email-*@*id-*.*

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: email-*@*id-*.*
    (the asterisks are placeholders for the variable parts: every encrypted file receives its own unique address, e.g. [email protected], [email protected])
  • Renaming Convention:
    • The original name and original extension are kept.
    • The string email-<attacker-e-mail>@<host>.id-<8-hex-chars> is appended directly to the file name (no separating dot before the appended string).
    • Folders and mapped network shares are processed recursively; every encrypted document therefore advertises the same criminal e-mail address.
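The renaming convention above is a usable indicator: a listing of a suspect share can be matched against the `email-<address>.id-<8 hex>` suffix to count affected files and extract the attacker address as an IOC. The following parser is an added example written for this page, not code from the original, and the file names it scans are constructed (the attacker addresses use reserved example domains, not real ones):

```python
import os
import re
from collections import Counter

# Suffix described in the "Renaming Convention" section: the original name and
# extension are kept, then "email-<mailbox>@<host>.id-<8 hex chars>" is appended
# with no separator. Backtracking resolves the greedy host against the ".id-" tail.
APPENDED_TAG = re.compile(
    r"^(?P<original>.+?)"
    r"email-(?P<mailbox>[A-Za-z0-9._%+-]+)@(?P<host>[A-Za-z0-9.-]+)"
    r"\.id-(?P<victim_id>[0-9a-fA-F]{8})$"
)

# Constructed sample listing (not real victim data); two tagged files share one
# address and victim id, one uses a second address, the rest are not encrypted.
SAMPLE_LISTING = [
    "Q2-budget.xlsxemail-restore@mail.example.id-1A2B3C4D",
    "contract.pdfemail-restore@mail.example.id-1A2B3C4D",
    "info.hta",
    "readme.txt",
    "notes-email-archive.txt",
    "photo.jpgemail-helpdesk@example.invalid.id-9F8E7D6C",
]


def parse_encrypted_name(name: str):
    """Return original name, attacker address and victim id for a tagged file, else None."""
    m = APPENDED_TAG.match(name)
    if not m:
        return None
    return {
        "original": m.group("original"),
        "attacker_email": f"{m.group('mailbox')}@{m.group('host')}",
        "victim_id": m.group("victim_id").lower(),
    }


def triage_listing(names):
    """Summarise a listing: how many files carry the tag and which IOCs they advertise."""
    hits = [h for h in (parse_encrypted_name(n) for n in names) if h]
    return {
        "encrypted_count": len(hits),
        "attacker_emails": dict(Counter(h["attacker_email"] for h in hits)),
        "victim_ids": dict(Counter(h["victim_id"] for h in hits)),
        "originals": [h["original"] for h in hits],
    }


def scan_tree(root: str):
    """Walk a directory (or mounted share) recursively and triage every file name found."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return triage_listing(names)


if __name__ == "__main__":
    summary = triage_listing(SAMPLE_LISTING)
    print(f"{summary['encrypted_count']} tagged files")
    for addr, count in summary["attacker_emails"].items():
        print(f"  attacker address {addr}: {count} file(s)")
```

Run `scan_tree(r"\\fileserver\share")` (assumed path) from an isolated analysis host to get the same summary for a real share; the `originals` list doubles as the inventory of documents that must come from backup.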

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First public submissions appeared 28-May-2020; infection waves peaked June-July 2020 and again March-April 2021.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. RDP brute-force / credential-stuffing (TCP/3389 exposed to the Internet, weak passwords, previous breach dumps).
    2. Pirated software (“crack” installers for Adobe, Office, games) bundled with a malware dropper.
    3. Phishing attachments (ISO, .ace, .img) containing a self-extracting archive that launches smartssh.exe (main payload).
    4. No known exploit-kit or SMB/EternalBlue component – human-assisted intrusion followed by manual deployment is typical.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Block RDP at the perimeter; if business-critical, require VPN + MFA, enable “Network Level Authentication”, and lock accounts out after 3 failed logins.
    • Remove local-Administrator rights from daily-use accounts; disable RDP for Domain Admins.
    • Patch OS/apps monthly; inventory “cracked” software and remove it (attackers frequently back-door the same cracks).
    • E-mail: filter ISO/IMG attachments; use Windows ASR rules to block executable content from e-mail.
    • Back up on the 3-2-1 model (3 copies, 2 media, 1 off-line/off-site); store backup credentials in a hardware token or a separate AD forest.
    • White-list PowerShell and PsExec execution via AppLocker / WDAC (ransomware abuses powershell.exe to delete shadow copies).

2. Removal

  • Infection Cleanup:
    1. Physically disconnect the host from the network; isolate its VLAN if present.
    2. Collect triage artefacts: C:\Users\<u>\AppData\Roaming\smartssh.exe, the readme.txt ransom note, and the scheduled task \Microsoft\Windows\SmartSshUpdater.
    3. Boot into Safe Mode + Networking; run a reputable AV/EDR scan (definitions “Ransom:Win32/Phobos” or “Ransom.Win32.EmailID”).
    4. Delete the malicious PE, persistence tasks, and accompanying *.bat files that clear event logs.
    5. Audit local accounts, force a password reset, and verify no rogue user profiles were created.
    6. Update AV signatures and run a full scan on any restore candidates before returning them to production.

3. File Decryption & Recovery

  • Recovery Feasibility: At the time of writing there is NO free decryptor for the email-*@*id-*.* variant of Phobos. It uses AES-256 in CBC mode with a unique key for each victim; the private RSA-1024 key resides only on the attackers’ server.
  • Available Tools:
    • Upload a plain/encrypted pair of the same file to the Emsisoft and Kaspersky check pages to be notified if a free decrypter becomes available.
    • ShadowExplorer or vssadmin list shadows – the malware occasionally kills the VSS service too late to remove every shadow copy; try this, but do not rely on it.
    • File-recovery carving utilities (PhotoRec, R-Studio) can recover non-encrypted copies only if the freed disk space has not been trimmed.
  • Essential Patches/Updates: the March 2021 cumulative Windows patch fixed the “PetitPotam” NTLM relay; although email-* does not use it, apply it to keep lateral-movement options closed.

4. Other Critical Information

  • Unique Characteristics:
    • A victim-specific e-mail address is included in every file name; a convenient IOC but also a social-engineering tactic (users instinctively e-mail the “support” address).
    • Employs Living-off-the-Land commands (bcdedit /set {default} recoveryenabled No, wbadmin delete catalog, vssadmin resize).
    • Skips %WINDIR%, %PROGRAMFILES%, and executables to keep the machine bootable – maximizes ransom pressure.
    • Drops both info.hta (splash window) and readme.txt; the ransom note lists multiple ProtonMail/Tutanota addresses.
  • Broader Impact: Hospitals hit in summer 2020 reported OT device downtime; attackers demand 0.5 – 1.5 BTC, but frequently accept a 20-30 % negotiated discount. Campaigns overlap with “Dharma/CrySiS” affiliates; some victims receive a second ransom demand weeks later from the same actor, indicating retained back-door access – therefore always re-image the entire estate after an incident.
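The Living-off-the-Land commands listed under “Unique Characteristics” (and the shadow-copy deletion and event-log clearing mentioned in the Prevention and Removal sections) all run before encryption starts, so process-creation telemetry is the place to catch them. The rule set below is an added example written for this page, not the project’s or any vendor’s detection content; the log format and host names are constructed, and the `wevtutil cl` and PowerShell `Win32_ShadowCopy` patterns are assumed common forms of the event-log clearing and shadow-copy deletion the page describes rather than commands quoted from it:

```python
import re
from collections import defaultdict

# Each rule: (name, regex over the command line). Case-insensitive, because the
# page's own examples mix case (e.g. "recoveryenabled No").
RULES = [
    ("vss_delete",       r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("vss_resize",       r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b"),
    ("wbadmin_catalog",  r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    ("bcdedit_recovery", r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"),
    ("ps_shadow_delete", r"\bpowershell.*Win32_ShadowCopy.*(Delete|Remove)"),  # assumed form
    ("wevtutil_clear",   r"\bwevtutil(\.exe)?\s+cl\s+\S+"),                    # assumed form
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

# Constructed process-creation records in a simple key=value line format.
LINE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>[^"]*)"$')
SAMPLE_LOG = """\
2021-03-14T02:11:05Z host=WS-07 user=j.doe cmd="vssadmin.exe delete shadows /all /quiet"
2021-03-14T02:11:06Z host=WS-07 user=j.doe cmd="wbadmin delete catalog -quiet"
2021-03-14T02:11:07Z host=WS-07 user=j.doe cmd="bcdedit /set {default} recoveryenabled No"
2021-03-14T02:11:09Z host=WS-07 user=j.doe cmd="cmd.exe /c wevtutil cl System"
2021-03-14T02:15:40Z host=FS-01 user=svc-backup cmd="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"
2021-03-14T02:20:00Z host=WS-12 user=a.smith cmd="powershell.exe -NoProfile Get-Date"
"""


def parse_log(text: str):
    """Turn the key=value lines into dicts; unparseable lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            records.append(m.groupdict())
    return records


def match_rules(cmd: str):
    """Names of all rules whose pattern appears in one command line."""
    return [name for name, rx in COMPILED if rx.search(cmd)]


def hits_per_host(records):
    """Map host -> sorted set of distinct rule names that fired on it."""
    seen = defaultdict(set)
    for rec in records:
        for name in match_rules(rec["cmd"]):
            seen[rec["host"]].add(name)
    return {host: sorted(names) for host, names in seen.items()}


def alert_hosts(records, threshold: int = 2):
    """Hosts where at least `threshold` distinct recovery-inhibition rules fired.
    A single vssadmin resize can be legitimate admin work; several different
    techniques in a row on one host is the pre-encryption pattern."""
    return sorted(h for h, names in hits_per_host(records).items() if len(names) >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, names in hits_per_host(recs).items():
        print(f"{host}: {', '.join(names)}")
    print("alert:", alert_hosts(recs))
```

Wire `match_rules` to your SIEM’s process-creation feed (Sysmon Event ID 1 or Security 4688 with command-line auditing) and treat any host crossing the threshold as an isolation candidate; a single hit is worth a ticket, a cluster is worth pulling the network cable.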