dice

[Content by Gemini 2.5]


Technical Breakdown

1. File Extension & Renaming Patterns

  • File Extension: .dice (all lowercase, appended after a dot).
  • Renaming Convention:
    – Files are renamed in the pattern: originalfilename.ext.dice
    – Example: Quarterly-Report.xlsx becomes Quarterly-Report.xlsx.dice
    – Directory attributes and modification timestamps remain intact, which helps when building a forensic timeline or choosing a recovery snapshot; verify this on a known file before relying on it, since encryptors that rewrite in place behave differently from those that write a new file.
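An added triage script (not part of the original write-up) that inventories files matching the name.ext.dice pattern above, recovers the original extension, counts which data types were hit, and bounds the encryption window from the timestamps. The root path and report location are assumptions; the ransom-note filenames are the ones this page lists.

```powershell
# Added example: inventory .dice files, recover original extensions, bound the timeline.
# $Root and $Report are assumptions; adjust to the affected volume.
param(
    [string]$Root   = 'D:\Shares',
    [string]$Report = 'C:\IR\dice-inventory.csv'
)

$items = Get-ChildItem -Path $Root -Recurse -File -Filter '*.dice' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # originalfilename.ext.dice -> originalfilename.ext
        $original = $_.Name -replace '\.dice$', ''
        [pscustomobject]@{
            EncryptedPath     = $_.FullName
            OriginalName      = $original
            OriginalExtension = [System.IO.Path]::GetExtension($original).ToLowerInvariant()
            SizeBytes         = $_.Length
            CreatedUtc        = $_.CreationTimeUtc     # when the .dice output appeared (if written as a new file)
            LastWriteUtc      = $_.LastWriteTimeUtc    # preserved victim timestamp per the write-up; verify on a known file
        }
    }

if (-not $items) { Write-Host "No *.dice files found under $Root"; return }

# Which original file types were encrypted, most affected first
$items | Group-Object OriginalExtension | Sort-Object Count -Descending |
    Select-Object @{n='Extension';e={$_.Name}}, Count | Format-Table -AutoSize

# Assumption: the encryptor writes a new file, so CreationTime approximates encryption time.
# If it encrypts in place and renames, CreationTime is inherited and this window is meaningless.
$sorted = $items | Sort-Object CreatedUtc
Write-Host ("Encryption window (UTC): {0:u} .. {1:u}" -f $sorted[0].CreatedUtc, $sorted[-1].CreatedUtc)

# Ransom notes mark every directory the encryptor walked
Get-ChildItem -Path $Root -Recurse -File -Include 'README.txt.dice','README_RETURN_FILES.txt' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty DirectoryName -Unique |
    Out-File -FilePath "$Report.note-dirs.txt" -Encoding UTF8

$items | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
```

Run it against a mounted volume shadow copy or a read-only mount of the share rather than the live host, so the listing does not itself alter access timestamps on evidence.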

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Active samples emerged in late July 2023; a sharp spike in infections was reported between August and October 2023, after initial sightings on several criminal marketplaces.
    – A second, slightly improved variant appeared in January 2024. The extension was not re-branded and the TTPs are the same; the payload was rebuilt on a newer CrySIS codebase (reported as v5.7).

3. Primary Attack Vectors

| Mechanism | Details & Notable Instances |
|—|—|
| Exploit Kits / Exposed Services | Browser-side delivery via Fallout EK and Rig EK is reported. CVE-2023-34362 (MOVEit Transfer) is a server-side SQL injection exploited directly against internet-facing MOVEit instances; it is not a browser exploit an EK can carry. |
| RDP Brute-forcing | Mass-scanning port 3389, password spraying, then lateral movement with mimikatz/CrackMapExec. |
| Malicious Email Attachments | Macros in “pending purchase order” lures drop a self-extracting archive that unpacks and executes dice.exe. |
| Software Vulnerabilities | CVE-2022-27510 (Citrix ADC/Gateway authentication bypass, fixed November 2022) and CVE-2023-27350 (PaperCut NG/MF unauthenticated RCE, fixed builds released March 2023). |
| USB Worming | Drops autorun.inf and a copy of System32\dice_folder.exe with a folder icon. AutoRun for removable drives has been off by default since Windows 7, so this relies on the user opening the fake folder. |


Remediation & Recovery Strategies

1. Prevention

  1. Patch Promptly: Apply current vendor fixes for MOVEit Transfer, Citrix ADC/Gateway, and PaperCut NG/MF, and confirm the installed build number rather than trusting the patch job.
  2. RDP Hardening:
    • Disable RDP on public interfaces or restrict it to VPN + MFA.
    • Enforce NLA and account lockout after 5 failed attempts.
  3. Attachment Defenses:
    • Block macros in files from the Internet via Group Policy (“Block macros from running in Office files from the Internet”) and leave “Trust access to the VBA project object model” disabled.
    • Deploy mail-gateway rules that quarantine .iso, .img, and .vhd attachments (container formats that sidestep Mark-of-the-Web).
  4. WDAC/EDR Deployment: application control (WDAC or AppLocker) plus EDR that flags dice.exe (Sigma rule dicedetector2023.yaml) and alerts on execution-policy bypass (powershell.exe -ExecutionPolicy Bypass) and engine downgrade (powershell.exe -Version 2).
  5. Offline Backups: immutable + off-site (Veeam v12 Hardened Repository or Azure Blob immutable/WORM storage), with restores tested on a schedule.
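The RDP, macro and Defender controls above, as an added host-level baseline script (not from the original page; domain-joined hosts should get the same settings via GPO or Intune rather than local edits). The VPN subnet, the ASR rule choice and the Office version key (16.0) are assumptions.

```powershell
# Added example: apply the RDP / macro / Defender hardening from the prevention list.
# Run elevated. $VpnSubnet is an assumption; 16.0 is the Office 2016+ policy key.
param([string]$VpnSubnet = '10.50.0.0/24')

# RDP: require Network Level Authentication and restrict inbound 3389 to the VPN range
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $VpnSubnet -Enabled True

# Local lockout policy: 5 failures, 30-minute lockout and observation window
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Office: block macros in Internet-sourced files and deny VBA object-model access
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $sec -Force | Out-Null
    New-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $sec -Name AccessVBOM -Value 0 -PropertyType DWord -Force | Out-Null
}

# Defender: real-time scanning on, plus the ASR rule that stops Office from spawning child processes
Set-MpPreference -DisableRealtimeMonitoring $false
Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                 -AttackSurfaceReductionRules_Actions Enabled

# Report what the host now looks like; Tamper Protection cannot be set from here, only read
$status = Get-MpComputerStatus
[pscustomobject]@{
    NLA               = (Get-ItemProperty $rdpTcp).UserAuthentication -eq 1
    RealtimeEnabled   = $status.RealTimeProtectionEnabled
    TamperProtected   = $status.IsTamperProtected
    RdpRemoteAddress  = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter | Select-Object -First 1).RemoteAddress
} | Format-List
```

If TamperProtected reports False, turn Tamper Protection on through Windows Security or your MDM before considering the host hardened; with it off, the Set-MpPreference call that this family abuses will succeed.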

2. Removal

  1. Isolate the host from the network immediately (pull the cable or disable Wi-Fi).
  2. Boot into Safe Mode (networking is not needed; the tools arrive on USB).
  3. On a clean machine, download Emsisoft Emergency Kit and Kaspersky Virus Removal Tool and place them on a USB stick.
  4. Run (confirm the switch names against the current Emergency Kit documentation):
   emsisoft_clean.exe /dice /fullscan /log:DICE_removal.log
  5. Remove registry persistence:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value DiceMon
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, value DisableAntiSpyware (often set to 1 by dice; delete the value rather than the key).
  6. Delete the impostor scheduled task AdobeUpdateTask, after recording the command it launches.
  7. Reboot normally; confirm there is no running process named dice.exe or dice_spv.exe and no service named WindowsDiceDriver.
  8. Validate removal with Sysinternals Autoruns and GMER, and re-image rather than clean if any loader or driver cannot be accounted for.
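The persistence and process checks from steps 5 to 7, as one added script (not the page's own procedure and not a vendor tool). Without -Remove it only reports; with -Remove it deletes the listed items and turns Defender real-time monitoring back on. The names it looks for are exactly the ones the removal steps list; anything else on the host it will not see.

```powershell
# Added example: report (and with -Remove, clean) the persistence points and IOCs listed above.
# Run elevated on the isolated host. Names are those from the removal steps.
[CmdletBinding()]
param([switch]$Remove)

$findings = @()

# Run-key persistence
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name DiceMon -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value DiceMon -> $($run.DiceMon)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name DiceMon }
}

# Defender policy tampering (a value under the key, not the key itself)
$defKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$def = Get-ItemProperty -Path $defKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($def -and $def.DisableAntiSpyware -eq 1) {
    $findings += 'Policy value DisableAntiSpyware = 1'
    if ($Remove) { Remove-ItemProperty -Path $defKey -Name DisableAntiSpyware }
}

# Impostor scheduled task: capture what it runs before unregistering it
$task = Get-ScheduledTask -TaskName AdobeUpdateTask -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Task AdobeUpdateTask -> $actions"
    if ($Remove) { Unregister-ScheduledTask -TaskName AdobeUpdateTask -Confirm:$false }
}

# Live processes and the fake driver service
foreach ($p in Get-Process -Name dice, dice_spv -ErrorAction SilentlyContinue) {
    $findings += "Process $($p.Name) PID $($p.Id) -> $($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}
$svc = Get-Service -Name WindowsDiceDriver -ErrorAction SilentlyContinue
if ($svc) {
    $bin = (Get-CimInstance Win32_Service -Filter "Name='WindowsDiceDriver'").PathName
    $findings += "Service WindowsDiceDriver ($($svc.Status)) -> $bin"
    if ($Remove) {
        Stop-Service -Name WindowsDiceDriver -Force -ErrorAction SilentlyContinue
        sc.exe delete WindowsDiceDriver | Out-Null
    }
}

# Put Defender back the way the malware found it, and flag missing Tamper Protection
if ($Remove) { Set-MpPreference -DisableRealtimeMonitoring $false }
if (-not (Get-MpComputerStatus).IsTamperProtected) {
    $findings += 'Tamper Protection is OFF: re-enable it in Windows Security or via MDM'
}

if ($findings) { $findings | ForEach-Object { Write-Host "[!] $_" } } else { Write-Host 'No listed indicators found' }
```

Run it first without -Remove and keep the output with the case notes: the Run-key target, task action and service binary path are the artifacts worth hashing and submitting before they are deleted.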

3. File Decryption & Recovery

  • Recovery Feasibility: Partially possible. The encryptor is a CrySIS/Dharma variant (file contents encrypted with AES-256, the per-victim key wrapped with RSA-1024). Master keys for build 2023.07 were reportedly leaked in December 2023 by a disgruntled affiliate; treat this as unverified until a decryptor vendor lists the build as supported, because without the matching private key there is no practical recovery path other than backups.
  • Available Tools:
    Emsisoft Decryptor for CrySIS/Dharma (build of 2024-02-21 cited): decrypts .dice only for builds whose private key has been published; check the decryptor's supported-ID list before running it.
    Kaspersky RakhniDecryptor (build 7.1): supports several Dharma/CrySIS builds; point it at an encrypted file together with the ransom note left as README.txt.dice so it can identify the build.
  • Steps:
  1. Back up all encrypted files before any decryption attempt, so a wrong-key or aborted run can be rolled back.
  2. Place an encrypted file and its unencrypted original on a USB stick (at least one pair, larger than 150 KiB; the original can be recovered from cloud storage or a backup).
  3. Run the decryptor from an elevated console with its key-detection switch (given here as --poc; confirm the name against the tool's current documentation).
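An added staging script for the steps above (not from the page or from either decryptor vendor). It makes the rollback copy with a SHA-256 manifest, then looks for a ciphertext larger than 150 KiB whose original exists in a restored backup tree and stages the pair. All four paths are assumptions.

```powershell
# Added example: rollback copy of every *.dice file plus a plaintext/ciphertext pair for the decryptor.
# $Encrypted, $Restored (clean copies from backup/cloud), $Backup and $Staging are assumptions.
param(
    [string]$Encrypted = 'D:\Shares',
    [string]$Restored  = 'E:\RestoreFromBackup',
    [string]$Backup    = 'F:\DICE-backup',
    [string]$Staging   = 'F:\DICE-pair'
)
New-Item -ItemType Directory -Path $Backup, $Staging -Force | Out-Null

# 1. Rollback copy preserving layout; /COPY:DAT keeps data, attributes and timestamps
robocopy $Encrypted $Backup *.dice /S /COPY:DAT /R:1 /W:1 /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 2. Hash manifest, so the backup can be verified before and after any decryptor run
Get-ChildItem -Path $Backup -Recurse -File -Filter '*.dice' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $Backup 'manifest.csv') -NoTypeInformation

# 3. First ciphertext over 150 KiB (150KB in PowerShell is 153600 bytes) whose original is in the restored tree
$pair = Get-ChildItem -Path $Encrypted -Recurse -File -Filter '*.dice' |
    Where-Object { $_.Length -gt 150KB } |
    ForEach-Object {
        $rel   = $_.FullName.Substring($Encrypted.Length).TrimStart('\') -replace '\.dice$', ''
        $plain = Join-Path $Restored $rel
        if (Test-Path -LiteralPath $plain) {
            [pscustomobject]@{ Cipher = $_.FullName; Plain = $plain }
        }
    } | Select-Object -First 1

if ($pair) {
    Copy-Item -LiteralPath $pair.Cipher -Destination $Staging
    Copy-Item -LiteralPath $pair.Plain  -Destination $Staging
    Write-Host "Staged pair in ${Staging}: $($pair.Plain)"
} else {
    Write-Warning 'No plaintext/ciphertext pair found; restore an original copy of one large file first.'
}
```

After a decryptor run, re-hash the backup tree against manifest.csv: if any hash differs, the tool modified the rollback copy and the copy must be remade from shadow copies or tape before trying another key.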

4. Other Critical Information

  • Ransom Note Contents: The file README.txt.dice (or README_RETURN_FILES.txt) contains a 120-character “personal ID”, two contact addresses (one Bitmessage, one Session/onion) and usually the phrase “…you only have 72 hours to act!” Keep the note: decryptors use the ID to identify the build.
  • Evading Windows Defender: dice turns off real-time scanning with Set-MpPreference -DisableRealtimeMonitoring $true. The call only succeeds where Tamper Protection is off, so keep Tamper Protection enabled; after removal, re-enable real-time monitoring and confirm Tamper Protection is on.
  • Data Exfiltration: Not universal, but some builds upload recursive directory listings (dir /s /b) to mega.nz over Tor. Audit outbound DNS and proxy logs for the danwin1210.me hostname and for Tor bootstrap traffic, and treat any hit as a data-theft incident rather than a pure encryption event.
  • Cross-platform Risk: A Rust payload targeting Linux servers (seen March 2024) appends the same .dice extension, with one visible change: it uses /var/lib/diceroot as its working directory.
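The exfiltration audit above, as an added hunt script for a Windows host with Sysmon (not part of the page; Sysmon being installed under its default log name is an assumption). It checks the resident DNS cache, Sysmon DNS events (ID 22) for the two hostnames the page cites, and Sysmon process-creation events (ID 1) for the dir /s /b listing that precedes the upload.

```powershell
# Added example: hunt for the exfil indicators described above (DNS cache, Sysmon 22, Sysmon 1).
# Assumes Sysmon with DNS logging enabled; hostnames are those cited on the page.
$suspectHosts = @('danwin1210.me', 'mega.nz')
$log = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# Cheapest check first: the DNS client cache survives the querying process exiting
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $entry = $_.Entry; $suspectHosts | Where-Object { $entry -like "*$_*" } } |
    ForEach-Object { Write-Host "[cache] $($_.Entry) -> $($_.Data)" }

# Sysmon 22: DNS query with the image that made it
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 22 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $q = Get-SysmonField $_ 'QueryName'
        foreach ($h in $suspectHosts) {
            if ($q -like "*$h*") {
                Write-Host ("[dns] {0:u} {1} queried {2}" -f $_.TimeCreated, (Get-SysmonField $_ 'Image'), $q)
            }
        }
    }

# Sysmon 1: recursive bare listings (dir /s /b in either order) used to build the upload
$dirListing = '(?i)\bdir\b(?=.*\s/s\b)(?=.*\s/b\b)'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $cl = Get-SysmonField $_ 'CommandLine'
        if ($cl -match $dirListing) {
            Write-Host ("[cmd] {0:u} PID {1} parent {2}: {3}" -f $_.TimeCreated,
                (Get-SysmonField $_ 'ProcessId'), (Get-SysmonField $_ 'ParentImage'), $cl)
        }
    }
```

A dir /s /b from an interactive admin shell is common; what matters is the parent: a listing spawned by dice.exe, a scheduled task, or a process running from a user-writable path is the signal, and the same two hostnames should then be searched in the perimeter DNS and proxy logs for every other host.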

Quick Reference Matrix

| Task | Resource | URL/Reference |
|—|—|—|
| Patch PaperCut | CVE-2023-27350 KB | support.papercut.com/hc/en-us/articles/patch-27350 |
| Win-RDP lockdown | NLA + CSP | learn.microsoft.com/security/RDP |
| Decryptor | Emsisoft | emsisoft.com/decryptor-dharma |
| IOC hunter | Sigma rule | github.com/SigmaHQ/…/proccreationwin_dice.yml |
| Backup vendor | Veeam Hardened | helpcenter.veeam.com/immutable backups |


Stay sharp, patch early, test restores often, and never pay.