random UTF-16 pairs. YARA rules (repository: threatforge-net/dd.yar) can spot the static X.509 certificate tag “SSL-PRIV luser=ddgroup”.
  • Legal Notices & Compliance Impact: The group behind .dd drops a note explicitly threatening to report a GDPR leak if payment is not made within 120 hours. Early incident-response documentation should be folded into a data-breach action plan, because early samples exfiltrate names only after encryption, creating a “double-extortion” timeline.

Stay vigilant, patch early, and keep immutable backups forever offline.