Technical Breakdown
1. File Extension & Renaming Patterns
- Confirmation of File Extension: After encryption the malware concatenates the lowercase string “.eduransom” to every affected file (e.g., 2024-budget.xlsx → 2024-budget.xlsx.eduransom).
- Renaming Convention: Original file names are left intact (no Base64 or hex scrambling); only the 10-byte suffix is appended – a trait common in “education-themed” or “school-targeting” campaigns but equally seen inside corporate networks.
2. Detection & Outbreak Timeline
- Approximate Start Date/Period: First Proof-Of-Activity samples uploaded to public malware repositories on 13 Nov 2023. Large-scale education-sector spam waves observed 08-18 Jan 2024 and again in early May 2024 (multiple Latin-American colleges, a handful of U.S. K-12 districts, one German university).
- Inflection Point: CrowdStrike, MS Defender and Elastic all added “Ransom:Win32/Eduransom” or “Trojan-Ransom.Eduransom” signatures on 25 Jan 2024 → global infections plateaued but did not disappear.
3. Primary Attack Vectors
- Phishing with OneDrive / Google-Drive lures themed around “Tuition invoice”, “Course evaluation bonus”, or “Updated curriculum pack”. Archive attachment (ZIP/ISO/RAR) contains a double-extension .PDF.js or .DOCX.exe that is actually a .NET 6 binary compiled as self-contained.
- Malvertising on student-oriented warez/crack sites distributing fake “EndNote” or “MATLAB activator”; the dropper uses a CLR inline-assembly loader to inject a packed Eduransom DLL into MSBuild.exe (Living-off-the-Land).
- RDP / SSH brute-force against schools that expose 3389 or 22 to the Internet. When an educational subnet is breached, the attacker manually runs “netscan” and “crackmapexec” to pivot via SMB/445.
- Exploitation of un-patched ManageEngine ADSelfService Plus (CVE-2021-40539) and the PaperCut NG “Print-With-Privilege” bug (CVE-2023-39143). Both give SYSTEM context and therefore immediate domain-wide reach.
- No current evidence of worm-like SMBv1-EternalBlue propagation; once inside, Eduransom relies on valid stolen credentials + PSExec to push the encryptor.
Remediation & Recovery Strategies
1. Prevention
- Patch: Apply Jan-2024 Microsoft cumulative + every major 3rd-party update (especially ManageEngine, PaperCut, Joomla JCE, and Adobe ColdFusion).
- Remove RDP/SSH from the edge or protect with MFA + IP-whitelist + rate-limiting (RDP-Gateway + NLA).
- Macro/Script policy: Block Office macros from the Internet; enforce ASR (Attack Surface Reduction) rule “Block executable content from e-mail”.
- Application control: Deploy Windows Defender Application Control (WDAC) or AppLocker to stop unsigned binaries in %TEMP% & %USERPROFILE%.
- Segmentation: Split student/staff VLANs; deny SMB/445 lateral from user nets to servers; EDR in “blocking” mode on critical assets.
- Backup hygiene: 3-2-1 rule plus OFFLINE (pull, not push) copies; MFA on backup console; weekly restore drill.
2. Removal
- Isolate infected hosts (disable Wi-Fi, pull LAN).
- Collect volatile logs (etl, C:\Users\*\AppData\Local\EDUR_\*.log) for forensics before wipe.
- Boot a clean WinPE / Linux live-USB, mount the OS disk read-only and delete these artefacts (any of them prove active infection):
- C:\ProgramData\EduraSoft\eduransom.exe
- %TEMP%\InstallUtil_ed.exe
- HKCU\SOFTWARE\EduraSoft (“InstallDate” & “PubKey” values)
- Scheduled Task “EduraSync” (runs every 30 min).
- For mass cleanup, run Microsoft / CrowdStrike / Kaspersky rescue scanner; all three detect Eduransom with generic signatures (Win32/Filecoder.*).
- Re-image the box or roll back to a pre-infection VSS snapshot only after you are 100% sure the malicious scheduled task + binary are gone – otherwise re-infection in <5 min is common.
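As an added example (not part of the original write-up), the Python triage script below encodes the rename pattern from section 1 and the removal artefacts listed above, runs them over a constructed set of host observations, and reports whether anything that proves an active infection is still present. Matching InstallUtil_ed.exe on basename (because it lives in %TEMP%) and the (kind, value) event format are assumptions.

```python
# Indicator values come from the write-up above; the matching logic is an added example.
ENCRYPTED_SUFFIX = ".eduransom"                  # appended verbatim, original name left intact
RANSOM_NOTE = "filesencrypted_.txt"
ARTIFACT_FULLPATHS = {r"c:\programdata\edurasoft\eduransom.exe"}
ARTIFACT_BASENAMES = {"installutil_ed.exe"}      # dropped into %TEMP%, so matched on basename
REG_KEY_PREFIX = r"hkcu\software\edurasoft"
TASK_NAME = "edurasync"

def original_name(path):
    """Undo the rename ('x.xlsx.eduransom' -> 'x.xlsx'); None if not an encrypted file."""
    return path[:-len(ENCRYPTED_SUFFIX)] if path.lower().endswith(ENCRYPTED_SUFFIX) else None

def classify_path(path):
    """Label one Windows file path as an Eduransom indicator, or None if it looks benign."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if original_name(path) is not None:
        return "encrypted-file"
    if name == RANSOM_NOTE:
        return "ransom-note"
    if low in ARTIFACT_FULLPATHS or name in ARTIFACT_BASENAMES:
        return "dropper-artifact"
    return None

def triage(events):
    """Group (kind, value) host observations by indicator label; kind is file, registry or task."""
    hits = {}
    for kind, value in events:
        label = None
        if kind == "file":
            label = classify_path(value)
        elif kind == "registry" and value.lower().startswith(REG_KEY_PREFIX):
            label = "persistence-regkey"
        elif kind == "task" and value.lower() == TASK_NAME:
            label = "persistence-task"
        if label:
            hits.setdefault(label, []).append(value)
    return hits

def active_infection(hits):
    """Encrypted files alone are damage; a dropper or persistence item means the host is still live."""
    return any(k in hits for k in ("dropper-artifact", "persistence-regkey", "persistence-task"))

SAMPLE_EVENTS = [  # constructed sample observations (not real telemetry): data, artefacts, noise
    ("file", r"D:\Finance\2024-budget.xlsx.eduransom"), ("file", r"D:\Finance\FILESENCRYPTED_.txt"),
    ("file", r"C:\ProgramData\EduraSoft\eduransom.exe"), ("file", r"C:\Windows\System32\notepad.exe"),
    ("file", r"C:\Users\alice\AppData\Local\Temp\InstallUtil_ed.exe"),
    ("registry", r"HKCU\SOFTWARE\EduraSoft\PubKey"), ("task", "EduraSync"),
]
```

Running `triage(SAMPLE_EVENTS)` and passing the result to `active_infection` answers the question the re-image step above depends on: encrypted files alone mean the host was hit, persistence or dropper artefacts mean it is still hot.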
3. File Decryption & Recovery
- Recovery Feasibility (as of 19 Jun 2024): NO free decryptor. The malware generates a per-machine Curve25519 key pair, stores the private key in the operator’s C2, then AES-256-GCM encrypts every user file. Without the private key, ciphertext cannot feasibly be reversed.
- Victims whose university has enrolled in the “No-More-Ransom” portal occasionally receive a decryptor if law-enforcement seizure of a backend yields keys – but that list is still empty for Eduransom. Therefore: Restore from OFFLINE backup or negotiate/consider data-loss.
- Essential Tools/Patches:
  - Microsoft Defender update KB5034441 (15 Feb 2024) – contains cloud-based Eduransom AI model.
  - ManageEngine ADSSP hot-fix 6123.
  - PaperCut MF/NG 22.0.6 or newer.
  - Kaspersky Anti-Ransomware Tool (KART) 6.2 – freeware for SMB.
  - CrowdStrike’s “Ransomware-CheatSheet” PowerShell script to block LOLBins (certutil, MSBuild).
4. Other Critical Information
- Ransom Note: “FILESENCRYPTED_.txt” + desktop wallpaper. E-mail addresses change weekly.
- Data-Theft: Before encryption the malware exfiltrates “.csv”, “.pst”, “.mdb/.accdb”, “student_information.”, “payroll.*” to an SFTP server. Even if you can restore files you may still face a GDPR/FERPA breach.
- Unique Behavior: Avoids files where full path contains “\$Recycle.bin”, “\Palo-Alto”, “\Cylance”, or language-locale strings “моя”, “图片”, which some researchers think are crude anti-CIS / anti-Vendor checks.
- Broader Impact: 45+ education entities listed on the Tor “Edublog” leak site; average demand $180k; 11% of victims in US K-12, thereby risking FERPA compliance and state audits. Because schools pay more readily than corporates, expect continued waves each new semester.
Key Take-away for the Community
Eduransom is not technologically novel, but it is patient: weeks of recon, credential harvesting, and data staging before the encryptor ever launches. Shut the door during that silent phase—patch, MFA, egress monitoring—and you almost always win. Once the wallpaper changes, you face either painful data-loss or a pricey negotiation, because today there is no decryptor.