ducky

[Content by Gemini 2.5]

Ransomware Profile – “Ducky” Extension (.ducky)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension added: .ducky
    (Example: Project.docx → Project.docx.ducky)
  • Renaming convention:
    – Original file name and original extension are preserved; the string “.ducky” is simply appended.
    – No e-mail address, victim-ID, or hex-timestamp is inserted, which makes quick visual identification harder for users who have “hide known extensions” enabled.

2. Detection & Outbreak Timeline

  • First public submissions to ID-Ransomware & VirusTotal: late-October 2022.
  • First enterprise incident reports: mid-November 2022.
  • Surge of infections seen: December 2022 – February 2023 (coinciding with large-scale phishing campaign impersonating “Windows 11 update”).
  • Still circulating in 2024 but at lower volume; most current installers are repacked to evade detection.

3. Primary Attack Vectors

  1. Malspam / phishing e-mails
    – Subject lures: “Critical Windows 11 Upgrade”, “DHL Parcel Problem”, “IRS Tax Adjustment”.
    – Attachment is an ISO or IMG. Inside the image sits a .NET loader that pulls the Ducky encryptor from a GitHub, GitLab, or Discord CDN URL.
  2. Smokingbins / PrivateLoader PPI network
    – Malvertising on warez / crack sites drops PrivateLoader, which, if geo-location checks pass, fetches Ducky.
  3. RDP brute-force & credential stuffing
    – Post-exploitation scripts stage ducky.exe as C:\ProgramData\Oracle\java.exe and run it with the -net flag (network shares are encrypted first).
  4. SMB exposure / unpatched Exchange
    – Older infections chained ProxyLogon (CVE-2021-26855) for code execution, then WMI to launch Ducky.

Payload languages observed: Go (majority), Rust (newer Q1-2024 builds). Both are statically linked; UPX-packed to ≈ 2.3 MB.


Remediation & Recovery Strategies

1. Prevention

  • Disable Office macro execution via GPO (the ISO files contain macro-laced documents).
  • Block e-mail attachment file types: ISO, IMG, VHD, and ONE.
  • Enforce strong RDP policies (NLA, 2-FA, account lock-out, IP allow-list).
  • Patch ProxyLogon / ProxyShell and any high-value vulns ≤ 30 days after release.
  • Turn on Windows AMSI and Defender real-time cloud protection; Defender signatures for Ducky have been stable since definition version 1.387.1307.0.
  • Segment flat networks: Ducky contains a built-in SMB scanner that runs under the current user's token, so it will not jump VLANs if lateral movement is restricted.
  • Mandatory, versioned, offline backups (3-2-1 rule). Keep at least one copy immutable (e.g., S3 Object Lock, Azure immutable blob).

2. Removal (step-by-step)

  1. Power down the infected machine(s) and isolate them at the network level to halt encryption.
  2. Boot from a clean Windows PE / Linux live USB, or mount the disk read-only on another host.
  3. Collect artefacts before cleaning:
     • %ProgramData%\Ducky\ducky.exe
     • C:\Users\<user>\AppData\Local\Temp\go-build*\*.tmp
     • Registry persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OracleJavav
  4. Run a reputable AV/EDR rescue scanner (Windows Defender Offline, Kaspersky Rescue, ESET SysRescue) to quarantine Ducky.*, Oracle\java.exe, and any PrivateLoader droppers.
  5. Delete the scheduled task \Microsoft\Windows\Maintenance\DuckyInit if present.
  6. Patch the entry vector (reset breached credentials, update Exchange, close SMB if exposed).
  7. Re-image if possible; otherwise scan until 0 detections across two consecutive reboots.
  8. Only then re-attach backup media.
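The renaming pattern from section 1 and the artefact list in step 3 above can be checked in one pass once the disk is mounted read-only on the IR host. The following script is an added example, not part of this profile: it assumes the victim volume is mounted at a path such as /mnt/victim (so C:\ProgramData\Ducky\ducky.exe appears as /mnt/victim/ProgramData/Ducky/ducky.exe), lists encrypted files with their original names, locates ransom notes, and reports which of the known artefact paths are present. The sample volume it builds is constructed for the demonstration.

```python
# Added example (not from the profile): offline triage of a Ducky-affected volume
# mounted read-only on the IR host, e.g. at /mnt/victim, so the Windows path
# C:\ProgramData\Ducky\ducky.exe appears as /mnt/victim/ProgramData/Ducky/ducky.exe.
import os
import tempfile
from collections import Counter

EXT = ".ducky"
RANSOM_NOTE = "README_TO_RESTORE.txt"
# Artefact locations named in the profile, relative to the volume root.
ARTEFACTS = ("ProgramData/Ducky/ducky.exe", "ProgramData/Ducky/log.txt",
             "ProgramData/Oracle/java.exe", "Users/Public/delete.me")

def original_name(name):
    """Ducky only appends '.ducky'; stripping it restores the full original name."""
    return name[:-len(EXT)] if name.endswith(EXT) else None

def triage(mount_root):
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(mount_root):
        for f in files:
            if f.endswith(EXT):
                encrypted.append(os.path.relpath(os.path.join(dirpath, f), mount_root))
            elif f == RANSOM_NOTE:
                notes.append(os.path.relpath(os.path.join(dirpath, f), mount_root))
    present = [a for a in ARTEFACTS if os.path.exists(os.path.join(mount_root, a))]
    # Tally original extensions so the team knows which data types were hit.
    by_ext = Counter(os.path.splitext(original_name(p))[1].lower() for p in encrypted)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "artefacts": present, "by_ext": dict(by_ext)}

def build_sample_volume():
    """Constructed sample tree standing in for a real mounted volume."""
    root = tempfile.mkdtemp()
    for rel in ("Users/alice/Documents/Project.docx.ducky",
                "Users/alice/Documents/budget.xlsx.ducky",
                "Users/alice/Documents/README_TO_RESTORE.txt",
                "Users/alice/Desktop/README_TO_RESTORE.txt",
                "Users/alice/Desktop/notes.txt",          # untouched file
                "ProgramData/Ducky/log.txt",
                "ProgramData/Oracle/java.exe"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root

if __name__ == "__main__":
    print(triage(build_sample_volume()))
```

Run it against the real mount point instead of build_sample_volume() and archive the returned lists with the case file before any cleaning starts.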

3. File Decryption & Recovery

  • Is free decryption possible?
    At the time of writing – NO.
    Ducky uses Curve25519 for asymmetric key exchange plus ChaCha20-Poly1305 per-file keys. Private key remains only with the attacker; no implementation flaw has been found.
  • So your realistic paths are:
    A. Restore from clean, offline backup.
    B. Negotiate / purchase the key (not recommended; you may still receive a non-working decryptor).
    C. Wait for future research (archive an encrypted file + ransom note; monitor NoMoreRansom.org).
  • Tools that will NOT decrypt but are still essential
    – Kaspersky RakhniDecryptor, Avast Decryptor, Emsisoft STOP-Djvu → tested against .ducky samples; incompatible.
    – ducky_extract_key PoC (GitHub) → only dumps the hard-coded public key; useless for decryption.

4. Other Critical Information

  • Ransom note: README_TO_RESTORE.txt dropped in every folder plus desktop.
    – Victim-ID is 8 random hex chars; e-mail addresses change per campaign (early: <EMAIL_ADDRESS>, 2024 builds: <EMAIL_ADDRESS>).
    – Ransom demand has floated between 0.018 – 0.04 BTC (≈ USD 600–1,600).
  • Self-delete: after encryption finishes, the binary renames itself to C:\Users\Public\delete.me and runs "ping -n 30 127.0.0.1 > nul & del /f delete.me" to cover its tracks.
  • No data exfil module in analysed samples—solely destructive encryption. (Still recommend assuming breach & scanning for secondary implants.)
  • Extensive log file written: C:\ProgramData\Ducky\log.txt – useful for IR to see exactly which files were touched and the elapsed encryption time.
  • Wider impact: Hit several county-level US school districts and two South-American manufacturers (Jan-2023), causing week-long production stoppage because OT Windows consoles rebooted mid-batch.
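The staged-binary path and -net flag from section 3 and the self-delete command chain above are all visible in process-creation telemetry, which makes them practical detection rules. The following is an added example, not part of this profile: simple command-line rules run over constructed process-creation records (image path plus command line, as an EDR or Sysmon Event ID 1 feed would supply); the sample events are made up for the demonstration.

```python
# Added example (not from the profile): command-line detection logic for the Ducky
# behaviours described in the profile, run over constructed process-creation
# records (image path + command line). The events below are not real telemetry.
import re

# Each rule: name, regex evaluated over "image | cmdline" (case-insensitive).
RULES = [
    ("ducky_staged_binary",
     re.compile(r"\\ProgramData\\Oracle\\java\.exe\b", re.I)),
    ("ducky_network_first_flag",
     re.compile(r"\\ProgramData\\(Oracle\\java|Ducky\\ducky)\.exe.*\s-net\b", re.I)),
    ("ducky_self_delete",
     re.compile(r"ping\s+-n\s+30\s+127\.0\.0\.1.*&\s*del\s+/f\s+delete\.me", re.I)),
    ("ducky_renamed_payload",
     re.compile(r"\\Users\\Public\\delete\.me\b", re.I)),
]

def classify(image, cmdline):
    """Return the names of all rules matched by one process-creation record."""
    text = f"{image} | {cmdline}"
    return [name for name, rx in RULES if rx.search(text)]

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    (r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c ping -n 30 127.0.0.1 > nul & del /f delete.me"),
    (r"C:\ProgramData\Oracle\java.exe", r'"C:\ProgramData\Oracle\java.exe" -net'),
    (r"C:\Users\Public\delete.me", r'"C:\Users\Public\delete.me"'),
    (r"C:\Program Files\Java\bin\java.exe", r"java.exe -jar app.jar"),  # benign
    (r"C:\Windows\System32\PING.EXE", r"ping -n 1 8.8.8.8"),            # benign
]

def run_detections(events=SAMPLE_EVENTS):
    """Return (image, matched_rules) for every event that triggers at least one rule."""
    hits = [(img, classify(img, cmd)) for img, cmd in events]
    return [(img, tags) for img, tags in hits if tags]

if __name__ == "__main__":
    for img, tags in run_detections():
        print(img, "->", ", ".join(tags))
```

The benign Java and ping records show why the rules key on the exact staging path and the "-n 30 ... del /f delete.me" chain rather than on the process name alone.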

If you have been impacted, treat it as any criminal event—file a report with your local CERT or cyber-crime unit before attempting recovery. Stay vigilant, patch fast, and keep those backups offline!