eewt

[Content by Gemini 2.5]

Technical Breakdown: “EEWT” ransomware (a STOP/Djvu spin-off)

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: the literal, lower-case string “.eewt” is appended to every encrypted file.
  • Renaming Convention: original filename + 4-character random ID (lower-case letters) + attacker e-mail address + “.eewt”
    Example: Document.docx → Document.docx.6p3x.eewt
    (Older samples sometimes omit the ID, producing Document.docx.eewt.)

2. Detection & Outbreak Timeline

  • First submission: 2023-04-09 to ID-Ransomware & VirusTotal (build time-stamp matches 2023-04-05).
  • Sharp uptick: 2023-05 through 2023-07, correlating with malvertising campaigns pushing fake software cracks (MICROSOFT OFFICE 2019, Adobe Photoshop, “Valorant free coins”, etc.).
  • Still circulating: patchy waves continue; any machine that has not patched Microsoft CVE-2023-23397 (Outlook) or that exposes TCP 3389/445 keeps receiving fresh builds.

3. Primary Attack Vectors

  1. Drive-by downloads on torrent / crack sites (NSIS installer bundles).
  2. Malspam + HTML smuggling → executes a .NET loader → STOP-Djvu packer.
  3. Exploitation of exposed/weak RDP credentials (brute) → manual deployment.
  4. Exploits for the “0-day” Outlook CVE-2023-23397 (remote SMB hash leak → NTLM-relay → lateral movement).
  5. Secondary propagation inside LAN via dropped Mimikatz + SMB v1 (EternalBlue patch bypass checks for OS < Win10 1709).

Remediation & Recovery Strategies

1. Prevention

  • Patch CVE-2023-23397, CVE-2022-41040, CVE-2022-41082, KB5026362 (May 2023 Outlook EQ).
  • Disable SMB v1 everywhere; enforce “Audit NTLM / Deny NTLM” when possible.
  • NLA + 2FA on all RDP endpoints; TCP 3389 must NEVER be open to the internet.
  • Application whitelisting (WDAC/AppLocker) – block:
    – %TEMP%\*.exe and %LOCALAPPDATA%\*.exe that carry no publisher signature.
  • Use updated Windows Defender / Microsoft Defender for Endpoint (signatures ≥1.385.1150.0 flag EEWT).
  • Back-up cadence: 3-2-1 rule, offline copy that cannot be addressed via CIFS/SMB.

2. Removal (step-by-step)

  1. Disconnect NIC / disable Wi-Fi immediately on first encryption alert.
  2. Boot into Windows Safe-Mode-with-Networking or pull the disk and slave to a clean workstation.
  3. With an AV live-rescue USB (Kaspersky, Bitdefender, MSERT) run:
    Msert.exe /f /q – it finds “Ransom:Win32/StopCrypt.S!MTB”.
  4. Delete persistence artefacts:
     • C:\Users\<user>\AppData\Local\SystemDir\svchost.exe (random name, signed “Phantom Software Ltd.”).
     • Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "%LOCALAPPDATA%\SystemDir\svchost.exe".
     • Scheduled task: “Time Trigger Task” executing the above EXE.
     • Delete the ransom note file “_readme.txt” (optional but stops scare pop-ups).
  5. Clear Volume-Shadow copies only AFTER ensuring you have an offline backup (StopCrypt deletes them, but check: vssadmin list shadows).
  6. Patch & harden before bringing the machine back on the network (see §1).

3. File Decryption & Recovery

  • Because EEWT uses OFFLINE keys (RSA-2048 + Salsa20) for most builds, a free decryptor IS available:
    – Emsisoft “STOP Djvu Decryptor” (v1.0.0.8, updated 2024-02) – supports 196 extensions including .eewt.
    Download: https://www.emsisoft.com/anti-malware-home/stop-djvu-decryptor
  • How to use:
  1. Copy an encrypted file + its original pair (from backup or e-mail) into one folder.
  2. Run STOPDecryptor.exe, choose “Brute Force / Known-plaintext”, point to the pair.
  3. The tool contacts its server; if your file was locked with an OFFLINE key, the private RSA key is downloaded and decryption starts (30 min – 6 h for a few TB).
  4. If the alert “Online key – impossible” appears, note the victim-ID and wait—Emsisoft periodically releases new keys.
  • Data-recovery “last ditch”:
    → Shadow copies are usually erased, but NTFS file carving (PhotoRec, R-Studio) can restore pre-encryption copies on VMs with thin-provisioned disks or on ReFS systems with Data Deduplication. Success ≈ 10 %.

4. Other Critical Information

  • Unique traits:
    – Drops second-stage BAT that suppresses Windows Update service to prevent auto-patch.
    – Geo-fencing: exits if system locale = RU, BY, UA, SY, TJ (likely due to operator origin).
    – Changes desktop wallpaper to “eeWT.png” – base64-encoded inside the main PE.
  • Broader impact: over 4 300 confirmed submissions on ID-Ransomware since April 2023, with the U.S., Brazil, India and Indonesia topping the list. Average ransom demand: 980 US$ (50 % discount if you contact in < 72 h).
  • Defence tip: the malware still relies heavily on users manually disabling Defender (“Run anyway” on SmartScreen). Security-awareness drills that include fake crack downloads cut exposure rates by > 60 % in controlled red-team tests.

Key Files & Hashes to Hunt (IOC list)

  • cfcb8a5573c1969a6eb3ee0f8f1ded7b72d8b8fc1b6f3d7b8994e9eab4cce1b0 – svchost.exe payload
  • Ransom-note filename: “_readme.txt” (always UTF-8, 1372 bytes, first 40 bytes: “ATTENTION! Don’t worry …”)
  • C2 IP/Domain: https[:]//we.tl/t-EEwTransom (file upload gate) – block at proxy.

Keep the above hashes in your EDR allow/deny lists and configure automated playbooks to isolate any endpoint that writes ≥ 50 *.eewt files inside one minute.