devos

[Content by Gemini 2.5]

Ransomware Report: DEVOS Strain (.DEVOS extension)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of file extension: .devos (lower-case, appended after the original extension, which is kept)
  • Renaming convention: each encrypted file is renamed in the pattern
    filename.ext.id-[8-10 digits].[<contact e-mail>].devos
    where the numeric field is the per-victim ID that also appears in the ransom note and the bracketed field is the actor's contact address.
    Examples:
    ReportQ4.xlsx.id-2901695130.[<contact e-mail>].devos
    Backup.sql.id-71025398.[<contact e-mail>].devos
    Multiple contact e-mail addresses may appear, each in its own brackets and separated by periods, e.g., .[<contact e-mail 1>].[<contact e-mail 2>].devos. Because the original extension survives, the original name is recovered by stripping everything from ".id-" onward.

Ransom notes are dropped in every folder that contains encrypted files; the samples behind this page used "readme.txt" or "ReadMe.txt", while Phobos-family builds more commonly drop info.txt together with an HTML Application (info.hta) that is launched at logon. The note carries the same victim ID as the renamed files, so keep at least one copy for family confirmation.
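The renaming pattern above is regular enough to parse, which is useful during triage: a responder can walk a share listing, count how many files were touched, recover the original names for backup lookup, and extract the victim ID and contact addresses that identify the campaign. The following parser is an added example written for this page, not code from the original report or from any vendor tool. It accepts the page's documented id-<digits> form and, as an assumption noted in the code, the bracketed id[<8 hex>-<4 digits>] form used by other Phobos-family samples; the directory listing and contact addresses are constructed placeholders.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Pattern documented above:  <original name>.id-<8-10 digits>.[<contact>](.[<contact>])*.devos
# The bracketed "id[8 hex-4 digits]" alternative is an assumption added here because other
# Phobos-family samples use it; the page itself only shows the "id-<digits>" form.
_DEVOS_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id(?:-(?P<id_dec>\d{8,10})|\[(?P<id_hex>[0-9A-Fa-f]{8}-\d{4})\])"
    r"(?P<contacts>(?:\.\[[^\]\s]+\])+)"
    r"\.devos$",
    re.IGNORECASE,
)


def parse_devos_name(name: str) -> Optional[dict]:
    """Split a DEVOS-renamed file into its original name, victim ID and contact list.

    Returns None for names that do not follow the pattern (untouched files, ransom notes).
    """
    m = _DEVOS_RE.match(name)
    if m is None:
        return None
    return {
        "original": m.group("original"),
        "victim_id": m.group("id_dec") or m.group("id_hex"),
        "contacts": re.findall(r"\[([^\]]+)\]", m.group("contacts")),
    }


def inventory(listing: List[str]) -> Dict[str, object]:
    """Summarise a directory listing: how many files are encrypted, under which victim
    IDs and contact addresses, and what their original names were (for backup lookup)."""
    victim_ids: Counter = Counter()
    contacts: Counter = Counter()
    originals: List[str] = []
    for name in listing:
        parsed = parse_devos_name(name)
        if parsed is None:
            continue
        victim_ids[parsed["victim_id"]] += 1
        contacts.update(parsed["contacts"])
        originals.append(parsed["original"])
    return {
        "encrypted": len(originals),
        "untouched": len(listing) - len(originals),
        "victim_ids": dict(victim_ids),
        "contacts": dict(contacts),
        "originals": originals,
    }


# Constructed listing for the demo; the contact addresses are placeholders, not real actor addresses.
SAMPLE_LISTING = [
    "ReportQ4.xlsx.id-2901695130.[recover@example.com].devos",
    "Backup.sql.id-2901695130.[recover@example.com].[backup@example.net].devos",
    "photo.jpg.id[1A2B3C4D-2275].[recover@example.com].devos",
    "info.txt",    # ransom note, not an encrypted file
    "notes.docx",  # file the malware did not reach
]

if __name__ == "__main__":
    summary = inventory(SAMPLE_LISTING)
    print(f"{summary['encrypted']} encrypted, {summary['untouched']} untouched")
    print("victim IDs:", summary["victim_ids"])
    print("contacts:  ", summary["contacts"])
```

Run it over `os.listdir()` output (or a recursive walk) of an affected share; more than one victim ID in the same listing usually means more than one execution of the payload, which matters when you later look for pairs of original and encrypted files.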

2. Detection & Outbreak Timeline

  • First seen in the wild: early June 2019.
  • Significant campaigns:
    • June–October 2019: mass volume via fake software cracks and stolen RDP credentials.
    • H1 2020: wave targeting exposed MySQL, MSSQL, PostgreSQL and VNC services.
    • 2021–2024: persistent rebundling and intermittent spikes through malvertising and software pushed via Telegram (TG) channels.

DEVOS is an active offshoot of the Phobos ransomware family; samples are still very current at the time of writing.

3. Primary Attack Vectors

The DEVOS group uses a hybrid “smash-and-grab” approach—high-volume automation combined with semi-manual post-exploitation.

  1. Open Remote Desktop Protocol (RDP)
  • TCP/3389 brute-forced or password-sprayed with credential dumps and passwords re-used from older breaches.
  • When MFA is absent, the initial foothold is achieved in minutes.
  2. Stolen or misused remote-admin tools
  • AnyDesk, TeamViewer, Ammyy Admin, or MSP utilities used with leaked credentials.
  3. RIG & Fallout exploit kits (2019–2020) driving classic malvertising lures (fake Flash updates, crack downloads).
  4. Vulnerability exploitation
  • EternalBlue (MS17-010) for lateral spread to un-patched Windows 7 / Server 2008 machines.
  • BlueKeep (CVE-2019-0708) used sparingly against externally exposed Windows Server 2008 R2 endpoints.
  • Database software (MySQL CVE-2016-6662, MSSQL instances with weak "sa" passwords) for the initial breach in server environments.
  5. E-mail phishing with ISO or double-zipped attachments delivering a SmokeLoader first stage, which then fetches DEVOS as the second stage.
  6. Insecure NAS / FTP servers where victim credentials or shared admin passwords have previously been re-used.
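The first vector above, credential brute force or spraying against exposed RDP, is visible in the Windows Security log long before any file is encrypted: a burst of 4625 failures from one source address followed by a 4624 success from the same address is the foothold being taken. The detector below is an added example for this page, not code from the original report or from any SIEM product; it runs over a constructed sample log rather than real telemetry. One detail worth knowing: when NLA is enabled, failed RDP pre-authentication is recorded with logon type 3 rather than type 10, so a rule keyed only on type 10 misses the spray.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LogonEvent:
    """Minimal view of a Windows Security log record."""
    ts: datetime
    event_id: int    # 4625 = failed logon, 4624 = successful logon
    logon_type: int  # 10 = RemoteInteractive (RDP); with NLA enabled, failed RDP
                     # pre-authentication is recorded as logon type 3 instead
    user: str
    src_ip: str


RDP_LOGON_TYPES = (3, 10)


def detect_rdp_bruteforce(
    events: List[LogonEvent],
    window: timedelta = timedelta(minutes=5),
    fail_threshold: int = 20,
) -> Dict[str, dict]:
    """Flag source IPs that produce a burst of failed logons inside `window`, and raise
    the severity when the same IP later achieves a successful logon (foothold gained)."""
    by_ip: Dict[str, List[LogonEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type in RDP_LOGON_TYPES:
            by_ip[ev.src_ip].append(ev)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e.event_id == 4625]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e.ts - first.ts <= window]
            if len(burst) < fail_threshold:
                continue
            success: Optional[LogonEvent] = next(
                (e for e in evs if e.event_id == 4624 and e.ts >= first.ts), None
            )
            findings[ip] = {
                "failures": len(burst),
                "distinct_users": len({e.user for e in burst}),
                "first": burst[0].ts,
                "last": burst[-1].ts,
                "compromised_user": success.user if success else None,
                "severity": "critical" if success else "high",
            }
            break  # one finding per source IP is enough for triage
    return findings


# Constructed sample log, not real telemetry: a password spray from 203.0.113.5 that
# ends in a successful RDP logon, plus an employee who mistyped her password three times.
T0 = datetime(2024, 3, 10, 23, 58, 0)
SPRAY_USERS = ["administrator", "admin", "backup", "scan", "sql"]
SAMPLE_LOGONS: List[LogonEvent] = [
    LogonEvent(T0 + timedelta(seconds=4 * i), 4625, 3, SPRAY_USERS[i % 5], "203.0.113.5")
    for i in range(25)
]
SAMPLE_LOGONS.append(LogonEvent(T0 + timedelta(seconds=130), 4624, 10, "administrator", "203.0.113.5"))
SAMPLE_LOGONS += [
    LogonEvent(T0 + timedelta(minutes=3, seconds=20 * i), 4625, 10, "alice", "10.20.0.15")
    for i in range(3)
]
SAMPLE_LOGONS.append(LogonEvent(T0 + timedelta(minutes=4), 4624, 10, "alice", "10.20.0.15"))

if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_LOGONS).items():
        print(f"{ip}: {f['severity']} - {f['failures']} failures against "
              f"{f['distinct_users']} users; foothold as {f['compromised_user']}")
```

The threshold and window are deliberately loose (20 failures in 5 minutes) because Phobos affiliates run high-volume tooling; tune them down for a gateway that should only ever see a handful of users, and treat a "critical" finding as the point at which the host is already inside the attacker's hands.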

Once inside, DEVOS:

  • Runs cmd.exe to delete shadow copies (vssadmin delete shadows /all /quiet; Phobos-family builds also issue wmic shadowcopy delete).
  • Runs bcdedit to disable the Windows recovery environment (bcdedit /set {default} recoveryenabled no and bcdedit /set {default} bootstatuspolicy ignoreallfailures).
  • Stops SQL, Exchange, IIS and VSS services so that open database and mailbox files can be encrypted.
  • Enumerates network shares and encrypts files on every reachable SMB share, using whatever access the compromised account holds.
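The post-exploitation commands just listed are the most reliable early warning an EDR or SIEM gets, because they run before the bulk of the encryption and are rarely legitimate on a file server at 2 a.m. The rule set below is an added example for this page, not code from the original report or from any EDR vendor; it scores process-creation events (Sysmon event 1 or Security event 4688 style) per host inside a sliding window, so that a single admin stopping IIS does not alert while shadow-copy deletion plus recovery tampering does. The events are constructed for the demo.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    """Process-creation record as Sysmon event 1 or Security event 4688 would provide."""
    ts: datetime
    host: str
    user: str
    cmdline: str


# (rule name, pattern over the full command line, weight). Destructive forms only:
# enumeration such as "vssadmin list shadows" or "bcdedit /enum" must not fire.
RULES: List[Tuple[str, re.Pattern, int]] = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I), 3),
    ("shadow_copy_delete_wmic", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I), 3),
    ("recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), 2),
    ("bootstatus_ignored", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I), 2),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I), 2),
    ("critical_service_stop", re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+\"?(?:MSSQL|SQLAgent|SQLWriter|MSExchange|W3SVC|VSS)", re.I), 1),
]

ALERT_THRESHOLD = 5             # weighted score that triggers an alert
WINDOW = timedelta(minutes=10)  # all contributing events must fall inside this window


def match_rules(cmdline: str) -> List[Tuple[str, int]]:
    """Return (rule name, weight) for every rule the command line triggers."""
    return [(name, weight) for name, rx, weight in RULES if rx.search(cmdline)]


def detect(events: List[ProcEvent], threshold: int = ALERT_THRESHOLD,
           window: timedelta = WINDOW) -> Dict[str, dict]:
    """Score rule hits per host inside a sliding window and return one alert per host
    that crosses the threshold."""
    hits: Dict[str, List[Tuple[datetime, str, int, str]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        for name, weight in match_rules(ev.cmdline):
            hits.setdefault(ev.host, []).append((ev.ts, name, weight, ev.user))

    alerts: Dict[str, dict] = {}
    for host, host_hits in hits.items():
        for i, (start, _, _, _) in enumerate(host_hits):
            in_window = [h for h in host_hits[i:] if h[0] - start <= window]
            score = sum(h[2] for h in in_window)
            if score >= threshold:
                alerts[host] = {
                    "score": score,
                    "rules": sorted({h[1] for h in in_window}),
                    "users": sorted({h[3] for h in in_window}),
                    "first": in_window[0][0],
                    "last": in_window[-1][0],
                }
                break
    return alerts


# Constructed events for the demo, not real telemetry.
T0 = datetime(2024, 3, 11, 2, 14, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "FS01", "CORP\\svc_backup", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(T0 + timedelta(seconds=3), "FS01", "CORP\\svc_backup", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(T0 + timedelta(seconds=4), "FS01", "CORP\\svc_backup", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(T0 + timedelta(seconds=9), "FS01", "CORP\\svc_backup", "net stop MSSQLSERVER /y"),
    ProcEvent(T0 + timedelta(minutes=5), "WS07", "CORP\\alice", "vssadmin list shadows"),
    ProcEvent(T0 + timedelta(minutes=6), "WS07", "CORP\\alice", "bcdedit /enum"),
    ProcEvent(T0 + timedelta(hours=3), "WEB01", "CORP\\webadmin", "net stop W3SVC"),
]

if __name__ == "__main__":
    for host, a in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: score {a['score']} from {a['rules']} by {a['users']}")
```

Shadow-copy deletion carries the highest weight because it is the single step that turns an annoying incident into an unrecoverable one on hosts without offline backups; an alert on that rule alone is worth isolating the host over, and the `users` field tells you which account to disable first.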

Remediation & Recovery Strategies

1. Prevention

  1. Lock down RDP
  • Block TCP/3389 from the Internet, or restrict it to an allow-list of source IPs behind a VPN or RD Gateway.
  • Enforce NLA plus MFA (Duo, Azure AD, etc.).
  2. Patch aggressively
  • MS17-010 (March 2017) closes EternalBlue; any Windows host still missing it should be isolated until patched.
  • BlueKeep (CVE-2019-0708) is fixed by the May 2019 updates for Windows 7 / Server 2008 R2 (KB4499175 security-only, KB4499164 monthly rollup) and by the out-of-band updates Microsoft issued for Windows XP / Server 2003.
  • Keep MySQL, MS-SQL and Apache/Nginx fully updated.
  3. Privileged-access hygiene
  • Rename the built-in local "Administrator" account and disable it where possible.
  • Use LAPS to set unique, complex local-admin passwords on each workstation.
  • Implement zero-trust / just-in-time privileged access.
  4. E-mail & web filtering
  • Block receipt of .iso, .img, .vhd, .ps1, .js and double-zipped attachments at the MTA or secure e-mail gateway.
  • DNS-level filtering of known exploit-kit and malvertising domains.
  5. Backups
  • Follow the 3-2-1 rule: three copies, two different media, one offline or off-site (immutable S3 Object Lock or tape).
  • Test restores monthly and encrypt backups with a key stored independently of production AD, so a domain compromise cannot reach both the data and the backups.
  6. EDR / XDR deployment (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) with behavioural rules for shadow-copy deletion and for the mass rewrite-and-rename of files with high-entropy output that Phobos/DEVOS produces.

2. Removal (Step-by-Step)

  1. Disconnect the host from the network immediately (pull the cable / disable Wi-Fi) to stop encryption spreading to shared folders; do not power it off if you intend to collect volatile evidence first.
  2. Boot into Windows Safe Mode without networking (or use Windows RE from a bootable USB if the device will not boot); bring tools in on removable media rather than re-connecting the host.
  3. Use a legitimate offline security toolkit
  • Emsisoft Emergency Kit or Kaspersky Rescue Disk to perform a full scan and quarantine.
  • Look for the primary payload. File and service names vary per sample; the samples behind this page used a deliberately misspelled svhost.exe, a winlogon.exe dropped in %TEMP%, or a service named along the lines of DefenderService. Phobos-family builds typically also copy themselves under %APPDATA% / %LOCALAPPDATA% and into the user's Startup folder.
  4. Review autoruns (Autoruns64.exe from Sysinternals) for persistence in Run, RunOnce, Services, and scheduled tasks.
  5. Clean artifacts:
  • Delete the ransom notes (readme.txt / ReadMe.txt, see section 1) only after keeping one copy for the family check in the decryption section below.
  • Remove registry keys and services left by the payload ("DefenderService" or a random name).
  6. Reboot into regular Windows and run a second full AV scan to confirm the malware is gone.
  7. Enumerate shadow copies (vssadmin list shadows) to check whether any snapshots survived the deletion step; if they did, proceed to the shadow copy / VSS recovery step in the decryption section below.
  8. Reset every credential that was used or exposed on the host, starting with the RDP and domain accounts, before reconnecting it; the initial access was almost certainly a valid password.

3. File Decryption & Recovery

  • Decryptable?
    No, outside of exceptional law-enforcement key releases: the per-file AES-256 keys are wrapped with the actor's RSA key and cannot be recovered without the private half.
    However, check every case for overlooked options:
  1. Check for available decryptors
  • Check the Emsisoft and NoMoreRansom.org decryptor lists for Phobos (DEVOS). Where a decryptor exists for this family it requires BOTH the original and the encrypted version of the same file, 256 KB or larger, from the same system, so do NOT clean or rebuild the system before collecting these pairs.
  • Visit NoMoreRansom.org > "Crypto Sheriff" to upload a ransom note and an encrypted file and confirm the family.
  2. Restore from backups
  • Boot a fresh machine, install the OS from scratch and restore from offline or immutable backups. Verify checksums before mounting production services.
  3. Shadow copy / VSS recovery
  • If the deletion step failed (the malware sometimes does fail), use ShadowExplorer or the Previous Versions tab to pull files from the snapshots that vssadmin list shadows enumerates; vssadmin itself can list and delete snapshots but cannot restore files from them.
  • Test one or two files before a bulk restore.
  4. File-recovery utilities
  • PhotoRec / TestDisk can carve images, text, or video from free space if the original file's clusters were not overwritten during encryption.
  • Recuva / R-Studio may retrieve older versions overwritten by encryption, but only in very specific fragmentation scenarios.
  5. Negotiation & payment (not advised)
  • Typical ransom: USD 500–15 000 in Bitcoin.
  • Negotiation reportedly lowers the demand in a majority of cases, but payment guarantees nothing. DO NOT run a purchased decryptor on live production machines; rebuild and restore from offline backups instead.

4. Other Critical Information

  • Unique identifiers
    • Uses the CrySIS / Phobos codebase: AES-256 file encryption with per-file keys, wrapped with an RSA-1024 public key.
    • The RSA public key is embedded in the sample and the AES keys are generated locally, so no C2 contact is needed: encryption runs fully offline, and losing network connectivity mid-attack neither stops it nor changes what can be recovered.

  • EDR evasion
    • Renames itself after Windows system binaries; some samples perform simple environment checks (user-domain and computer-name strings that hint at a sandbox) before running.
    • Disables host defences via command-line tools: the samples behind this page tampered with Windows Defender definitions, and Phobos-family builds also switch off the Windows Firewall with netsh advfirewall.

  • Lateral movement script
    • Dropped after gaining admin rights; uses PsExec to copy the malware and its autorun registry entries to \\<comp-IP>\C$ on every reachable host.

  • Broader impact
    • The operators' infrastructure is still active (now behind Tor/I2P mirrors) and Bitcoin addresses are rotated frequently; blockchain analysis reportedly attributes > 3 400 BTC to the family since 2019, indicating a mid-sized but still significant impact on SMB and healthcare verticals.

  • Decoy recovery sites
    • Threat actors have created look-alike "decryptor" sites that demand another payment. Always confirm tool authenticity with the original vendor or NoMoreRansom.org.


Bottom line: DEVOS/Phobos thrives on weak RDP controls and under-patched legacy systems. RDP hardening, MFA, immutable segmented backups, and prompt patching remove the entry points it depends on and turn an outbreak into a recoverable incident rather than a business-ending one.