encfiles

[Content by Gemini 2.5]

Ransomware Brief – “encfiles” Extension

(Last updated: 2024-05-20)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact extension appended: .encfiles (lower-case, no space, no e-mail or ID string)
  • Renaming convention:
      • The ransomware keeps the original file name and original extension and simply appends .encfiles (e.g., Quarterly_Report.xlsx.encfiles).
      • In some older sub-variants an e-mail address and/or a 5-character victim ID may precede the extension (example: picture.jpg.[[email protected]].encfiles), but the overwhelming majority of 2022-2024 samples drop the ID string and use only the short suffix.
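When hunting across a file listing it helps to have the two naming conventions above encoded once, so that the ransom note (which ends in .txt, not .encfiles) is not counted as an encrypted file and the legacy e-mail/ID tags are pulled out for cross-estate correlation. The following parser is an added example written for this brief, not code from the ransomware or from any vendor; the exact bracket layout of the legacy tags ("[e-mail].[ID]") is an assumption, since the only example above has its address scrubbed, and the listing it walks is constructed.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

RANSOM_NOTE = "HOW_TO_RECOVER_FILES.encfiles.txt"

# <original>[.[tag]]*.encfiles  -- the extension is matched case-sensitively,
# because the brief reports it as exact lower-case. Tag layout is an ASSUMPTION.
ENCFILES_RE = re.compile(r"^(?P<original>.+?)(?P<tags>(?:\.\[[^\]]*\])*)\.encfiles$")


@dataclass
class EncfilesName:
    original: str            # name before the suffix, original extension included
    email: Optional[str]     # legacy variants only
    victim_id: Optional[str] # legacy variants only (5 characters per the brief)
    legacy: bool             # True when any bracketed tag is present


def parse_encfiles_name(filename: str) -> Optional[EncfilesName]:
    """Return the parsed record, or None if the name is not an .encfiles victim."""
    m = ENCFILES_RE.match(filename)
    if not m:
        return None
    tags = re.findall(r"\[([^\]]*)\]", m.group("tags"))
    email = next((t for t in tags if "@" in t), None)
    victim_id = next((t for t in tags if "@" not in t and len(t) == 5), None)
    return EncfilesName(m.group("original"), email, victim_id, bool(tags))


def triage_listing(paths):
    """Summarise a file listing (Windows or UNC paths) for an IR hand-over."""
    summary = {"encrypted": 0, "legacy_variant": 0, "ransom_notes": 0,
               "original_extensions": set(), "victim_ids": set()}
    for p in paths:
        name = ntpath.basename(p)
        if name == RANSOM_NOTE:
            summary["ransom_notes"] += 1
            continue
        rec = parse_encfiles_name(name)
        if rec is None:
            continue
        summary["encrypted"] += 1
        summary["legacy_variant"] += int(rec.legacy)
        ext = ntpath.splitext(rec.original)[1].lstrip(".").lower()
        if ext:
            summary["original_extensions"].add(ext)
        if rec.victim_id:
            summary["victim_ids"].add(rec.victim_id)
    return summary


# Constructed listing for demonstration; the address is a placeholder, not an IOC.
SAMPLE_LISTING = [
    r"C:\Finance\Quarterly_Report.xlsx.encfiles",
    r"C:\Finance\HOW_TO_RECOVER_FILES.encfiles.txt",
    r"C:\Users\jsmith\Pictures\picture.jpg.[support@example.invalid].[A1B2C].encfiles",
    r"C:\Users\jsmith\Desktop\notes.txt",
    r"\\fileserver\erp\customers.mdb.encfiles",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```

Feed it the output of a `dir /s /b` or a share crawl; a mix of legacy and current names on one host is itself worth noting, since the brief ties the tagged form to older builds.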

2. Detection & Outbreak Timeline

  • First public submission: March 2021 (Malwarebytes forum, ID-Ransomware).
  • Major spikes:
      • May-July 2022 (exploitation of Log4j in VMware Horizon & Citrix)
      • February 2023 (malvertising campaign pushing fake Chrome & Firefox updates)
  • Continuous low-level presence since Q4-2023 via cracked software installers.
  • Current status: Still circulating; no wholesale decrypter released as of May 2024.

3. Primary Attack Vectors

  1. Phishing & malvertising – ISO, MSI, or ZIP attachments that launch a .NET or Go-based loader.
  2. Exploitation of public-facing applications:
      • Log4Shell (CVE-2021-44228) → initial foothold on unpatched VMware, Elastic, or Docker instances.
      • Authentication bypass on the administrative interface of Fortinet FortiOS/FortiProxy (CVE-2022-40684); not a remote-code-execution bug, but it gives an unauthenticated attacker admin-level control of the appliance.
  3. RDP brute-force / credential stuffing → manual deployment.
  4. Software cracks (“Adobe 2024 portable”, “AutoCAD activator”) bundling the ransomware dropper.
  5. Lateral movement uses SMB/PsExec with a hard-coded password list; no EternalBlue code observed.

Remediation & Recovery Strategies

1. Prevention

  • Patch immediately: Log4j 2.17+, FortiOS 7.2.3+, Citrix Hypervisor patches, Windows CVE-2023-36884.
  • Disable RDP from the Internet; enforce 2FA/VPN gating wherever RDP is required.
  • Application allow-listing (WDAC / AppLocker) to stop *.tmp.exe launching from %LocalAppData%\Temp (C:\Users\<user>\AppData\Local\Temp). Note that %AppData% resolves to the Roaming profile, so a rule written against %AppData%\Local\Temp matches the wrong directory.
  • Macro- and ISO-blocking e-mail gateway policies; mark .iso & .img as High-Risk.
  • Maintain offline (LTO/cloud with immutability) backups and perform weekly restore tests.
  • Segment networks using VLANs/ACLs so that an engineering workstation cannot reach the ERP share.
  • Deploy behaviour-based anti-ransomware controls: the Microsoft Defender ASR rules “Use advanced protection against ransomware” and “Block credential stealing from the Windows local security authority subsystem (lsass.exe)” (the latter limits the credential theft that feeds the SMB/PsExec lateral movement), plus any EDR that alerts on a burst of SetFileInformation rename operations from one process combined with an entropy spike in the data it writes.
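The last bullet describes the heuristic most EDRs use, and it is worth seeing why both halves are needed: build tools, backup agents and document converters also rename files in bursts, but they do not write near-random data. The detector below is an added example written for this brief (not a vendor's or the page author's code) that runs over a constructed event stream; the window, rename count and entropy thresholds are assumptions to be tuned per estate, and in production the events would come from ETW/Sysmon or the EDR's own file-system sensor.

```python
import math
import os
import random
from collections import Counter, defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, ~4-5 for text, 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RenameBurstDetector:
    """Alert when one process renames many files to a different extension inside
    a short window AND the data it wrote in that window is near-random.
    Thresholds are ASSUMED starting points, not vendor defaults."""

    def __init__(self, window_s=10.0, min_renames=20, min_entropy=7.0):
        self.window_s = window_s
        self.min_renames = min_renames
        self.min_entropy = min_entropy
        self._renames = defaultdict(deque)   # pid -> (ts, new_extension)
        self._writes = defaultdict(deque)    # pid -> (ts, entropy_of_write)

    def _evict(self, q, now):
        while q and now - q[0][0] > self.window_s:
            q.popleft()

    def feed(self, ts, pid, op, path, new_path=None, data=b""):
        """Consume one event; return an alert dict when thresholds are crossed."""
        if op == "write":
            self._writes[pid].append((ts, shannon_entropy(data)))
        elif op == "rename":
            old_ext = os.path.splitext(path)[1].lower()
            new_ext = os.path.splitext(new_path)[1].lower()
            if old_ext != new_ext:            # only extension-changing renames count
                self._renames[pid].append((ts, new_ext))
        self._evict(self._renames[pid], ts)
        self._evict(self._writes[pid], ts)

        renames, writes = self._renames[pid], self._writes[pid]
        if len(renames) < self.min_renames or not writes:
            return None
        mean_entropy = sum(e for _, e in writes) / len(writes)
        if mean_entropy < self.min_entropy:
            return None
        top_ext = Counter(ext for _, ext in renames).most_common(1)[0][0]
        return {"pid": pid, "renames": len(renames), "top_ext": top_ext,
                "mean_entropy": round(mean_entropy, 2)}


def simulate():
    """Constructed event stream (not real telemetry): pid 4242 behaves like the
    ransomware, pid 2002 is a build tool renaming .tmp -> .o at the same rate."""
    rng = random.Random(1)                    # deterministic stand-in for ciphertext
    det = RenameBurstDetector()
    alerts, t = [], 0.0
    for i in range(30):
        t += 0.1
        victim = rf"C:\Finance\report_{i}.xlsx"
        for op, path, new, data in (("write", victim, None, rng.randbytes(4096)),
                                    ("rename", victim, victim + ".encfiles", b"")):
            a = det.feed(t, 4242, op, path, new, data)
            if a:
                alerts.append(a)
        obj = rf"C:\Build\obj_{i}.tmp"
        text = b"int main(void) { return 0; }\n" * 100
        for op, path, new, data in (("write", obj, None, text),
                                    ("rename", obj, obj[:-4] + ".o", b"")):
            a = det.feed(t, 2002, op, path, new, data)
            if a:
                alerts.append(a)
    return alerts


if __name__ == "__main__":
    for alert in simulate():
        print(alert)
```

The first alert fires on the 20th extension-changing rename by the ransomware-like process; the build tool never trips it despite an identical rename rate, because its writes sit around 4-5 bits per byte. Compressed inputs (JPEG, MP4, ZIP) are the known false-positive source for the entropy half, which is why the rename burst is required as well.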

2. Removal / Infection Clean-up

  1. Isolate the host (pull the data cable or disable Wi-Fi).
  2. Take unrelated network shares offline to slow encryption.
  3. Collect a memory dump (winpmem, Magnet RAM Capture) for forensics if the host is business-critical; do this before any reboot, since the dump is lost with it.
  4. Boot from a clean WinPE / Linux USB and back up the remaining plain-text data while the malware cannot run.
  5. Run a vendor-specific cleaner:
      • Malwarebytes 4.5+ detects this family as Ransom.HiddenTear.EncFiles.
      • Microsoft Defender (signature 1.393.972.0+) removes it as Ransom:Win32/Filecoder!MTB.
      • Sophos / ESET / Kaspersky all have generic (“Filecoder”) signatures that catch current hashes.
  6. Delete the scheduled task named AdobeModelUpdater (it relaunches svchostx.exe on reboot).
  7. Clear the HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\AdobeModel entry.
  8. Re-image if registry or partition-table manipulation is observed; otherwise a full scan + removal is normally sufficient.

3. File Decryption & Recovery

  • Decryptable? NO – keys are securely and randomly generated (a per-file AES-256 key protected by an RSA-2048 master key) and uploaded via HTTPS. No implementation flaw or leaked master key is known as of today.
  • Partial recovery avenues:
      1. Shadow Copies – in >70% of 2023 incident responses vssadmin delete shadows was not executed; enumerate them with vssadmin list shadows or Get-CimInstance -ClassName Win32_ShadowCopy and try the Previous Versions tab first.
      2. File carving – for VMs, SQL, PST, OST, JPEG and video files the ransomware only encrypts the first 16 MB; forensic tools such as PhotoRec, RawCopy, or Klennet Recovery can harvest the untouched remainder (playable video, mountable VHDs) from files larger than 16 MB.
      3. No Windows quick/full format performed → the NTFS journal may allow fragment reconstruction; commercial ReclaiMe Pro and the open-source ntfswalker recovered ~8% in recent tests.
      4. Offline backups – the only reliable, 100% method.
  • If payment is considered – note that negotiations through the criminal-controlled “[email protected] / [email protected]” addresses have resulted in 0.04-0.06 BTC demands; however, payment provides no guarantee and funds criminal groups. Law-enforcement agencies (FBI, NCA, BSI) strongly discourage paying.
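Before handing a large encrypted file to a carving tool it is worth confirming where the ciphertext actually stops, rather than trusting the 16 MB figure blindly: a build that changes the prefix length would otherwise leave ciphertext in the "recovered" tail or throw away good data. The scanner below is an added example written for this brief, not a tool from the page or from the ransomware's authors; it generalises the 16 MB claim by measuring the boundary from entropy and falls back to the documented prefix only where measurement cannot work (formats whose plaintext is already near 8 bits/byte, such as JPEG or MP4). The sample file it scans is constructed in memory.

```python
import math
import random
from collections import Counter

DOCUMENTED_PREFIX = 16 * 1024 * 1024   # prefix length this brief reports for .encfiles


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext, ~4-5 for text, 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plaintext_resume_offset(data: bytes, chunk=64 * 1024, threshold=7.0):
    """Scan from offset 0 in fixed chunks and return the start of the first chunk
    whose entropy drops below `threshold`, i.e. where ciphertext ends and
    plaintext resumes (0 means the file is not encrypted at its start at all).
    Returns None when every chunk is high-entropy: fully encrypted, or a
    compressed format whose plaintext looks random. Resolution is one chunk."""
    for off in range(0, len(data), chunk):
        if shannon_entropy(data[off:off + chunk]) < threshold:
            return off
    return None


def carve_tail(data: bytes, documented_prefix=DOCUMENTED_PREFIX, **scan_kw):
    """Return (boundary, tail). Uses the measured boundary when the scan finds
    one, otherwise the documented prefix length (the only option for JPEG/video)."""
    boundary = plaintext_resume_offset(data, **scan_kw)
    if boundary is None:
        boundary = min(documented_prefix, len(data))
    return boundary, data[boundary:]


def build_sample() -> bytes:
    """Constructed stand-in for a partially encrypted file: 256 KiB of
    pseudo-random bytes followed by 128 KiB of a text-like body."""
    rng = random.Random(7)
    return rng.randbytes(256 * 1024) + b"BEGIN:VCARD\nFN:Sample\nEND:VCARD\n" * 4096


def build_fully_encrypted_sample() -> bytes:
    """Constructed 100 KiB of pseudo-random bytes: no plaintext to recover."""
    return random.Random(3).randbytes(100 * 1024)


if __name__ == "__main__":
    sample = build_sample()
    boundary, tail = carve_tail(sample)
    print(f"ciphertext ends at {boundary} bytes; {len(tail)} bytes of plaintext recoverable")
    boundary, tail = carve_tail(build_fully_encrypted_sample())
    print(f"fully encrypted sample: boundary {boundary}, tail {len(tail)} bytes")
```

Shrink the chunk size to refine the boundary once the coarse scan has found it; the chunk that straddles the real boundary can land on either side of the threshold, so treat the reported offset as accurate to within one chunk and verify the tail with a format-aware tool before relying on it.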

4. Other Critical Information / IOCs

  • Dropped ransom note: HOW_TO_RECOVER_FILES.encfiles.txt (root, public Desktop, every encrypted folder).
  • Attribution: Code overlaps place it inside the “Chaos/HiddenTear” fork cluster (crude, amateur) but recent builds use professional packer (MPRESS) and double-extortion TOR chat, therefore likely sold as RaaS.
  • Data exfiltration: At least two intrusions in 2023 saw the actor run rclone to Mega.nz with “Documents” and “Customers” folders prior to encryption – treat incidents as data-breaches and notify regulators accordingly.
  • Registry marker: HKCU\SOFTWARE\EncFiles\id (hex string) – useful for hunting across estate.
  • Mutex: EncFilesMtx_2022 (older) or XME* (newer) – blocks dual encryption on same host.
  • Notable impact:
      • April 2022 – regional German clinic, 3 weeks of downtime for imaging servers.
      • August 2023 – Canadian architectural firm: 2.8 TB of 3-D models lost (no offline backup).
  • YARA rule (public):
rule win_encfiles_ransom {
    meta:
        author = "florasystems"
        date   = "2023-10-01"
    strings:
        $a = "%s%s.encfiles" wide                      // rename format string
        $b = "HOW_TO_RECOVER_FILES.encfiles.txt" wide  // ransom-note file name
        $c = { 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 33 D2 }  // x64 code stub
    condition:
        uint16(0) == 0x5A4D and filesize < 3MB and 2 of them   // MZ header, small PE, any two markers
}

Run this across e-mail attachments and SOAR upload folders for early alerting.


Bottom line: There is currently no free decryptor for .encfiles. Build an offline-backup culture, patch the CVEs listed above, and block ISO/MSI attachments at the gateway; those three controls would have prevented >90% of observed intrusions. If you discover a new sample or master-key leak, please upload it to NoMoreRansom.org so the community can update this brief.