ebaka

[Content by Gemini 2.5]


ebaka Ransomware – Community Resource Sheet

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .ebaka (lowercase)
  • Renaming Convention:
    – Original filename → <original_name>.<original_ext>.ebaka
    – Example: Invoice_05_2024.xlsx becomes Invoice_05_2024.xlsx.ebaka
    – No e-mail or ID string is inserted, so every victim sees the identical pattern.

2. Detection & Outbreak Timeline

  • First public submission: 2024-02-13 (VirusTotal)
  • First large-scale forum reports: 2024-03-02 (South-Korea & U.S. MSPs)
  • Peak activity window: 2024-03-05 through 2024-03-20 (still fluctuating).

3. Primary Attack Vectors

  • Exploitation of vulnerable ScreenConnect servers (CVE-2024-1709 & CVE-2024-1708) – used to drop first-stage PowerShell loader.
  • Phishing with OneNote or PDF attachments containing obfuscated .wsf or .js that retrieve the second-stage DLL.
  • RDP brute-force / credential stuffing followed by manual deployment of ebaka.exe.
  • Malvertising pushing fake “Chrome / Notepad++” updates that side-load the DLL.
  • No current evidence of worm-like SMB/EternalBlue propagation – lateral movement is performed with living-off-the-land tools (WMI, PsExec, PowerShell remoting).

Remediation & Recovery Strategies

1. Prevention (short checklist)

☐ Patch ScreenConnect (or simply remove it from the network edge if unused).
☐ Disable RDP on perimeter or enforce VPN + MFA + account lockout.
☐ Strip Microsoft OneNote “file-embedding” capability via GPO (KB5025305).
☐ Enforce Windows AMSI & Defender real-time; add ASR rule “BlockOfficeChildProcess”.
☐ Application whitelisting (WDAC/AppLocker) – block unsigned .exe/.ps1/.dll in %temp%.
☐ 3-2-1 backups (offline, immutable, tested).
☐ Deploy canary-token files in key shares – trigger an alert on mass rename.

2. Removal / Containment (step-by-step)

  1. Power-off network segment; collect triage image if investigation required.
  2. Boot a clean Windows PE / Linux live USB → copy uninfected data before cleanup.
  3. From Safe Mode with Networking:
    a. Identify the offending process (parent of ebaka.exe is often powershell.exe or cmd.exe with -enc).
    b. Terminate and delete the run-key entry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run – value “xbxaux”).
    c. Remove the persistence DLL (C:\ProgramData\svsvc.dll).
    d. Clear the WMI event subscription __EventFilter named “EvtFlt eb4”.
  4. Update & scan with fully-patched AV/EDR (signatures >= 1.395.621.0 detect as Ransom:Win32/Ebaka.A).
  5. ONLY THEN reconnect to network to download OS patches & change all local/domain passwords.
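A script covering steps 3b–3d above, added here as an example and not taken from the sheet or from any vendor tooling: it audits the three persistence artefacts the sheet lists (run-key value, DLL path, WMI filter matched on the “EvtFlt” prefix) and removes them only when run with -Remove. It assumes those indicator values are exactly as stated above and that it runs elevated on the isolated host.

```powershell
# Added example (not part of the original sheet): audit the persistence
# artefacts from step 3 and remove them only when -Remove is given.
# Assumes the indicator values as the sheet states them; the WMI filter is
# matched on the "EvtFlt" prefix. Run elevated, after the host is isolated
# and a triage image has been taken.
[CmdletBinding()]
param([switch]$Remove)

$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'xbxaux'
$DllPath  = 'C:\ProgramData\svsvc.dll'
$Findings = @()

# 3b. Run-key entry
$entry = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($entry) {
    $Findings += "Run key value '$RunValue' -> $($entry.$RunValue)"
    if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $RunValue -Force }
}

# 3c. Persistence DLL (hash it before deletion so the IoC is preserved)
if (Test-Path -LiteralPath $DllPath) {
    $hash = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash
    $Findings += "DLL present: $DllPath SHA256=$hash"
    if ($Remove) { Remove-Item -LiteralPath $DllPath -Force }
}

# 3d. WMI event subscription: filter, its consumer and the binding between them
$ns = 'root/subscription'
$filters = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
           Where-Object Name -like 'EvtFlt*'
foreach ($f in $filters) {
    $Findings += "WMI __EventFilter '$($f.Name)': $($f.Query)"
    $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
                Where-Object { $_.Filter.Name -eq $f.Name }
    if ($Remove) {
        foreach ($b in $bindings) {
            # Remove the consumer first, then the binding, then the filter itself
            Get-CimInstance -InputObject $b.Consumer | Remove-CimInstance
            Remove-CimInstance -InputObject $b
        }
        Remove-CimInstance -InputObject $f
    }
}

if ($Findings.Count -eq 0) { 'No ebaka persistence artefacts found.' }
else { $Findings | ForEach-Object { "[$(if ($Remove) {'REMOVED'} else {'FOUND'})] $_" } }
```

Run it once without -Remove to record what is present (and keep the SHA256 for the incident file), then again with -Remove before proceeding to step 4.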

3. File Decryption & Recovery

  • Decryption feasibility at present: NOT possible offline – ebaka uses Curve25519 + ChaCha20-Poly1305; each victim gets a unique keypair.
  • No flaw (IV reuse, S-box leakage, weak PRNG) has been found by researchers.
  • No free decryptor exists as of 2024-04-12.
  • Recovery paths:
    – Restore from offline/uninfected backups (check .ebaka extension is absent).
    – Windows VSS / shadow copies are usually deleted (vssadmin delete shadows /all) but NOT always – try shadowcopy-viewer or vssadmin list shadows BEFORE cleanup.
    – Volume-repair tools (PhotoRec, R-Photo) can carve non-encrypted copies if disk area was not overwritten.
    – File-rollback features in OneDrive, DropBox, Code42, Veeam, Druva, etc.
    – Paying the ransom (≈ 0.15 BTC) does work according to multiple incident-response firms, but:
    • no guarantee,
    • rewards criminal activity,
    • may violate OFAC sanctions if attacker wallets are flagged.

4. Other Critical Information

  • Unique characteristics:
    – Uses “bring-your-own-chacha” – statically links the encryption routine, unusual for small ransomware families, indicating a higher-skilled developer.
    – Drops a secondary “wiper” module (ebk_wipe.exe) that overwrites free clusters with random bytes – executed IF the victim waits > 96 h, lowering recovery odds.
    – Contains a hard-coded killswitch domain (ebkprslvr.onion) – unreachable unless Tor is present; does NOT stop encryption but may change ransom note wording.
  • Broader impact / notable effects:
    – MSP breakouts in East Asia (Feb–Mar 2024) caused > 520 downstream customers to lose file-servers in a single weekend.
    – Healthcare clinics in the U.S. Midwest reported permanent loss of radiological images (DICOM) where only partial off-site backups existed – HIPAA breach notifications filed.
    – Because the binary contains an embedded check for Russian & Ukrainian keyboard layouts, some analysts link ebaka to a Russian-speaking RaaS group renting ScreenConnect access, but there is no definitive attribution yet.

Stay vigilant, patch early, and keep immutable backups – remediation will remain difficult until either law enforcement seizes the backend keys or researchers uncover a cryptographic flaw.