deadfiles

[Content by Gemini 2.5]

DEADFILES RANSOMWARE – COMMUNITY RESOURCE SHEET

Technical Breakdown

1. File Extension & Renaming Patterns

Confirmation of File Extension: .deadfiles
Each affected file is simply suffixed with “.deadfiles”, keeping the original base name and pre-existing extension unchanged.
Example:
Budget_Q3_2025.xlsx → Budget_Q3_2025.xlsx.deadfiles
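The renaming rule above is simple enough that a responder can invert it during triage. The script below is an added example, not part of the resource sheet's own tooling: it walks a tree, recovers each affected file's original name and extension by stripping the suffix, counts affected files per original extension, and reports the earliest modification time, which approximates when encryption began. The sample tree it builds is constructed for the demonstration.

```python
"""Triage inventory of files carrying the .deadfiles suffix.

Added example, not part of the resource sheet's own tooling. Walks a
directory tree, recovers each affected file's original name by stripping the
appended suffix, tallies affected files by original extension and reports
the earliest modification time (approximate encryption start). The sample
tree built by make_sample_tree() is constructed for the demonstration.
"""
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Optional

SUFFIX = ".deadfiles"


def original_name(name: str) -> Optional[str]:
    """Return the pre-encryption file name, or None if the name is unaffected."""
    if not name.endswith(SUFFIX) or name == SUFFIX:
        return None
    return name[: -len(SUFFIX)]


def inventory(root: str) -> Dict:
    """Collect affected files under root.

    Returns the (encrypted_path, original_name) pairs, a count per original
    extension and the earliest mtime seen as an ISO 8601 UTC timestamp.
    """
    affected = []
    by_ext = Counter()
    earliest = None
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            orig = original_name(fname)
            if orig is None:
                continue
            full = os.path.join(dirpath, fname)
            affected.append((full, orig))
            # Original extension such as ".xlsx"; names without one count as "".
            by_ext[os.path.splitext(orig)[1].lower()] += 1
            mtime = os.stat(full).st_mtime
            if earliest is None or mtime < earliest:
                earliest = mtime
    return {
        "affected": sorted(affected),
        "by_extension": dict(by_ext),
        "earliest_mtime": (
            datetime.fromtimestamp(earliest, tz=timezone.utc).isoformat()
            if earliest is not None else None
        ),
    }


def make_sample_tree() -> str:
    """Constructed sample: two renamed files plus one untouched file."""
    root = tempfile.mkdtemp(prefix="deadfiles-demo-")
    os.makedirs(os.path.join(root, "Finance"))
    for rel in ("Finance/Budget_Q3_2025.xlsx.deadfiles",
                "Finance/notes.deadfiles",
                "README.TXT"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    result = inventory(make_sample_tree())
    for path, orig in result["affected"]:
        print(f"{path} -> {orig}")
    print("by extension:", result["by_extension"])
    print("earliest mtime (UTC):", result["earliest_mtime"])
```

Run it against a mounted forensic image or a restored share rather than the live host; the per-extension counts tell you which backup sets to prioritise, and the earliest mtime bounds the log window to search for the initial access.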

2. Detection & Outbreak Timeline

Approximate First Detection: 14 November 2023 (initial telemetry from Eastern Europe via MalwareHunterTeam).
Rapid Escalation: Geographic spread peaks in December 2023, when campaigns began combining ProxyShell/ProxyLogon exploitation of exposed Exchange servers with spear-phishing attachments.

3. Primary Attack Vectors

Propagation mechanisms observed in the wild, in descending order of prevalence:

  1. Phishing e-mails carrying zipped .ISO or .IMG containers that hold double-extension payloads (for example invoice.pdf.exe or contract.docx.js).
  2. Exploitation of un-patched Microsoft Exchange servers
    • ProxyLogon (CVE-2021-26855…27065)
    • ProxyShell (CVE-2021-34473, 34523, 31207)
    • Automatic web-shell deployment (China Chopper variants) followed by Cobalt Strike beaconing that drops DEADFILES.
  3. Compromised RDP or VPN credentials (especially on SonicWall/Fortinet appliances), followed by lateral movement over WMI/PsExec.
  4. Living-off-the-land lateral movement: DEADFILES does not use SMBv1/EternalBlue; the operators routinely remove competing malware from the host and then move laterally with legitimate tools (RDP, AnyDesk, PDQ Deploy).
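A mail gateway can catch the phishing vector from vector 1 on the attachment name alone. The check below is an added example, not from the resource sheet: it flags double-extension names whose final extension executes while an earlier one mimics a document, bare executable attachments, and .ISO/.IMG disk images including ones nested inside a .zip. The extension lists and the sample attachment names are this example's own assumptions, constructed for the demonstration, and go beyond the two names (PDF.EXE, DOCX.JS) the sheet gives.

```python
"""Screen attachment names for the lure patterns used in the phishing vector.

Added example, not from the resource sheet. The extension lists and the
sample names are assumptions constructed for the demonstration.
"""
from typing import Dict, List

EXECUTABLE_EXTS = {"exe", "js", "jse", "vbs", "vbe", "scr", "hta", "wsf",
                   "bat", "cmd", "ps1", "lnk", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}
CONTAINER_EXTS = {"iso", "img", "vhd", "vhdx"}

# Constructed sample of attachment names as a gateway would see them.
SAMPLE_ATTACHMENTS = [
    "Invoice_8841.pdf.exe",
    "Contract.DOCX.js",
    "Budget_Q3_2025.xlsx",
    "scan_2023-11.iso.zip",
    "delivery_note.img",
    "setup.exe",
    "minutes.txt",
]


def classify(filename: str) -> List[str]:
    """Return the reasons a name is suspicious; an empty list means it passed."""
    # Keep at most the last two extensions: name, inner, final.
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2:
        return []  # no extension at all
    final = parts[-1]
    inner = parts[-2] if len(parts) == 3 else ""
    reasons = []
    if final in EXECUTABLE_EXTS:
        if inner in DOCUMENT_EXTS:
            reasons.append(f"double extension: looks like .{inner}, runs as .{final}")
        else:
            reasons.append(f"executable attachment: .{final}")
    if final in CONTAINER_EXTS:
        reasons.append(f"disk image container: .{final}")
    if final == "zip" and inner in CONTAINER_EXTS:
        reasons.append(f"disk image nested in archive: .{inner}.zip")
    return reasons


def screen(names: List[str]) -> Dict[str, List[str]]:
    """Map each flagged name to its reasons; clean names are omitted."""
    flagged = {}
    for name in names:
        reasons = classify(name)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in screen(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Name checks are a first filter only: the gateway still has to open the .zip and inspect the .ISO/.IMG inside, because the lure name on the outer archive can be entirely innocuous.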

Remediation & Recovery Strategies

1. Prevention

• Patch immediately: the Microsoft Exchange July 2023 security update (or later), current SonicWall/Fortinet firmware, Java/OpenSSL, and enable Extended Protection on Exchange.
• Disable VBA macros by default (Group Policy), and mark all e-mail attachments from external senders as high-risk.
• Enforce MFA for all external-facing services (Exchange OWA, VPN, RDS Gateway).
• Restrict lateral movement: block workstation-to-workstation SMB/RPC (TCP 135/445) and allow it from user VLANs only to the servers that need it; use Windows LAPS to rotate local administrator passwords.
• Segment high-value servers into separate VLANs; use Windows Firewall to allow only the required ports (1433, 443, 25, 993) and only from designated jump-boxes.
• Backups: immutable or offline copies (for example a Veeam repository with no direct network path from production) following the 3-2-1 rule, with weekly restore tests.

2. Removal – Step-by-Step

  1. Isolate the victim system
    • Physically unplug or disable Wi-Fi/NIC.
    • Snapshot physical disk/VM for forensic triage before wiping.
  2. Boot into Safe Mode with Command Prompt or WinPE if boot locking occurs.
  3. Use Microsoft Defender Offline or Kaspersky Rescue Disk to identify:
    • Primary dropper: %TEMP%\Setup.exe (initial file),
    • Payload: C:\ProgramData\OracleJava\javaw.exe,
    • Scheduled task: ScheduledUpdate.
  4. Delete persistence keys
    • Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name JavaUpdate.
    • Scheduled Task: \Microsoft\Windows\Application Experience\ServicesUpdate.
  5. Clean remnants with ESET or Bitdefender Rescue ISO – both include full DEADFILES signatures for post-reboot clean-up.
  6. Verify integrity – run sfc /scannow and Windows Defender “Full Scan” after normal boot.
  7. Only then reconnect to network to pull latest OS patches and AV definitions (prevents re-infection).
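Steps 3 and 4 can be checked without a rescue disk once the host is booted into a trusted environment. The script below is an added example, not part of the resource sheet's procedure: it parses the output of two built-in Windows commands, `reg query` on the Run key and `schtasks /query /fo csv /v`, and matches them against the value name, task names and payload paths listed above (both task names the sheet gives, ScheduledUpdate and ServicesUpdate, are checked). The two sample outputs are constructed so the parsers run on any platform; collect_live() runs the real commands and is Windows-only.

```python
"""Check a Windows host for the persistence artifacts listed in the removal steps.

Added example, not part of the resource sheet's own procedure. Sample
command outputs below are constructed; collect_live() is Windows-only.
"""
import csv
import io
import os
import re
import subprocess
import sys
from typing import Dict, List

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUES = {"JavaUpdate"}
IOC_TASK_NAMES = {  # both names the sheet lists, as schtasks prints them
    r"\ScheduledUpdate",
    r"\Microsoft\Windows\Application Experience\ServicesUpdate",
}
# Lower-cased path fragments matched inside value data / task command lines.
IOC_PATH_FRAGMENTS = [r"\oraclejava\javaw.exe", r"\temp\setup.exe"]
# Full paths tested for existence during live collection (%TEMP% expanded).
IOC_FILES = [r"%TEMP%\Setup.exe", r"C:\ProgramData\OracleJava\javaw.exe"]

# Constructed sample of `reg query HKLM\...\Run` output.
SAMPLE_REG = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    JavaUpdate    REG_SZ    "C:\ProgramData\OracleJava\javaw.exe" -q
'''

# Constructed sample of `schtasks /query /fo csv /v` output (columns trimmed).
SAMPLE_TASKS = r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"
"WS01","\Microsoft\Windows\Application Experience\ServicesUpdate","N/A","Ready","Interactive/Background","11/14/2023 9:02:00 AM","0","SYSTEM","C:\ProgramData\OracleJava\javaw.exe -q"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
'''


def parse_reg_query(text: str) -> Dict[str, str]:
    """Map value name -> data from `reg query <key>` output."""
    values = {}
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            continue  # key path lines and blanks
        fields = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # name, type, data
        if len(fields) == 3:
            values[fields[0]] = fields[2]
    return values


def parse_schtasks_csv(text: str) -> List[Dict[str, str]]:
    """Rows of `schtasks /query /fo csv /v`, dropping repeated header rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("TaskName") == "TaskName":
            continue  # schtasks repeats the header per task folder
        rows.append(row)
    return rows


def find_iocs(run_values: Dict[str, str], tasks: List[Dict[str, str]]) -> List[str]:
    """Return human-readable hits for the listed names or payload paths."""
    hits = []
    for name, data in run_values.items():
        if name in IOC_RUN_VALUES or any(p in data.lower() for p in IOC_PATH_FRAGMENTS):
            hits.append(f"Run value {name} -> {data}")
    for t in tasks:
        name, cmd = t.get("TaskName", ""), t.get("Task To Run", "")
        if name in IOC_TASK_NAMES or any(p in cmd.lower() for p in IOC_PATH_FRAGMENTS):
            hits.append(f"Scheduled task {name} -> {cmd}")
    return hits


def collect_live() -> List[str]:
    """Run the real commands (Windows only) and return the IOC hits."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows")
    reg = subprocess.run(["reg", "query", RUN_KEY], capture_output=True, text=True).stdout
    tasks = subprocess.run(["schtasks", "/query", "/fo", "csv", "/v"],
                           capture_output=True, text=True).stdout
    hits = find_iocs(parse_reg_query(reg), parse_schtasks_csv(tasks))
    for p in IOC_FILES:
        if os.path.exists(os.path.expandvars(p)):
            hits.append(f"File present: {p}")
    return hits


if __name__ == "__main__":
    for hit in find_iocs(parse_reg_query(SAMPLE_REG), parse_schtasks_csv(SAMPLE_TASKS)):
        print("SAMPLE:", hit)
    if sys.platform == "win32":
        for hit in collect_live():
            print("LIVE:", hit)
```

Matching on the payload path as well as the name matters: the task and value names on the sheet may be changed between builds, while the drop location is harder for an operator to vary without breaking the loader. Remove a hit only after the disk snapshot from step 1 has been taken.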

3. File Decryption & Recovery

Decryption feasibility: Not possible at this time. DEADFILES encrypts each file with AES-256 in CBC mode under a unique, randomly generated 256-bit key; each per-file key is then wrapped with an RSA-4096 public key whose private half is held offline by the operators, so the file keys cannot be recovered from the victim machine.
No working decryptor has been released by law enforcement or security vendors. Any site claiming otherwise is a scam.
Restoration path: Clean re-image, patch fully, then restore only from verified offline or immutable backups taken before the infection date.
Shadow-copy recovery: DEADFILES runs vssadmin delete shadowstorage and vssadmin delete shadows, and disables Windows recovery with bcdedit /set {default} recoveryenabled no; VSS is therefore not a reliable recovery path.
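The shadow-copy and boot-recovery commands described above are the one point in the chain where the payload has to call well-known system binaries with distinctive arguments, which makes them a reliable detection. The code below is an added example, not from the resource sheet: a small rule set run over command lines as recorded by Sysmon Event ID 1 or Security event 4688, followed by a correlation step that raises severity when several distinct rules fire from the same parent process on one host within a short window, so that a single administrator clean-up stays at medium. The sample events are constructed; the wmic and PowerShell rules go beyond the sheet, which names only vssadmin and bcdedit, and cover the equivalent shadow-copy deletions.

```python
"""Detect shadow-copy / boot-recovery tampering in process-creation telemetry.

Added example, not from the resource sheet. Sample events are constructed
in the shape of Sysmon Event ID 1 fields, tab-separated.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin shadowstorage tamper",
     re.compile(r"\bvssadmin(\.exe)?\b.*\b(delete|resize)\b.*\bshadowstorage\b")),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    # Beyond the sheet: other ways of deleting shadow copies.
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell shadowcopy delete",
     re.compile(r"win32_shadowcopy.*(delete\(\)|remove-wmiobject|remove-ciminstance)")),
]

# Constructed sample events: one infected workstation, one admin doing housekeeping.
SAMPLE_EVENTS = "\n".join([
    "UtcTime\tComputer\tUser\tParentImage\tCommandLine",
    "2023-11-14 09:02:11\tWS01\tCORP\\jdoe\tC:\\ProgramData\\OracleJava\\javaw.exe\tvssadmin.exe delete shadows /all /quiet",
    "2023-11-14 09:02:13\tWS01\tCORP\\jdoe\tC:\\ProgramData\\OracleJava\\javaw.exe\tvssadmin.exe delete shadowstorage /for=C: /on=C: /quiet",
    "2023-11-14 09:02:15\tWS01\tCORP\\jdoe\tC:\\ProgramData\\OracleJava\\javaw.exe\tbcdedit /set {default} recoveryenabled no",
    "2023-11-14 09:02:17\tWS01\tCORP\\jdoe\tC:\\ProgramData\\OracleJava\\javaw.exe\twmic shadowcopy delete",
    "2023-11-14 10:15:00\tWS01\tCORP\\jdoe\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\vssadmin.exe list shadows",
    "2023-11-14 14:29:50\tSRV02\tCORP\\backupadmin\tC:\\Windows\\System32\\cmd.exe\tbcdedit /enum",
    "2023-11-14 14:30:00\tSRV02\tCORP\\backupadmin\tC:\\Windows\\System32\\cmd.exe\tvssadmin delete shadows /for=D: /oldest",
])


def match_rules(cmdline: str) -> List[str]:
    """Names of all rules matching a command line (lower-cased, whitespace collapsed)."""
    norm = " ".join(cmdline.lower().split())
    return [name for name, rx in RULES if rx.search(norm)]


def parse_events(tsv: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(tsv), delimiter="\t"))


def detect(events: List[Dict[str, str]]) -> List[Tuple[Dict[str, str], List[str]]]:
    """Per-event hits: (event, matched rule names) for events matching any rule."""
    hits = []
    for ev in events:
        names = match_rules(ev["CommandLine"])
        if names:
            hits.append((ev, names))
    return hits


def correlate(hits, window_seconds: int = 300) -> List[Dict]:
    """One alert per (host, parent image). Severity is high when two or more
    distinct rules fire within window_seconds of the first hit, medium otherwise."""
    by_key = defaultdict(list)
    for ev, names in hits:
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        by_key[(ev["Computer"], ev["ParentImage"].lower())].append((ts, names))
    alerts = []
    for (host, parent), items in by_key.items():
        items.sort(key=lambda it: it[0])
        first = items[0][0]
        rules = {n for ts, names in items
                 if (ts - first).total_seconds() <= window_seconds for n in names}
        alerts.append({"host": host, "parent": parent, "rules": sorted(rules),
                       "severity": "high" if len(rules) >= 2 else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(detect(parse_events(SAMPLE_EVENTS))):
        print(f"[{alert['severity']}] {alert['host']} {alert['parent']}: {', '.join(alert['rules'])}")
```

The parent image is the most useful pivot: on the infected host every hit comes from the javaw.exe payload path listed in the removal steps, while the administrator's single deletion on SRV02 comes from cmd.exe and stays at medium for a human to review.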

4. Other Critical Information

Typical ransom notes: RESTORE_FILES_INFO.hta and README.TXT, dropped on the desktop and in every encrypted directory.
• The note carries an 8-byte alphanumeric key ID that the operators require when paying (never advised); supplying it does not guarantee that a working key is returned.
No data exfiltration has been seen so far: the operation is pure encrypt-and-pay, which limits its double-extortion leverage.
Anti-analysis quirks:
• If a Russian or Ukrainian keyboard layout is detected, the payload exits immediately.
• Deletes itself if common virtualization indicators (“VirtualBox”, “VMware”, “Parallels”) are found on the host.
Broader impact: DEADFILES is a direct descendant of the discontinued “GlobeImposter 2.0” platform, rebranded by a prolific Russian-speaking affiliate group that researchers track as the “Trigona” cluster (Malpedia: trigona-ransom); early targeting hit healthcare in Poland before sweeping financial organisations in North and South America.

Tools & Patches Checklist

• Microsoft Exchange cumulative update (CU) and Extended Protection:
https://aka.ms/ExchangeSecurityUpdates2023
• Windows RDP hardening guide (NIST SP 800-68r4):
https://csrc.nist.gov/publications/detail/sp/800-68/rev-4/final
• Password-spray mitigations: Azure AD Password Protection and Windows LAPS.
• Offline bootable scanners:
– Kaspersky Rescue Disk 2024
– Bitdefender Rescue CD (v2024.02)
– ESET SysRescue Live (v1.0.24)
– Microsoft Defender Offline (Windows Security → Virus & Threat Protection → “Scan options” → “Microsoft Defender Offline scan”).

Keep signatures updated daily. The lack of a free decryptor makes offline, tested backups the single most effective counter-measure against DEADFILES.