divine

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The Divine ransomware appends .[[email protected]].divine to every encrypted file.
    Example: Quarterly_Report.xlsx becomes Quarterly_Report.xlsx.[[email protected]].divine.

  • Renaming Convention:
    The malware first copies each victim file into a temporary “.locked” placeholder, applies AES-256 + RSA-2048 hybrid encryption, deletes the original, then renames the encrypted blob with the extension above. The email address embedded in the extension ([email protected]) doubles as the actor’s primary contact point, and a ransom note named “!README_DIVINE!.txt” is written to every directory that contains encrypted files.
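A defender's first question on a file server is usually "how far did it get?". The function below is an added example (not code from the original write-up) that sweeps a directory tree for the three naming artifacts just described: the `.[<e-mail>].divine` extension, the `!README_DIVINE!.txt` note, and leftover `.locked` placeholders. Because the page only shows an obfuscated placeholder for the contact address, the address is matched as a wildcard; the function name and parameters are assumptions of this example.

```powershell
# Added example (not from the original write-up): sweep a directory tree for the
# Divine file-naming pattern and summarise the scope of the encryption.
function Find-DivineArtifacts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $NoteName = '!README_DIVINE!.txt'   # ransom-note name quoted in the write-up
    )

    # Encrypted file: <original name>.[<contact e-mail>].divine
    # The address is a wildcard here because the write-up only shows a placeholder.
    $encryptedPattern = '\.\[[^\]\\/]+@[^\]\\/]+\]\.divine$'

    $encrypted = @()
    $notes     = @()
    $locked    = @()

    foreach ($f in Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue) {
        if ($f.Name -match $encryptedPattern) {
            $encrypted += $f
        }
        elseif ($f.Name -eq $NoteName) {
            $notes += $f
        }
        elseif ($f.Extension -eq '.locked') {
            # Temporary placeholder from the copy-encrypt-delete-rename sequence;
            # leftovers usually mean the run was interrupted in that folder.
            $locked += $f
        }
    }

    # Distinct contact addresses embedded in the extension (useful for attribution)
    $contacts = @(
        foreach ($f in $encrypted) {
            if ($f.Name -match '\.\[([^\]]+)\]\.divine$') { $Matches[1] }
        }
    ) | Sort-Object -Unique

    [pscustomobject]@{
        Path               = $Path
        EncryptedFiles     = $encrypted.Count
        RansomNotes        = $notes.Count
        LockedPlaceholders = $locked.Count
        ContactAddresses   = @($contacts)
        AffectedFolders    = @(($encrypted + $notes) | ForEach-Object DirectoryName | Sort-Object -Unique)
    }
}

# Usage (run read-only against a mounted share or forensic image):
# Find-DivineArtifacts -Path 'D:\Shares' | Format-List
```

Run it before any cleanup so the counts and folder list become part of the incident record; a non-zero `LockedPlaceholders` count is worth noting, since it marks folders where the encryption pass did not complete.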

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First telemetry hits appeared on 20–22 May 2024. A sharp spike in public submissions to ID-Ransomware and VirusTotal began 24 May 2024 and continues to climb. By 3 June 2024, more than 180 samples had been tagged to the Divine family, indicating an active, ongoing campaign.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. RDP brute-forcing & credential stuffing – Targets Remote Desktop endpoints protected by default or weak credentials.
  2. Malicious advertisement (malvertising) redirects – Victims download a fake “Firefox/Chrome updater.exe” that drops a Divine loader.
  3. Exploited CVEs:
    • CVE-2024-21412 (Windows SmartScreen bypass) used to drop DIVINE payloads from booby-trapped MSIX or .url files.
    • CVE-2023-34362 (MOVEit Transfer) leveraged to seed corporate networks.
  4. Supply-chain compromise of cracked software – Pirated Adobe & AutoCAD installers hosted on Discord CDN frequently include the Divine loader dubbed “divsetup.exe”.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Block outbound TOR traffic unless there is an approved business need. Divine’s current .onion address is 3aqhk2k56xj7brn6sr5vgnnka566y2dbqkfv2aiqiyemkx2uc5pdhad.onion.
    • Disable SMBv1/SMBv2 if not required; segment file servers with VLAN access-lists.
    • Patch immediately: Exchange (ProxyNotShell), MOVEit (2023-06 updates), and the Windows Defender SmartScreen fix (KB5034763).
    • Enforce MFA on all RDP/SSH endpoints, use random, high-entropy passwords, and adopt a zero-trust network policy.
    • Deploy application allow-listing via Microsoft Defender Application Control or AppLocker, blocking arbitrary executables in user-writable paths (e.g., %LOCALAPPDATA%\Temp\*).
    • Backups: 3-2-1 rule (three copies, two media types, one off-site/off-line). Ensure Veeam/BackupExec jobs write to immutable storage (AWS S3 Object Lock, Linux chattr +i volumes).
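The host-level items in this list can be checked in one pass. The function below is an added example (not from the original write-up) that audits SMBv1, the KB5034763 update named above, RDP Network Level Authentication, UAC, and whether any application allow-listing (AppLocker rules or an enforced WDAC policy) is in place, returning one pass/fail row per control. It uses standard Windows cmdlets and WMI classes; the function name and the row layout are this example's own choices.

```powershell
# Added example (not from the original write-up): audit the host-side controls
# from the prevention list. Run from an elevated session on Windows 8/Server 2012+.
function Test-DivineHardening {
    [CmdletBinding()]
    param(
        [string] $SmartScreenKB = 'KB5034763'   # update named in the write-up
    )
    $rows = @()

    # SMBv1 should be off; SMBv2 state is reported for information only
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb) {
        $rows += [pscustomobject]@{ Control = 'SMBv1 disabled'; Pass = (-not $smb.EnableSMB1Protocol); Detail = "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)" }
        $rows += [pscustomobject]@{ Control = 'SMBv2 state (info)'; Pass = $true; Detail = "EnableSMB2Protocol=$($smb.EnableSMB2Protocol)" }
    }

    # SmartScreen bypass fix installed?
    $kb = Get-HotFix -Id $SmartScreenKB -ErrorAction SilentlyContinue
    $rows += [pscustomobject]@{ Control = "$SmartScreenKB installed"; Pass = [bool]$kb; Detail = $(if ($kb) { "installed $($kb.InstalledOn)" } else { 'missing' }) }

    # RDP: Network Level Authentication makes the client authenticate before a session exists,
    # which blunts brute-forcing against the logon screen
    $ts = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
    if ($ts) {
        $rows += [pscustomobject]@{ Control = 'RDP NLA required'; Pass = ($ts.UserAuthenticationRequired -eq 1); Detail = "UserAuthenticationRequired=$($ts.UserAuthenticationRequired)" }
    }

    # UAC at default or higher: EnableLUA=1 and admins are prompted (0 = elevate silently)
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $uacOk = ($pol.EnableLUA -eq 1) -and ($pol.ConsentPromptBehaviorAdmin -ne 0)
    $rows += [pscustomobject]@{ Control = 'UAC enabled, admins prompted'; Pass = $uacOk; Detail = "EnableLUA=$($pol.EnableLUA) ConsentPromptBehaviorAdmin=$($pol.ConsentPromptBehaviorAdmin)" }

    # Application control: any effective AppLocker rules, or a WDAC policy in enforced mode (status 2)
    $appLocker = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $hasRules = $appLocker -and ($appLocker.RuleCollections | Where-Object { $_.Count -gt 0 })
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $wdacEnforced = $dg -and ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
    $rows += [pscustomobject]@{ Control = 'Application allow-listing'; Pass = [bool]($hasRules -or $wdacEnforced); Detail = "AppLockerRules=$([bool]$hasRules) WDACEnforced=$([bool]$wdacEnforced)" }

    return $rows
}

# Usage:
# Test-DivineHardening | Format-Table -AutoSize
```

Network-side items (TOR egress blocking, VLAN segmentation, immutable backup targets) live outside the host and are not covered here; treat a failing row as a finding to fix, not as proof the host is clean.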

2. Removal

  • Infection Cleanup:
  1. Disconnect affected machine(s) from the network immediately to prevent lateral spread.
  2. Boot into Safe Mode with Networking.
  3. Terminate active payloads:
    • Look for %LOCALAPPDATA%\div32.exe or divsetup.exe, and for svchost.exe instances launched from a non-standard location under C:\Users\<user>\AppData.
  4. Remediate persistence:
    • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DivineMaintenance
    • Scheduled Tasks: Divine_Scheduler_Updater
  5. Run reputable offline scanners:
    • ESET Emergency Kit, Trend Micro Ransomware Remover, or Kaspersky Rescue Disk.
  6. Verify removal with PowerShell:
     Get-WmiObject Win32_Process | ?{$_.CommandLine -match 'divine'}
  7. Shadow copies: Divine deletes Volume Shadow Copies with vssadmin delete shadows /all. Re-create them after cleanup.
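Steps 3 to 7 above, together with the WMI event filter mentioned later under “Additional Precautions”, amount to a fixed list of artifacts to find and remove. The function below is an added example (not from the original write-up) that checks all of them in one pass and, with the `-Remove` switch, terminates or deletes what it finds. Artifact names (div32.exe, divsetup.exe, DivineMaintenance, Divine_Scheduler_Updater, DivEFilter) come from the write-up; the function name, the `-Remove` switch and the report layout are this example's own.

```powershell
# Added example (not from the original write-up): one-pass check for the Divine
# process and persistence artifacts listed in the removal steps. Run from an
# elevated PowerShell session on the isolated host; report first, remove second.
function Get-DivineFootprint {
    [CmdletBinding()]
    param(
        [switch] $Remove   # when set, terminate/remove what is found instead of only reporting
    )
    $findings = @()

    # 1. Processes: the named loaders, anything with "divine" on the command line, and
    #    svchost.exe started from a user profile (the real one lives in System32).
    $procs = Get-CimInstance Win32_Process | Where-Object {
        ($_.Name -in 'div32.exe', 'divsetup.exe') -or
        ($_.CommandLine -match 'divine') -or
        ($_.Name -eq 'svchost.exe' -and $_.ExecutablePath -match '\\Users\\[^\\]+\\AppData\\')
    }
    foreach ($p in $procs) {
        $findings += [pscustomobject]@{ Type = 'Process'; Item = "$($p.Name) (PID $($p.ProcessId))"; Detail = $p.ExecutablePath }
        if ($Remove) { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }
    }

    # 2. Run-key persistence
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'DivineMaintenance' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{ Type = 'RunKey'; Item = 'DivineMaintenance'; Detail = $run.DivineMaintenance }
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'DivineMaintenance' }
    }

    # 3. Scheduled-task persistence
    $task = Get-ScheduledTask -TaskName 'Divine_Scheduler_Updater' -ErrorAction SilentlyContinue
    if ($task) {
        $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Item = $task.TaskName; Detail = (($task.Actions | ForEach-Object Execute) -join ';') }
        if ($Remove) { Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false }
    }

    # 4. WMI permanent event subscription (re-infects on reboot). Filters, consumers and
    #    the bindings that join them all live in the root\subscription namespace.
    $filter = Get-CimInstance -Namespace root\subscription -ClassName __EventFilter |
        Where-Object Name -eq 'DivEFilter'
    if ($filter) {
        $findings += [pscustomobject]@{ Type = 'WmiEventFilter'; Item = $filter.Name; Detail = $filter.Query }
        if ($Remove) {
            # Remove bindings that reference the filter first, then the filter itself.
            # The Filter property is a reference; its string form contains the filter name.
            Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
                Where-Object { "$($_.Filter)" -match 'DivEFilter' } |
                Remove-CimInstance
            $filter | Remove-CimInstance
        }
    }

    # 5. Shadow copies: Divine runs "vssadmin delete shadows /all", so zero copies after an
    #    incident is expected; re-create them once the host is confirmed clean.
    $shadowCount = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
    $findings += [pscustomobject]@{ Type = 'ShadowCopies'; Item = "$shadowCount present"; Detail = 're-create after cleanup if 0' }

    return $findings
}

# Usage: report only, then remove once the report has been reviewed
# Get-DivineFootprint | Format-Table -AutoSize
# Get-DivineFootprint -Remove
```

Keep the first, report-only run as evidence before removing anything, and follow it with the offline scanners from step 5; this check covers only the artifacts the write-up names and will not notice a loader that has been renamed.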

3. File Decryption & Recovery

  • Recovery Feasibility:
    As of 25 June 2024, private keys are not publicly available, so files cannot be decrypted without paying the ransom; recovery otherwise depends on an uncompromised offline backup.
    Two caveats:
    • The malware stores the encrypted AES keys locally, but they are wrapped by a per-victim RSA-2048 public key whose private half resides on the operator’s TOR server. No free decryptor exists.
    • Salvageable data recovery: if the attackers used an in-place encryption routine rather than a secure delete on the original file, partial carving with PhotoRec or R-Studio is worth attempting on non-SSD drives. Success rate is ≈ 10 %.

  • Essential Tools/Patches:
    • Microsoft KB5034763 (SmartScreen bypass fix)
    • MOVEit Transfer patch 2023.0.5 (or 2024.0.1)
    • Trend Micro RansomBuster (free) – real-time behavioural protection
    • Veeam Backup & Replication v12a with Immutability enabled
    • Emsisoft’s “Ransom-free” decryptor site – monitor for a Divine release.

4. Other Critical Information

  • Additional Precautions:
    • Self-elevation via COM Elevation Moniker – Divine uses CoGetObject + Elevation:Administrator!new: to bypass UAC silently once running under an admin token. Make sure UAC is at default or higher and disable the COM-based elevation shim with Group Policy.
    • Custom WMI event filter: creates an __EventFilter with Name = "DivEFilter" to re-infect on reboot if removed; look for it with Get-WmiObject -Namespace root\subscription -Class __EventFilter (permanent event subscriptions live in that namespace, not the default root\cimv2).

  • Broader Impact:
    Divine’s authors are masquerading as the former “LockBitSupp” persona in underground forums, claiming responsibility for 108 victims listed on their leak site (“divblog”.onion). 73 % of disclosed entities are located in manufacturing and engineering sectors throughout APAC and LATAM, suggesting a deliberate industrial-espionage element rather than purely financial motivation. Ransom demands hover around 1.8–4.5 BTC (≈ US $110k–275k), and a secondary extortion channel threatens to publish sensitive CAD models. Target hardening for OT environments (e.g., Siemens TIA Portal, Schneider EcoStruxure) with network micro-segmentation is now a high priority for affected verticals.