Ransomware Profile: The “.dwarf” Variant
(Last reviewed: 2024-06-xx)
TECHNICAL BREAKDOWN
1. File Extension & Renaming Patterns
- Confirmation of file extension: .dwarf (lower-case, no second extension).
- Renaming convention:
  – Original name → <original_name>.<original_ext>.dwarf
  – Example: Quarterly_Report.xlsx becomes Quarterly_Report.xlsx.dwarf
  – No e-mail or victim-ID string is added, making quick visual identification harder when “hide known extensions” is enabled.
2. Detection & Outbreak Timeline
- First public submission: 2023-11-14 (VirusTotal hash 3c7e…b219).
- Wider notice: December 2023 campaigns against manufacturing and legal verticals in Western Europe & U.S. mid-sized firms.
- Still circulating: Sporadic SOC reports Q2-2024 (RDP-brute clusters).
3. Primary Attack Vectors
- External RDP / exposed SSH – most common root cause (>55 % of incident-response cases).
  – Port-scan → NLA bypass or credential stuffing with reused passwords.
- Phishing with ISO / IMG attachments – QakBot / JSSLoader leading to Cobalt Strike → Dwarf deploy (25 %).
- Exploitation of a public-facing vulnerability:
  – CVE-2023-27350 (PaperCut MF/NG) used March-April 2024.
  – Older but unpatched CVE-2021-34527 (PrintNightmare) if lateral movement is needed.
- Valid but compromised MSP tools (ScreenConnect, AnyDesk) – supply-chain style (minority, but high impact).
Propagation inside network:
- Uses standard Cobalt-Strike (beacon) PSExec & WMI.
- No SMB-v1 worm component (unlike 2017 WannaCry); therefore requires admin credential harvested earlier.
- Self-deletes the dropper once dwarf.exe has run, leaving C:\ProgramData\DelFix\dwarf.exe and scheduled task “WinUpdateCheck” (both IOC-54).
REMEDIATION & RECOVERY STRATEGIES
1. Prevention (ranked by bang-for-buck)
- Disable RDP on perimeter / move to VPN + NLA + 2FA; set account-lockout ≤5 attempts.
- Patch “door-knobs”: PaperCut, PrintNightmare, Exchange, Citrix ADC.
- EDR with behavioural ML turned on; create rule: “file rename >50 files to *.dwarf within 60 seconds → isolate.”
- Application allowlisting via WDAC or AppLocker; block unsigned runners in %ProgramData% and %Temp%\Rar*.
- Network segmentation: inbound SMB (445/139) and RDP (3389) limited to jump-host only.
- Immutable + offline backups (3-2-1) and regular restore drills; dwarf deletes VSS & Windows-Backup catalogs.
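The EDR rule above (>50 renames to *.dwarf within 60 seconds → isolate) expressed as sliding-window detection logic run over constructed rename telemetry. This is an added example, not code from the original profile or any EDR vendor; the log line layout, host names, process names and helper names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 50                  # from the profile's EDR rule: >50 renames ...
WINDOW = timedelta(seconds=60)  # ... to *.dwarf within 60 seconds

# Assumed log line layout (not a real EDR schema), one rename event per line:
#   2024-06-03T09:15:02 FS-01 pid=4120 image=dwarf.exe RENAME C:\S\f.xlsx -> C:\S\f.xlsx.dwarf
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
                     r"RENAME (?P<old>.+?) -> (?P<new>.+)$")

def parse_event(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def is_dwarf_rename(ev):
    # Documented convention: original name kept, lower-case ".dwarf" appended.
    new = ev["new"]
    return new.endswith(".dwarf") and new[:-len(".dwarf")] == ev["old"]

def detect_mass_rename(lines, threshold=THRESHOLD, window=WINDOW):
    # Sliding window per host; returns {host: timestamp of the event that crossed the threshold}.
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_dwarf_rename(ev):
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # expire events older than the window
            q.popleft()
        if len(q) > threshold and ev["host"] not in alerts:
            alerts[ev["host"]] = ev["ts"]       # the isolate action would be triggered here
    return alerts

def build_sample_events():
    # Constructed telemetry: one benign rename on WS-07, then 60 encryptions on FS-01 in 30 s.
    t0 = datetime(2024, 6, 3, 9, 15, 0)
    lines = [f"{t0.isoformat()} WS-07 pid=880 image=explorer.exe RENAME C:\\Users\\a\\draft.docx -> C:\\Users\\a\\final.docx"]
    for i in range(60):
        ts = (t0 + timedelta(seconds=i / 2)).isoformat()
        lines.append(f"{ts} FS-01 pid=4120 image=dwarf.exe RENAME C:\\Shares\\f{i}.xlsx -> C:\\Shares\\f{i}.xlsx.dwarf")
    return lines
```

The benign host never trips the rule, while the file server is flagged at the 51st rename, 25 seconds into the burst; the threshold and window are tunable per environment.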
2. Removal (Step-by-Step)
- Physically isolate or unplug machine; disable Wi-Fi/Bluetooth.
- Boot into Safe-Mode with Networking OFF or boot a clean WinPE/Kaspersky-Rescue USB.
- Find persistence:
  schtasks /delete /tn "WinUpdateCheck" /f
  reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v DwarfUpdater /f
  del /f /q "%ProgramData%\DelFix\dwarf.exe"
  (and any hash-matching copy under C:\Users\*\AppData)
- Quarantine with a reputable AV engine; detections:
  – Trojan:Win32/Dwarf.A!rsm (Microsoft)
  – Ransom.Win64.DWARF.SMIT.HT (Trend)
  – Win32/Filecoder.Dwarf.C (ESET)
- Run second-opinion scanners (Emsisoft Emergency Kit, Malwarebytes) for leftovers.
- Only after removal confirmation reconnect to network and patch the breach vector (reset creds, de-auth RDP certs, etc.).
3. File Decryption & Recovery
- Crypto Summary: ChaCha20 with a 256-bit key; asymmetric public key (RSA-2048) pre-baked inside binary—no key is transmitted out or escrowed.
- Current verdict: NO free decryptor (as of June 2024).
  – Kaspersky, Avast and Bitdefender labs maintain a repository; check https://www.nomoreransom.org periodically for “.dwarf” updates.
- Recovery options:
  – Offline backups (fastest).
  – Volume-Shadow-Copy restoration: check vssadmin list shadows; dwarf runs vssadmin delete shadows /all, but some Dell/HPE backup agents keep persistent snapshots outside VSS scope, so this is worth testing.
  – Windows File-History or OneDrive “Files Restore.”
  – Last resort: professional negotiation / pay decision. Note: local laws (OFAC, EU sanctions) must be considered; small companies (<50 seats) report demands of 0.6-1.2 BTC.
  – Data-recovery companies can sometimes rebuild partial MSSQL/Oracle files if enough plaintext reference is available; expensive and not guaranteed.
4. Other Critical Information
- Ransom-note placement: C:\README_TO_RESTORE.txt (ANSI, no Unicode) and a copy inside each encrypted folder.
- Actor mail addresses change per campaign:
  – [email protected] (early)
  – [email protected] / [email protected] (2024 Q2)
- Unique features / differentials:
  – Unlike Phobos or LockBit, dwarf does NOT append a victim ID, which makes help-desk triage harder (compare against the last-good file list).
  – Skips C:\Windows, C:\Program Files and *dwarf* (self-avoidance, ruling out double encryption).
  – Kills SQL, QuickBooks, Exchange, and Veeam services before encryption to unlock open files.
- Broader impact:
  – Small but targeted; an average dwell time of 1½ weeks (Cobalt-Strike recon) before deployment means high data-exfiltration risk; the actor broke into cloud mailboxes in two reported incidents (M365 with legacy basic-auth).
  – Early presence on VirusTotal was detected by only 8/70 engines; Windows Defender signatures were updated two days later, underscoring the need for multiple security layers.
Bottom line: Dwarf is an opportunistic, manually detonated ransomware that banks on credential reuse and unpatched edge services. No flaw or leak has surfaced in its cryptography—your quickest, cheapest “decryptor” is an immutable, tested backup.