drweb

[Content by Gemini 2.5]

Dr.Web Ransomware – Community Resource Sheet

⚠️ Reader Beware – *.drweb is NOT a ransomware strain at all.
“.drweb” is simply the temporary marker that the legitimate, Russian-made AV product “Dr.Web” appends while it is quarantining or disinfecting a different ransomware family (most often Trojan.Encoder.xxx, aka Trojan.Encoder.3953, the Dr.Web internal name for PHOBOS/DHARMA). Consequently, the question is NOT “how do I remove Dr.Web?” but rather “how do I get back the files that Dr.Web neutralised and renamed to *.drweb?”


1. Technical Breakdown

1. File Extension & Renaming Patterns

  • Marker observed: .drweb (sometimes ._drweb or .drwebtmp)
  • Convention: original_name.ext.id-[<8-hex-chars>].[<attacker_email>].phobos.drweb
    Example:
    Budget_2024.xlsx.id-2A7FB081.[[email protected]].phobos.drweb
    Dr.Web’s real-time shield renames copies of the encrypted file so that the running malware cannot keep them open. The encrypted data are still inside; only the name is changed.
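A small parser for the naming convention above, added here as an example (it is not Dr.Web's or any vendor's code): it strips whichever Dr.Web marker is present, which is exactly the name Quarantine Restore hands back, and then pulls the original name, victim id and attacker mailbox out of the PHOBOS pattern. The sample names and the example.invalid mailbox are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Dr.Web marker variants from section 1.1, most specific first so that
# ".drwebtmp" is never treated as ".drweb" plus a stray suffix.
DRWEB_MARKERS = (".drwebtmp", "._drweb", ".drweb")

# PHOBOS/DHARMA convention from section 1.1, once the marker is gone:
#   original_name.ext.id-<8 hex>.[<attacker_email>].<family_ext>
# Anchored at both ends so dots inside the original name cannot confuse it.
PHOBOS_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>.+?)\]\.(?P<family_ext>[A-Za-z0-9]+)$"
)

# Constructed sample names for the demo (not taken from any real incident).
SAMPLE_NAMES = [
    "Budget_2024.xlsx.id-2A7FB081.[decrypt@example.invalid].phobos.drweb",
    "Q3.report.docx.id-2a7fb081.[decrypt@example.invalid].phobos.drweb",
    "notes.txt._drweb",      # marker only: not a PHOBOS-encrypted object
    "archive.zip.drwebtmp",
]

@dataclass
class QuarantinedName:
    quarantined: str              # name as seen on disk
    marker: Optional[str]         # Dr.Web marker found, or None
    restore_to: str               # marker stripped: what Quarantine Restore yields
    original: Optional[str]       # pre-encryption name, if the PHOBOS pattern matched
    victim_id: Optional[str]      # 8-hex victim id, upper-cased
    attacker_email: Optional[str]
    family_ext: Optional[str]     # e.g. "phobos"

def strip_drweb_marker(name: str):
    """Return (name_without_marker, marker), or (name, None) when no marker is present."""
    lowered = name.lower()
    for marker in DRWEB_MARKERS:
        if lowered.endswith(marker):
            return name[:-len(marker)], marker
    return name, None

def parse_quarantined_name(name: str) -> QuarantinedName:
    """Split a quarantined name into marker, restore target and PHOBOS fields."""
    restore_to, marker = strip_drweb_marker(name)
    m = PHOBOS_RE.match(restore_to)
    if m is None:
        return QuarantinedName(name, marker, restore_to, None, None, None, None)
    return QuarantinedName(name, marker, restore_to, m["original"],
                           m["victim_id"].upper(), m["email"], m["family_ext"])
```

Running it over a directory listing of the quarantine folder gives you, per file, the name Restore will produce and the victim id to group files by before touching backups or shadow copies.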

2. Detection & Outbreak Timeline

  • First widespread sightings of the underlying Trojan.Encoder family (PHOBOS/DHARMA): October 2017
  • Dr.Web signature that tags files .drweb: pushed 2018-11-xx (signature update 11.4)
  • Peak of Dr.Web quarantine-related tickets: Q1-2019 & Q4-2021

3. Primary Attack Vectors

  • RDP brute-force / exposed 3389 (most common)
  • Phishing e-mails with ISO, IMG or ZIP attachments containing a disguised setup.exe
  • Cracked software bundles (Windows KMS tools, Adobe “patches,” Minecraft mods)
  • Adversary-in-the-Middle (AitM) on un-patched SonicWall, Fortinet, or Citrix ADC appliances followed by manual drop of svchost.exe (PHOBOS loader)

2. Remediation & Recovery Strategies

A. Prevention

  1. Expose ZERO RDP hosts to the Internet; place them behind VPN or RD-Gateway with MFA.
  2. Enforce 14-plus-character complex passwords + account lock-out after 5 failures.
  3. Apply Windows cumulative patches, especially CVE-2023-36884, CVE-2022-26134, CVE-2021-34527 (PrintNightmare).
  4. Use GPO to disable SMBv1; segment LAN (VLANs) to block lateral movement (TCP 445).
  5. Install reputable EDR/NG-AV (Defender for Business, CrowdStrike, ESET, etc.).
  6. Maintain 3-2-1 backups (3 copies, 2 media, 1 always offline / immutable).
  7. Protect high-privilege accounts with LAPS & tiered admin model; never log in to user workstations with domain admin.

B. Removal / System Disinfection

  1. Disconnect the machine from ALL networks.
  2. Create a forensic image or at least export logs (%SystemRoot%\System32\Winevt\Logs, $MFT, NTUSER.DAT) before any cleanup.
  3. Boot into Safe-Mode-with-Networking, update Dr.Web (or your primary AV) and perform Full scan → ‘Cure’ / ‘Delete’.
  • Manual IOCs to hunt for:
    C:\ProgramData\svchost.exe, C:\Users\Public\Libraries\service.pid, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost, scheduled task “ChromeLoader” or “Services”.
  4. Use Autoruns (Microsoft) to remove rogue entries; reset the Terminal Services initial-program value (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram).
  5. Patch the infection vector (e.g., change the compromised local admin password, apply VPN firmware updates).
  6. Verify persistence is gone – run a second on-demand engine (KVRT, ESET, Malwarebytes).
  7. Only after a clean bill of health, reconnect to the LAN; change all domain credentials that have ever touched the box.

C. File “Decryption” & Recovery

  • There is NO free decryptor for the PHOBOS family; it uses RSA-1024 (later RSA-2048) + AES-256. Keys are generated per victim and stored only on the attacker’s server.
  • Files carrying the .drweb marker are NOT encrypted a second time – they are merely renamed copies of the already-encrypted files. You must:
  1. Right-click → Dr.Web Quarantine Manager → select the objects → Restore (they will return to *.phobos, or whatever extension the ransomware itself used).
  2. Attempt Volume-Shadow-Copy recovery (list the snapshots first, then copy from the chosen one):
    vssadmin list shadows
    robocopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<idx>\Users <target> /COPYALL /R:0
  3. Use ShadowExplorer, Encase, R-Studio to carve deleted original files.
  4. Check OneDrive / Google-Drive / Dropbox → “Restore your OneDrive” rolls back to pre-attack date.
  5. If no backups exist, weigh business impact vs. ransom payment risk; last resort is negotiation & payment, but be aware:
    • Many PHOBOS affiliates do not provide working decryptors after partial payment.
    • FATF sanctions lists prohibit sending crypto to known wallets – verify with legal team.
  6. After successful decryption (paid or via backup), run the official Phobos decryptor (if provided) inside a VM; it is known to crash on paths longer than 260 chars – shorten first.

D. Tools & Patches to Deploy

  • Dr.Web CureIt! (free), KVRT (Kaspersky), Emsisoft EEK – offline scanners.
  • Microsoft “Security Update” KB5027231 (July 2023) – fixes exploited 0-days.
  • PhobosDecryptor (paid) – only works with a purchased key.
  • MSFT Sysinternals Suite – Autoruns, TCPView, ProcExp for manual clean.
  • NirSoft Network Password Recovery – audits saved RDP credentials the attacker may have abused.

E. Other Critical / Unique Characteristics

  • No desktop note – instead it drops info.txt and info.hta and changes the wallpaper; many admins miss the note because the .hta opens only once and AV then blocks it.
  • SMB scanning – if it lands on a server with RDP, it brute-forces neighbouring hosts using a built-in SMB dictionary (whether or not EternalBlue is available).
  • Treats NAS, external USB and OneDrive sync folders as “local drives,” so unplugging the USB disk as soon as the encryption storm starts can save that disk.
  • Event-log wiping – it clears Microsoft-Windows-TerminalServices-LocalSessionManager/Operational → forward logs to a SIEM before an incident, not after.

3. Key Take-Away

When you see “*.drweb”, think “Quarantined PHOBOS/DHARMA”, not a new family. Clean the infection first, restore/rename files back from quarantine, then rely on backups/Volume Shadow Copies. There is no free decryption; invest in MFA-enhanced RDP, offline backups and rapid patching instead of gambling on crooks.

Feel free to mirror this sheet internally – and stay safe!