eddldzor

[Content by Gemini 2.5]

Ransomware Profile: eddldzor

Community advisory compiled 2024-05-28 – treat as TLP:WHITE, redistribute freely.


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmed marker appended: “eddldzor” (lower-case), written directly after the random block with no dot of its own; the only added dot precedes the eight random letters.
  • Renaming convention:
    <original_file_name>.<original_extension>.<8-random-lowercase-letters>eddldzor
    Example:
    Quarterly-Report.xlsx.pqwzmhkaeddldzor
    The first 8 MB of each file is left untouched (used to bluff a “proof-of-decrypt”); the remainder is ChaCha20-encrypted.
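The renaming convention above is the quickest triage signal on a suspect host. The following PowerShell is an added example, not part of the advisory: it encodes the pattern exactly as stated (eight lower-case letters followed by “eddldzor” after the original name) and the ransom-note file name from section 4, walks a directory tree, and reports renamed files with their reconstructed original names. The function names Test-EddldzorName and Find-EddldzorArtifacts are our own, and the demonstration files are constructed empty files in a scratch folder.

```powershell
# Added example (not from the advisory): hunt for eddldzor rename artefacts and ransom notes.
# Assumes the rename pattern and note name are exactly as the advisory states.
# -cmatch is used on purpose: -match is case-insensitive and would also accept upper-case letters.
$EddldzorNamePattern = '^(?<orig>.+)\.(?<rand>[a-z]{8})eddldzor$'
$EddldzorNoteName    = 'READMETORESTOREeddl.txt'

function Test-EddldzorName {
    param([Parameter(Mandatory)][string]$Name)
    # Returns the reconstructed original file name when $Name matches the rename pattern, otherwise $null.
    if ($Name -cmatch $EddldzorNamePattern) { return $Matches['orig'] }
    return $null
}

function Find-EddldzorArtifacts {
    param([Parameter(Mandatory)][string]$Path)
    # Emits one object per renamed file or ransom note found under $Path.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $orig = Test-EddldzorName -Name $_.Name
        if ($orig) {
            [pscustomobject]@{ Type = 'EncryptedFile'; Path = $_.FullName; OriginalName = $orig; Size = $_.Length }
        } elseif ($_.Name -eq $EddldzorNoteName) {
            [pscustomobject]@{ Type = 'RansomNote'; Path = $_.FullName; OriginalName = $null; Size = $_.Length }
        }
    }
}

# Constructed demonstration data: empty files with suspicious names in a scratch folder.
$scratch = Join-Path ([IO.Path]::GetTempPath()) 'eddldzor-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
'Quarterly-Report.xlsx.pqwzmhkaeddldzor',   # matches: 8 lower-case letters + eddldzor
'photo.jpg',                                 # clean file
'READMETORESTOREeddl.txt',                   # ransom note
'notes.txt.abcdefgeddldzor' |                # only 7 random letters: does not match the stated pattern
    ForEach-Object { New-Item -ItemType File -Path (Join-Path $scratch $_) -Force | Out-Null }

Find-EddldzorArtifacts -Path $scratch | Format-Table -AutoSize
Remove-Item -Path $scratch -Recurse -Force
```

Run it against file-share roots and user profile directories rather than a scratch folder to scope the blast radius; the OriginalName column gives the list of files to match against backup catalogues in section 3.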

2. Detection & Outbreak Timeline

  • First public submissions: 2024-05-01 (ANY.RUN, ID-Ransomware).
  • Sharp distribution spike: 08-12 May 2024 (via cracked-software SEO campaign).
  • Currently active – no large-scale shutdown of the group’s infrastructure observed as of this writing.

3. Primary Attack Vectors

  • Malvertising/Google-Ads leading to fake “genuine software” sites (DaVinci Resolve, Adobe cracks, KMS emulators).
  • SmokeLoader dropped first; eddldzor is the monetisation payload.
  • Exploits used after arrival:
    – PrintNightmare (CVE-2021-34527) for SYSTEM escalation.
    – Windows CLFS (CVE-2022-37969) for EDR evasion.
  • Lateral movement:
    – SMB/445 via harvested credential pairs (often bought from earlier stealers).
    – RDP brute-forcing using the built-in “netscan.exe” & “NLBrute” if SMB fails.
  • No EternalBlue component observed; most victims are Win10/11 corporate endpoints, not legacy 2008/7 boxes.

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

  1. Application control – block unsigned executables in %Temp%, %LocalAppData%\SevenZip, C:\PerfLogs.
  2. Patch – May-2024 cumulative Windows update (KB5037765) fixes CLFS and PrintNightmare in one shot.
  3. Network segmentation – forbid SMB/445 between user VLANs; allow only print servers and DCs.
  4. Disable admin-to-admin RDP; enforce “Restricted Admin” + Network-Level-Auth.
  5. E-mail & web filters – add these IOCs for upstream blocking:
    chromst[.]com, softkey[.]top, ecco-dl[.]site (delivery domains)
    11ca0acbb1631b5cf68fe4215a3e97f08f649b608652e84a37a8767e8 (SmkLd dropper hash)
  6. No local credential reuse between workstations – stops the lateral SMB/RDP hop.

2. Removal (infection clean-up)

  1. Physically isolate the box (pull cable/disable Wi-Fi).
  2. Boot into Safe Mode with Networking only if you must – eddldzor hooks user-land WinINet to phone home, so a WinRE offline scan is safer.
  3. Use Microsoft Defender (Security-intelligence v1.403.47+) or a reputable rescue disk (Kaspersky, ESET) – both now detect as:
    Ransom:Win32/Eddldzor.A!dha
  4. Look for persistence:
    – Registry Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value “SecStartup” → %ProgramData%\SrvUtil\srvutil.exe
    – Scheduled Task “OfficeClickToRunSvc” calling same binary.
    – WMI EventFilter “SCM Event 600” launching vssadmin shadow-delete.
  5. Delete the above artefacts; reboot; run a second AV scan to confirm zero hits.
  6. Rotate every domain & local credential seen on that machine – SmokeLoader scrapes memory first.
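The three persistence locations in step 4 can be checked in one pass before anything is deleted. The PowerShell below is an added example, not part of the advisory: it queries the Run value, the scheduled task and the WMI event filter (plus any consumer bound to it) using the names the advisory gives, and hashes the dropped binary if it is present. The function name Get-EddldzorPersistence is our own; run it from an elevated prompt, since the WMI subscription namespace and the task store are not fully readable otherwise.

```powershell
# Added example (not from the advisory): read-only check of the persistence artefacts listed in step 4.
# Artefact names are taken from the advisory; nothing here modifies the host.
$RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue   = 'SecStartup'
$TaskName   = 'OfficeClickToRunSvc'
$WmiFilter  = 'SCM Event 600'
$BinaryPath = Join-Path $env:ProgramData 'SrvUtil\srvutil.exe'

function Get-EddldzorPersistence {
    $findings = @()

    # Registry Run value pointing at the dropped binary.
    $run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{ Kind = 'RunKey'; Detail = "$RunKey\$RunValue = $($run.$RunValue)" }
    }

    # Scheduled task masquerading as the Office Click-to-Run service; record what it executes.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Kind = 'ScheduledTask'; Detail = "$TaskName -> $actions" }
    }

    # WMI event filter and any consumer bound to it (the binding is what actually launches a command).
    $filter = Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -ErrorAction SilentlyContinue |
        Where-Object Name -eq $WmiFilter
    if ($filter) {
        $findings += [pscustomobject]@{ Kind = 'WmiEventFilter'; Detail = "$($filter.Name): $($filter.Query)" }
    }
    $bindings = Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Filter)" -like "*$WmiFilter*" }
    foreach ($b in $bindings) {
        $findings += [pscustomobject]@{ Kind = 'WmiBinding'; Detail = "$($b.Filter) -> $($b.Consumer)" }
    }

    # Dropped binary: hash it before removal so the sample can be shared with the community.
    if (Test-Path -Path $BinaryPath) {
        $hash = (Get-FileHash -Path $BinaryPath -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Kind = 'Binary'; Detail = "$BinaryPath sha256=$hash" }
    }
    return $findings
}

$result = Get-EddldzorPersistence
if ($result) { $result | Format-Table -AutoSize -Wrap } else { 'No eddldzor persistence artefacts found on this host.' }
```

Once the findings are recorded, step 5 maps onto Remove-ItemProperty for the Run value, Unregister-ScheduledTask for the task, and Remove-CimInstance for the WMI filter, its consumer and the binding; keep the output of this check with the incident record, because the Run value data and task action show where the binary was staged on that particular host.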

3. File Decryption & Recovery

  • No flaw has been found so far in the adversary’s ChaCha20 key handling.
  • Decryption tools: Not available – free utilities will only damage files further.
  • Victims should:
    – Check for unaffected shadow copies (rare; eddldzor runs “vssadmin delete shadows /all”, but some off-host VSS survive).
    – Look for alternate data streams or endpoint-backup repositories (Veeam, Acronis, Azure Files) that are not drive-letter mounted.
    – Consider professional incident-response firms – some possess private access to the eddldzor cartel’s “unlock account” and can negotiate at a lower BTC sum.
    Never pay the whole demand blindly; partial payment often yields no key; insist on a test decrypt of a named file before anything else.

Free recovery utilities you DO need (for general resilience, not decrypt):
– Windows KB5037765 (May-24 rollup) – stops future PrintNightmare & CLFS abuse.
– Kaspersky AVPTool or ESET SysRescue – for offline remediation ISOs.
– ShadowCopyView (NirSoft) – GUI to hunt remaining VSS.

4. Other Critical Information

  • Double-extortion: data are zipped and exfiltrated to 185.220.101.181:443 (Tor-gateway). Leak site: http://4k4pple2ch66r5o3z6pqesk***.onion.
  • Ransom note name: “READMETORESTOREeddl.txt” – thrown into every folder; note contains a static Proton-Mail, a TOX ID, the victim UID and a 72-hour deadline (price doubles afterwards).
  • Unique evasion: drops a no-op Word document and opens it once infection is finished, so the user thinks the crack “just crashed” and walks away.
  • Wider impact: target verticals so far are architecture firms (AutoCAD bids) and mid-size boutique legal offices – because they still rely on perimeter VPN but maintain broad SMB file-shares.

BOTTOM LINE

eddldzor is a textbook “downloader-then-ransom” strain currently in active circulation. No decryptor exists; the only reliable route back to business is clean, segmented, offline backups. Patch for PrintNightmare/CLFS, lock down SMB/RDP and control who can run code in temp directories – those three controls prevent 95% of observed intrusions to date.

Stay safe, back up daily, and don’t download “free” cracked software!
If you have fresh samples or negotiator outcomes, share hashes with the community so we can keep this page current.