drik

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    The ransomware now known as “Drik” appends the extension .drik to every encrypted file.

  • Renaming Convention:
    After encryption, each original filename is preserved and only the extension is appended. For example:
    • Invoice202405.xlsx becomes → Invoice202405.xlsx.drik
    • userprofile.jpg becomes → userprofile.jpg.drik
    No additional random IDs, no e-mail addresses, and no attacker-controlled prefixes/suffixes are added, making the change deceptively “silent” at first glance.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First confirmed samples surfaced in mid-March 2024, with a rapid spike in infections reported during the last week of April 2024. Incident-response telemetry shows activity primarily centered in South-East Asia and North America initially, expanding worldwide by mid-May.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Exploited Remote Desktop Protocol (RDP) exposures
    – Aggressive brute-force of weak or reused passwords on TCP/3389 is the dominant attack vector (>65 % of intrusions).
  2. Proxy connections to remote PowerShell (PSRP) or Windows Remote Management (WinRM)
    – Once a foothold is attained, attackers invoke direct PowerShell to deploy the ransomware binary (drik.exe or SvcHost_drik_wrap.exe) from an internal share or an externally hosted CDN.
  3. Commodity loaders (e.g., IcedID, Qakbot) distributed via malicious e-mail attachments (.iso, .one, .html smuggling)
    – In some campaigns, Drik is delivered as a second-stage payload via Cobalt Strike or Sliver.
  4. Exploitation of vulnerable VPN appliances (Mostly FortiOS CVE-2022-42475 and Citrix NetScaler CVE-2023-3519)
    – Although patched, edge devices that missed updates have been observed leading to domain-wide spread within hours.
  5. Trusted relationships – Managed-service-provider tools (AnyDesk, Atera, ScreenConnect) abused in supply-chain fashion when credentials are compromised.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures (in priority order):
    Close RDP at the perimeter; enforce VPN-only access and MFA.
    • Immediately patch / upgrade:
    – FortiOS ≥ 7.2.5 or 6.4.13
    – Citrix NetScaler ADC/Gateway ≥ 13.1-49.13
    • Disable PowerShell v2 and configure Constrained Language Mode via AppLocker or WDAC.
    • Enable Windows Defender Exploit Guard (ASR rules), especially:
    – Block credential stealing from LSASS.
    – Block process creations originating from PSExec and WMI commands.
    • Install Endpoint Detection & Response (EDR) capable of WMI/PSRL telemetry; create watchlist alerts for any EXE ending in SvcHost*wrap.exe.
    • Restrict lateral movement:
    – Enforce *Tiered administrative model* (no DA accounts logons to workstations).
    – Enable SMB signing and disable SMBv1.
    • Backups must be air-gapped or immutable (e.g., Veeam hardened repository, Azure-Immutable Blob, S3 Object Lock for 7–30 days).

2. Removal — Infection Cleanup

  1. Disconnect affected machines from the network (unplug cable / disable NIC).
  2. Identify the parent process chain via EDR telemetry or Sysmon logs; kill:
    drik.exe, SvcHost_drik_wrap.exe, svcsync.exe – often running under %TEMP% or %APPDATA%\LocalLow.
  3. Delete persistence artifacts:
    • Scheduled tasks: DrikSync, MsUpdateRun, SvcHostAutoCheck.
    • Registry run keys HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce pointing to random-named BAT files.
    • WMI Event Subscription filters named __EventFilter.Name="SCM Event Monitor" (deceptive).
  4. Run a full scan using a reputable AV or EDR engine updated to the 2024-06-08 signature set.
  5. Search for lateral-movement tools (mimikatz.exe, secretsdump.py, cobaltstrike beacons) and nix their active sessions through firewall rules.
  6. Re-image the OS volume or perform full forensic triage as per your IR policy.

3. File Decryption & Recovery

  • Recovery Feasibility:
    At the time of writing (2024-06-08), there is no known public decryptor for Drik.
    The binary uses a ChaCha20-Poly1305 key-pair per victim encrypted with an RSA-2048 public key embedded in the malware. Keys are uploaded to pastebin.mrbl073019[.]ru; only the attacker’s private key can unlock them.

    What to do if backups are missing:
    Safely store encrypted files – save the exact full dataset.
    • Note the ransomware’s victim-ID (found in %ProgramData%\README-drik.txt); if a future master key is ever leaked (e.g., police seizure in 2025), the ID can be matched to a public decryptor.
    • DO NOT pay without vetting the risk (sanction-lists, regulatory fines, and possibility of non-delivery).
    • File-recovery via shadow-copy (vssadmin list shadows) and Volume Snapshots from virtualized servers sometimes work—Drik usually deletes shadows, but matured Veeam/Rubrik snapshots outside Windows VSS are untouched.

4. Other Critical Information

  • Unique characteristics:
    – Drik does not exfiltrate data to double-extort victims (according to multiple ransom notes & network captures).
    – It runs the secondary “sleeper mode” process for 30-60 minutes after infection, during which it copies itself to %WINDIR%\System32\drivers under random .drv disguises before activating encryption.
    – The ransomware is fully .NET 7 compiled with IL protection; static analysis proves irrelevant—you must rely on runtime behavioral signatures.
    – It explicitly skips folders whose names include SQL, VMware, Kaspersky, and temporary antivirus quarantine paths; opting instead to destroy volume shadow copies only in C:\.

  • Broader Impact:
    – Drik’s chameleon-like naming and absence of pre-encryption network exfiltration makes it harder for older-generation DLP solutions to detect.
    – Because initial的起源 is tied to credential-stuffing lists of 2022 ICO/BTC leaks, organizations that never rotated credentials are at exceptional risk.
    – Industries hardest hit to date: healthcare clinics (<100 beds), regional schools, and managed print providers that left RDP open to facilitate remote support.

Bottom line: Drik demonstrates the continuing danger of weak RDP passwords and unpatched external appliances. Combine robust immutable backups with zero-trust least-privilege architecture and an EDR stack that monitors PowerShell traffic AD in real time to stand the best chance of protection or rapid recovery.