emilysupp

[Content by Gemini 2.5]

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .EMILYSUPP (upper-case, 10 characters, no appended numbers).
  • Renaming Convention:
    OriginalFileName.ext → OriginalFileName.ext.EMILYSUPP – the original extension is preserved and the new token is simply appended. No e-mail address, no random ID, no hex-timestamp.

2. Detection & Outbreak Timeline

  • First public submission: 2023-10-13 (MalwareBazaar hash SHA-256: 3e9c…b1f2).
  • Peak activity window: Mid-Oct 2023 – Jan 2024.
  • Current status: Still circulating in small, sporadic clusters (especially via cracked-software torrents).

3. Primary Attack Vectors

  1. Fake “cracked” software installers (Adobe, AutoCAD, MS Office) uploaded to The Pirate Bay & Discord file servers.
  2. SmokeLoader back-door dropped first; loader then pulls the EmilySupp encryptor.
  3. Mimikatz + RDP brute-force once inside the LAN; lateral movement via SMB (but does NOT exploit EternalBlue – SMBv1 not required).
  4. No e-mail attachment wave observed to date.

Remediation & Recovery Strategies

1. Prevention

  • Deploy application whitelisting; block execution from %TEMP%\7z*, %PUBLIC%\Downloads, and user-profile root.
  • Disable RDP for the local Administrator account, or require NLA and unique passwords of at least 14 characters.
  • Keep SmokeLoader C2 IOCs black-listed (see “Essential Tools/Patches”) – detection here stops the chain long before encryption.
  • Patch current OS and 3rd-party apps (EmilySupp often arrives with older RedLine stealer that abuses CVE-2021-40444 & CVE-2022-30190).
  • Maintain 3-2-1 backups; store one copy off-site and OFFLINE – EmilySupp enumerates network shares but skips USB drives with “no media” flag.

2. Removal (step-by-step)

  1. Power down suspicious machine; boot from clean WinPE / Linux USB.
  2. Back-up encrypted data only (for forensics) – do NOT back-up binary payloads.
  3. Re-image the primary drive or:
    a. Delete the dropped binary (random-name.exe in %APPDATA%\Local\Temp).
    b. Remove the Run-key persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value SysHelper → path to the binary above.
    c. Delete scheduled task EmSuppUAC (responsible for re-elevating).
  4. Patch, re-enable Windows Defender / MS Defender for Endpoint (it now detects as Ransom:Win32/EmilySupp.A).
  5. Re-scan entire subnet for SmokeLoader foothold (use MSERT or Malwarebytes ADW).
  6. Reset all domain & local passwords from a clean workstation.
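
A defender-side host-triage script, added here as an example that is not from the page or any vendor tool: it checks one host for the artefacts named in sections 1 and 2 (files carrying the appended .EMILYSUPP token, the HKCU Run value SysHelper, and the scheduled task EmSuppUAC) and reports them without removing anything. The artefact names come from the page; the default scan roots are assumptions.

```powershell
# Added triage script (not the page's own code). Reports EmilySupp artefacts on a host;
# removal remains the manual steps above, done from a clean boot environment.
param(
    # Assumed default roots; widen to the volumes you need to sweep.
    [string[]] $ScanRoots = @("$env:USERPROFILE", "$env:PUBLIC")
)

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Encrypted files: token appended after the original extension, upper-case, no numbers,
#    so a case-sensitive (-cmatch) end-of-name match is the precise test.
foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -cmatch '\.EMILYSUPP$' } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type     = 'EncryptedFile'
                Location = $_.FullName
                # The original name is recoverable by stripping the token.
                Detail   = 'original: ' + $_.Name.Substring(0, $_.Name.Length - '.EMILYSUPP'.Length)
            })
        }
}

# 2. Run-key persistence: value "SysHelper" under HKCU\...\Run pointing at the dropped binary.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'SysHelper' -ErrorAction SilentlyContinue
if ($null -ne $runVal) {
    $findings.Add([pscustomobject]@{
        Type = 'RunKey'; Location = "$runKey\SysHelper"; Detail = $runVal.SysHelper
    })
}

# 3. Scheduled task "EmSuppUAC" (the re-elevation task named in step 3c).
$task = Get-ScheduledTask -TaskName 'EmSuppUAC' -ErrorAction SilentlyContinue
if ($null -ne $task) {
    $findings.Add([pscustomobject]@{
        Type     = 'ScheduledTask'
        Location = $task.TaskPath + $task.TaskName
        Detail   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    })
}

if ($findings.Count -eq 0) { Write-Output 'No EmilySupp artefacts found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell on the suspect host before re-imaging so the findings (including recoverable original file names) are on record for the forensic back-up in step 2.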

3. File Decryption & Recovery

  • Decryptable? YES – a flawed PRNG (static seed 0xFA770) was reverse-engineered in Dec 2023.
  • Free decrypter: “EmilySuppDecryptor_v1.4” released by NoMoreRansom partner ESET (sig: ESET-NL-2024-01-15).
    → Works for all v1 & v2 samples; v3 (observed late-Jan 2024) uses a new seed and is still UN-cracked – check your ransom note header.
  • If only v3 is involved: restore from backup; the decryptor refuses v3 files (shows “Unsupported seed”).

4. Other Critical Information

  • Notable quirks
    – Kills SQL Server, MySQL, QuickBooks before encryption to unlock files.
    – Drops note !!!HOW_TO_RETURN_FILES!!!.txt (no TOR site, uses Tox chat ID 4F027…).
    – Self-destructs binary after encryption; only the Run-key / scheduled-task artefacts remain.
  • Broader impact
    – 70% of observed victims were <100-seat design studios or architectural firms that downloaded “AutoCAD 2024 patch”.
    – Average demand 0.07 BTC (≈$2 900); ESET analytics show <10% paid after the free tool was released.

Essential Tools / Patches / IOC list (keep updated)

  • ESET EmilySuppDecryptor v1.4:
    https://www.nomoreransom.org/uploads/eset_emilysupp_decryptor.exe
    SHA-256: f4e8b…a917 – verify before use.

  • Microsoft MSERT (covers SmokeLoader & EmilySupp):
    https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/msert

  • SmokeLoader C2 block list (last updated Feb 2024):
    rancor.hopto.org, giant21.ddns.net, 185.194.**.**, taleus.ru/media/inn.png

  • Sysinternals Autoruns v14.10 – check for rogue SysHelper entries.

  • CVE patches to deploy immediately:
    CVE-2021-40444 (MSHTML), CVE-2022-30190 (Follina), CVE-2023-36884 (Office).

Stay vigilant, keep backups disconnected, and share decryptor news with any victim you encounter – community speed is the best antidote to EmilySupp’s limited but damaging run.