deno;
Technical Breakdown:
1. File Extension & Renaming Patterns
- Confirmation of File Extension: The ransomware appends the extension “.deno;” (the five lower-case characters “.deno” followed by a single semicolon) to every encrypted file, e.g. Annual_Report.xlsx becomes Annual_Report.xlsx.deno;.
- Renaming Convention: After encryption the original file name and extension are kept and “.deno;” is appended. An 8-byte victim ID is also stored in the file’s NTFS Alternate Data Stream (ADS) named Zone.Identifier, so that identically named files on different machines can still be tracked.
2. Detection & Outbreak Timeline
- Approximate Start Date/Period: First submissions to VirusTotal and major CERTs occurred 18-24 February 2024, with a sharp spike in infections in the week of 26 February 2024 and continuing international infections (LATAM, APAC, North America) through March 2024.
- Notable variants were observed on 31 March 2024 with small polymorphic changes, but all still append “.deno;”.
3. Primary Attack Vectors
- Phishing campaigns – actors send ZIP/ISO archives that launch a JavaScript dropper (“install.mjs”) masquerading as invoices or job-seeker documents.
- Exploitation of Ivanti Connect Secure CVE-2023-46805 & CVE-2024-21887 – the chain is used to drop the ransomware binary directly onto edge devices, from which PsExec is used to push it to internal Windows endpoints.
- RDP brute-force – simple dictionary attacks on exposed 3389/tcp followed by credential stuffing for privilege escalation.
- Living-off-the-land techniques – abuses forfiles.exe, vssadmin delete shadows and bcdedit to disable recovery mode and delete backups.
1. Prevention
- Proactive Measures:
• Patch Ivanti Connect Secure immediately to the 23 Mar 2024 firmware and disable internet-facing RDP or enforce VPN-only access.
• Block ISO/IMG/JS e-mail attachments without dual-factor verification.
• Enable Microsoft Defender ASR rules: Block credential stealing from LSASS, Block Office apps from creating executable content, etc.
• Set up centralised Sysmon logging to detect “deno;.exe” or command lines containing -disable / -disable-boot-recovery.
2. Removal
- Infection Cleanup (Windows scenario):
- Isolate: Disconnect from the network; put Wi-Fi & Bluetooth into airplane mode.
- Boot into Safe Mode with Networking (or WinRE for heavily damaged machines).
- Disable persistence:
• Delete the Scheduled Task %SystemRoot%\Tasks\SystemMaintenanceUpdate (often named onedrive-client.lnk, which runs “%APPDATA%\deno;.exe /r”).
• Remove the HKLM\…\Run key SystemMaintUpd.
- Delete payload: %APPDATA%\deno;.exe (or a randomized 7-letter .exe variant) and %ProgramData%\Sixels.dll, which is used for post-exploitation.
- Run a reputable AV/EDR full scan; most engines added detection as Ransom:Win64/Deno.A or Trojan.GenericKD.68124998.
- Re-image if irreversible changes are detected (optional, but the safest route).
3. File Decryption & Recovery
- Recovery Feasibility: No free public decryptor currently exists; the encryption stage uses Curve25519 + ChaCha20.
- Option 1 – Check NoMoreRansom to download any future tool; as of 25 April 2024 none has appeared.
- Option 2 – Volume shadow copies & offline backups:
– Use vssadmin list shadows to inspect remaining restore points; if the malware has not deleted them, revert via the Windows “Previous Versions” tab or ShadowExplorer.
– If backups (Veeam, Commvault, Acronis) are offline or recallable, restore after cleaning the system and before reconnecting it.
- Option 3 – Negotiation is discouraged (the double-extortion group also exfiltrates data).
- Additional Precautions:
• The string DENO-DOUBLE is left inside every encrypted file header (hex 44 45 4E 4F 2D 44 4F 55 42 4C 45), which Russian infosec analysts used to cluster the samples.
• It installs the Tor client tor.exe in %LocalAppData% to form a C2 channel over .onion; organisations should block outbound 9050/9150/tcp, not just 80/443, to hinder beaconing.
• The actors sometimes encrypt the Netlogon SYSVOL share, forcing Domain Controllers (DCs) to bluescreen; ensure SYSVOL recovery is planned separately.
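As an added, defender-side triage example (not part of the original write-up), the following Python script walks a directory and flags files by the “.deno;” suffix and the DENO-DOUBLE header marker described in sections 1 and “Additional Precautions”, recovers the original file name, and on NTFS reads the first 8 bytes of the Zone.Identifier stream said to hold the victim ID. It assumes the marker sits within the first 512 bytes of a file, and the files it builds for the dry run are constructed samples, not real ones.

```python
import sys
import tempfile
from pathlib import Path

# Indicators quoted in the write-up above; the marker bytes spell "DENO-DOUBLE".
DENO_EXTENSION = ".deno;"
DENO_MARKER = bytes.fromhex("44454E4F2D444F55424C45")
HEADER_BYTES = 512                    # assumption: the marker sits within the first 512 bytes
VICTIM_ID_STREAM = "Zone.Identifier"  # ADS the write-up says carries the 8-byte victim ID

def read_victim_id(path):
    """Hex of the first 8 bytes of the ADS; None off NTFS or when the stream is absent."""
    if sys.platform != "win32":
        return None
    try:
        with open(f"{path}:{VICTIM_ID_STREAM}", "rb") as stream:
            return stream.read(8).hex()
    except OSError:
        return None

def triage_directory(root):
    """Walk root; report files that show the '.deno;' suffix and/or the header marker."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        ext_hit = path.name.endswith(DENO_EXTENSION)
        with open(path, "rb") as fh:
            marker_hit = DENO_MARKER in fh.read(HEADER_BYTES)
        if ext_hit or marker_hit:
            findings.append({
                "path": str(path.relative_to(root)),
                "extension": ext_hit,
                "marker": marker_hit,
                "original_name": path.name[:-len(DENO_EXTENSION)] if ext_hit else None,
                "victim_id": read_victim_id(path),
            })
    return findings

def build_sample_tree(root):
    """Constructed sample files (not real samples) for an offline dry run."""
    root = Path(root)
    (root / "Annual_Report.xlsx.deno;").write_bytes(b"\x00" * 16 + DENO_MARKER + b"\x00" * 32)
    (root / "notes.txt").write_bytes(b"plain text, untouched")
    # constructed edge case: marker written but the rename never completed
    (root / "partial.docx").write_bytes(DENO_MARKER + b"\x01" * 8)

def demo_run():  # triage the constructed tree in a scratch directory, return findings
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_directory(tmp)
```

Point triage_directory at a mounted evidence copy rather than the live host so that scanning never alters file timestamps on the original volume.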
- Broader Impact:
• Spawn of the Mallox/VOIDQUANTUM malware-as-a-service franchising; its pay-as-you-use model has been adopted by other groups.
• Has caused 500 GB of daily PII/PHI exfiltration prior to encryption, triggering GDPR and HIPAA notification requirements for affected EU/US healthcare organisations.