Ransomware Resource Sheet – “ECC” (*.ecc variant)
Technical Breakdown
1. File Extension & Renaming Patterns
- Exact extension added: .ecc
- Typical renaming convention: original_name.ext → original_name.ext.ecc
  (The original file name is kept, the original extension is preserved, and .ecc is simply appended; no e-mail address, random ID, or campaign tag is inserted.)
2. Detection & Outbreak Timeline
- First public sightings: 17 Nov 2015 (Trend Micro “TROJ_CRYPAURA.A”, CTB-Locker spin-off)
- Peak activity window: Nov 2015 – May 2016; dormant campaigns resurface periodically until late 2017
- Current status: Largely inactive in the wild but still observed as an “opportunistic” payload in exploit-kit chains (RIG, Magnitude) and cracked-software bundles.
3. Primary Attack Vectors
- Spam / phishing – the dominant entry vector
  – ZIP with a malicious JS downloader inside; macro-laden Word document posing as an invoice or parcel-tracking notice
- Drive-by exploit kits
  – RIG, Nuclear, Sundown dropping Crypshell → ECC payload
  – Exploits: Flash (CVE-2015-5119), IE (CVE-2015-2419), Silverlight (CVE-2016-0034)
- Insecure RDP
  – Brute-forced RDP credentials → manual execution of setup.exe / ecc.exe
- Bundled “cracked” software
  – Fake KMS activators, key-gens & gaming hacks hosting the loader
Remediation & Recovery Strategies
1. Prevention
- Patch OS & 3rd-party software promptly (especially Flash, Silverlight, IE).
- Disable Office macros enterprise-wide; block executable content from e-mail at the gateway.
- Enforce unique, complex RDP passwords and use 2FA or VPN tunnel; disable RDP on the perimeter where not required.
- Apply controlled-folder-access (Windows Defender / AppLocker) to block unsigned binaries from writing to user profile paths.
- Maintain at least one offline (air-gapped) backup cycle and backup software that does not assign a drive letter to repository shares.
2. Removal (step-by-step)
- Isolate the machine (unplug network/Wi-Fi).
- Boot into Safe Mode with Networking or use a bootable AV rescue disk.
- Update signatures and scan with a reputable engine; detection names to look for:
  – Ransom:Win32/Tescrypt.E (Microsoft)
  – Ransom_CTBL.D, TROJ_CRYPAURA.* (Trend Micro)
  – Trojan-Ransom.Win32.Scatter.ecc (Kaspersky)
- Delete every instance of ecc.exe, ecc_server.exe and any random-named *.exe in %TEMP%, plus the persistence Run-key value. Key locations:
  – %AppData%\Roaming\ecc\ecc.exe
  – HKCU\Software\Microsoft\Windows\CurrentVersion\Run → “ecc”
- Clean all scheduled tasks (e.g., “ecc2task”, “SystemRecoveryCheck”).
- Reboot normally; confirm no new files are re-encrypted before restoring data.
3. File Decryption & Recovery
- Free decryptor exists.
  – Kaspersky’s “RakhniDecryptor” (v1.21.28.1+, updated 06-2016) supports the ECC/CTB-Locker/Aura master key that was leaked in 2016.
  – Procedure:
    a) Copy an encrypted file plus its original (from backup or an e-mail attachment) to a USB stick; this is the “pair of files”.
    b) Launch RakhniDecryptor → point to the encrypted file → “Start scan” → the tool calculates the key → decryptable files are processed in place.
  – If no original copy exists, the tool can still brute-force the short 1024-bit ECC session key, but success is ≈60%.
- Shadow-Volume copies are normally deleted (vssadmin delete shadows /all is run); file recovery from VSS is unlikely.
- Paying the ransom (historically 0.2 BTC) provides a working key in most cases but is strongly discouraged (no guarantee, funds criminal actors).
4. Other Critical Information
- Encryption specifics: Uses Curve SECT283R1 (Elliptic Curve) to wrap per-file AES-256 keys; appends 96-byte footer with key blob → reason for the “ECC” moniker.
- Network awareness: if run with the /network flag it attempts to enumerate and encrypt mapped shares, but it does not include a worm/spreader module; there is no lateral SMB exploit such as EternalBlue.
- Defensive telemetry: leaves help_decrypt_ecc.txt (later renamed DecryptAllFiles_*.txt) in every folder; no desktop wallpaper change, but it does modify the HOSTS file to block security sites.
- Notable targets: mid-2016 campaigns heavily focused on US & Western-European municipalities and charities that had permissive e-mail gateways; caused intermittent city-hall shutdowns but never reached headline-scale damage like SamSam or Ryuk.
- Coverage assurance: Any antivirus that ships the “Tescrypt/CTB-Locker” family signatures will catch ECC variants—update and verify detections before bringing machines out of quarantine.
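The renaming convention from section 1 and the ransom-note / HOSTS artefacts listed under “Defensive telemetry” can be checked offline against a mounted volume or disk image. The script below is an added example written for this sheet, not a tool from any vendor named here; the vendor-domain list and the sample profile it builds are constructed for illustration.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Indicators taken from this sheet: appended .ecc extension and ransom-note names.
ECC_NAME = re.compile(r"^.+\.[^./\\]+\.ecc$", re.IGNORECASE)  # original_name.ext.ecc
NOTE_PATTERNS = ("help_decrypt_ecc.txt", "DecryptAllFiles_*.txt")
# Security-vendor domains to watch for in HOSTS (constructed list; extend for your vendors).
WATCHED_HOSTS = ("microsoft.com", "kaspersky.com", "trendmicro.com")

def is_ecc_encrypted(filename: str) -> bool:
    """True for original_name.ext.ecc: original extension kept, .ecc appended."""
    return bool(ECC_NAME.match(filename))

def is_ransom_note(filename: str) -> bool:
    return any(fnmatch.fnmatch(filename.lower(), p.lower()) for p in NOTE_PATTERNS)

def suspicious_hosts_entries(hosts_text: str) -> list:
    """HOSTS lines that pin a watched security domain to an address (comments ignored)."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[1].lower().endswith(WATCHED_HOSTS):
            hits.append(" ".join(fields))
    return hits

def triage(root: Path, hosts_file: Path) -> dict:
    """Walk a mounted volume or image (not the live host) and collect the indicators above."""
    found = {"encrypted": [], "notes": [], "hosts": []}
    for p in root.rglob("*"):
        if p.is_file() and is_ecc_encrypted(p.name):
            found["encrypted"].append(str(p))
        elif p.is_file() and is_ransom_note(p.name):
            found["notes"].append(str(p))
    if hosts_file.is_file():
        found["hosts"] = suspicious_hosts_entries(hosts_file.read_text())
    return found

def run_sample() -> dict:
    """Constructed profile: two encrypted files, two notes, one redirected vendor domain."""
    tmp = Path(tempfile.mkdtemp())
    docs = tmp / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    for name in ("budget.xlsx.ecc", "photo.jpg.ecc", "notes.txt", "help_decrypt_ecc.txt"):
        (docs / name).write_bytes(b"sample")
    (tmp / "DecryptAllFiles_1234.txt").write_bytes(b"sample")
    (tmp / "hosts").write_text("127.0.0.1 localhost\n127.0.0.1 www.kaspersky.com  # added\n")
    return triage(tmp, tmp / "hosts")
```

Point `triage()` at the root of a mounted image and at its Windows\System32\drivers\etc\hosts copy; a non-empty “hosts” list is the HOSTS tampering this sheet describes and should be reverted before the machine leaves quarantine.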
Bottom line: remove infection with standard AV, restore from offline backup, take advantage of the publicly available decryptor, and harden the environment to prevent re-deployment of this legacy—but still dangerous—ransomware family.