dever

[Content by Gemini 2.5]

Technical Breakdown:

  1. File Extension & Renaming Patterns
    • Confirmation of File Extension: .dever (lower-case, appended after the existing extension; the ransom note refers to it without the leading dot).
    • Renaming Convention:
    – Original file: Document.docx
    – After encryption: Document.docx.dever
    – No e-mail address or victim ID is inserted into the filename (unlike, for example, Dharma, which inserts a victim ID and contact address before its extension).
    – The base name is not altered; the single new extension is appended exactly once.

  2. Detection & Outbreak Timeline
    • First sightings: Dever is one of the Phobos-family variants (a sibling of Devos, Eight, Eking and Elbie) that share one code base and differ mainly in extension and contact addresses. Phobos itself has circulated since early 2019; Dever was first reported at the start of 2020 and has returned in recurring waves since.
    • Detection coverage: because the code base is shared, vendor signatures and IOCs are maintained at the Phobos level rather than per extension; pull current hashes and contact addresses from your EDR/AV vendor's Phobos intelligence rather than from static lists.

  3. Primary Attack Vectors
    • Remote Desktop Protocol brute force and password spraying against TCP 3389 exposed to the Internet (most common).
    • Credential stuffing with stolen domain or local accounts, often preceded by reconnaissance of staff on LinkedIn and similar platforms to pick spear-phishing targets.
    • Pirated-software "crack" installers as a secondary vector, bundled with SmokeLoader, which then fetches the Dever payload.
    • No reported exploitation of EternalBlue or other SMBv1 bugs in live intrusions; lateral movement relies on RDP or WMI once an account is compromised.
    • Logs show nslookup, nbtscan and net.exe used to enumerate lateral targets, followed by manual deployment of the ransomware payload from C:\Users\Public\ or C:\PerfLogs.
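The two detections below are an added example, not part of the original page and not any vendor's code: a sliding-window count of RDP logon failures per source address for the brute-force vector, and a burst detector for files gaining the .dever suffix that also returns the pre-encryption paths for recovery scoping. The event dicts and their field names (id, logon_type, src_ip, host, path, ts) are constructed to resemble Windows Security 4625 records and Sysmon/EDR file-create records; map them onto your SIEM's schema. The filename check goes slightly beyond the bare-suffix form described above: it also tolerates the .id[...].[e-mail] segments that other Phobos-family variants (and Dharma) insert, so it still works if a sample deviates.

```python
"""Added example: two detections for the intrusion chain above.
Event dicts are constructed; field names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Final ".dever" suffix. The optional middle group tolerates the
# ".id[...].[e-mail]" segments other Phobos-family variants (and Dharma)
# insert before the extension; the page describes the bare suffix only.
DEVER_RE = re.compile(
    r"^(?P<orig>.+?)"
    r"(?:\.id\[[0-9A-Fa-f-]+\](?:\.\[[^\]]+\])*)?"
    r"\.dever$",
    re.IGNORECASE,
)


def original_name(path: str) -> Optional[str]:
    """Pre-encryption path if `path` is a Dever rename, else None."""
    m = DEVER_RE.match(path)
    return m.group("orig") if m else None


def _burst(times: List[datetime], threshold: int, window: timedelta) -> bool:
    """True if at least `threshold` timestamps fall inside one sliding window."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def rdp_bruteforce_sources(events: List[dict], threshold: int = 10,
                           window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Source IPs with >= `threshold` event-4625 failures inside `window`.
    Logon type 10 is RemoteInteractive; once NLA is enforced the CredSSP
    failure is logged as type 3 instead, so both types are counted."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625 and ev["logon_type"] in (3, 10):
            by_src[ev["src_ip"]].append(ev["ts"])
    return {src: len(ts) for src, ts in by_src.items() if _burst(ts, threshold, window)}


def dever_rename_bursts(file_events: List[dict], threshold: int = 20,
                        window: timedelta = timedelta(seconds=60)) -> Dict[str, List[str]]:
    """Hosts on which >= `threshold` files gained the Dever suffix within
    `window`, mapped to the original paths in creation order (recovery scope)."""
    by_host: Dict[str, List[tuple]] = defaultdict(list)
    for ev in file_events:
        orig = original_name(ev["path"])
        if orig is not None:
            by_host[ev["host"]].append((ev["ts"], orig))
    return {host: [o for _, o in sorted(items)]
            for host, items in by_host.items()
            if _burst([t for t, _ in items], threshold, window)}


# Constructed sample telemetry (documentation IP ranges, no real hosts).
_T0 = datetime(2024, 1, 1, 3, 0, 0)
SAMPLE_LOGON_EVENTS = (
    [{"id": 4625, "logon_type": 10, "src_ip": "203.0.113.5", "ts": _T0 + timedelta(seconds=10 * i)}
     for i in range(12)]  # 12 failures in two minutes from one source
    + [{"id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "ts": _T0 + timedelta(minutes=30 * i)}
       for i in range(2)]  # a user mistyping twice, half an hour apart
    + [{"id": 4624, "logon_type": 10, "src_ip": "203.0.113.5", "ts": _T0 + timedelta(seconds=125)}]
)  # the 4624 right after the burst is the successful guess: the triage pivot

SAMPLE_FILE_EVENTS = (
    [{"host": "HOST-A", "path": f"C:\\Shares\\Finance\\q{i}.xlsx.dever", "ts": _T0 + timedelta(seconds=i)}
     for i in range(25)]  # 25 renames in 25 seconds: encryption under way
    + [{"host": "HOST-B", "path": f"C:\\Users\\bob\\doc{i}.docx.dever", "ts": _T0 + timedelta(minutes=10 * i)}
       for i in range(3)]  # slow trickle, stays below the threshold
    + [{"host": "HOST-B", "path": "C:\\Users\\bob\\readme.txt", "ts": _T0}]
)

if __name__ == "__main__":
    print("brute-force sources:", rdp_bruteforce_sources(SAMPLE_LOGON_EVENTS))
    for host, names in dever_rename_bursts(SAMPLE_FILE_EVENTS).items():
        print(f"{host}: {len(names)} files encrypted, first {names[:3]}")
```

The thresholds are starting points: a source address that fails ten RDP logons in five minutes and then succeeds (the trailing 4624 in the sample) is the usual first hop, and the rename burst keyed on the original paths tells you which share to restore before the note is even read.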

Remediation & Recovery Strategies:

  1. Prevention (Proactive Measures)
    • Disable or restrict RDP to a bastion, VPN-only, or segmented VLAN; enforce Network Level Authentication (NLA).
    • Intranet segmentation: allow RDP only over TCP 3389 from known sources (jump hosts / ZTNA).
    • Multi-factor authentication for every interactive logon, esp. privileged accounts (MFA enforced on RDP via RADIUS/NPS or Azure AD Conditional Access).
    • Disable the built-in Guest account and rename or disable the built-in Administrator where feasible; manage local admin passwords with LAPS so every host has a unique, rotated password.
    • Windows Defender Exploit Guard or equivalent EDR: enable the ASR rules "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", "Block all Office applications from creating child processes" and "Block executable content from email client and webmail".
    • Patch aggressively, including third-party software, which is exactly what cracked installers impersonate.
    • Application allow-listing (AppLocker / WDAC) with rules that permit execution only from %ProgramFiles% and %Windir%, so user-writable paths such as %APPDATA%, %TEMP% and C:\Users\Public, from which the payload is launched, are blocked.
    • Daily offline + cloud backup following 3-2-1 rule: 3 copies, 2 media, 1 offline and immutable.

  2. Removal (Infection Cleanup – concise but complete)
    Step 1: Isolate the host(s) from the network (pull cable, disable Wi-Fi, vSwitch blackhole).
    Step 2: Identify the encryptor process: an unsigned executable, typically copied into %APPDATA%, %LOCALAPPDATA% or the Startup folder under its original or a random name and persisted with a Run key. Terminate it from Task Manager or from a live-boot environment; do not kill legitimate system processes such as winlogon.exe.
    Step 3: Boot into Safe Mode with Networking; run:
    • a full scan with a reputable AV engine (Defender Offline, ESET, Bitdefender);
    • a Malwarebytes scan to remove residual backdoors and PowerShell loaders.
    Step 4: Review autoruns (Autoruns.exe, corroborated with Sysmon telemetry); remove malicious Scheduled Tasks, Run keys and WMI event subscriptions.
    Step 5: If domain joined, reset all domain credentials (including the krbtgt account, twice) and sweep lateral machines with EDR queries for the payload's filename and for the SHA-256 hashes published in your EDR/AV vendor's Phobos-family intelligence; hash values change per build, so pull them fresh rather than relying on a static list.
    Step 6: Restore system integrity with sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth.
    Step 7: Prefer re-imaging from a known-good golden image over trusting a cleaned host; treat the cleaned host as a stopgap until it can be rebuilt.

  3. File Decryption & Recovery
    Recovery Feasibility: Files cannot be decrypted by any third-party utility. A fresh AES-256 key is generated per file and wrapped with an RSA-2048 public key hard-coded in the binary; the matching private key exists only on the attacker's side.
    Public decryptor: none exists at present.
    Brute force: infeasible for both the per-file AES keys and the RSA key.
    Primary recovery path: restore from offline or immutable backups (a Veeam hardened repository, or cloud buckets with object lock such as AWS S3 Object Lock). Paying the ransom gives no assurance of receiving a working key for every file, and data exfiltrated beforehand may still be published under double extortion.

Essential Tools / Patches
• EDR/AV signatures: keep Phobos-family definitions (Dever included) updated daily.
• Keep Microsoft Defender for Endpoint / CrowdStrike Falcon sensors on a current release with behavioural ransomware protection enabled (tamper protection, blocking of shadow-copy deletion).
• Network Level Authentication: supported natively on Windows Server 2012 R2 and later; enforce it through the Group Policy setting "Require user authentication for remote connections by using Network Level Authentication" under Remote Desktop Session Host > Security.
• Microsoft Defender Offline scan for hosts that cannot be cleaned from within the running OS.

Other Critical Information:
    Unique Characteristics:
    • Unlike most Phobos variants, it omits the victim ID from the filename, but it drops two ransom notes carrying the same contact details:
    info.txt (short plain text):

    !!!All of your files are encrypted!!!
    To decrypt them send e-mail to: [email protected] or [email protected]

    info.hta (HTA window displayed above the Windows taskbar).
    • Reported to drop and run cleaner.exe with -delall switches to clear the Windows Event Logs before reboot, which hampers forensics.
    • Backup deletion: wmic shadowcopy delete or vssadmin delete shadows /all /quiet, launched from a batch script that likely resides in %TEMP%\clean.bat.
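A rule set for the backup-deletion and log-clearing behaviour listed above, as an added example that is not part of the original page: it matches process-creation command lines (Sysmon event 1, or Security event 4688 with command-line auditing enabled) and raises a host only when more than one recovery-inhibition rule fires on it, because a lone vssadmin call is often an administrator. Beyond the page's two commands it also covers wbadmin delete catalog, bcdedit ... recoveryenabled no and wevtutil cl, which are commonly seen alongside them in Phobos-family intrusions. The records and their field names (host, cmdline, parent_cmdline) are constructed; cleaner.exe is not modelled because its exact command line is not given above.

```python
"""Added example: recovery-inhibition rules over process-creation telemetry.
Records are constructed dicts; field names are assumptions."""
import re
from typing import Dict, List

# One regex per behaviour, anchored on the destructive verb so that
# `vssadmin list shadows` from a backup agent or `wevtutil qe` from an
# admin reading a log do not fire.
RULES = [
    ("vss_delete",    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadow",   re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin_cat",   re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("bcd_norecover", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("evtlog_clear",  re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
]
# Weaker, corroborating signal: the destructive command was launched from a
# batch file under a temp directory (the %TEMP%\clean.bat observation above).
TEMP_SCRIPT = re.compile(r'\\(?:temp|tmp)\\[^\\\s"]+\.(?:bat|cmd)\b', re.I)


def classify(event: dict) -> List[str]:
    """Names of the rules matched by one process-creation record."""
    hits = [name for name, rx in RULES if rx.search(event.get("cmdline", ""))]
    if hits and TEMP_SCRIPT.search(event.get("parent_cmdline", "")):
        hits.append("temp_batch_parent")
    return hits


def recovery_inhibition_hosts(events: List[dict], min_rules: int = 2) -> Dict[str, List[str]]:
    """Hosts on which at least `min_rules` distinct rules fired, with the
    sorted rule names. Shadow deletion combined with boot-recovery or
    event-log tampering on one host is the pre-encryption pattern; a single
    vssadmin call is often legitimate maintenance and stays below the bar."""
    per_host: Dict[str, set] = {}
    for ev in events:
        for name in classify(ev):
            per_host.setdefault(ev["host"], set()).add(name)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


# Constructed sample records: one host running the pre-encryption script,
# one admin workstation doing ordinary maintenance.
_BAT = r"cmd.exe /c C:\Users\svc_bk\AppData\Local\Temp\clean.bat"
SAMPLE_PROCESS_EVENTS = [
    {"host": "FS01", "parent_cmdline": _BAT, "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "parent_cmdline": _BAT, "cmdline": r"wmic shadowcopy delete"},
    {"host": "FS01", "parent_cmdline": _BAT, "cmdline": r"bcdedit /set {default} recoveryenabled No"},
    {"host": "FS01", "parent_cmdline": r"cmd.exe", "cmdline": r"wevtutil cl Security"},
    # Benign: backup agent enumerating snapshots, admin querying a log.
    {"host": "ADMIN-WS", "parent_cmdline": r"BackupAgent.exe", "cmdline": r"vssadmin list shadows"},
    {"host": "ADMIN-WS", "parent_cmdline": r"powershell.exe", "cmdline": r"wevtutil qe Security /c:5"},
    # One-off admin cleanup: a single rule, below min_rules.
    {"host": "ADMIN-WS", "parent_cmdline": r"cmd.exe", "cmdline": r"vssadmin delete shadows /for=D: /oldest"},
]

if __name__ == "__main__":
    for host, rules in recovery_inhibition_hosts(SAMPLE_PROCESS_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

Treat a hit here as a pre-encryption alarm rather than a post-mortem finding: the shadow copies are gone within seconds, but the encryptor usually has not finished, so isolating the host at this point (Step 1 of the removal procedure) still saves data.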

Broader Impact & Notable Incidents:
• A U.S. Midwest hospital chain (April 2022) and three Latin-American manufacturing plants were hit, drawing regulatory attention (the hospital case was investigated by OCR as a HIPAA breach).
• A 2023 Ukrainian CERT advisory noted Dever appearing alongside politically motivated wipers posing as ransomware, which complicates attribution and incident timelines.
• GDPR fines in the EU continue to follow from exfiltration before encryption: operators now harvest networks manually for months before triggering the encryptor.


Apply the above playbook immediately after any alert, and remember: good backups + tested recovery runbooks are the only reliable insurance against Dever.