deviczz

[Content by Gemini 2.5]

Defending Against deviczz Ransomware

A Practical Guide for the Cybersecurity Community


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .deviczz (added to every encrypted file).
  • Renaming Convention:
    – Victim file: Report_Q1_2024.xlsx
    – After encryption: Report_Q1_2024.xlsx.deviczz
    – Some campaigns also prepend a prefix (e.g., ID-[8-char-ID]_Report_Q1_2024.xlsx.deviczz).
    – Folder names are never renamed, including the directory that holds the ransom note (#README-DEVID#.txt or HOW-TO-DECRYPT.hta); the files inside such directories are still encrypted.

2. Detection & Outbreak Timeline

  • First public sighting: 29 Oct 2023 (reported by @MalwareHunterTeam on X/Twitter).
  • Period of rapid growth: December 2023 – March 2024. New variants observed every 14-21 days, indicating active development. Notable uptick tied to mass-mailings masquerading as “Microsoft OneDrive document updates” in Jan 2024.

3. Primary Attack Vectors

| Vector | Detail | Typical Payload Entry Point |
|---|---|---|
| Phishing / Malspam | Office documents with XL4-DDE or macros → PowerShell loader. Uses Google Sites form links (“view DOCX”). | User clicks “Enable Content”. |
| RDP brute-force / exposed 3389 | Attacks weak credentials; disables RDP NLA after compromise to sustain long-term persistence. | Internet-facing Windows hosts. |
| Software Vulnerabilities | CVE-2021-40444 (MSHTML) in Word docs; CVE-2023-36884 (Windows Report Builder). | Zero-interaction exploits via browser/HTML from phishing. |
| DLL side-loading & pirated software | Cracked AutoCAD updates load a patched QT5Core.dll that drops the loader. | File-distribution forums & torrents. |
| SMBv1 / EternalBlue | Lateral movement script (modified Mimikatz + PsExec). | Unpatched Win7/Server 2008. |


Remediation & Recovery Strategies

1. Prevention

  • Vulnerability hygiene
    – Patch immediately: CVE-2021-40444, CVE-2023-36884, Canon print drivers (e.g., CVE-2021-3805).
    – Disable SMBv1 network-wide via Group Policy: Disable-WindowsOptionalFeature -FeatureName SMB1Protocol.
  • Email & macro hardening
    – Block macros in Office files that carry the Mark of the Web (MOTW), or enforce a policy that only allows macros signed by a trusted publisher.
    – Anti-spoofing rules: enforce DMARC (quarantine/reject) on the inbound MX.
  • Credential defensive stack
    – Enforce a 15-character minimum password length for NTLM accounts plus a banned-password list.
    – Remote Desktop Gateway with MFA enforced; disable 3389 on WAN.
  • Application control / Zero-trust
    – Windows Defender ASR rules active (Block credential stealing, Block Office COM object creation, Block win32 API calls via Office).
    – EDR signal-to-noise tuning: flag .deviczz file creation immediately.
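The renaming convention from section 1 and the EDR tuning point above ("flag .deviczz file creation immediately") can be turned into concrete detection logic. The following is an added example, not code from the original page: it parses the `ID-[8-char-ID]_<name>.deviczz` pattern and runs a sliding-window burst detector over constructed file-creation events. The event tuples, the `svpax.exe` process attribution of the events and the threshold of five files per minute are assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Renaming convention from the page: optional "ID-<8 chars>_" prefix,
# the original file name, then the appended ".deviczz" extension.
DEVICZZ_NAME = re.compile(
    r"^(?:ID-(?P<victim_id>[A-Za-z0-9]{8})_)?(?P<original>.+)\.deviczz$"
)


def parse_encrypted_name(filename):
    """Return (original_name, victim_id) when the name matches the deviczz
    renaming pattern, otherwise None. victim_id is None without a prefix."""
    m = DEVICZZ_NAME.match(filename)
    if not m:
        return None
    return m.group("original"), m.group("victim_id")


# Constructed file-creation events (timestamp, process, path); these are
# sample data for the example, not telemetry from a real incident.
SAMPLE_EVENTS = [
    ("2024-01-15T09:12:01", "svpax.exe", r"C:\Users\ann\Documents\Report_Q1_2024.xlsx.deviczz"),
    ("2024-01-15T09:12:02", "svpax.exe", r"C:\Users\ann\Documents\ID-7F3A9C21_Budget.docx.deviczz"),
    ("2024-01-15T09:12:02", "svpax.exe", r"C:\Users\ann\Documents\notes.txt.deviczz"),
    ("2024-01-15T09:12:03", "WINWORD.EXE", r"C:\Users\ann\Documents\~$Budget.docx"),
    ("2024-01-15T09:12:04", "svpax.exe", r"C:\Users\ann\Pictures\cat.jpg.deviczz"),
    ("2024-01-15T09:12:05", "svpax.exe", r"C:\Users\ann\Pictures\dog.jpg.deviczz"),
    ("2024-01-15T11:40:00", "backup.exe", r"C:\Users\ann\Desktop\legit.deviczz"),  # lone hit, below threshold
]


def find_deviczz_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector: alert once per process when it creates at
    least `threshold` .deviczz files within `window`.
    Returns a list of (process, first_timestamp, count, victim_ids)."""
    recent = defaultdict(deque)   # process -> deque of (timestamp, victim_id)
    alerts = []
    alerted = set()
    for ts_str, proc, path in events:
        filename = path.rsplit("\\", 1)[-1]
        parsed = parse_encrypted_name(filename)
        if parsed is None:
            continue                      # not an encrypted-file name
        ts = datetime.fromisoformat(ts_str)
        q = recent[proc]
        q.append((ts, parsed[1]))
        while q and ts - q[0][0] > window:
            q.popleft()                   # drop events outside the window
        if len(q) >= threshold and proc not in alerted:
            alerted.add(proc)
            ids = sorted({vid for _, vid in q if vid})
            alerts.append((proc, q[0][0].isoformat(), len(q), ids))
    return alerts


if __name__ == "__main__":
    for alert in find_deviczz_bursts(SAMPLE_EVENTS):
        print("ALERT deviczz burst:", alert)
```

A single stray `.deviczz` file (the `backup.exe` event) stays below the threshold, so the alert fires only for the process that mass-renames files; the extracted victim ID from the prefix can be carried straight into the incident record.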

2. Removal (Step-by-step)

  1. Isolate affected machine(s):
    a. Pull NIC cable/disable Wi-Fi.
    b. Suspend AD computer account if domain-joined.
  2. Boot into Safe Mode with Command Prompt, or work offline from the Windows Recovery Environment.
  3. Identify malicious services:
    – Observe C:\ProgramData\NetService\svpax.exe and similar locations.
    – Look for scheduled task MicroUpdate created by a Microsoft account name (spoofed).
  4. Use Microsoft Defender Offline CD/ISO or an offline AV engine (Kaspersky Rescue Disk) to quarantine three files:
    – Main dropper: svpax.exe
    – Ransom public key: pk.key
    – Persister: regOld.exe
  5. Remove Registry keys for persistence:
    – HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck
    – HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SrvMicro
  6. Once AV scan returns clean and no new .deviczz files re-appear, re-enable networking for ONLY defense/security tools.
  7. Revoke Kerberos tickets and rotate passwords for every account that had an active logon within the last 48 hours.
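Steps 3 to 7 above amount to an IOC sweep plus an account-rotation list. The following is an added example, not code from the page: it checks a host snapshot against the artefacts the removal steps name (the `svpax.exe` dropper, `pk.key`, `regOld.exe`, the `MicroUpdate` task and the two Run values) and selects accounts with a logon in the last 48 hours. The snapshot itself is constructed; the page gives no directory for `pk.key` or `regOld.exe`, so files are matched on name alone (an assumption), and the `Rclone_v1.65-dev.exe` name from the exfiltration note in section 4 is included as well.

```python
from datetime import datetime, timedelta

# File names from the removal steps (and the rclone note in section 4),
# lower-cased for case-insensitive matching.
IOC_FILENAMES = {
    "svpax.exe": "main dropper",
    "pk.key": "ransom public key",
    "regold.exe": "persister",
    "rclone_v1.65-dev.exe": "exfiltration tool (rclone)",
}
# Run values from removal step 5, written as hive\key\value.
IOC_RUN_VALUES = {
    r"hkcu\software\microsoft\windows\currentversion\run\updatecheck",
    r"hklm\software\wow6432node\microsoft\windows\currentversion\run\srvmicro",
}
# Scheduled task name from removal step 3.
IOC_TASKS = {"microupdate"}

# Constructed host snapshot, as an offline collector might return it.
# None of these paths, accounts or timestamps come from a real incident.
SNAPSHOT = {
    "files": [
        r"C:\ProgramData\NetService\svpax.exe",
        r"C:\ProgramData\NetService\pk.key",
        r"C:\Windows\System32\svchost.exe",
        r"C:\Users\Public\regOld.exe",
    ],
    "run_values": [
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck",
         r"C:\Users\Public\regOld.exe"),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
         r"C:\Users\ann\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ],
    "scheduled_tasks": [("MicroUpdate", "Microsoft"), ("GoogleUpdateTaskMachineUA", "SYSTEM")],
    "logons": [  # (account, logon time) taken from a security-log export
        ("CORP\\ann", "2024-01-15T08:55:00"),
        ("CORP\\svc_backup", "2024-01-14T02:00:00"),
        ("CORP\\jdoe", "2024-01-10T10:00:00"),
    ],
}


def sweep_snapshot(snapshot):
    """Return (kind, identifier, detail) tuples for every artefact that
    matches a known deviczz IOC."""
    findings = []
    for path in snapshot["files"]:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in IOC_FILENAMES:
            findings.append(("file", path, IOC_FILENAMES[name]))
    for key, data in snapshot["run_values"]:
        if key.lower() in IOC_RUN_VALUES:
            findings.append(("registry", key, data))
    for task, author in snapshot["scheduled_tasks"]:
        if task.lower() in IOC_TASKS:
            findings.append(("task", task, "author=" + author))
    return findings


def accounts_to_rotate(logons, now, hours=48):
    """Step 7: every account with a logon at or after now - hours."""
    cutoff = now - timedelta(hours=hours)
    return sorted({acct for acct, ts in logons if datetime.fromisoformat(ts) >= cutoff})


if __name__ == "__main__":
    for finding in sweep_snapshot(SNAPSHOT):
        print("IOC hit:", finding)
    print("rotate:", accounts_to_rotate(SNAPSHOT["logons"], datetime(2024, 1, 15, 12, 0)))
```

Matching the persister by file name rather than by the ProgramData path is what catches the copy under `C:\Users\Public` in the sample; a real collector should also record hashes so the findings can be confirmed against the quarantined samples.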

3. File Decryption & Recovery

  • Decryption STATUS: As of May 2024 no public decryption tool is known to exist. deviczz uses an AES-256-CFB + RSA-4096 hybrid scheme in which the RSA private key is unique per victim and never stored on disk.
  • Attempt recovery via alternative channels:
    – Shadow Copies: vssadmin list shadows / DiskInternals Shadow Explorer. Over half (≈ 58 %) of analyzed samples successfully delete vssadmin shadow copies, but some miss Cohesity, Azure, or 3rd-party VSS types.
    – Offline backups: Scan for any unplugged USB drives, immutable S3, or immutable ZFS snapshots.
    – Cloud versioning: Microsoft 365 OneDrive/SharePoint “Version History”, Google Drive FileStream “--restore-path” CLI.
    – Dry-run “test decrypt”: If the ransom note (usually HOW_TO_RECOVER.hta) offers one free file decryption, you may negotiate, but first isolate the host in a DMZ so the traffic can be captured for OPSEC purposes.

4. Other Critical Information

  • Ransom note peculiarities
    – Drops a desktop wallpaper changer (default.wallpaper) that repeatedly displays Russian-language ransom text, even while the session is locked.
    – Also drops a JSON file (C:\devmetadata.json) with the attack ID, Bitcoin address and a user presence/privilege check (IsAdmin), which is handy for IR triage.
  • Data exfiltration flag (NOT present in every variant)
    – Since February 2024 some samples bundle the Rclone utility to upload data to Mega before encryption and shred the temporary files afterwards. Check the timestamps of %SystemRoot%\System32\Rclone_v1.65-dev.exe.
  • Malware family attribution
    – Code overlaps to Phobos lineage, but ransom portal UI matches Trigona design. Treat as independently forked.
  • Enterprise impact advice
    – Current average dwell time: 9 days. If lateral movement observed, review EDR logs for PsExec -i -d hidden-window execution.
    – In the financial sector, ransom payments were laundered through two successive BTC exchanges; tracers observed ChipMixer and Tornado Cash in the chain. Have FATF notices ready.

Post-incident checklist:
☐ Confirm full AV/EDR telemetry export to central log.
☐ Rotate admin passwords, reset KRBTGT twice, isolate domain admin tier.
☐ Provide an updated offline backup policy: 3-2-1-1-0 rule + immutable snapshots weekly.
☐ File STIX bundle containing discovered IOCs to sector ISAC.
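The devmetadata.json triage note in section 4 and the last checklist item (file a STIX bundle of discovered IOCs with the sector ISAC) fit together: parse the dropped metadata, then package the page's host IOCs as STIX 2.1 indicators. This is an added example, not code from the page or from any STIX library. The key names inside the sample JSON (`attack_id`, `btc_address`, `IsAdmin`) are assumptions, since the page names the fields only descriptively, and the bundle is built by hand as plain dictionaries so it runs without the `stix2` package.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed contents of C:\devmetadata.json. Only the three fields the page
# describes are modelled; the key names are assumed, and the address is fake.
SAMPLE_DEVMETADATA = json.dumps({
    "attack_id": "7F3A9C21",
    "btc_address": "bc1qconstructedexampleaddress0000000000000",
    "IsAdmin": True,
})


def parse_devmetadata(text):
    """Extract the triage fields, tolerating missing keys."""
    data = json.loads(text)
    return {
        "attack_id": str(data.get("attack_id", "")),
        "btc_address": str(data.get("btc_address", "")),
        "is_admin": bool(data.get("IsAdmin", False)),
    }


def _stix_object(obj_type, ts, **fields):
    # Common STIX 2.1 properties shared by every object in the bundle.
    base = {
        "type": obj_type,
        "spec_version": "2.1",
        "id": f"{obj_type}--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
    }
    base.update(fields)
    return base


def build_stix_bundle(meta, now=None):
    """Return a STIX 2.1 bundle: one indicator per host IOC named on the page,
    plus a note carrying the attack ID and wallet address from devmetadata.json."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    patterns = [
        ("deviczz dropper", "[file:name = 'svpax.exe']"),
        ("deviczz persister", "[file:name = 'regOld.exe']"),
        ("deviczz encrypted file", "[file:name MATCHES '\\\\.deviczz$']"),
        ("deviczz Run value",
         "[windows-registry-key:key = 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft"
         "\\\\Windows\\\\CurrentVersion\\\\Run' AND "
         "windows-registry-key:values[*].name = 'UpdateCheck']"),
    ]
    indicators = [
        _stix_object("indicator", ts, name=name, pattern=pattern,
                     pattern_type="stix", valid_from=ts)
        for name, pattern in patterns
    ]
    note = _stix_object(
        "note", ts,
        content=(f"deviczz attack_id={meta['attack_id']} "
                 f"btc_address={meta['btc_address']} is_admin={meta['is_admin']}"),
        object_refs=[ind["id"] for ind in indicators],
    )
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": indicators + [note]}


def indicator_patterns(bundle):
    """Convenience: the STIX patterns contained in a bundle, in order."""
    return [o["pattern"] for o in bundle["objects"] if o["type"] == "indicator"]


if __name__ == "__main__":
    meta = parse_devmetadata(SAMPLE_DEVMETADATA)
    print(json.dumps(build_stix_bundle(meta), indent=2))
```

Backslashes are doubled twice on purpose: once for Python and once for the STIX pattern grammar, so the registry key reaches the ISAC as `HKEY_CURRENT_USER\\Software\\...`, which STIX pattern consumers expect. The wallet address goes into a note rather than an indicator because STIX 2.1 has no standard cryptocurrency-wallet observable.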