easyransom

[Content by Gemini 2.5]

Community Advisory: “easyransom” Ransomware

(Last updated: 2024-06-XX)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .easyransom
  • Renaming Convention:
  • Plain example: Annual_Report.xlsx → Annual_Report.xlsx.easyransom
  • Some clusters add the victim ID in lower-case hex before the final suffix: Annual_Report.xlsx.5f3a9.easyransom
  • Directory-level marker: drops HOW_TO_RECOVER_FILES.txt (sometimes easyransom-howto.txt) in every folder where encryption occurred.
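
As an added illustration (not code from the advisory, and not the malware's own code), the Python below models the renaming convention above as a parser and runs it over a constructed file listing: it recognises both variants, pulls out the victim ID, groups hits per directory together with the ransom-note marker, and flags names whose "victim ID" disagrees with the rest of the host (a real file whose last extension merely looks like hex, such as .cafe, would otherwise be misread). The extension and note names are the documented ones; the victim-ID length (4 to 16 hex digits), the sample paths and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Renaming convention from the advisory: <name>.easyransom, or in some clusters
# <name>.<victim-id>.easyransom with a lower-case hex victim ID.
# The ID length is not documented; 4-16 hex digits is an assumption.
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+?)(?:\.(?P<victim_id>[0-9a-f]{4,16}))?\.easyransom$"
)
# Directory-level markers the advisory names (compared case-insensitively).
RANSOM_NOTES = {"how_to_recover_files.txt", "easyransom-howto.txt"}


def parse_encrypted_name(name):
    """Return (original_name, victim_id_or_None), or None if the name is not a hit."""
    m = ENCRYPTED_RE.match(name)
    if m is None:
        return None
    return m.group("original"), m.group("victim_id")


def triage(paths):
    """Summarise a list of Windows paths (a directory listing or file-create log).

    Returns (per_dir, dominant_id, ambiguous):
      per_dir      {directory: {"encrypted": n, "note": bool, "victim_ids": set}}
      dominant_id  the victim ID seen most often on the host, or None
      ambiguous    encrypted paths whose parsed ID differs from dominant_id;
                   usually real files whose last extension happens to be hex-like,
                   so they need a manual look before being counted as encrypted.
    """
    per_dir = defaultdict(lambda: {"encrypted": 0, "note": False, "victim_ids": set()})
    id_counts = Counter()
    parsed_ids = {}
    for p in paths:
        wp = PureWindowsPath(p)
        directory, name = str(wp.parent), wp.name
        if name.lower() in RANSOM_NOTES:
            per_dir[directory]["note"] = True
            continue
        hit = parse_encrypted_name(name)
        if hit is None:
            continue
        _, vid = hit
        per_dir[directory]["encrypted"] += 1
        parsed_ids[p] = vid
        if vid is not None:
            per_dir[directory]["victim_ids"].add(vid)
            id_counts[vid] += 1
    dominant = id_counts.most_common(1)[0][0] if id_counts else None
    ambiguous = [p for p, vid in parsed_ids.items() if vid is not None and vid != dominant]
    return dict(per_dir), dominant, ambiguous


# Constructed sample listing (not from a real infection).
SAMPLE_PATHS = [
    r"C:\Users\jdoe\Documents\Annual_Report.xlsx.easyransom",
    r"C:\Users\jdoe\Documents\Budget.docx.5f3a9.easyransom",
    r"C:\Users\jdoe\Documents\HOW_TO_RECOVER_FILES.txt",
    r"C:\Users\jdoe\Pictures\holiday.jpg.5f3a9.easyransom",
    r"C:\Users\jdoe\Pictures\easyransom-howto.txt",
    r"C:\Users\jdoe\Pictures\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"D:\share\archive.cafe.easyransom",  # '.cafe' is a real extension, not a victim ID
]

if __name__ == "__main__":
    per_dir, dominant, ambiguous = triage(SAMPLE_PATHS)
    print("dominant victim id:", dominant)
    for d, info in per_dir.items():
        print(f"{d}: {info['encrypted']} encrypted, note={info['note']}, ids={sorted(info['victim_ids'])}")
    print("needs review:", ambiguous)
```

Feed it the output of a recursive directory listing or the file names from a file-create/rename log; a directory with a note but zero encrypted files is worth attention too, because it means the note dropper ran there even if nothing matched the extension.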

2. Detection & Outbreak Timeline

  • First public samples uploaded: 2024-03-14 (MalwareBazaar, ID: 43f1c9…)
  • Noticeable uptick in submissions / ID-Ransomware reports: 2024-04-02 → 2024-04-18 (several hundred cases/day)
  • Still circulating as of June 2024; new builds observed weekly, indicating active development.

3. Primary Attack Vectors

  1. Phishing with ISO / IMG lures – e-mail titled “Payment Advice”, “Wire Confirmation”, ISO attached containing a .NET loader + easyransom DLL.
  2. RDP / SSH brute-forcing – after a successful login a small “TitanShell” C# stub opens a tunnel, then easyransom.exe is dropped into C:\PerfLogs\.
  3. A distant third, but present: exploitation of un-patched MS-SQL servers. BlueKeep-style RDP exploits and SMB worm exploits (Conficker-era MS08-067, EternalBlue) are NOT used.
  4. Lateral movement once inside the LAN via PsExec and SharpRC (a C# WMI remote-exec tool), targeting admin shares (C$, ADMIN$).

Remediation & Recovery Strategies

1. Prevention

  • Disable Office macro execution for files originating in the Internet Zone (GPO). Note that the ISO/IMG lures in vector 1 do not rely on macros at all; keep clients current, since Windows updates from November 2022 onward propagate Mark-of-the-Web to files inside mounted ISO images, which older builds did not.
  • Block inbound TCP/3389 and TCP/22 from the Internet, or restrict them to allow-listed jump hosts / an IPsec or VPN path. Require NLA + 2FA for RDP.
  • Strip ISO, IMG, VHD, and 7-zip attachments at the mail gateway unless digitally signed by a trusted partner. Match on content as well as file name; a renamed archive passes a name-only filter.
  • Keep Microsoft SQL Server 2019/2022 CU current (the easyransom SQL-implant module abuses xp_cmdshell). Patching alone does not close this: xp_cmdshell is a feature, not a bug. Disable it via sp_configure, enforce a strong sa password, and do not expose TCP/1433 to untrusted networks.
  • Use LAPS for local admin passwords; retire generic service accounts with domain admin rights.
  • Enable Windows Defender ASR rules:
  • “Block credential stealing from the Windows local security authority subsystem (lsass.exe)”
  • “Block untrusted and unsigned processes that run from USB” (scoped to USB removable drives; a mounted ISO is not covered, so the gateway stripping above remains the primary control for vector 1)
  • “Block Office applications from creating executable content”.
  • Segment the LAN; put public-facing servers in a separate VLAN with no SMB (TCP/445) reachable from user subnets. Blocking workstation-to-workstation 445 also breaks the PsExec/admin-share spread described in vector 4.
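
Added example (not part of the original advisory): a Python sketch of the gateway check behind the “strip ISO/IMG/VHD/7-zip attachments” item, which inspects attachment content rather than only file names, run against a constructed “Payment Advice” lure. The magic bytes and offsets are the public ISO 9660/UDF, 7z and VHD/VHDX signatures; the sample message, its file names, the VHDX extension and the `signature_trusted` flag (assumed to be set by an upstream S/MIME verification step that is not implemented here) are assumptions.

```python
import email
import os
from email.message import EmailMessage
from email.policy import default

# Container formats the advisory says to strip at the gateway (.vhdx added as
# the modern VHD variant). IMG is a raw sector dump with no signature, so it
# can only be caught by name.
BLOCKED_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx", ".7z"}


def sniff_container(data):
    """Identify a disk-image or archive container by content; None if unknown."""
    if data[:6] == b"\x37\x7a\xbc\xaf\x27\x1c":
        return "7z"                       # 7z signature header
    # ISO 9660 primary volume descriptor ("CD001") or UDF volume recognition
    # sequence ("BEA01") starts at sector 16, i.e. byte offset 0x8000.
    if len(data) > 0x8006 and data[0x8001:0x8006] in (b"CD001", b"BEA01"):
        return "iso"
    # VHD: 512-byte footer starting "conectix"; dynamic disks mirror it as a header.
    if data[:8] == b"conectix" or data[-512:-504] == b"conectix":
        return "vhd"
    if data[:8] == b"vhdxfile":
        return "vhdx"
    return None


def inspect_attachments(raw_message):
    """Return [(filename, reason)] for attachments the gateway should strip.

    reason is 'extension' when the name alone is blocked, or 'content:<type>'
    when the bytes reveal a container hidden behind an innocuous name.
    """
    msg = email.message_from_bytes(raw_message, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "extension"))
            continue
        kind = sniff_container(payload)
        if kind is not None:
            findings.append((name, f"content:{kind}"))
    return findings


def gateway_action(raw_message, signature_trusted=False):
    """'strip' if a blocked container is present and the mail is not from a
    digitally verified trusted partner (signature_trusted is assumed to come
    from an upstream S/MIME check), otherwise 'deliver'."""
    if inspect_attachments(raw_message) and not signature_trusted:
        return "strip"
    return "deliver"


def build_sample_message():
    """Constructed lure shaped like the 'Payment Advice' campaign; not a real sample."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "ap@victim.example"
    msg["Subject"] = "Payment Advice"
    msg.set_content("Please find the payment advice attached.")
    # Stand-in ISO: empty sectors up to the primary volume descriptor.
    fake_iso = bytes(0x8000) + b"\x01CD001\x01" + bytes(2041)
    msg.add_attachment(fake_iso, maintype="application", subtype="octet-stream",
                       filename="Payment_Advice.iso")
    # A 7z archive renamed to .pdf to slip past a name-only filter.
    fake_7z = b"\x37\x7a\xbc\xaf\x27\x1c" + bytes(64)
    msg.add_attachment(fake_7z, maintype="application", subtype="pdf",
                       filename="Invoice_4471.pdf")
    # A genuine-looking PDF that should pass.
    msg.add_attachment(b"%PDF-1.7\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="Terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    print(inspect_attachments(raw))
    print(gateway_action(raw))
```

The second attachment is the reason content sniffing matters: a filter keyed only on the file name would deliver the renamed 7z. Conversely, IMG files carry no signature, so for them the name check is all there is, which argues for stripping the whole class rather than trying to be clever.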

2. Removal (step-by-step)

A. Contain

  1. Disconnect the NIC or shut the port at the switch; leave the device powered on if volatile-memory forensics is planned.
  2. Acquire evidence before cleanup: capture RAM with a memory-imaging tool and image the disk with FTK Imager. Share hashes/samples with law enforcement and malware-sharing portals.

B. Identify and Kill

  1. Boot into Safe Mode (with Networking only if you need to pull tools onto the box); easyransom installs a service named EasyLogon that respawns the payload in normal mode.
  2. Run Autoruns (Microsoft) → filter “Services” → un-tick “EasyLogon” → reboot normal mode.
  3. Manual paths to remove:
  • Executable loader: C:\ProgramData\Intel\x86_randstr.exe
  • DLL: C:\PerfLogs\lib\easyransom.dll
  • Reg key: HKLM\SOFTWARE\EasyRandom\ (note the spelling: EasyRandom, not EasyRansom; contains campaign ID & BTC wallet).

C. Correct & Clean

  1. Install OS updates: the March/April 2024 cumulative (Windows 10 build 19044.4291 or later) and the current SQL Server CU. OS patches do not disable xp_cmdshell; apply the SQL hardening from the Prevention section as well.
  2. Remove attacker-created accounts (“svcbackup”, “webftp”) and rotate credentials for any account that logged on to affected hosts. Reset the domain KRBTGT password twice, allowing replication to complete between the two resets, so that tickets forged from the old hash stop working.
  3. Run a reputable AV with cloud heuristics (Defender, ESET, Bitdefender) to clear remnants.

3. File Decryption & Recovery

  • No cryptographic flaw found: files are encrypted with ChaCha20-Poly1305 under a fresh random nonce per file, and the file keys are protected with Curve25519 so that only the attacker's private key, which never leaves the attacker, can unwrap them. Decryption without that key is infeasible.
  • Free decryptor: none (checked 2024-06-05 against Emsisoft, Avast, Bitdefender, Kaspersky).
  • Shadow copies: live samples invoke vssadmin delete shadows /all, but the deletion occasionally fails on slow drives, so check anyway under \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*. The vssadmin invocation itself is a high-fidelity detection signal in process-creation logs.
  • Non-exclusive file recovery:
  • Use PhotoRec / TestDisk to carve un-fragmented files (office docs, PDFs) from raw disk.
  • Check OneDrive/Google Drive sync cache before infection date; ransomware did not purge cloud cache until mid-April build.
  • Windows “Previous Versions” tab (if shadow survived or server OS with block-based backups).
  • Victim portal: hxxps://easyransom[.]top/CHAT (TOR). The authors demand 0.035 BTC (roughly $2K at June 2024 rates). Victims who paid did receive a working decryptor, but about 15% report corrupted large (>1GB) files according to the Coveware Q2 2024 victim survey. Law enforcement discourages payment; paying funds continued development.

4. Other Critical Information

  • Unique characteristics:
  • Self-built ChaCha20 in .NET instead of Windows CNG. CNG on Win7 offers no ChaCha20, and software AES without AES-NI is slow, so the custom cipher lets it encrypt quickly on old hardware.
  • Multi-threaded queuing: encrypts local drives first, then pauses 1h before starting the LAN crawler to avoid early detection. That one-hour window is the best opportunity to isolate the first host before shares are hit.
  • Writes “encryption_complete, enjoy the easy way” to the event log (Source: “esayR”) and then deletes itself. The misspelled source name is a useful hunting key.
  • Broader impact:
  • Heavily affects small retail chains in APAC & LATAM; attackers choose quantity of victims over big-game hunting.
  • Uses ProtonMail for support (“easyhelper@…”) and releases “proof-pack” (file list + 3 free decrypts) to pressure victims but currently NOT involved in data-exfil extortion (no leak site); therefore restoration from clean backups negates leverage.

Key Tools / Patches Checklist

☑ 2024-05 Cumulative update (Windows) – bulletin KB5035624
☑ Microsoft Defender (engine ≥ 1.401.82) or any reputable AV with sig “Ransom:MSIL/EasyRansom.D!MTB”
☑ Sophos Ransomware-rollback agent (Intercept-X) – blocks the process early
☑ “Legolas”-v7 IOC hunter (free from CERT-EU) – searches for easyransom.*, *.easyransom, event log “esayR”, reg keys listed above
☑ Disk imaging utility (dd, FTK Imager) for safe recovery carve


Remember: offline (air-gapped), versioned backups that the LAN crawler cannot reach remain the single fastest route to resilience against easyransom. Share this guide widely and stay vigilant.