Ransomware Quick Reference – File Extension .dqb (Dharma / CrySiS off-shoot)
Technical Breakdown:
1. File Extension & Renaming Patterns
- Confirmation of File Extension: .dqb is appended after the original extension, not in place of it.
- Renaming Convention: original-file.ext.id-<RANDOM-ID>.[attackers-email].dqb
Example: Quarterly-Report.xlsx.id-7E5E3AFB.[[email protected]].dqb
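Added example (not part of this reference): a defender-side Python triage helper that recognises the renaming convention above, recovers the original name and extension from an encrypted file name, and summarises which victim IDs and contact strings appear across a file listing. The 8-hex-character ID length, the sample mailbox and the scan_tree helper are assumptions of this example.

```python
import os
import re
from collections import Counter
from typing import Optional

# Pattern from the reference: original-file.ext.id-<RANDOM-ID>.[attackers-email].dqb
# Assumption: the ID is an 8-character hex token; the contact string sits inside [ ].
DQB_PATTERN = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.\[(?P<contact>[^\]]+)\]\.dqb$"
)

def parse_dqb_name(filename: str) -> Optional[dict]:
    """Return the parsed components if filename matches the .dqb pattern, else None."""
    m = DQB_PATTERN.match(filename)
    if not m:
        return None
    original = m.group("original")
    # .dqb is appended after the original extension, so the file type is still recoverable.
    _, ext = os.path.splitext(original)
    return {
        "original_name": original,
        "original_ext": ext.lower(),
        "victim_id": m.group("victim_id").upper(),
        "contact": m.group("contact"),
    }

def triage(filenames) -> dict:
    """Summarise which names are encrypted, under which ID/contact, and what file types were hit."""
    hits = [p for p in (parse_dqb_name(os.path.basename(f)) for f in filenames) if p]
    return {
        "encrypted_count": len(hits),
        "victim_ids": sorted({h["victim_id"] for h in hits}),
        "contacts": sorted({h["contact"] for h in hits}),
        "by_extension": dict(Counter(h["original_ext"] for h in hits)),
    }

def scan_tree(root: str) -> dict:
    """Walk a directory tree (e.g. a mounted image of the affected host) and triage every file name."""
    names = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(names)

# Constructed sample listing (placeholder ID and mailbox, not real indicators).
SAMPLE = [
    "Quarterly-Report.xlsx.id-7E5E3AFB.[attacker@example.invalid].dqb",
    "budget.docx.id-7E5E3AFB.[attacker@example.invalid].dqb",
    "notes.txt",
    "info.hta",
    "archive.dqb",  # extension replaced rather than appended: not this family's pattern
]
```

Running triage(SAMPLE) reports two encrypted files under one victim ID; scan_tree(root) applies the same logic to a mounted image.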
2. Detection & Outbreak Timeline
- Approximate Start Date/Period: First clusters observed mid-August 2020, peaking September-October 2020. Sporadic waves have resurfaced roughly every 6-9 months since; the most recent sustained activity was logged in March 2024.
3. Primary Attack Vectors
- RDP brute-force / credential stuffing → manual deployment (main driver).
- Compromised VPN appliances (Pulse, Citrix, Fortinet) providing direct RDP / SMB exposure.
- Exploitation chains inside lateral-movement scripts leveraging:
• CVE-2020-1472 (Zerologon)
• CVE-2019-19781 (Citrix ADC)
• EternalBlue when SMBv1 is still enabled.
- Malicious email attachments (ISO, ZIP → MSI, EXE, BAT) acting as downloaders.
- Pirated software (key-gens, cracks) bundling the ransomware dropper.
4. Prevention
- Proactive Measures:
• Disable SMBv1 via GPO and registry.
• Harden RDP: restrict to VPN / jump hosts, MFA, rate-limiting, blocking TCP 3389 from WAN unless necessary.
• Patch Zerologon, Citrix, Fortinet, VPN & OS monthly.
• Enable Windows Remote Credential Guard or Network Level Authentication (NLA) for RDP to eliminate password spraying.
• Local admin rights removed for standard users; use tiered service accounts.
• EDR / next-gen AV with behavior-based detection for “ransomware.mdmp” and “boot-to-safe-mode script” heuristics.
• Immutable/cloud-based backups with 3-2-1 rule and tested restore drills.
5. Removal
- Isolate the host(s) from the network: pull the cable, disable Wi-Fi and disable VLAN interfaces.
- Identify persistence:
• Scheduled task named “%AppData%\Microsoft\Windows\winhost.exe” or random 8-char string under SysWOW64.
• Registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) pointing to info.hta (ransom note dropper).
- Perform a full boot-time scan with Emsisoft Emergency Kit, Malwarebytes, or Sophos Scan & Clean (their signatures detect the Dharma parent family).
- If manual removal is required:
• Kill the associated winhost.exe process, then delete its file.
• Remove scheduled task via schtasks /delete /tn <taskname> /f.
• Delete registry “Run” value.
- Reboot into Safe Mode (without networking) and repeat the scan to confirm eradication.
- Clean or rebuild only after wiping shadow copies (vssadmin delete shadows /all; the ransomware usually does this itself anyway) and verifying no re-infection paths exist.
6. File Decryption & Recovery
- Recovery Feasibility (Sept 2020 – Dec 2021): Yes – Emsisoft released a free decryptor covering the Dharma/CrySiS v2 and v3 variants that used the .dqb extension. Victims still need an intact pair (one encrypted file + its original unencrypted copy from backup or email/input dir).
- Current Status (2022-2024): Newer .dqb waves shifted keys, so the decryptor no longer applies. Recovery now depends solely on offline backups, a Shadow-Copy deletion check (sometimes skipped in newer scripts), or file-carving tools for mild damage.
- Essential Tools/Patches:
• Emsisoft Decryptor (archive copy here → verify its hash before use).
• Trend Micro “Ransomware File Decryptor” (handles older vcrypt files; now deprecated).
• Windows KB5004945 (July 2021 Zerologon).
• Cumulative Security Update for Windows (EternalBlue MS17-010 repeat).
- Backup Validation: Veeam Community Edition, Acronis Cyber Protect Cloud immutable vault.
- Unique Characteristics:
• Drops two ransom notes: info.hta (rich HTML note) and README.txt.
• Deletes Volume Shadow Copies via WMIC (wmic shadowcopy delete).
• No data-exfiltration module observed, so the extortion relies solely on the leverage of file encryption rather than leaked data.
• Uses hybrid AES + RSA; attackers retain private key on C2.
- Wider Impact / Notable Incidents:
• 2020: a 500-employee U.S. law firm was hit, forcing a 4-day shutdown and scrambling pre-trial data.
• 2023: a South Korean parts-supplier wave exploited a FortiGate VPN zero-day and cascaded to automotive OEM partners; downtime was estimated at 6.2 million USD.