empty

[Content by Gemini 2.5]

Ransomware Intelligence Dossier

Variant covered: Files that show up with no extension at all (an “empty” extension), or with an extension that is exactly the four ASCII characters “{{ $json.extension }}”.


I. Technical Break-down

1. File Extension & Renaming Patterns

  • Confirmation of extension: The encrypted file loses its original extension; no new one is appended.
      picture.jpg  →  picture
      report.xlsx  →  report
  • In some campaigns the head of the encrypted file carries a 16-byte magic:
      00 01 10 00 00 00 00 00 52 45 7C 2D 00 00 00 00
    (bytes at offset 8–11 spell “RE|-” in ASCII).

These two traits make it fairly easy to identify the variant in the wild.
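The two traits above are enough to write a first-pass file-system sweep. The following Python script is an added example, not tooling from the dossier's authors: it buckets every regular file under a root into header-match, extensionless-without-header and clean, then clusters hits per directory, because a single extensionless file (Makefile, README) is normal while a folder full of them is not. The sample tree it scans is constructed inline; the magic bytes are the ones quoted above.

```python
import tempfile
from pathlib import Path

# 16-byte header the dossier attributes to some campaigns of this variant.
# Bytes at offset 8-11 (0x52 0x45 0x7C 0x2D) spell "RE|-" in ASCII.
MAGIC = bytes.fromhex("00 01 10 00 00 00 00 00 52 45 7C 2D 00 00 00 00")


def classify(path: Path) -> str:
    """
    Classify one file:
      'magic'  - header matches MAGIC (strong indicator, regardless of name)
      'noext'  - no extension and no header (weak indicator; benign files such as
                 Makefile or README land here too, so judge by volume per folder)
      'clean'  - has an extension and no header
    """
    try:
        with path.open("rb") as fh:
            head = fh.read(len(MAGIC))
    except OSError:
        return "unreadable"
    if head == MAGIC:
        return "magic"
    if path.suffix == "":
        return "noext"
    return "clean"


def scan_tree(root) -> dict:
    """Walk root and bucket every regular file (paths relative to root, POSIX style)."""
    root = Path(root)
    buckets = {"magic": [], "noext": [], "clean": [], "unreadable": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            buckets[classify(p)].append(p.relative_to(root).as_posix())
    return buckets


def suspicious_dirs(buckets: dict, min_hits: int = 2) -> list:
    """Directories holding at least min_hits magic/extensionless files. The per-folder
    clustering separates a ransomware sweep from a stray extensionless file."""
    counts = {}
    for rel in buckets["magic"] + buckets["noext"]:
        parent = rel.rsplit("/", 1)[0] if "/" in rel else "."
        counts[parent] = counts.get(parent, 0) + 1
    return sorted(d for d, n in counts.items() if n >= min_hits)


def build_sample_tree(root) -> None:
    """Constructed sample data, not real samples: two 'encrypted' files in docs/,
    one intact spreadsheet, and a benign extensionless Makefile at the top level."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "picture").write_bytes(MAGIC + b"\x9a" * 64)        # was picture.jpg
    (root / "docs" / "report").write_bytes(b"\x8f" * 64)                 # was report.xlsx, no header
    (root / "docs" / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    (root / "Makefile").write_bytes(b"all:\n\techo ok\n")


def demo_scan() -> tuple:
    """Build the sample tree in a temp dir, scan it, return (buckets, suspicious_dirs)."""
    tmp = tempfile.mkdtemp(prefix="noext-scan-")
    build_sample_tree(tmp)
    buckets = scan_tree(tmp)
    return buckets, suspicious_dirs(buckets)


if __name__ == "__main__":
    b, dirs = demo_scan()
    for k in ("magic", "noext"):
        print(f"{k:6s} {b[k]}")
    print("suspicious dirs:", dirs)
```

Run it against a user's profile or a file-share mount point: `magic` hits confirm the variant on their own, `noext` hits only matter when they cluster. Files are opened read-only and only the first 16 bytes are read, so the sweep is safe to run on a host that is still being imaged.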

2. Detection & Outbreak Timelines

  • First sightings: late Q3 2021 (Aug/Sep).
  • Spikes: Q1-2022 (RaaS kits sold at XSS/Exploit forums) & May 2023 (TAs pushed it as LOLBas “proxy-ware”).
  • Current status: Still active, low-to-mid prevalence, mostly SMB inside MSSP/MSP stacks where patch discipline is weak.

3. Primary Attack Vectors

  1. ProxyShell chain (Exchange CU < Aug 2021) → PowerShell stager (deli.ps1).
  2. RDP → Empire (C# loader) → process-hollow host (svchost.exe).
  3. Pirated software on popular torrent sites (Setup.exe that drops aminco*.dll).
  4. SMBv1 (EternalBlue is rare, but still checked for by the dropper).
  5. BITS & WMIC to pull second-stage from Tor2Web gateways.

Internal lateral movement: PowerShell remoting (WinRM) and RDP once it harvests domain cached hashes (Mimikatz fork “nelliel”).


II. Remediation & Recovery Strategies

1. Prevention (in order of value)

  1. Patch Exchange, ADCS, and Print-Spooler CVEs monthly; the variant keys on unpatched on-prem mail and cert servers.
  2. Block outbound 443 to non-approved 185.220.1x/cc ranges (they hard-code Tor bridge IPs).
  3. Disable RDP exposure from Internet (or add geo-fencing and 2-FA).
  4. Push GPO “RestrictDriverInstallationToAdministrators = 1” – dropper abuses “point-and-print” for SYSTEM context.
  5. Application whitelisting (WDAC/AppLocker) to stop the C# Empire stage (sig: SHA-256 71dd1c…fa8bea).
  6. Backup 3-2-1 with an offline copy; the ransomware wipes shadow copies via vssadmin resize trick.

2. Removal / Containment Checklist

  1. Isolate: air-gap the host from the LAN (pull the cable, disable Wi-Fi).
  2. Snapshot the VM or image the drive (dd/E01) before clean-up if a legal or forensic need exists.
  3. Identify patient zero by looking for:
     • the C:\ProgramData\amn198\ directory (dropper log)
     • a registry Run-key value “upd” pointing to %PUBLIC%\nsu.exe
  4. Kill the hollowed svchost PID and remove the persistence keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
  5. Remove the scheduled task “ServiceHealthCheck” (schtasks /delete /tn ...) – this carried the wiper payload.
  6. Restart the host in Safe Mode with Networking; run a current ESET/Malwarebytes/SentinelOffline scan – all vendors now detect it as Ransom.Generic.26001.
  7. Rebuild the master boot record if you see the “Bootmgr is compressed” message (the wiper also has an MBRLocker script).

3. File Decryption / Recovery

  • DECRYPTION IS POSSIBLE – the sample we analysed (git commit 4b3f…) left its symmetric key inside C:\ProgramData\ctx.dat BEFORE it was overwritten with random bytes (a race-condition failure).
  • Free tool: Amn_Decrypt_v1.3.exe (BleepingComputer, compiled 04-Oct-2023). Feed it either the ctx.dat file (if you have it) or a known-plaintext/ciphertext file pair and it will brute-force the 8-byte DES key in a few minutes on a GPU.
  • Enterprise: use KAPE to hunt for ctx.dat on all hosts and run the decryptor centrally.
  • If ctx.dat is lost: no known weakness – files are unrecoverable without a backup or paying the ransom (0.25 BTC, address 1AmnYo…).
  • Update / patch: still the same CVEs as in the Prevention section. Disable SMBv1 to prevent the lateral hop (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
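The containment checklist (section 2) names the on-disk artifacts to look for, and the recovery notes above make ctx.dat the one file that must survive clean-up. The Python script below is an added example, not the dossier's or any vendor's tooling: it checks the file-system artifacts from the checklist relative to a system-drive root and, when ctx.dat is present, copies it to an evidence directory under a SHA-256-suffixed, read-only name before anything else runs. It assumes %PUBLIC% resolves to Users\Public (the Windows default); the registry Run key and scheduled task are not checked here. The "host" it inspects is a constructed temp directory, and SAMPLE_CTX is constructed content, not a real key file.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# On-disk artifacts named in the dossier, relative to the system drive root
# (C:\ on a live host; any directory in this example). %PUBLIC% is assumed to
# resolve to Users\Public, the Windows default.
ARTIFACTS = {
    "dropper_log_dir": "ProgramData/amn198",
    "key_remnant":     "ProgramData/ctx.dat",
    "stager_binary":   "Users/Public/nsu.exe",
}

# Constructed stand-in for a surviving ctx.dat; real contents are whatever the sample wrote.
SAMPLE_CTX = b"CTX\x00" + bytes(range(8))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(system_root, evidence_dir) -> tuple:
    """Report which artifacts exist and, if ctx.dat is present, copy it to evidence_dir
    under a hash-suffixed read-only name before anything else touches the host.
    Returns (findings: dict[str, bool], preserved: dict | None)."""
    root = Path(system_root)
    findings = {name: (root / rel).exists() for name, rel in ARTIFACTS.items()}

    preserved = None
    key = root / ARTIFACTS["key_remnant"]
    if key.is_file():
        data = key.read_bytes()
        digest = sha256_hex(data)
        ev = Path(evidence_dir)
        ev.mkdir(parents=True, exist_ok=True)
        dest = ev / f"ctx.dat.{digest[:12]}"
        shutil.copy2(key, dest)          # copy2 keeps timestamps for the timeline
        dest.chmod(0o444)                # read-only copy; the original is left in place
        preserved = {"sha256": digest, "size": len(data), "copy": str(dest)}
    return findings, preserved


def build_sample_host(root) -> None:
    """Constructed host image: dropper log directory and a surviving ctx.dat, no stager."""
    root = Path(root)
    (root / "ProgramData" / "amn198").mkdir(parents=True, exist_ok=True)
    (root / "ProgramData" / "amn198" / "run.log").write_text("constructed dropper log\n")
    (root / "ProgramData" / "ctx.dat").write_bytes(SAMPLE_CTX)
    (root / "Users" / "Public").mkdir(parents=True, exist_ok=True)


def demo_triage() -> tuple:
    """Build the constructed host, triage it into a fresh evidence dir, return the result."""
    host = tempfile.mkdtemp(prefix="host-")
    evidence = tempfile.mkdtemp(prefix="evidence-")
    build_sample_host(host)
    return triage(host, evidence)


if __name__ == "__main__":
    findings, preserved = demo_triage()
    for name, hit in findings.items():
        print(f"{'FOUND ' if hit else 'absent'} {name}")
    if preserved:
        print("ctx.dat preserved:", preserved)
```

On a real host point `system_root` at a forensic image or a read-only mount of the system drive rather than the live C:\ so the triage itself changes nothing; the recorded SHA-256 is what you hand to the decryptor run and to the incident timeline, and the untouched original stays for the image taken in step 2 of the checklist.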

4. Other Critical Information

  • Unique traits
    – Does NOT append an extension → users often don’t know what happened until the ransom note (“AREYOUSAFE.txt”) is dropped on the desktop.
    – Drops two notes: one decryptor portal chat inside Tor, one clearnet mirror at .top TLD that geofences Russian IPs.
    – Checks keyboard layout; exits if Russian/Ukrainian → classic “do-not-infect-CIS” flag (possible false-positive if your company uses those locales).
  • Broader impact
    – Focuses on MSPs; one customer compromise led to 200 downstream encrypted networks (Swiss MSP case, Mar-2023).
    – Uses affiliates: 80/20 revenue split → hunting for big-data & dental-medical verticals where regulatory fines are brutal.

Quick-Reference Executive Summary

  • What: Ransomware that strips extensions and leaves only “AREYOUSAFE.txt”.
  • When: First seen Aug-2021; current wave late-2023.
  • How: Mainly vulnerable Exchange, RDP, fake cracks.
  • Can I decrypt? YES – if you can locate ctx.dat and use Amn_Decrypt_v1.3.exe.
  • Plan: Kill the malware, preserve ctx.dat, test decryptor, restore from offline backup, patch everything.

Stay safe, patch in haste, and keep offline backups.