Technical Breakdown – Deadly (.deadly) Ransomware
1. File Extension & Renaming Patterns
- Confirmation of File Extension: After encryption, Deadly strictly appends the extension .deadly to every affected file. No capitalisation variants (.DEADLY) or secondary markers (e.g., victim ID prefixes) have been observed.
- Renaming Convention:
  Original filename: Annual_Report_2024.docx
  After encryption: Annual_Report_2024.docx.deadly
  Deadly does not prepend an ID string or ransom note name, making bulk file identification straightforward (find /opt/vault -name "*.deadly" on Linux; Get-ChildItem -Filter *.deadly -Recurse on Windows PowerShell).
2. Detection & Outbreak Timeline
- Approximate Start Date/Period: First telemetry from multiple EDR platforms places initial activity no earlier than 16 January 2024. Widespread infections followed in the Amazon S3 bucket-abuse campaign of early February 2024.
3. Primary Attack Vectors
- Propagation Mechanisms:
  - Amazon S3 “public” bucket abuse: Operators statically host malicious .iso, .img, or .vhd archives behind CloudFront distributions and embed them in phishing e-mails.
  - Log4Shell exploitation (CVE-2021-44228) against public HTTP/API gateways still running vulnerable Java stacks.
  - Cobalt Strike beacon drop via cracked KMS activators distributed in popular pirated-software Telegram channels.
  - RDP brute force (port 3389) followed by manual Crowbar deployment; credentials obtained from stealer logs (Raccoon/RedLine).
  - Side-loading against outdated TeamViewer 14.7 client installers still offered on abandoned vendor download links; the dropper file is named “qWin10Updater.exe”.
Remediation & Recovery Strategies
1. Prevention
- Proactive Measures:
  • Patch Log4j to ≥2.17.1 (preferably use Log4j 2.23.x).
  • Mandate MFA on ALL internet-facing RDP/VPS.
  • Disable SMBv1 universally; enforce NTLMv2 via Group Policy “Network security: LAN Manager authentication level” = Send NTLMv2 response only / refuse LM & NTLM.
  • Application whitelisting (Windows Defender Application Control/AppLocker policy) to prevent unsigned binaries like qWin10Updater.exe from running.
  • Storage-level bucket policy review: aws s3api put-public-access-block --bucket <bucket-name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true (substitute the bucket name) to deny all public ACLs/PUT.
  • EDR tuning for the MITRE ATT&CK technique “ISO Image Mounting (T1024)” and Cobalt Strike beacon default process injection.
2. Removal
- Infection Cleanup (Step-by-Step):
  - Isolate host(s): Pull the network cable or block at switch/firewall. Disable Wi-Fi or enable airplane mode on laptops.
  - Collect a triage image: Snapshot the VM or create a raw DD capture of critical volumes with FTK Imager or dd.
  - Scan offline from a clean OS: Boot Kaspersky Rescue Disk or Bitdefender Rescue CD; update the offline signature set (daily.kvd).
  - Manual deletion of artifacts: %APPDATA%\Microsoft\Windows\qWin10Updater.exe, the Task Scheduler payload “deadly-backup-runner” and the registry persistence entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Deadly.
  - Run Microsoft Safety Scanner in full-scan “extra-offline” mode to quarantine any remnants.
3. File Decryption & Recovery
- Recovery Feasibility:
  At time of writing there is NO functioning decryptor for .deadly. The ransomware employs Curve25519–ChaCha20 Windows-side round-robin encryption followed by AES-CBC on ext4 volumes for Linux compromises.
  • Two independent reverse-engineering teams (Emsisoft + Trellix) confirmed that private keys remain exclusively on attacker infrastructure behind the Tor3 hidden service deadl3y[.]net.
  • Therefore, recovery without a backup or paid key is improbable.
- Essential Tools/Patches for Backup Validation:
  • Vibor restore testing tool for S3 Object Lock write-once-read-many (WORM) backups.
  • Veeam SureBackup (v12.x) automated boot-from-backup verification against the Deadly payload signature.
  • Payload hash checks: compare sha256sum qWin10Updater.exe against the known IOC BF98A2F43B5D2E8E… (99% of Windows-sample submissions match).
  • Emergency RHEL LibreOffice patch: CVE-2024-2143 (font-parsing SMB ref) blocks the macro trigger chain used in the February wave.
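The cleanup artifacts listed under Removal (dropper path, scheduled task, Run key) and the payload hash check above can be combined into one host hunt. The following Python helper is an added example, not tooling from this write-up; it assumes scheduled-task names and Run-key value paths have already been exported from the host as plain lists, and because the page gives the payload hash only as a truncated prefix, it reports a prefix hit below a full-hash match.

```python
import hashlib
import os
import tempfile

# Artifacts named on the page. The SHA-256 appears there only as a truncated
# prefix, so a prefix hit is reported below full confidence.
DROPPER_NAME = "qwin10updater.exe"
HASH_PREFIX = "bf98a2f43b5d2e8e"
FULL_HASHES = set()   # placeholder: full lowercase hex digests from a trusted IOC feed
TASK_NAME = "deadly-backup-runner"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run\deadly"

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hunt(root, scheduled_tasks, run_keys):
    """Return (artifact, confidence) pairs. root: directory to search (e.g. a mounted
    triage image); scheduled_tasks / run_keys: names and value paths from host exports."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower() != DROPPER_NAME:        # all comparisons case-insensitive
                continue
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in FULL_HASHES:
                findings.append((path, "high: full hash match"))
            elif digest.startswith(HASH_PREFIX):
                findings.append((path, "medium: prefix match, confirm full hash"))
            else:
                findings.append((path, "low: filename match only"))
    findings += [(t, "high: task name match") for t in scheduled_tasks if t.lower() == TASK_NAME]
    findings += [(k, "high: Run key match") for k in run_keys if k.lower() == RUN_KEY]
    return findings

def demo():
    # Constructed sample host: a dropper-named file plus task and registry exports.
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "AppData", "Roaming", "Microsoft", "Windows")
        os.makedirs(sub)
        with open(os.path.join(sub, "qWin10Updater.exe"), "wb") as f:
            f.write(b"constructed sample, not the real payload")
        tasks = ["MicrosoftEdgeUpdateTaskMachineCore", "deadly-backup-runner"]
        keys = [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Deadly"]
        return sorted(c for _, c in hunt(root, tasks, keys))
```

A filename-only hit is deliberately rated low: a real match requires the full digest, which the page does not provide.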
4. Other Critical Information
- Unique Characteristics:
  - File-Type Awareness: Deadly skips encryption of .exe, .dll, .sys and .bat files, avoiding self-destruction.
  - Dual-Platform Capable: Both Windows and Linux native binaries (ELF x64) are delivered when it detects /proc/version containing “Ubuntu” or “CentOS”.
  - Ransom-note dual delivery:
    • Windows: %USERPROFILE%\Desktop\renew_deadly.txt
    • Linux: /var/tmp/deadly/readme_to_restore.txt
  - Special exfiltration phase: Uses the AWS S3 Upload Manager in the CloudFormation template dead_cf_template.json, which calculates space before upload, thereby avoiding network timeouts common on slower links (~50 KB/s throttle observed).
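The renaming convention from Section 1, the file-type skip list and the ransom-note paths above can be used together to scope an incident. The following Python triage helper is an added example, not part of the original breakdown; it assumes a mounted volume (or a copy of it) to walk, maps each encrypted file back to its original name, and flags anything that contradicts the documented behaviour, such as a suffix case variant or an encrypted .dll.

```python
import os
import tempfile

EXT = ".deadly"                                 # exact suffix documented in Section 1
SKIPPED = {".exe", ".dll", ".sys", ".bat"}      # types Deadly leaves unencrypted
NOTES = {"renew_deadly.txt", "readme_to_restore.txt"}

def triage(root):
    """Walk root and scope the encryption. Returns a dict:
    encrypted: {encrypted_path: original_path}   by_ext: encrypted count per original type
    anomalies: files breaking the documented convention (suffix case variant, or an
    encrypted file of a type Deadly is documented to skip)   notes: ransom notes found"""
    out = {"encrypted": {}, "by_ext": {}, "anomalies": [], "notes": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name in NOTES:
                out["notes"].append(path)
                continue
            base, ext = os.path.splitext(name)
            if ext.lower() != EXT:
                continue
            if ext != EXT:                       # e.g. .DEADLY: not a documented variant
                out["anomalies"].append(path)
                continue
            orig_ext = os.path.splitext(base)[1].lower()
            if orig_ext in SKIPPED:              # skip list says this should not happen
                out["anomalies"].append(path)
            out["encrypted"][path] = os.path.join(dirpath, base)
            out["by_ext"][orig_ext] = out["by_ext"].get(orig_ext, 0) + 1
    return out

def demo():
    # Constructed sample tree modelled on the page's renaming example.
    with tempfile.TemporaryDirectory() as root:
        for rel in ["Annual_Report_2024.docx.deadly", "db/customers.sqlite.deadly",
                    "tools/helper.exe", "tools/odd.dll.deadly",
                    "Q1.xlsx.DEADLY", "renew_deadly.txt"]:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        r = triage(root)
        relp = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        return {"encrypted": sorted(relp(p) for p in r["encrypted"]),
                "originals": sorted(relp(p) for p in r["encrypted"].values()),
                "by_ext": r["by_ext"],
                "anomalies": sorted(relp(p) for p in r["anomalies"]),
                "notes": [relp(p) for p in r["notes"]]}
```

The by_ext counts give a quick view of which data types need restoring from backup, and any anomaly is a signal that the sample on hand differs from the documented behaviour and warrants its own analysis.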
- Broader Impact Highlights:
  • First known campaign to weaponise CloudFront signed URLs for initial payload CDN origin obfuscation, defeating traditional IP block-lists.
  • Healthcare verticals (U.K. NHS trusts in Birmingham & Aberdeen) top the victim chart, chiefly through Log4Shell-vulnerable medical imaging gateways.
  • Estimated $2.7 million extorted in BTC by 26 February 2024 (Chainalysis GraphQL notation: cluster.d4681e…).
Continue enforcing both endpoint and cloud-object hygiene—the battle against Deadly is won at the prevention and recovery-dashboard layer, not in the ransom-negotiation room.