dedcryptor

[Content by Gemini 2.5]

Ransomware Resource Sheet

Variant: DEDCryptor


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    – The ransomware appends “.ded” to each encrypted file (e.g., report.xlsx → report.xlsx.ded).

  • Renaming Convention:
    – Files keep their original name and original extension; “.ded” is simply appended after them.
    – No GUID, e-mail address, or extra token is inserted into the filename, so the renamed file carries no marker other than the suffix.
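The renaming rule above is simple enough to turn into a triage helper. The following is an added example written for this sheet, not code from the original page or from any DEDCryptor analysis; the directory listing it runs on is constructed, and it uses POSIX-style paths so it can be run on any workstation. It flags files that follow the “original name + .ded” pattern, maps each back to the name a backup restore must reproduce, and counts hits per directory so the most affected shares can be restored first.

```python
# Added example (not part of the original resource sheet): identify files that
# carry the DEDCryptor ".ded" append pattern and map each one back to the name
# a backup restore would need to produce. The listing below is constructed.
import posixpath
from collections import Counter

DED_SUFFIX = ".ded"


def is_ded_renamed(filename: str) -> bool:
    """True if the name follows DEDCryptor's pattern: original name + ".ded".
    A bare ".ded" with nothing in front of it is not a renamed victim file."""
    return filename.lower().endswith(DED_SUFFIX) and len(filename) > len(DED_SUFFIX)


def original_name(filename: str) -> str:
    """Strip the appended ".ded"; original name and extension are left intact."""
    if not is_ded_renamed(filename):
        raise ValueError(f"not a DEDCryptor-renamed file: {filename}")
    return filename[:-len(DED_SUFFIX)]


def triage_listing(paths):
    """Return (restore_map, per_dir_counts) for a list of full paths.
    restore_map: encrypted path -> expected original path
    per_dir_counts: directory -> number of .ded files found there"""
    restore_map = {}
    per_dir = Counter()
    for p in paths:
        directory, name = posixpath.split(p)
        if is_ded_renamed(name):
            restore_map[p] = posixpath.join(directory, original_name(name))
            per_dir[directory] += 1
    return restore_map, per_dir


# Constructed sample listing (not from a real incident).
SAMPLE_LISTING = [
    "/srv/share/finance/report.xlsx.ded",
    "/srv/share/finance/budget.docx.ded",
    "/srv/share/finance/README.txt",
    "/srv/share/legal/contract.pdf.ded",
    "/srv/share/legal/.ded",  # stray marker file, not a renamed document
]

if __name__ == "__main__":
    restore, counts = triage_listing(SAMPLE_LISTING)
    for enc, orig in restore.items():
        print(f"{enc} -> restore as {orig}")
    for directory, n in counts.most_common():
        print(f"{n:4d} encrypted file(s) under {directory}")
```

On a live host, feed `triage_listing` the output of a recursive directory walk; the restore map is the list of paths to pull from backup, and the per-directory counts tell you which shares the payload reached.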


2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    – First public reports appeared mid-August 2016 after victims posted payment pages on ID-Ransomware and BleepingComputer.
    – Hidden C2 infrastructure suggests earlier, low-volume testing through July 2016.
    – Peak distribution occurred late August–early September 2016; later build IDs are rare, which is attributed to the centralized servers going dormant.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. Exploited RDP services – brute-force, stolen credentials, or purchase of RDP access from criminal marketplaces.
    2. E-mail phishing dropper – ZIP containing a JS or HTA file that fetches the DEDCryptor payload from a compromised domain.
    3. Drive-by download kits (RIG & Sundown exploit kits) leveraging Flash Player and Internet Explorer vulnerabilities patched July–Aug 2016 (CVE-2016-4117, CVE-2016-0189).
    4. Insider-side loaders – pirated software bundles or fake game cracks delivered via torrents, also observed to drop the same payload.

Remediation & Recovery Strategies:

1. Prevention

| Layer | Control (specific for DEDCryptor protection) |
|---|---|
| Network segmentation | VLAN/firewall rules that block SMB/RDP between workstations. |
| Credential hygiene | Enforce complex passwords ≥ 14 characters, ban common credential sets (use Have I Been Pwned API rejection). |
| Patch velocity | Ensure MS16-072, MS16-087, MS16-122 (SMB, Windows kernel, RDP) are applied; likewise for Flash Player Aug-2016 updates. |
| Principle of Least Privilege | Remove local admin rights from regular users to stop the encryption routine from elevating to SYSTEM context. |
| E-mail perimeter | Auto-quarantine nested ZIP/JS/HTA attachments in incoming mail. |
| Application whitelisting | Microsoft Defender Application Control (or legacy AppLocker) policy blocking %TEMP%\*.exe execution, the location where DEDCryptor extracts its child process. |
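The credential-hygiene row can be enforced at password-change time. The block below is an added example for this sheet, not code from the original page: it checks the 14-character minimum and rejects any password present in Have I Been Pwned's Pwned Passwords corpus using the real k-anonymity range API (only the first five hex characters of the SHA-1 ever leave the host). The `fetch_range_online` function talks to the real endpoint; the `make_offline_range_fetcher` stand-in and the `FAKE_BREACH` list are constructed so the example runs without network access.

```python
# Added example (not from the original sheet): password policy check that
# enforces a 14-character minimum and rejects breached passwords through the
# HIBP Pwned Passwords range API (k-anonymity: send SHA-1 prefix, compare
# suffixes locally). The offline fetcher and breach list are constructed.
import hashlib
import urllib.request
from typing import Callable, Tuple

MIN_LENGTH = 14
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_online(prefix: str) -> str:
    """Real network fetch: returns 'SUFFIX:COUNT' lines for a 5-char prefix."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "pw-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_offline_range_fetcher(breached_passwords) -> Callable[[str], str]:
    """Constructed stand-in for the API: builds the same 'SUFFIX:COUNT' response
    shape from a small fake breach corpus so the check can run offline."""
    by_prefix = {}
    for i, pw in enumerate(breached_passwords):
        h = sha1_upper(pw)
        by_prefix.setdefault(h[:5], []).append(f"{h[5:]}:{i + 1}")

    def fetch(prefix: str) -> str:
        return "\r\n".join(by_prefix.get(prefix, []))
    return fetch


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count.strip() or 0)
    return 0


def check_password(password: str, fetch_range: Callable[[str], str]) -> Tuple[bool, str]:
    """Apply both rules from the prevention table; returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    n = pwned_count(password, fetch_range)
    if n:
        return False, f"appears in breach corpus ({n} times)"
    return True, "ok"


# Constructed breach corpus (not real HIBP data).
FAKE_BREACH = ["password", "correct horse battery staple", "Summer2016!!!!!!"]
offline_fetch = make_offline_range_fetcher(FAKE_BREACH)

if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple", "vX9#Lm2q!Tr7$Wp"]:
        print(candidate, "->", check_password(candidate, offline_fetch))
```

To use it against the live corpus, pass `fetch_range_online` instead of `offline_fetch`; the length check runs first so a short password is rejected without any lookup.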


2. Removal – Step-by-Step

⚠️ Disconnect from the network before proceeding.

  1. Boot into Safe Mode with Networking.
  2. Kill persistence.
     • Use Autoruns → look for:
       – Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Run value SystemUpdate pointing to %APPDATA%\SystemUpdate.exe (MD5: 6dd5b8697c9d7daf77fb373cbb6e98a9).
     • Optional: boot from a Windows PE USB, mount the registry hive offline, and delete the Run value before booting.
  3. Remove malicious binaries.
     • Delete %SystemDrive%\Users\Public\*.tmp, %APPDATA%\SystemUpdate.exe, and any randomly-named PE files dropped in %TEMP%.
  4. Delete the scheduled task (some variants): schtasks /delete /tn "WindowsUpdate" /f
  5. Update AV signatures and run an on-demand scan – most mainstream scanners detect it as Ransom:Win32/DEDCryptor.A (Microsoft), Trojan.Encoder.11447 (Dr.Web), or W32/Filecoder.DEDCryptor.A!tr (Fortinet).
  6. Reboot into normal mode and verify that no automatic encryption resumes (monitor CPU/disk activity and a freshly created .txt file).
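The persistence indicators in steps 2 and 4 can be checked from exported command output before anything is deleted. The block below is an added example written for this sheet, not code from the original page; the `reg query` and `schtasks /query /fo CSV` text it parses is constructed to mimic those tools' output shapes (no real infected host was used), and the only page-specific values it carries are the Run value name, payload path, MD5 and task name already listed above.

```python
# Added example (not from the original sheet): look for the DEDCryptor
# persistence indicators named in the removal steps in exported 'reg query'
# and 'schtasks /query /fo CSV' output. Sample text below is constructed.
import csv
import hashlib
import io
import re

RUN_VALUE = "SystemUpdate"
PAYLOAD_LEAF = r"\systemupdate.exe"          # compared case-insensitively
PAYLOAD_MD5 = "6dd5b8697c9d7daf77fb373cbb6e98a9"  # as listed in the sheet
TASK_NAME = r"\WindowsUpdate"


def parse_reg_query(text: str) -> dict:
    """Parse indented 'NAME   REG_TYPE   DATA' lines from 'reg query' output."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+(REG_\w+)\s+(.*)$", line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def run_key_indicator(reg_text: str):
    """Return the Run value's data if it matches the DEDCryptor autostart
    (value 'SystemUpdate' pointing at SystemUpdate.exe under %APPDATA%), else None."""
    data = parse_reg_query(reg_text).get(RUN_VALUE)
    if data is None:
        return None
    low = data.lower().strip('"')
    in_appdata = "%appdata%" in low or r"\appdata\roaming" in low
    if low.endswith(PAYLOAD_LEAF) and in_appdata:
        return data
    return None


def task_indicator(schtasks_csv: str) -> list:
    """Return task names equal to \\WindowsUpdate from CSV-formatted schtasks output."""
    rows = csv.DictReader(io.StringIO(schtasks_csv))
    return [r["TaskName"] for r in rows
            if r.get("TaskName", "").strip().lower() == TASK_NAME.lower()]


def md5_matches(file_bytes: bytes) -> bool:
    """True if the dropped binary's MD5 equals the hash given in the sheet."""
    return hashlib.md5(file_bytes).hexdigest() == PAYLOAD_MD5


def triage(reg_text: str, schtasks_csv: str) -> list:
    findings = []
    hit = run_key_indicator(reg_text)
    if hit:
        findings.append(f"Run value {RUN_VALUE} -> {hit}")
    for name in task_indicator(schtasks_csv):
        findings.append(f"scheduled task {name}")
    return findings


# Constructed 'reg query HKCU\...\Run' output (not captured from a real host).
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SystemUpdate    REG_EXPAND_SZ    %APPDATA%\SystemUpdate.exe
"""

# Constructed 'schtasks /query /fo CSV' output.
SAMPLE_TASKS = ('"TaskName","Next Run Time","Status"\r\n'
                '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\r\n'
                '"\\WindowsUpdate","9/1/2016 3:00:00 AM","Ready"\r\n')

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_TASKS):
        print("INDICATOR:", finding)
```

Run the two commands on the suspect host (from Safe Mode), save their output, and pass the text to `triage`; an empty list means neither persistence indicator is present, while hits tell you exactly which value and task the removal steps need to clear.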

3. File Decryption & Recovery

  • Recovery Feasibility:
    – No publicly working decryption tool exists for DEDCryptor; it uses AES-256, with the AES key encrypted by an RSA-2048 public key embedded in the binary.
    – Free decryption is currently impossible unless the master private key is leaked or seized by law enforcement.

  • Restoration paths:
    – Back-ups (volume shadow copy, NAS with offline/air-gapped media, cloud snapshots).
    – Shadow copies: enumerate them with vssadmin list shadows, then restore from them (vssadmin itself has no restore command; use the Previous Versions tab or ShadowExplorer). Some older variants do NOT purge shadow copies if the payload runs un-elevated.
    – Immutable storage (recent Windows 11/Server 2022 “SMB over QUIC” with immutable snapshots).
    – File-recovery utilities (e.g., PhotoRec, TestDisk) can rescue file fragments from unencrypted free space when the encryption routine did not overwrite deleted data; unreliable for large, contiguous files.

  • Essential Tools/Patches:

| Tool/Patch | Purpose | URI |
|---|---|---|
| DEDCryptorID.bat (community ID script) | Confirms infection by detecting the registry marker for the userID string | GitHub gist |
| Microsoft MS16-122 | Fixes the Windows kernel privilege escalation used to bypass UAC | Microsoft Security Bulletin |
| CrowdStrike FalconKillSwitch (or similar EDR) | Enables automatic quarantine on ransomware file-write heuristics | n/a |
| ShadowExplorer 0.9 | GUI to browse & restore VSS snapshots | shadowexplorer.com |


4. Other Critical Information

  • Unique Characteristics
    – Shoddy ransom note: uses a dialog box quoting the fictional company “Team DED” with a Bitcoin address and e-mail [email protected] (defunct onion-hosted mailbox).
    – Single fixed price: 2 BTC regardless of victim size (rendering ransom negotiations fruitless).
    – Non-English message boxes occasionally appear (Serbo-Croatian: “Vaši datoteke zarobljene!”), hinting at an Eastern-European origin or affiliate network.
    – Cryptographically simple: no chained per-file keys; every file is encrypted with the same AES key. That AES key is, however, encrypted only with the server’s public key, so it is not recoverable without a C2 response.

  • Wider Impact & Legacy
    – Resulted in ~350 recorded victim uploads to ID-Ransomware in 2016, many of them small businesses & law practices.
    – Ties to the earlier “Razy” actor cluster, sharing code patterns and C2 domains with Razy fakes.
    – Demonstrated post-infection lateral movement via WMI, a blueprint reused by later GandCrab and SamSam affiliates.
    – C2 domain ded24x7k6y4g.onion seized Sep-2017, effectively severing payment/decrypt channels and rendering the payload dormant, but legacy infections still pop up on compromised RDP hosts.


Closing Note: Because DEDCryptor’s C2 keys are no longer online, paying the ransom is impossible as well as useless. The most reliable defense today is a tested, air-gapped backup regimen plus aggressive RDP lockdown.