duk

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files are re-labelled with the stand-alone lowercase suffix .duk (e.g. report.xlsx → report.xlsx.duk) – no e-mail address, victim ID, or random string is added.
  • Renaming Convention: The ransomware keeps the original file name and original extension intact, simply appending .duk as the final extension. Directory-browsing tools will therefore still show file types, helping victims recognise what was encrypted.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Bulk submissions of .duk files to ID-Ransomware and malware-sharing sites began late-December 2022; the majority of telemetry spikes were recorded between January and March 2023, indicating the main distribution wave occurred around the start of 2023.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • Phishing with ISO, ZIP or LNK containers (“DHL Invoice”, “Federal Bank Message”) that launch a PowerShell stager.
    • External-facing RDP brute-force or credential-stuffing followed by manual deployment of the Duk packer/encryptor EXE.
    • Exploitation of public-facing application flaws (a very small subset of reports is linked to unpatched Log4Shell – CVE-2021-44228 – on VMware Horizon).
    Internal lateral movement relies on credential harvesting and WMI/PsExec; there is no current evidence of worm-like SMB exploit code such as EternalBlue.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Disable RDP from the Internet or wrap it in a VPN + MFA; enforce strong, unique passwords and account lockout policies.
    • Patch externally exposed software (Log4j,
    • Educate users on ISO/LNK attachments and macros; disable Office macros by default.
    • Segment critical servers; deploy “deny-write” ransomware canary shares (FSRM or open-source tripwire scripts) so that encryption can be aborted early.
    • Maintain offline, versioned backups (3-2-1 rule) and periodically test restore procedures.

2. Removal

  • Infection Cleanup:
    1. Isolate the host(s) (pull the network cable, disable Wi-Fi, suspend cloud sync).
    2. Identify the malicious persistence mechanism (Run/RunOnce registry key, Scheduled Task, or Start-up folder item pointing to a randomly named executable under %LOCALAPPDATA%\Microsoft\ or C:\ProgramData\) and note the executable path.
    3. If possible, collect a memory dump and the malware binary for later analysis, then reboot into Safe Mode with Networking.
    4. Run an up-to-date AV / EDR engine (Defender 1.385+, Malwarebytes, Sophos, etc.); the detection name is usually Ransom:Win32/Duk.A, Trojan-Ransom.Win32.DUK, or Ransom.FileCryptor!1.C29B. Quarantine all hits.
    5. Manually delete the scheduled task and any remaining folder contents.
    6. Check the shadow-copy state (vssadmin delete shadows is one of the first commands Duk runs): the deleted copies cannot be rolled back, but make sure no rogue scripts remain.
    7. Reboot normally and push agent-based scans to every subnet that shares credentials with the patient-zero host.

3. File Decryption & Recovery

  • Recovery Feasibility: At the time of writing no flaw has been found in Duk’s AES-256 + RSA-2048 hybrid cipher; no free public decryptor exists.
  • Practical Recovery: Restore from a clean, offline backup or negotiate/pay the Monero (XMR) demand (not recommended, and with no guarantee of data return).
  • Essential Tools/Patches: Use backup software / VM snapshots that require MFA to delete; otherwise there are none – no software update will “decrypt”, it can only prevent re-infection.

4. Other Critical Information

  • Additional Precautions:
    • Duk attempts to disable Windows Defender via Set-MpPreference and removes shadow copies with vssadmin.exe delete shadows /all /quiet. Harden admin PowerShell by enabling ConstrainedLanguage mode and restrict vssadmin.exe for standard users (file-permission ACL) to slow the attack.
    • The ransom note is dropped as README_TO_RESTORE.txt in every affected folder; the e-mail contact supplied is usually duk2023@tuta[.]io or duk2023@proton[.]me – treat these addresses as hostile indicators.
  • Broader Impact: Duk is a one-off ransomware kit (not tied to a major RaaS brand such as Conti or LockBit). Because victims are mostly small-to-mid-size firms reached through exposed RDP, cumulative ransom demands have stayed comparatively low (0.08-0.25 XMR), but recovery cost is significant due to the lack of a decryptor. Taking January-March 2023 submissions into account, roughly 35% of infected organisations admitted paying, yet fewer than half reported full data return.
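As an added example (not part of the original write-up), the following Python scans simplified process-creation and file-creation log lines for the Duk indicators described above: the vssadmin shadow-copy deletion, Set-MpPreference tampering, a burst of .duk renames, and the README_TO_RESTORE.txt note. The host|event|detail log format, host names, paths and the burst threshold are assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed "host|event|detail" format
# (Sysmon-like process-create and file-create events); not from any real incident.
SAMPLE_LOGS = """\
ws01|ProcessCreate|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
ws01|ProcessCreate|powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true
ws01|FileCreate|C:\\Users\\alice\\Documents\\report.xlsx.duk
ws01|FileCreate|C:\\Users\\alice\\Documents\\budget.docx.duk
ws01|FileCreate|C:\\Users\\alice\\Documents\\README_TO_RESTORE.txt
ws02|ProcessCreate|notepad.exe C:\\temp\\notes.txt
ws02|FileCreate|C:\\Users\\bob\\photo.jpg
"""

# Command-line behaviours the write-up attributes to Duk (defence evasion / impact).
PROCESS_RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "defender_tampering": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
}
DUK_EXT = re.compile(r"\.duk$", re.I)          # appended as the final extension
RANSOM_NOTE = "README_TO_RESTORE.txt"          # dropped in every affected folder
FILE_BURST_THRESHOLD = 2                       # .duk creations per host (assumed, tune per site)

def analyse(log_text):
    """Return {host: [finding, ...]} for every host showing a Duk indicator."""
    findings = {}
    duk_counts = Counter()
    for line in log_text.splitlines():
        host, event, detail = line.split("|", 2)
        if event == "ProcessCreate":
            for name, rule in PROCESS_RULES.items():
                if rule.search(detail):
                    findings.setdefault(host, []).append(name)
        elif event == "FileCreate":
            if DUK_EXT.search(detail):
                duk_counts[host] += 1
            elif detail.endswith(RANSOM_NOTE):
                findings.setdefault(host, []).append("ransom_note_dropped")
    # A burst of .duk files is the encryption stage itself; alert once per host.
    for host, n in duk_counts.items():
        if n >= FILE_BURST_THRESHOLD:
            findings.setdefault(host, []).append(f"duk_rename_burst:{n}")
    return findings

if __name__ == "__main__":
    for host, hits in analyse(SAMPLE_LOGS).items():
        print(host, hits)
```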