eldritch

[Content by Gemini 2.5]

Eldritch Ransomware Technical Dossier

(Updated for every new campaign – last refresh: June-2024)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .eldritch (lower-case) is appended to every encrypted object.

  • Example: Quarterly-Report.xlsx → Quarterly-Report.xlsx.eldritch

  • No second extension or random hex is inserted—the original name and extension are kept intact, only the extra suffix is added.

  • Renaming Convention:

  1. Keeps the original file path (makes inventorying simple for incident responders).
  2. Skips renames of executables already in %SYSTEM% or C:\Windows\ (avoids breaking boot).
  3. Executes a “dry-run” listing in C:\PerfLogs\eldritch.lst before encryption (forensic artifact).
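Because the rename only appends a suffix and leaves the original name and extension intact, an inventory of encrypted files can be rebuilt by stripping that suffix. The following is an added example (not code from the dossier) that walks a tree, maps each .eldritch file back to its original path, and compares the result with the dry-run listing in C:\PerfLogs\eldritch.lst to show which listed files were never encrypted; the sample tree is constructed in a temp directory, and the assumption that eldritch.lst holds one path per line is mine.

```python
import os
import tempfile

EXT = ".eldritch"

def inventory(root, dry_run_list=None):
    """Walk `root`, map every *.eldritch file back to its original path, and
    (if the dry-run listing exists) report paths it names that were never
    encrypted, which bounds the scope of an interrupted run."""
    encrypted = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(EXT) and len(name) > len(EXT):
                full = os.path.join(dirpath, name)
                encrypted[full] = full[:-len(EXT)]  # suffix-only rename: strip it
    skipped = []
    if dry_run_list and os.path.isfile(dry_run_list):
        # Assumption: the listing is plain text, one absolute path per line.
        with open(dry_run_list, encoding="utf-8", errors="replace") as fh:
            listed = {line.strip() for line in fh if line.strip()}
        skipped = sorted(p for p in listed if p + EXT not in encrypted)
    return encrypted, skipped

def build_demo_tree():
    """Constructed sample tree: two encrypted files, one untouched file, and a
    dry-run listing that names one file the run never got to."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "Users", "alice", "Documents")
    os.makedirs(docs)
    for fname in ("Quarterly-Report.xlsx.eldritch", "notes.txt.eldritch", "readme.md"):
        open(os.path.join(docs, fname), "w").close()
    lst = os.path.join(root, "PerfLogs", "eldritch.lst")  # location from the dossier
    os.makedirs(os.path.dirname(lst))
    with open(lst, "w") as fh:
        for f in ("Quarterly-Report.xlsx", "notes.txt", "budget.docx"):
            fh.write(os.path.join(docs, f) + "\n")
    return root, lst

if __name__ == "__main__":
    root, lst = build_demo_tree()
    encrypted, skipped = inventory(root, lst)
    for enc, orig in sorted(encrypted.items()):
        print(f"encrypted: {orig}")
    print("listed but not encrypted:", skipped)
```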

2. Detection & Outbreak Timeline

  • First Public Samples: 19-Feb-2024 (submitted to VirusTotal from a Philippines IP).
  • Wider Distribution Window: late-March 2024 through present (several spikes in May coinciding with phishing lure “HR wage garnishment notice”).
  • Latest Major Update: v2.1.5 (“ug” build string) seen 11-Jun-2024, adding WMI-based lateral movement.

3. Primary Attack Vectors

  1. Phishing with Malicious OneNote Attachments (most prolific)
    wage-garnishment_report.one contains embedded .WSF → downloads next-stage ZIP from hxxps://cdn-design[.]dev/static/eld.
  2. Google Ads Redirecting to Fake Software Sites
    “Notepad++ 2024 Download” ad leads to MSI that side-loads libssl-3-x64.dll (Eldritch dropper).
  3. RDP / SSH Brute-Force → Human-Operated Deployment
    Bursts of 5-15 failed logons followed by successful auth, then Eldritch.exe copied via \\tsclient\C$\Users\Public.
  4. Exploit of Atlassian Confluence CVE-2023-22515 (for internet-facing installs) → web-shell → Eldritch.
  5. SMB v1 “EternalBlue” re-use is NOT implemented (confirmed by reverse engineering); instead Eldritch bundles a Go-implemented PsExec clone to move laterally once credentials are harvested.
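The RDP brute-force pattern in vector 3 (a burst of 5-15 failed logons followed by a successful one from the same source) is straightforward to hunt for in Windows Security logs. This is an added detection example, not code from the dossier: it runs over a constructed set of 4625/4624 events, keys on logon type 10 (RemoteInteractive), and the 10-minute lookback window is my assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (4625 = failed logon,
# 4624 = successful logon) as "timestamp,event_id,user,source_ip,logon_type".
SAMPLE_EVENTS = """\
2024-05-14T02:11:05,4625,administrator,203.0.113.7,10
2024-05-14T02:11:09,4625,administrator,203.0.113.7,10
2024-05-14T02:11:14,4625,administrator,203.0.113.7,10
2024-05-14T02:11:20,4625,administrator,203.0.113.7,10
2024-05-14T02:11:27,4625,administrator,203.0.113.7,10
2024-05-14T02:11:33,4625,administrator,203.0.113.7,10
2024-05-14T02:11:40,4624,administrator,203.0.113.7,10
2024-05-14T08:00:01,4625,jsmith,10.0.0.23,10
2024-05-14T08:00:30,4624,jsmith,10.0.0.23,10
"""

MIN_FAILURES = 5                # lower bound of the burst described in the dossier
WINDOW = timedelta(minutes=10)  # assumed lookback window, not a dossier figure

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, ip, ltype = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), user, ip, int(ltype)))
    return events

def detect_bruteforce_then_success(events):
    """Return (source_ip, user, failure_count, success_time) for every source
    that logged >= MIN_FAILURES RDP failures within WINDOW before a success."""
    failures = defaultdict(list)  # source_ip -> timestamps of 4625 events
    alerts = []
    for ts, eid, user, ip, ltype in sorted(events):
        if ltype != 10:           # only RemoteInteractive (RDP) logons
            continue
        if eid == 4625:
            failures[ip].append(ts)
        elif eid == 4624:
            recent = [t for t in failures[ip] if ts - t <= WINDOW]
            if len(recent) >= MIN_FAILURES:
                alerts.append((ip, user, len(recent), ts))
            failures[ip].clear()  # a success resets the burst for that source
    return alerts

if __name__ == "__main__":
    for ip, user, n, when in detect_bruteforce_then_success(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {ip}: {n} failed RDP logons then success as {user} at {when:%H:%M:%S}")
```

A hit here is the cue to look for the follow-on copy of Eldritch.exe via \\tsclient\C$\Users\Public described above.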

Remediation & Recovery Strategies

1. Prevention

  • Disable Office macros by policy; block OneNote embedded file execution via registry (DisableEmbeddedFiles=1).
  • Application allow-listing: permit only signed MSIs/EXEs; Eldritch’s internal cert is always self-signed (CN=test).
  • Enforce MFA on all VPN/RDP, and place RDP behind a gateway with account lockout (5 attempts / 30 min).
  • Patch Confluence and any public-facing app servers (especially CVE-2023-22515, CVE-2023-22527).
  • Remove SMBv1; segment LAN via VLAN + FW rules so that IT admin stations cannot directly reach user subnets on 445/135.
  • Deploy modern AV/NGAV signatures for Eldritch (proof-of-concept names: Ransom:Win32/Eldri.A, Trojan-Ransom.Eldritch).
  • Back-ups: at least two media types, one offline (“3-2-1 rule”). Eldritch searches and deletes Volume Shadow copies but currently does not interfere with GPT-protected recovery partitions.

2. Removal

  1. Isolate the box from the network (pull cable / disable Wi-Fi).
  2. Collect volatile evidence (RAM image via KAPE/winpmem if forensics is planned).
  3. Identify persistence:
     • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TelemetryProxy = “C:\Users\Public\Libraries\eldritch.exe”
     • Scheduled Task “AzureLensUpdate” (\Microsoft\AzureLens\Update) pointing to the same binary.
  4. Boot into Safe Mode with Networking → launch updated AV to quarantine eldritch.exe, the accompanying DLL (Renderer.dll), and the eldritch.lst log.
  5. Remove the above registry keys / scheduled tasks.
  6. Check firewall rules: Eldritch adds an inbound rule “AzureLens-Proxy” on port 45234 – delete it.
  7. Reset every local & cached credential (it harvests NTDS.dit/LSASS for lateral movement).
  8. Re-image if possible; else run sfc /scannow and DISM, update everything, and restore data from clean backups only.

3. File Decryption & Recovery

  • Decryption Feasibility: No free decryptor exists at this time. Eldritch uses Curve25519 (ephemeral) + AES-256-GCM (per-file key) – the private key never leaves the attacker’s system.
  • Encrypted-only systems: Restore from backups; verify a handful of random files before full mount.
  • No/aged backups:
    a) Check the ransom note (HOW_TO_RETURN_FILES.txt) for contact details. Bargaining sometimes drops the demand from 2 BTC to 0.4 BTC, but payment is still not recommended (no guarantee, plus potential legal implications).
    b) Utilise professional incident-response firms; they may negotiate or obtain test-decryption proofs safely.
  • Possible Future Tools (keep monitoring):
    a) Emsisoft “EldritchDecrypt” placeholder page (they have broken similar Curve25519/AES hybrids in the past).
    b) Cellebrite/Bitdefender “CurveBreaker” repository (generic framework).

4. Other Critical Information

  • Unique “Wiper-Switch”: the code references a /wipe argument; running the binary with that flag deletes the decryption routine (mutates the MBR header to “ELDR”). Confirmed in May-2024 attacks on Ukrainian media orgs.
  • Selective country check: reads GetUserDefaultUILanguage. If LANGID == 0x19 (Russian) the binary exits (typical false-flag “Eastern Europe safe” list). Do NOT rely on this for protection.
  • Double-extortion: data exfil via rclone to eldritchpress[.]com/portal (uses client-cert auth). Even if you restore files, assume IP and employee PII have already been posted.
  • Wider Impact Campaigns: Healthcare in Iberian Peninsula, two U.S. school districts, one LATAM copper mine (production SCADA encrypted). Estimated > 420 victims worldwide to date (ID-Ransomware + leak-site tallies).

Key URLs / SHA-256 (for Threat-Hunting)

Sample: e4772b0f1caf…30ee4 (v2.1.5)
C2 (active): hxxps://eldritchpress[.]com/api/upload
Drop-site: hxxps://cdn-design[.]dev/static/eld
Note Filename: HOW_TO_RETURN_FILES.txt


Stay protected, patch fast, segment networks, and keep an offline backup; it is still the only reliable “decryptor” for Eldritch today.