deniz_kizi

[Content by Gemini 2.5]


deniz_kizi Ransomware – Community Resource


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact File Extension: .deniz_kizi (always lower-case; appended with a leading dot, and the original extension is left in place).
  • Renaming Convention: Files are renamed to the pattern
    <original_name>.<original_extension>.deniz_kizi
    Example: Annual_Budget.xlsx → Annual_Budget.xlsx.deniz_kizi

2. Detection & Outbreak Timeline

  • First Publicly Documented Sample: 27 July 2023 (uploaded to MalShare & Any.run).
  • Rapid Expansion: Noticeable spike in telemetry during the first week of August 2023, centered on Turkey, the Levant, and parts of the EU with Turkish tech-sector suppliers.
  • Most Recent Large Campaign: February 2024 phishing wave leveraging fake KVKK (“Turkish GDPR”) compliance documents.

3. Primary Attack Vectors

| Vector | Details & Real-world Examples |
|---|---|
| Malspam w/ Discord CDN URLs | Fake Turkish Airlines e-ticket / court-summons PDF; the PDF carries no macro, only a link that downloads an .hta stub from cdn.discordapp[.]com/attachments/…/BedavaBilet.hta. |
| RDP brute-forcing of weak or leaked credentials | Cf. CISA Alert AA24-058A; source IPs were rotated across nine Turkish ISPs in the Feb 2024 wave. Password lists contain Turkish word mutations (sifre123, parola++, etc.). |
| Fake "Patch Tuesday" installers | Obfuscated AutoIt script wrapped as SysUpdate_KB5021234.exe. |
| USB / removable drives | Drops a desktop.ini plus a hidden README_TURKISH.lnk in the drive root; the shortcut launches My^Brief^.exe when a user double-clicks it (no true autorun, so the vector depends on user interaction). |
| Exploited unpatched software | Abuses Open Management Infrastructure (OMI) CVE-2022-29149 to gain a Linux foothold in dual-boot / mixed deployments; patched in mid-2022 yet still commonly missed. |


Remediation & Recovery Strategies

1. Prevention

  1. Block known payload hosts
  • Add discordapp.com/attachments/** as a risk-scored pattern for email and proxy egress log inspection.
  • IOC enforcement: monitor egress to cdn.discordapp[.]com for downloads of .hta, .lnk and .ps1 files.
  2. Harden RDP & SSH
  • Account lockout after 3-5 failed attempts, VPN-only jump boxes, and MFA (not just a CAPTCHA) on gateway portals.
  3. Enforce Controlled Folder Access (CFA) (Windows 10+) – blocks applications Defender does not trust from modifying files in protected folders, which is where the encryptor would otherwise rewrite user data.
  4. Update vulnerable software – patch MS Office, Adobe products and OMI, and make sure Secure Email Gateway (SEG) rules block .hta, .js and .vbs attachments.
  5. GPO disabling AutoPlay & Autorun.inf execution – neuters USB spread.
  6. Canary tokens on mapped network shares – high-confidence early detection (alert on DELETE/RENAME events against the trigger files).

2. Removal – Step-by-Step

  1. Isolate host – disable the NIC, record MAC/IP, and capture RAM before powering down.
  2. Boot to WinRE / a Linux forensics USB – mount disks read-only and copy the deniz_kizi.exe binary plus a sample of encrypted files.
  3. Neutralize persistence – typical locations:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run value LicenseUpdater (value data is base64-encoded; truncated sample: bQBzAMAAQAA…).
  • %AppData%\LICENSE folder containing the disguised upg.exe.
  • WMI ActiveScriptEventConsumer named "wmiupdater".
    Linux side: a systemd unit named nohupUpdater.service.
  4. Run respected AV engine(s) (e.g., Microsoft Defender, CleatriaAI, ESET) in offline mode to kill the active processes (svchost_kiz.exe, updatelic.dll).
  5. Check whether shadow copies survived – run vssadmin list shadows; they are recoverable only if the ransomware's vssadmin delete shadows call was aborted.
  6. Verify network shares & lateral-movement vectors – before reconnecting, review domain-controller firewall rules.
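
As an added example (not the page's own tooling), the Python script below triages the persistence locations named in step 3 once the relevant data has been exported from the host: Run-key values, WMI event consumer names and systemd unit names are passed in as plain Python structures, and any PowerShell -EncodedCommand payload found in a Run value is decoded from base64/UTF-16LE so the real command is visible and can be searched for the upg.exe dropper path. The sample inputs, the encoded script and the function names are constructed for illustration.

```python
import base64
import re

# Persistence IOCs from the removal steps above (compared case-insensitively).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_RUN_VALUES = {"licenseupdater"}
SUSPECT_PATH_FRAGMENTS = (r"\license\upg.exe",)        # %AppData%\LICENSE\upg.exe
SUSPECT_WMI_CONSUMERS = {"wmiupdater"}
SUSPECT_SYSTEMD_UNITS = {"nohupupdater.service"}

# powershell.exe -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_RE = re.compile(r"(?:-e|-ec|-enc|-encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries a PowerShell encoded command,
    None if it does not, or a marker string if the payload is not valid base64/UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):      # binascii.Error is a ValueError
        return "<undecodable payload>"


def triage_persistence(run_values, wmi_consumers=(), systemd_units=()):
    """run_values: {value_name: command}; wmi_consumers / systemd_units: iterables of names.
    Returns one finding dict per suspicious entry, in input order."""
    findings = []
    for name, cmd in run_values.items():
        reasons = []
        if name.lower() in SUSPECT_RUN_VALUES:
            reasons.append("known value name")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append("encoded PowerShell")          # rare in a legitimate Run value
        haystack = (cmd + " " + (decoded or "")).lower()  # search the decoded text as well
        if any(frag in haystack for frag in SUSPECT_PATH_FRAGMENTS):
            reasons.append("known dropper path")
        if reasons:
            findings.append({"source": RUN_KEY, "name": name, "reasons": reasons, "decoded": decoded})
    for consumer in wmi_consumers:
        if consumer.lower() in SUSPECT_WMI_CONSUMERS:
            findings.append({"source": "WMI ActiveScriptEventConsumer", "name": consumer,
                             "reasons": ["known consumer name"], "decoded": None})
    for unit in systemd_units:
        if unit.lower() in SUSPECT_SYSTEMD_UNITS:
            findings.append({"source": "systemd", "name": unit,
                             "reasons": ["known unit name"], "decoded": None})
    return findings


def sample_inputs():
    """Constructed stand-ins for exported Run values, WMI consumer names and systemd
    unit names; nothing here was captured from a real host."""
    script = r"Start-Process $env:APPDATA\LICENSE\upg.exe -WindowStyle Hidden"
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    run_values = {
        "OneDrive": r"C:\Users\ayse\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "LicenseUpdater": f"powershell.exe -nop -w hidden -enc {b64}",
    }
    wmi_consumers = ["SCM Event Log Consumer", "wmiupdater"]
    systemd_units = ["ssh.service", "nohupUpdater.service"]
    return run_values, wmi_consumers, systemd_units


if __name__ == "__main__":
    for f in triage_persistence(*sample_inputs()):
        print(f"{f['source']} :: {f['name']} :: {', '.join(f['reasons'])}")
        if f["decoded"]:
            print("   decoded:", f["decoded"])
```

The value name, consumer name and unit name are matched on their own; the encoded-command decoding is what turns an opaque Run value into something an analyst can read, and the dropper-path check runs over the decoded text so that base64 wrapping does not hide it.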

3. File Decryption & Recovery

  • Current Decryption Status: No free decryptor available as of July 2024.
  • Encryption: Curve25519 ephemeral key exchange plus ChaCha20-Poly1305 for file contents; the per-file keys are discarded after encryption, so without the operator's private key the data cannot be recovered.
  • Fallback tools/practices:
  • Volume Shadow Copy retrieval where copies survived, and a check of Windows Backup history (PowerShell: Get-WinEvent -LogName "Microsoft-Windows-Backup" | Where-Object Id -eq 5).
  • Offline backups on a 3-2-1 schedule that was in place before the first infection; restore the files that were renamed to .deniz_kizi from the last clean baseline.
  • Negotiation records show a median ransom of 2.8 XMR; law enforcement strongly discourages payment (sanctions risk, and no guarantee of full key release).
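
Scoping a baseline restore means knowing, for every file the encryptor renamed, what its original name was (section 1) and whether that path exists in the offline backup. As an added example that is not part of this page, the Python below does that for a directory tree: it strips the trailing .deniz_kizi to recover the original name, looks the same relative path up in a backup root, and lists restorable files, files with no clean copy, and the ransom notes it passed. The demo trees, file names and byte contents are constructed in a temp directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Rename pattern from section 1: <original_name>.<original_extension>.deniz_kizi.
# The original extension is left intact, so stripping the trailing ".deniz_kizi"
# gives the pre-encryption name (files without an extension are handled too).
ENCRYPTED_RE = re.compile(r"^(?P<original>.+)\.deniz_kizi$")
RANSOM_NOTE = "KRALSACA_BILGI.txt"   # note name from section 4


def original_name(filename):
    """Return the pre-encryption filename, or None if the name does not match."""
    m = ENCRYPTED_RE.match(filename)
    return m.group("original") if m else None


def scope_restore(encrypted_root, backup_root):
    """Walk an encrypted tree and classify every .deniz_kizi file as restorable
    (the same relative path exists in the offline backup) or missing.
    Returns (restorable, missing, notes) as sorted lists of POSIX-style relative paths."""
    encrypted_root, backup_root = Path(encrypted_root), Path(backup_root)
    restorable, missing, notes = [], [], []
    for dirpath, _dirs, files in os.walk(encrypted_root):
        rel_dir = Path(dirpath).relative_to(encrypted_root)
        for fn in files:
            if fn == RANSOM_NOTE:
                notes.append((rel_dir / fn).as_posix())
                continue
            orig = original_name(fn)
            if orig is None:
                continue              # untouched file, or not this family
            rel_orig = rel_dir / orig
            target = restorable if (backup_root / rel_orig).is_file() else missing
            target.append(rel_orig.as_posix())
    return sorted(restorable), sorted(missing), sorted(notes)


def build_demo():
    """Constructed victim and backup trees in a temp dir (not real victim data)."""
    base = Path(tempfile.mkdtemp(prefix="deniz_kizi_demo_"))
    victim, backup = base / "victim", base / "backup"
    for rel in ("Finance/Annual_Budget.xlsx.deniz_kizi", "Finance/KRALSACA_BILGI.txt",
                "HR/contracts.docx.deniz_kizi", "HR/new_hire.pdf.deniz_kizi",
                "HR/KRALSACA_BILGI.txt", "README.md"):
        p = victim / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00constructed ciphertext\x00")
    # new_hire.pdf was never backed up, so it should land in "missing"
    for rel in ("Finance/Annual_Budget.xlsx", "HR/contracts.docx"):
        p = backup / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"clean copy")
    return victim, backup


if __name__ == "__main__":
    victim, backup = build_demo()
    restorable, missing, notes = scope_restore(victim, backup)
    print("restorable from backup:", restorable)
    print("no clean copy         :", missing)
    print("ransom notes          :", notes)
```

Run it against a read-only mount of the victim disk and the backup mount; the "missing" list is the set of files that only a decryptor (none exists as of the date above) or the attacker could bring back.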

4. Other Critical Information

Unique Characteristics

  • Geo-tagging payload info – the binary embeds the hard-coded string "MarmaraDenizi", correlating with the campaign's targeting of Turkish maritime & logistics companies.
  • Switch-based file exclusion – skips %TEMP%\JetBrains when run with the command-line flag --skipJetbrains (seen in Q2-2024 builds).
  • Self-moderating ransom note – reads <volumeSerial>.readme to avoid duplicate drops per disk; the result is one KRALSACA_BILGI.txt in every top-level directory after the first trigger.
  • Propagates to Bluetooth-visible Windows 10 systems under the "Nearby Sharing" moniker "DenizKiziSend".

Broader Impact

  • Dual-platform reach: Windows (primary) plus Linux victims where Docker images were mis-pulled from Turkish-language registries (registry[.]kizidocker[.]com).
  • Third-party MSP tooling abused – ConnectWise Control (ScreenConnect CVE) sessions forged with stolen IT admin credentials.
  • GDPR implications – the double-extortion leak portal "marmara-kz.github.io" was hosted on GitHub Pages; the Turkish government filed a DMCA takedown in Aug 2024 and mirrors surfaced on Pastebin within hours. Reminder: notify the supervisory authority within 72 h if personal data was exfiltrated.

Quick-Reference Checklist

[ ] Patch RDP/OMI, enable MFA & account lock-out policies
[ ] Deploy email-gateway rules to block .hta attachments and cdn.discordapp[.]com URLs
[ ] Enable Controlled Folder Access & a Sysmon rule (EventID 1, Image ends with svchost_kiz.exe)
[ ] Backups: offline & immutable, with a scripted test-restore weekly
[ ] Create canaries & incident-response playbooks BEFORE infection – not after
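
The canary, lock-out and Sysmon items in the checklist (and the canary-token and RDP-hardening items under Prevention) describe detection logic without showing it. As an added example that is not part of this page, the Python below runs those three rules over a constructed, pre-normalized event stream: Sysmon EventID 1 records whose Image ends in svchost_kiz.exe; RENAME/DELETE/WRITE operations on canary files, plus any rename that produces a .deniz_kizi name; and Windows Security 4625 logon failures counted per source IP against a lock-out-style threshold inside a sliding window. The event field names, canary paths, IP addresses and threshold values are assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_IMAGES = ("svchost_kiz.exe",)          # process name from the checklist
# Constructed canary paths on mapped shares; no real environment behind them.
CANARY_PATHS = {r"\\fs01\Finance\~QUOTE_2024_draft.xlsx", r"\\fs01\HR\~payroll_backup.csv"}
CANARY_OPS = ("RENAME", "DELETE", "WRITE")


def detect(events, canaries=CANARY_PATHS, threshold=5, window=timedelta(minutes=5)):
    """Apply three rules to a time-ordered list of normalized event dicts and
    return (rule, detail) tuples in firing order. Assumed event shapes:
      sysmon:   {"ts", "kind": "sysmon", "event_id", "image", "user"}
      fs:       {"ts", "kind": "fs", "op", "path", "new_path"?, "user"}
      security: {"ts", "kind": "security", "event_id", "src_ip", "user"}"""
    alerts = []
    failures = defaultdict(list)   # src_ip -> timestamps of recent 4625 events
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        kind = ev["kind"]
        if kind == "sysmon" and ev.get("event_id") == 1:
            image = ev.get("image", "")
            if image.lower().endswith(SUSPECT_IMAGES):
                alerts.append(("sysmon_image", f"{image} started by {ev.get('user', '?')}"))
        elif kind == "fs":
            path, op = ev["path"], ev["op"]
            if path in canaries and op in CANARY_OPS:
                alerts.append(("canary", f"{op} {path} by {ev.get('user', '?')}"))
            new_path = ev.get("new_path", "")
            if op == "RENAME" and new_path.lower().endswith(".deniz_kizi"):
                alerts.append(("encrypt_rename", new_path))
        elif kind == "security" and ev.get("event_id") == 4625:
            ip = ev["src_ip"]
            # keep only failures inside the sliding window, then test the threshold
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) == threshold:      # fire once as the threshold is crossed
                alerts.append(("rdp_bruteforce", f"{ip}: {threshold} failed logons within {window}"))
    return alerts


def sample_events():
    """Constructed event stream (not real telemetry) in the shapes detect() expects."""
    base = datetime(2024, 2, 12, 9, 0, 0)

    def t(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    events = [{"ts": t(10 * i), "kind": "security", "event_id": 4625,
               "src_ip": "203.0.113.7", "user": "administrator"} for i in range(6)]
    events += [
        {"ts": t(20), "kind": "security", "event_id": 4625, "src_ip": "198.51.100.2", "user": "ayse"},
        {"ts": t(25), "kind": "security", "event_id": 4624, "src_ip": "198.51.100.2", "user": "ayse"},
        {"ts": t(90), "kind": "sysmon", "event_id": 1, "user": "ayse",
         "image": r"C:\Users\ayse\AppData\Roaming\svchost_kiz.exe"},
        {"ts": t(91), "kind": "sysmon", "event_id": 1, "user": "SYSTEM",
         "image": r"C:\Windows\System32\svchost.exe"},
        {"ts": t(120), "kind": "fs", "op": "WRITE", "path": r"\\fs01\Finance\Annual_Budget.xlsx", "user": "ayse"},
        {"ts": t(121), "kind": "fs", "op": "RENAME", "path": r"\\fs01\Finance\Annual_Budget.xlsx",
         "new_path": r"\\fs01\Finance\Annual_Budget.xlsx.deniz_kizi", "user": "ayse"},
        {"ts": t(122), "kind": "fs", "op": "RENAME", "path": r"\\fs01\Finance\~QUOTE_2024_draft.xlsx",
         "new_path": r"\\fs01\Finance\~QUOTE_2024_draft.xlsx.deniz_kizi", "user": "ayse"},
    ]
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for rule, detail in detect(sample_events()):
        print(f"[{rule}] {detail}")
```

The brute-force rule fires once when the fifth failure from one source lands inside the window, which mirrors a 3-5 attempt lock-out policy; a single failed logon from another address stays quiet. The canary rule fires on the first touch of a trigger file regardless of the new name, so it catches the encryptor even if a future build changes the extension, while the rename rule catches encryption of ordinary files with this family's known extension.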


Stay safe, and share responsibly.