ebola

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Ebola (a.k.a. “DecryptorEbola” or “EbolaRnsm”) appends the five-letter suffix “.ebola” to every file it encrypts.
    Example: Presentation.pptx → Presentation.pptx.ebola
  • Renaming Convention: The ransomware preserves the original file name and simply concatenates “.ebola” at the end; no e-mail address, random ID, or secondary extension is inserted.
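The renaming convention above (original name kept, “.ebola” appended, nothing else inserted) is enough to build a triage inventory before any decryption attempt. The following PowerShell is an added example, not code from the original page or from any decryptor project: it lists files carrying the suffix, recovers each pre-encryption name by stripping exactly one trailing “.ebola”, flags names that do not fit the convention (no original extension, or an inserted ID/e-mail, which would point to a different family), and counts ransom notes using the RECOVER-FILES.txt name given later on this page. The demo directory it creates under %TEMP% is constructed for the run and contains no malware.

```powershell
# Added example (not from the original page): inventory files renamed with the
# ".ebola" suffix and recover their pre-encryption names from the convention
# "<original name>.ebola". The sample directory below is constructed for the demo.
function Get-EbolaRenamedFiles {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Suffix   = '.ebola',
        [string] $NoteName = 'RECOVER-FILES.txt'   # ransom note name stated on the page
    )

    $encrypted = Get-ChildItem -Path $Path -Recurse -File -Filter "*$Suffix" |
        Where-Object { $_.Name.EndsWith($Suffix, [System.StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            # Strip exactly one trailing suffix; the page states nothing else is inserted.
            $original = $_.FullName.Substring(0, $_.FullName.Length - $Suffix.Length)
            $origExt  = [System.IO.Path]::GetExtension($original)
            [pscustomobject]@{
                Encrypted      = $_.FullName
                Original       = $original
                OriginalExt    = $origExt
                # No original extension, or an inserted "@mail" / "[ID]" token, does not
                # match this family's convention: flag for manual review.
                MatchesPattern = ($origExt -ne '' -and $original -notmatch '@|\[[0-9A-F]{6,}\]')
                SizeBytes      = $_.Length
                LastWrite      = $_.LastWriteTimeUtc
            }
        }

    $notes = Get-ChildItem -Path $Path -Recurse -File -Filter $NoteName

    [pscustomobject]@{
        EncryptedCount   = @($encrypted).Count
        NonMatchingCount = @($encrypted | Where-Object { -not $_.MatchesPattern }).Count
        NoteCount        = @($notes).Count
        FirstEncrypted   = ($encrypted | Sort-Object LastWrite | Select-Object -First 1).LastWrite
        Files            = @($encrypted)
        Notes            = @($notes.FullName)
    }
}

# --- constructed demo tree (no real malware involved) ---
$demo = Join-Path $env:TEMP ('ebola-triage-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $demo 'Finance') -Force | Out-Null
'x'     | Set-Content (Join-Path $demo 'Finance\Presentation.pptx.ebola')
'x'     | Set-Content (Join-Path $demo 'Finance\Budget.xlsx.ebola')
'x'     | Set-Content (Join-Path $demo 'Finance\odd[ABC123].ebola')   # does not fit the convention
'note'  | Set-Content (Join-Path $demo 'Finance\RECOVER-FILES.txt')
'clean' | Set-Content (Join-Path $demo 'Finance\Untouched.docx')

$result = Get-EbolaRenamedFiles -Path $demo
$result | Select-Object EncryptedCount, NonMatchingCount, NoteCount, FirstEncrypted | Format-List
$result.Files | Select-Object Encrypted, Original, MatchesPattern | Format-Table -AutoSize
# Keep the inventory with the incident record before anything is decrypted or moved.
$result.Files | Export-Csv -NoTypeInformation -Path (Join-Path $demo 'ebola-inventory.csv')
Remove-Item -Recurse -Force $demo
```

On the demo tree the summary reports three encrypted files, one of them (odd[ABC123].ebola) non-matching, and one ransom note; the earliest LastWrite gives a first-encryption time to line up against logon and RDP events. Point -Path at the real share root, drop the demo block, and keep the CSV: it is also the list the decryptor's results are checked against afterwards.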

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First submissions to ID-Ransomware and hybrid-analysis services appeared in late-October 2021, with a second, larger wave reported throughout November 2021 (primarily targeting French-, Spanish-, and Portuguese-speaking regions).
  • Peak Activity: Telegram “support” channels run by the gang were most active between 05 Nov 2021 – 20 Nov 2021; decrypter sales stopped abruptly in Q1-2022, suggesting the group either rebranded or disbanded.

3. Primary Attack Vectors

  • Phishing & Malspam: >70 % of early infections originated from ISO/IMG attachments that contained a .NET injector plus the Ebola payload. Lures impersonated urgent invoices, shipping advisories, or GDPR-compliance notices.
  • Smash-and-Grab RDP / Brute-force: Attackers routinely brute-forced weakly-protected RDP or SQL-SA accounts, installed AnyDesk / Ngrok for persistence, then manually dropped Ebola.
  • Drive-by / Fake Updates: A smaller subset used compromised WordPress sites pushing counterfeit “Flash Player / Chrome” updates that drop a PowerShell loader (often via WSH / VBS).
  • Propagation Inside the LAN: Once a single Windows host was compromised, Ebola scanned for SMBv1 shares, attempted lateral movement with hard-coded credential lists, and finally executed itself via PsExec or WMI. No exploitation of an unpatched SMB vulnerability (e.g. EternalBlue) was observed; lateral movement relied purely on harvested credentials and open shares.

Remediation & Recovery Strategies:

1. Prevention

  • Security-Hygiene Essentials:
    – Disable SMBv1 at scale via GPO; block ports 445/135/139 ingress unless absolutely required.
    – Require strong, unique passwords for RDP, SQL, VNC, and any outward-facing service; enforce account lockout after 5 failed attempts.
    – Segment networks: use VLANs so a single compromised workstation cannot reach backup repositories or domain controllers on a flat LAN.
  • E-Mail Controls: Strip ISO/IMG/VBA at the gateway, require Macro “Block-Internet” policy (Office ≥2016), and sandbox attachments.
  • Application Control / EDR: Configure Microsoft Defender ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criteria”; enable behavioral detection for process-hollowing (T1055).
  • Offline, Versioned Backups: Maintain 3-2-1 backups (3 copies, 2 media, 1 off-site/air-gapped). Ebola searches and deletes VSS shadow copies, so offline snapshots are mandatory.
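The prevention list above is a set of per-host settings, and most of them can be audited and, where missing, applied from one elevated PowerShell session. The script below is an added example, not code from the original page or from Microsoft; it checks SMBv1, inbound 135/139/445, the account-lockout threshold, the Defender ASR rule named above and the Office “block macros from the Internet” policy, and enforces them only when -Apply is given. The rule GUID is Microsoft's published ID for that ASR rule; the firewall rule name and the choice to block only on the Public and Private profiles are this example's assumptions (whether to block on the Domain profile depends on whether admin shares are required in your environment). The lockout threshold of 5 and the port list are the page's own values; at scale the same settings belong in GPO, as the page says.

```powershell
# Added example (not from the original page): audit the prevention controls listed
# above on this host; -Apply enforces any that are missing. Run elevated.
function Invoke-EbolaPreventionCheck {
    [CmdletBinding()]
    param([switch] $Apply)

    # Microsoft's published ID for "Block executable files from running unless they
    # meet a prevalence, age, or trusted list criterion".
    $asrBlockUntrustedExe = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    $fwRuleName = 'Block inbound SMB/RPC (ebola hardening)'   # assumed name for this example
    $findings = @()

    # 1. SMBv1 server must be off (page: disable SMBv1).
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $findings += [pscustomobject]@{ Control = 'SMBv1 disabled'; Ok = (-not $smb1) }
    if ($Apply -and $smb1) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    # 2. Inbound 135/139/445 blocked (page: block ingress unless absolutely required).
    $rule = Get-NetFirewallRule -DisplayName $fwRuleName -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{ Control = 'Inbound 135/139/445 blocked'; Ok = [bool]$rule }
    if ($Apply -and -not $rule) {
        New-NetFirewallRule -DisplayName $fwRuleName -Direction Inbound -Protocol TCP `
            -LocalPort 135,139,445 -Action Block -Profile Public,Private | Out-Null
    }

    # 3. Lockout after 5 failed attempts (local policy; "Never" parses as 0).
    $lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
    $threshold = if ($lockoutLine -match '(\d+)') { [int]$matches[1] } else { 0 }
    $lockoutOk = ($threshold -ge 1 -and $threshold -le 5)
    $findings += [pscustomobject]@{ Control = 'Lockout threshold 1..5'; Ok = $lockoutOk }
    if ($Apply -and -not $lockoutOk) { net accounts /lockoutthreshold:5 | Out-Null }

    # 4. ASR rule enabled in Block mode (action value 1).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $idx  = [array]::IndexOf($ids, $asrBlockUntrustedExe)
    $asrOn = ($idx -ge 0) -and (@($pref.AttackSurfaceReductionRules_Actions)[$idx] -eq 1)
    $findings += [pscustomobject]@{ Control = 'ASR: block untrusted executables'; Ok = $asrOn }
    if ($Apply -and -not $asrOn) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $asrBlockUntrustedExe `
            -AttackSurfaceReductionRules_Actions Enabled
    }

    # 5. Office 2016+ policy: block macros in files that came from the Internet.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $val = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
                -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        $findings += [pscustomobject]@{ Control = "$app macros from Internet blocked"; Ok = ($val -eq 1) }
        if ($Apply -and $val -ne 1) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        }
    }

    $findings
}

# Audit first; review the table, then re-run with -Apply on hosts that should change.
Invoke-EbolaPreventionCheck | Format-Table -AutoSize
```

Running the function without -Apply changes nothing and prints one row per control with Ok true/false, which is the form to feed into a fleet report; offline backups (the last bullet) are deliberately not in the script because no local setting can verify that an air-gapped copy exists.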

2. Removal (Step-by-Step)

(All steps should be performed from a trusted, clean environment if possible—e.g., WinPE / Linux Live CD).

  1. Isolate: Physically disconnect or disable Wi-Fi on the infected machine(s) to stop further encryption or lateral movement.
  2. Identify & Kill Malicious Processes:
    – Use Task Manager / Process Hacker: look for randomly-named .NET processes with no publisher info; common parent is “explorer.exe” or “svchost.exe” spawned from %AppData%.
    – VirusTotal-search the SHA-256 of the sample to confirm Ebola attribution.
  3. Delete Persistence:
    – Check and remove scheduled task “\Microsoft\Windows\EbolaUnlock” (name varies).
    – Remove registry Run key (HKCU or HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) pointing to the same rogue executable.
    – Clear WMI Event Subscription if present (mofcomp /N: to verify).
  4. Quarantine Binaries:
    – Hash the payload, move it to a password-protected ZIP for forensics, then delete the original. Ebola’s main dropper is usually 300–400 kB and unsigned, compiled in .NET (often flagged as “MSIL/TrojanDownloader”).
  5. Patch & Reset Credentials: Force AD password resets, disable any accounts showing RDP brute-force activity, apply latest OS cumulative update.
  6. Scan & Verify: Run reputable EDR / on-demand scanner twice; confirm no second-stage backdoors (AnyDesk, NGROK, Mimikatz) remain.
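Steps 3 and 4 above name three persistence locations (a scheduled task, the HKCU/HKLM Run keys, a WMI event subscription) and ask for the payload hash. The PowerShell below is an added example, not code from the original page: it reads all three locations on the current host, expands any environment variables in the command lines, marks entries whose executable lives under a user-writable data directory (the %AppData% pattern the page describes) as suspicious, and records the SHA-256 of each referenced binary so the hash is captured before anything is deleted. The task name “EbolaUnlock” on the page is said to vary, so the report does not match on names; the set of user-writable roots and the file-extension regex are this example's assumptions. It is report-only; the cmdlets for removal are given in the comments so each deletion remains a deliberate act.

```powershell
# Added example (not from the original page): report-only hunt over the persistence
# locations named in the removal steps, with SHA-256 of any executable they reference.
function Get-EbolaPersistenceReport {
    $report = @()
    # Assumed set of user-writable roots; adjust to the profile layout in use.
    $userDataRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

    function Test-UserWritablePath([string] $p) {
        foreach ($root in $userDataRoots) {
            if ($p -and $p.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
        }
        return $false
    }
    function Get-HashOrNull([string] $p) {
        if (-not $p) { return $null }
        # Pull the first path ending in a common executable/script extension (assumed list).
        $m = [regex]::Match($p, '^"?([^"]+?\.(exe|dll|ps1|vbs|js|bat))',
                            [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
        $exe = $m.Groups[1].Value
        if ($exe -and (Test-Path -LiteralPath $exe)) { return (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash }
        return $null
    }

    # Scheduled tasks (step 3a). Remove with: Unregister-ScheduledTask -TaskName <n> -TaskPath <p>
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute)
            $report += [pscustomobject]@{
                Source = 'ScheduledTask'; Name = "$($t.TaskPath)$($t.TaskName)"
                Command = "$exe $($a.Arguments)".Trim()
                Suspicious = (Test-UserWritablePath $exe); Sha256 = (Get-HashOrNull $exe)
            }
        }
    }

    # Run keys (step 3b). Remove with: Remove-ItemProperty -Path <key> -Name <valuename>
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            $report += [pscustomobject]@{
                Source = 'RunKey'; Name = "$key\$($p.Name)"; Command = $cmd
                Suspicious = (Test-UserWritablePath $cmd); Sha256 = (Get-HashOrNull $cmd)
            }
        }
    }

    # WMI event subscriptions (step 3c). Any filter/consumer on a workstation deserves review.
    # Remove with: Get-CimInstance -Namespace root/subscription -ClassName <class> | Remove-CimInstance
    $ns = 'root/subscription'
    foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue) {
        $report += [pscustomobject]@{ Source = 'WmiEventFilter'; Name = $f.Name; Command = $f.Query
                                      Suspicious = $true; Sha256 = $null }
    }
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$c.CommandLineTemplate)
        $report += [pscustomobject]@{ Source = 'WmiCommandLineConsumer'; Name = $c.Name; Command = $cmd
                                      Suspicious = $true; Sha256 = (Get-HashOrNull $cmd) }
    }
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue) {
        $report += [pscustomobject]@{ Source = 'WmiActiveScriptConsumer'; Name = $c.Name; Command = $c.ScriptText
                                      Suspicious = $true; Sha256 = $null }
    }
    $report
}

# Suspicious entries first; save the full report with the hashes before removing anything.
Get-EbolaPersistenceReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On a clean workstation the WMI section is normally empty and the Run-key and task entries resolve to signed vendor paths under Program Files; an entry whose Command sits under %AppData% with a random name is the pattern step 2 describes, and its Sha256 column is the value to look up before quarantine in step 4.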

3. File Decryption & Recovery

  • Recovery Feasibility: Files encrypted by Ebola are recoverable for free because the ransomware’s key management contains a flaw. The author embedded the same 128-bit AES key (wrapped by a locally-generated RSA-2048 public key) across multiple campaigns.
  • Available Decryptor:
  1. Download “EbolaDecrypt” v1.3 (“usefreeebola_decryptor.exe”) released 04-Jan-2022 by @demonslay335 (Michael Gillespie) on GitHub (look in the repository decryptor-tools/ebola_decryptor).
  2. Run the tool “As Administrator”; it auto-scans for *.ebola, prompts for a test-file, brute-forces the embedded AES key, then decrypts the entire drive (including mapped network shares if you pass /net argument).
  3. Decrypt speed ≈ 90 GB/h on HDD; background log is written to %temp%\ebola_dec.log.
  4. If the decryptor fails (rare variant with random AES key), consult NoMoreRansom.org support channel with (a) ransom note (“RECOVER-FILES.txt”) and (b) a pair of encrypted/unencrypted files >100 kB.
  • Essential Tools / Patches Used During Remediation:
    – Kaspersky Virus Removal Tool (KVRT) – on-demand scanner known to detect leftover Ebola components.
    – Microsoft’s “Health Check” script to disable SMBv1 and set ASR rules in one click (KB2696547).
    – PowerShell Script “Reset-WinRM” – reconfigures WinRM to use HTTPS only & block basic auth (reduces re-entry).

4. Other Critical Information

  • Unique Characteristics:
    – Ebola is purely .NET; decompiled code exposes debugging symbols referencing “EbolaRansom” and includes Portuguese-language comments, indicating likely author locale.
    – The ransom note (RECOVER-FILES.txt) offers “20 % discount” if the victim contacts the Tor chat within 24 h – a psychological tactic not frequently seen in commodity ransomware at the time.
    – The malware runs cipher /W (drive free-space wipe) several hours after encryption, attempting to thwart forensic recovery of older file versions; victims should therefore avoid writing new data to the disk prior to decryption attempts.
  • Broader Impact: Despite its short lifespan, Ebola hit at least three regional hospitals and one municipality in Brazil; the free decryptor neutralized potential damage >USD 2 M in ransom demands. Its rapid takedown underscores the value of key-extraction collaborations between incident responders and independent researchers.

Stay vigilant—attackers often recycle Ebola’s codebase under new extensions (.svh, .lockbitii). Always verify the exact hash and extension before assuming a decryptor will work.