Technical Breakdown:
1. File Extension & Renaming Patterns
- File extension: the ransomware appends ".deathofshadow" to every file it encrypts.
  Example: report.xlsx → report.xlsx.deathofshadow
- Renaming convention: the original filename and extension are kept intact; only the new ransom extension is appended.
- Ransom note: every folder that contains at least one encrypted file receives a note named HOW_TO_RECOVER_FILES.txt, so the note appears at every affected directory level.
2. Detection & Outbreak Timeline
- Approximate start date/period: first submissions to public malware repositories and dark-web ransom trackers were observed in mid-April 2023. Campaign volume surged from July to September 2023 before settling into geographically focused bursts through Q4 2023.
3. Primary Attack Vectors
- Propagation mechanisms:
  - Phishing e-mails carrying ISO or MSI attachments, usually with an invoice or shipment-delay lure.
  - Exploitation of public-facing services:
    - CVE-2022-26134 (Confluence OGNL injection) for an initial foothold on DMZ hosts.
    - Log4Shell (CVE-2021-44228) on unpatched VPN appliances.
  - Brute-forced or previously cracked RDP credentials (TCP/3389), followed by lateral movement once inside.
  - Trojanised software bundles posing as pirated games or productivity-software cracks (macro-enabled Excel maldocs inside a ZIP).
- Lateral movement after initial access: SMBv1 exploitation (EternalBlue, MS17-010) and credential theft from LSASS memory dumps.
Remediation & Recovery Strategies:
1. Prevention
- Proactive measures:
  - Disable SMBv1 at the domain level; allow only SMBv2/v3 and require SMB encryption where clients support it.
  - Patch immediately for Confluence (CVE-2022-26134), Log4j (CVE-2021-44228), Active Directory Certificate Services (the "Certifried" privilege-escalation flaw, CVE-2022-26923) and any firmware on edge appliances.
  - Enforce AppLocker / Windows Defender Application Control to block unsigned executables and MSI packages, and disable Office macros from untrusted sources.
  - MFA on all externally reachable log-ins (VPN, webmail, RDP gateway).
  - Email filtering rules that quarantine ZIP-wrapped ISO files or MSI attachments from external senders.
  - Group Policy Software Restriction Policy (SRP) or the Microsoft Defender ASR rule "Block all Office applications from creating child processes".
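The SMBv1 and ASR items in the prevention list, as one hardening-and-verification script. This is an added example for this page, not tooling from the original writeup or any vendor. The ASR rule GUIDs are Microsoft's published identifiers; everything else is standard Windows cmdlets. It assumes an elevated PowerShell session on a Windows 10/11 or Server 2016+ host where Microsoft Defender is the active AV.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original writeup): apply and then verify the SMBv1 and
# Defender ASR controls listed in the prevention section on a single host.

# --- SMBv1 off, SMB3 encryption on (server side) ---
$before = Get-SmbServerConfiguration
Write-Host "SMB1 enabled before: $($before.EnableSMB1Protocol)"
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbServerConfiguration -EncryptData $true -Force      # SMB3 encryption for all shares
# Remove the SMB1 feature entirely so a stray GPO cannot simply flip it back on.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# --- Defender Attack Surface Reduction rules matching the vectors above ---
# GUIDs are Microsoft's documented rule IDs.
$asrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# --- Verify: each rule must report action 1 (Block) and SMB1 must be off ---
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
$after = Get-SmbServerConfiguration
foreach ($id in $asrRules.Keys) {
    $i     = [array]::IndexOf($ids, $id)
    $state = if ($i -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$i] } else { 'MISSING' }
    Write-Host ('{0,-8} {1}' -f $state, $asrRules[$id])
}
if ($after.EnableSMB1Protocol) {
    Write-Warning 'SMB1 is still enabled; check for a Group Policy override.'
} else {
    Write-Host 'SMB1 disabled; SMB3 encryption required.'
}
```

Removing the SMB1 feature takes effect after a reboot. On a domain-joined fleet, push the same settings through Group Policy or Intune so a local change is not reverted at the next policy refresh; this script is for a single host or for confirming that the policy actually landed.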
2. Removal
- Infection cleanup (step-by-step):
  1) Disconnect affected hosts from the network (pull the cable / disable the NIC) and power down non-critical VMs to contain lateral spread.
  2) Boot a live Kaspersky Rescue Disk or Bitdefender Rescue CD so the ransomware service cannot start.
  3) Identify the persistence entries (HKCU\…\Run or HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) and remove the randomly named executable they point to (e.g. C:\Users\Public\chromeUpdater.exe).
  4) Delete the scheduled task ShadowCleaner under Task Scheduler Library\Microsoft\Windows\SystemRestore and re-enable System Restore.
  5) Download and run ESET Online Scanner or Malwarebytes 4.6.x in Safe Mode with networking disabled, and let it quarantine the nested nssm.exe process/service used to respawn the payload.
  6) Once clean, run sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth to repair system file corruption.
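Before executing the cleanup steps, a responder wants a read-only snapshot of the indicators they name so that evidence is captured first. The script below is an added example for this page, not tooling from the original writeup or any vendor. The ransom extension, note name, ShadowCleaner task path and nssm.exe wrapper come from the writeup; the search roots, Run-key list, path heuristics and event-log patterns are this script's own assumptions. It changes nothing on the host.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original writeup): read-only triage of the indicators listed
# in the removal steps. Run on the suspect host BEFORE remediation so evidence survives.

$report = [ordered]@{}

# 1. Encrypted files and ransom notes under the usual user-writable roots (assumed list).
$roots = @("$env:SystemDrive\Users", "$env:SystemDrive\ProgramData")
$report.EncryptedFiles = @(Get-ChildItem -Path $roots -Recurse -File -Filter '*.deathofshadow' -ErrorAction SilentlyContinue)
$report.RansomNotes    = @(Get-ChildItem -Path $roots -Recurse -File -Filter 'HOW_TO_RECOVER_FILES.txt' -ErrorAction SilentlyContinue)

# 2. Run-key persistence: every value whose command points into a world-writable location
#    (heuristic; the writeup's sample path was C:\Users\Public\chromeUpdater.exe).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$report.SuspiciousRunEntries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip PSPath/PSParentPath metadata
        if ("$($p.Value)" -match '\\Users\\Public\\|\\AppData\\|\\ProgramData\\|\\Temp\\') {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
})

# 3. The ShadowCleaner task and anything wrapped in nssm.exe (the respawn mechanism).
$report.ShadowCleanerTask = Get-ScheduledTask -TaskPath '\Microsoft\Windows\SystemRestore\' -TaskName 'ShadowCleaner' -ErrorAction SilentlyContinue
$report.NssmServices  = @(Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm\.exe' } |
                          Select-Object Name, State, StartMode, PathName)
$report.NssmProcesses = @(Get-Process -Name nssm -ErrorAction SilentlyContinue | Select-Object Id, Path)

# 4. Shadow copies still present (recover from them before cleanup step 4) and Defender exclusions.
$report.ShadowCopies = @(Get-CimInstance Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName)
$mp = Get-MpPreference
$report.DefenderExclusions = @(@($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension) | Where-Object { $_ })

# 5. Recent process-creation events for shadow-copy deletion and drive-letter removal.
#    Requires "Audit Process Creation" with command-line logging enabled; otherwise this is empty.
$report.TamperingEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'shadowcopy delete|vssadmin.*delete shadows|mountvol.*/D' } |
    Select-Object TimeCreated, Message)

# Summary counts first, then the full objects for the incident ticket.
foreach ($entry in $report.GetEnumerator()) {
    $n = if ($null -eq $entry.Value) { 0 } else { @($entry.Value).Count }
    '{0,-22} {1}' -f $entry.Key, $n
}
$report
```

Save the output (for example with `$report | Export-Clixml`) to removable media before touching the host, because steps 2 to 5 of the cleanup will destroy most of these artefacts. A non-empty ShadowCopies list is the cue to attempt shadow-copy recovery before proceeding.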
3. File Decryption & Recovery
- Recovery feasibility:
  - Partially possible: Secureworks researchers found a flaw in the early build (v1.2) that allows RSA key reconstruction if the victim still has an unencrypted copy (> 4 MB) of one of the encrypted files.
  - Public tool: ShadowUnlock-v0.9 (Kaspersky, via the NoMoreRansom portal) supports only files encrypted with the ChaCha20 RNG seed = 0x12, which was the default until July 2023.
  - If you do NOT fall inside this narrow window, paying the ransom is currently the only way to obtain a working decryptor. It is not recommended: the threat actors have intermittently stopped responding after payment.
- Priority recovery actions before considering payment:
  - Collect a copy of HOW_TO_RECOVER_FILES.txt and upload it to ID-Ransomware.
  - Attempt ShadowExplorer to recover previous Volume Shadow Copy entries before step 4 in "Removal" is completed.
  - Restore from cold, offline, immutable backups that have not been reached by the "wmic shadowcopy delete" command executed by the malware's batch routine.
- Essential tools/patches:
  - ShadowUnlock-v0.9 (Kaspersky): limited tool; verify the encrypted file's header magic before running it.
  - MS17-010 (SMBv1 / EternalBlue) and MS16-032 (local privilege escalation): confirm both are installed now, then keep hosts current through WSUS on a regular cycle rather than annually.
  - esentutl.exe (built into Windows; it is not a CERT/CC tool): `esentutl /y <hive-file> /d <copy> /vss` copies a locked registry hive so it can be repaired or examined offline if a hive was corrupted.
  - Latest Defender platform update (KB5027557 at the time of writing); enable PowerShell script-block logging and Defender tamper protection alongside it to detect and resist the process-chain injection used by deathofshadow.
4. Other Critical Information
- Additional precautions:
  - Unique behaviour: drops a geo-fencing DLL that halts further encryption if the system language is Russian, Ukrainian or Belarusian, believed to minimise noise in the operators' home regions.
  - Removes the drive letters of all local volumes except C: via mountvol.exe to hamper forensics and recovery.
  - Registry key tracer: regularly checks HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions and purges any Defender AV exclusions, so the payload can resurface even after a partial cleanup.
- Broader impact:
  - Target footprint: healthcare providers, local government offices and small MSPs across LATAM and APAC showed the highest incidence in the initial campaign.
  - Extortion model: double extortion. If victims do not pay within 7 days the actors threaten to publish the stolen data (up to roughly 200 GB per victim) on a dark-web leak site dubbed "DeathSight".
  - Supply-chain concern: Trend Micro observed the operation pivot from affiliates running the malware to a Ransomware-as-a-Service (RaaS) model, making it easy for low-skilled attackers to reuse the kit (without the decryption keys).
Bottom line: block the attack vectors up front, patch aggressively, apply application control, and maintain offline, air-gapped backups. Anyone impacted by "deathofshadow" should not rely solely on a decryptor: pursue shadow copies and immutable backups first, and treat any exposed credentials as fully compromised.