drop

[Content by Gemini 2.5]

“.drop” Ransomware – Community Resource Sheet


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed file extension: .drop
  • Renaming convention:
    – The extension is appended to the original name → [original_name].drop
    – No e-mail address, victim ID, or random hex string is added; the .drop suffix is the only change, so renamed files are easy to overlook in long directory listings.

2. Detection & Outbreak Timeline

  • First public appearances: mid-October 2018 (sightings reported by Michael Gillespie, @demonslay335, and via ID-Ransomware).
  • Second, larger wave: March–May 2019 (Germany, Brazil, U.S. accounting firms).
  • Still circulating in 2024, albeit in low-volume “shotgun” spam waves rather than mass exploitation.

3. Primary Attack Vectors

  • Phishing e-mails
    – ISO, RAR, or ZIP attachments posing as an invoice, a FedEx notice, or a “Payment advice.”
    – The archive carries an Office document with macros or a JScript file that launches the payload.
  • Malvertising that redirects to the Fallout or RIG exploit kit (2019 wave).
  • Brute-forced or publicly exposed RDP → the operator manually drops pon.exe or an svchost.exe look-alike (svchostx32.exe, see Removal step 5) in %TEMP%.
  • No SMB/EternalBlue self-propagation – lateral movement relies on stolen credentials and PsExec once a foothold is gained.

Remediation & Recovery Strategies

1. Prevention

  • Disable Office macros enterprise-wide; block macro-enabled files arriving from the Internet at the e-mail gateway.
  • Filter e-mails carrying ISO, IMG, RAR and “double-extension” attachments (e.g., invoice.xls.js).
  • Take RDP off the Internet; where it must stay reachable, require VPN + MFA, rate-limit or lock out failed logons, and keep Restricted Admin mode disabled (it permits pass-the-hash RDP logons).
  • Keep OS, browser and Office fully patched (the exploit-kit waves used Flash and the IE VBScript bug CVE-2018-8174).
  • Application allow-listing (WDAC / AppLocker) to stop the launcher (pon.exe, winserv.exe, svchostx32.exe). Its hashes change weekly, so write publisher- or path-based rules rather than hash rules.
  • Behaviour-based AV with an anti-ransomware folder guard enabled (Microsoft Defender’s Controlled folder access, built in since Windows 10 1709) plus honeypot canary files.
  • Back-ups on the 3-2-1 rule: three copies, two media types, at least one off-line/off-site, with backup credentials kept out of the production domain.
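The host-level items above as one elevated PowerShell script (an added example written for this sheet, not part of the original). It assumes Microsoft Defender is the active AV, Office 2016 or later (policy key version 16.0) and a Windows 10/11 client; the ASR rule GUID is Microsoft’s published identifier for “Block all Office applications from creating child processes”. Gateway filtering, patching, allow-listing rules and backups are not covered here.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original sheet. Assumes Defender AV and Office 16.0.

# 1. Office: refuse to run macros in files that carry the Mark-of-the-Web
#    (downloaded or mailed from the Internet). Policy-backed, set per app.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
}

# 2. Defender: Controlled folder access guards user document folders against
#    untrusted writers; the ASR rule stops Office from spawning the launcher
#    (macro -> pon.exe / svchostx32.exe). GUID per Microsoft's ASR rule list.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3. RDP: require Network Level Authentication, keep Restricted Admin mode off
#    (DisableRestrictedAdmin=1; a value of 0 would enable it and allow
#    pass-the-hash RDP logons), and warn if any inbound rule admits 3389 from Any.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                 -Name 'UserAuthentication' -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name 'DisableRestrictedAdmin' -Value 1 -Type DWord

$exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
if ($exposed) {
    Write-Warning ("RDP (3389) is allowed from Any by: " + ($exposed.DisplayName -join ', ') +
                   " -- restrict RemoteAddress to the VPN range or disable the rule.")
}

# 4. Read back what took effect.
Get-MpPreference | Select-Object EnableControlledFolderAccess, AttackSurfaceReductionRules_Ids
```

Run it once in audit form first if you are unsure about Controlled folder access: replace `Enabled` with `AuditMode` on the `Set-MpPreference` line, check the Defender event log for blocked writes from line-of-business apps, then switch to `Enabled`.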

2. Removal

  1. Physically isolate the box (pull Ethernet / disable Wi-Fi); leave it powered on for now.
  2. Collect a memory image before rebooting if you need forensic attribution.
  3. Reboot into Safe Mode with Networking or boot a recovery USB.
  4. Run a reputable remediator:
     • Malwarebytes 4.x → “Scan + Quarantine” (detected as Ransom.Drop, Ransom.CryMore, or Trojan.Crypto).
     • ESET Online Scanner / Kaspersky Virus Removal Tool – will find the same payload.
  5. Inspect auto-run locations:
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
     Typical entry: value name Windows_Security, data %TEMP%\svchostx32.exe
  6. Delete the dropped binaries and the scheduled task “WindowsSecurity” that re-launches the EXE every 15 min.
  7. Leave Volume Shadow Copies intact until the decryptor is verified or a working backup is confirmed; only then clear them.
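Steps 5–7 as a PowerShell triage script (an added example written for this sheet, not part of the original). The value name, task name and file names are the indicators listed above; the evidence-folder path and the “launches from a Temp directory” heuristic for unknown Run values are assumptions. Without -Remove it only reports, so it can be run first on a suspected but unconfirmed host; with -Remove it kills the launcher, copies each dropped binary to the evidence folder and then deletes it. Shadow copies are counted, never touched.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original sheet. IoCs are the ones listed above.
[CmdletBinding()]
param([switch]$Remove)

$iocFiles = 'pon.exe', 'winserv.exe', 'svchostx32.exe'
$runKeys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$evidence = Join-Path $env:USERPROFILE 'drop-evidence'       # assumed location
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Where, $What, $Data) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; What = $What; Data = $Data })
}

# Running instances of the launcher: stop them first or the files come back.
foreach ($p in Get-Process | Where-Object { $iocFiles -contains ($_.Name + '.exe') }) {
    Add-Finding 'Process' $p.Id $p.Name $p.Path
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# Run / RunOnce: the documented value name, plus any value launching from a Temp dir.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }             # PSPath, PSParentPath, ...
        $data = [string]$prop.Value
        if ($prop.Name -eq 'Windows_Security' -or $data -match '%TEMP%|\\Temp\\') {
            Add-Finding 'RunValue' $key $prop.Name $data
            if ($Remove) { Remove-ItemProperty -Path $key -Name $prop.Name }
        }
    }
}

# Scheduled task that re-launches the EXE every 15 minutes.
$task = Get-ScheduledTask -TaskName 'WindowsSecurity' -ErrorAction SilentlyContinue
if ($task) {
    $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'Task' $task.TaskPath $task.TaskName $cmd
    if ($Remove) { Unregister-ScheduledTask -TaskName 'WindowsSecurity' -Confirm:$false }
}

# Dropped binaries in the user and system Temp directories: hash, preserve, then delete.
foreach ($dir in @($env:TEMP, "$env:SystemRoot\Temp")) {
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        if ($iocFiles -notcontains $f.Name) { continue }
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Add-Finding 'File' $dir $f.Name $hash
        if ($Remove) {
            New-Item -ItemType Directory -Path $evidence -Force | Out-Null
            Copy-Item -LiteralPath $f.FullName -Destination (Join-Path $evidence "$($f.Name).$hash") -Force
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}

# Shadow copies: report only. Keep them until the decryptor or a backup restore is verified.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Add-Finding 'VSS' 'local' "$($shadows.Count) shadow copies" 'left intact'

$findings | Format-Table -AutoSize
```

The SHA-256 recorded for each binary is what you submit to your AV vendor or ID-Ransomware; because the hashes change weekly, a miss on the listed names does not clear the host, so also review any Run value the Temp-directory heuristic flags.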

3. File Decryption & Recovery

  • Recovery feasibility: files encrypted by .drop (CryMore/Amnesia family) used OFFLINE static keys for the first six months of the campaign, i.e. the key material was fixed per build rather than generated per victim, which is what a decryptor can recover.
  • Decryptor available: YES – Emsisoft released a free decryptor (v1.0.0.4) in Dec-2018, still maintained.
    – Get it here: https://www.emsisoft.com/ransomware-decryption-tools/amnesia2
    – Run it on a copy of the encrypted data; it needs one file pair (an encrypted file and its intact, un-encrypted original, >8 kB) to rebuild the key.
  • If the infection occurred after May-2019 the gang had switched to online session keys; the free decryptor will NOT work, and the choices are:
    – Restore from back-ups;
    – Engage a third-party ransomware negotiation/recovery service (no guarantee – assess legal, sanctions and payment risk);
    – Wait (never pay the full demand immediately – the contact e-mail address in the ransom note is usually deactivated within weeks).
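Why the offline-key variants are decryptable and the online-key ones are not, shown with the hybrid scheme this sheet attributes to .drop (a random AES-256-CBC key per file, wrapped with an RSA-2048 public key), built from .NET classes in PowerShell. This is an added illustration written for this sheet, not code from any sample or from the Emsisoft tool; all keys are generated locally, the plaintext is constructed, and “operator” and “in-sample” are simply the two halves of one freshly generated key pair.

```powershell
# Added example, not from the original sheet. Models the key handling
# described on this sheet with freshly generated local keys; nothing here
# comes from a real sample or from the Emsisoft decryptor.

# The operator's RSA-2048 key pair. In the OFFLINE variants the key material
# is static per build (so it can be recovered once and reused for every
# victim of that build); in the ONLINE variants only the public half reaches
# the victim and the private half never leaves the operator.
$operator = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$operator.PersistKeyInCsp = $false
$inSample = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$inSample.ImportParameters($operator.ExportParameters($false))   # public half only

function Protect-Blob {
    # Encrypt one file: fresh AES-256-CBC key + IV, key wrapped with RSA-OAEP.
    param([byte[]]$Plain, [System.Security.Cryptography.RSACryptoServiceProvider]$PublicKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256; $aes.Mode = 'CBC'; $aes.GenerateKey(); $aes.GenerateIV()
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    [pscustomobject]@{
        WrappedKey = $PublicKey.Encrypt($aes.Key, $true)   # $true = OAEP padding
        IV         = $aes.IV
        Body       = $body
    }
}

function Unprotect-Blob {
    # Decrypt one file: the RSA private key is needed to recover the per-file AES key.
    param($Blob, [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'
    $aes.Key  = $PrivateKey.Decrypt($Blob.WrappedKey, $true)
    $aes.IV   = $Blob.IV
    $aes.CreateDecryptor().TransformFinalBlock($Blob.Body, 0, $Blob.Body.Length)
}

$plain = [Text.Encoding]::UTF8.GetBytes('Q3 payroll.xlsx contents (constructed sample data)')
$blob  = Protect-Blob -Plain $plain -PublicKey $inSample
"Ciphertext bytes: $($blob.Body.Length); wrapped key bytes: $($blob.WrappedKey.Length)"

# Offline variant: once the static private key is known (from the sample, or
# rebuilt from a known file pair), every file of that build can be unwrapped.
$recovered = Unprotect-Blob -Blob $blob -PrivateKey $operator
"Recovered with the private key: " + [Text.Encoding]::UTF8.GetString($recovered)

# Online variant: the victim's copy holds only the public key. Unwrapping
# fails, and guessing the 256-bit AES key directly is not an option.
try {
    Unprotect-Blob -Blob $blob -PrivateKey $inSample | Out-Null
} catch {
    "Public-key-only copy cannot unwrap the file key: $($_.Exception.GetBaseException().Message)"
}
```

The per-file AES key is the reason a file pair helps a decryptor only when the key material is static: with a known plaintext/ciphertext pair the tool can confirm a recovered key, but it cannot derive a fresh RSA private key that was generated on the operator’s server.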

4. Other Critical Information

  • Ransom note filename: HOW_TO_RECOVER_ENCRYPTED_FILES.txt (dropped into every folder it touches).
  • The BTC wallet and price are hard-coded (usually 0.12–0.18 BTC); there is no victim ID, so the operators rely on you e-mailing them the timestamp of your payment.
  • Uses AES-256 in CBC mode with a random 256-bit key per file; each file key is encrypted with the attacker’s RSA-2048 public key. Brute-forcing a 256-bit key offline is infeasible in either variant; the free decryptor works only because the early builds used static key material, and once the keys are generated online the private key never leaves the attacker.
  • Distinctive trait: it does NOT change the desktop wallpaper; the only visible sign is the ubiquitous *.txt note. Many admins miss the first infections because there is no obvious cosmetic change.
  • Because the malware encrypts files in place and then renames them, forensic carving tools (PhotoRec, Scalpel) rarely help – the original clusters have already been overwritten with ciphertext.
  • Victim profile: primarily small accounting, fitness and medical offices (<50 seats). No data-leak site has been observed and there is no evidence of exfiltration before encryption, so breach-disclosure laws may not be triggered, but assume the worst until proven otherwise.
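Because the only visible sign is the *.txt note, the practical way to scope an outbreak on a file server or mapped share is to inventory the renamed files directly. The script below is an added example written for this sheet, not part of the original; it uses the extension from section 1 and the note name from this section, assumes read access to $Root, and writes a per-file CSV to an assumed path under the user profile. It is read-only. Beyond the page’s own points it also lists candidate file pairs for the Emsisoft decryptor and flags folders that hold encrypted files but no note, which the “note in every folder” behaviour says should not happen.

```powershell
# Added example, not from the original sheet. Read-only: nothing is modified.
param(
    [Parameter(Mandatory)][string]$Root,                             # e.g. \\fileserver\finance or D:\
    [string]$Report = (Join-Path $env:USERPROFILE 'drop-scope.csv')  # assumed output path
)

$NoteName = 'HOW_TO_RECOVER_ENCRYPTED_FILES.txt'

$hits = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.drop' -or $_.Name -eq $NoteName }
$encrypted = @($hits | Where-Object Extension -eq '.drop')
$notes     = @($hits | Where-Object Name -eq $NoteName)

if ($encrypted.Count -eq 0) { Write-Host "No .drop files found under $Root"; return }

# Outbreak window: each file is written once by the encrypter, so the earliest
# and latest LastWriteTime bracket the run (record the server's time zone).
$sorted = $encrypted | Sort-Object LastWriteTime
$first  = $sorted[0].LastWriteTime
$last   = $sorted[-1].LastWriteTime

# Folders touched, and folders with encrypted files but no note: the note is
# supposed to land in every folder, so these are anomalies worth a look.
$byFolder = $encrypted | Group-Object DirectoryName
$noteDirs = $notes | ForEach-Object DirectoryName
$noNote   = @($byFolder | Where-Object { $noteDirs -notcontains $_.Name })

# File pairs for the decryptor: an encrypted file whose original still sits
# beside it, plus the smallest encrypted files above the 8 kB minimum, whose
# clean copies are easiest to find in a backup, mailbox or installer.
$pairs = @($encrypted | Where-Object { Test-Path -LiteralPath ($_.FullName -replace '\.drop$', '') })
$pairCandidates = $encrypted | Where-Object Length -gt 8KB | Sort-Object Length | Select-Object -First 5

[pscustomobject]@{
    Root               = $Root
    EncryptedFiles     = $encrypted.Count
    RansomNotes        = $notes.Count
    FoldersAffected    = $byFolder.Count
    FoldersWithoutNote = $noNote.Count
    FirstWrite         = $first
    LastWrite          = $last
    IntactPairs        = $pairs.Count
    PairCandidates     = ($pairCandidates.FullName -join '; ')
} | Format-List

$encrypted | Select-Object FullName, Length, LastWriteTime, CreationTime |
    Export-Csv -LiteralPath $Report -NoTypeInformation
Write-Host "Per-file inventory written to $Report"
```

Run it from a clean workstation against the share (not from the infected host), and keep the CSV with the incident record: FirstWrite is the timestamp to line up against RDP logon events and e-mail gateway logs when you work back to the initial vector.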

TL;DR Cheat-Sheet

  1. Isolate – run Malwarebytes / ESET – remove the Run value, the scheduled task and the dropped EXE.
  2. Try the Emsisoft Amnesia2 decryptor immediately (works for pre-May-2019 variants).
  3. No decryptor? Restore from your off-line/off-site 3-2-1 copies.
  4. Harden: block macros, filter ISO/RAR attachments, close RDP, patch Flash/IE, MFA everything, test restores nightly.

Stay safe, patch early, and keep an offline backup – the only sure antibody to .drop.