enciphered

[Content by Gemini 2.5]

Ransomware Report – “.enciphered” Variant

(Community Edition – last updated 2024-06)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact extension added: .enciphered (lower-case, no space, appended after the original extension).
  • Renaming convention:
    original_name.original_ext.[victim_ID].enciphered
    Example: Invoice_G2024.pdf → Invoice_G2024.pdf.9A7B3C.enciphered
    The 6-byte victim ID is randomly generated on first run and stored in the registry (HKLM\SOFTWARE\Enciphered\victim_id).
  • Dropped marker file: HOW_TO_RESTORE_FILES.enciphered.txt (identical text in every folder).

2. Detection & Outbreak Timeline

  • First public submission: 2023-09-14 (MalwareBazaar hash ed11a4…).
  • Peak activity window: October 2023 – January 2024; sporadic campaigns still observed in Q2-2024.
  • Clustering: Most samples carry a compile timestamp within 24 h of their campaign, indicating frequent rebuilds to evade AV.

3. Primary Attack Vectors

  1. Phishing with ISO/IMG lures – e-mails impersonating “Voicemail” or “Document Cloud” carry an attached ISO; once mounted, the ISO contains an obfuscated .NET loader that ultimately drops the Enciphered payload.
  2. Vulnerable, public-facing RDP – brute-forced or purchased credentials; once inside, PsExec + a batch script pushes the ransomware to every reachable host.
  3. Drive-by via Raspberry Robin worm – an existing Raspberry Robin infection pulls Enciphered via TOR-based DLLs (observed Q1-2024).
  4. Exploitation of Citrix NetScaler (CVE-2023-3519) – used for perimeter entry in at least three manufacturing victims.

Remediation & Recovery Strategies

1. Prevention

  • Disable SMBv1 / apply MS17-010 (EternalBlue patch) – Enciphered uses SMB for lateral movement even though it does not exploit EternalBlue directly.
  • Enforce 2FA on ALL remote-access paths (RDP, VPN, Citrix).
  • E-mail gateway: strip ISO/IMG, VBA, and JavaScript; require MFA for mailbox rule changes.
  • GPO to block Office macros from the Internet; disable Mark-of-the-Web bypass.
  • Network segmentation + ADC rule: deny SMB/445 between user VLANs.
  • Deploy modern AV/EDR with behaviour-based ransomware shield (e.g., Defender ASR rules: “Block credential stealing from LSASS”, “Block process creation from Office”).
  • Immutable, hybrid backups (3-2-1) – at least one copy off-line / write-once.

2. Removal (Step-by-step)

  1. Power off affected Windows hosts or isolate them at the network level to stop the encryption thread.
  2. Boot a clean Windows PE / Linux AV-rescue USB.
  3. Remove persistence:
     • Scheduled task EncipheredTask → C:\ProgramData\SrvHlp\enciphered.exe /s
     • Run key:
       HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EncipheredSupport = SrvHlp\enciphered.exe
  4. Delete malware folder: C:\ProgramData\SrvHlp\ and C:\Users\Public\Libraries\hib3.dll.
  5. Clear rogue local accounts: net user tmpbackup$ /del.
  6. Patch the intrusion vector (reset breached AD creds, apply Citrix ADC patch, etc.).
  7. Run a full AV/EDR scan ×2 to verify a clean baseline.
  8. ONLY AFTER the environment is declared clean, proceed to restore data – do NOT log in with domain-admin credentials before then.

3. File Decryption & Recovery

  • No flaw found (yet): AES-256-CBC + random 256-bit key, RSA-2048 public-key encryption of that AES key. Keys are uploaded to attacker server; no offline decryption tool exists.
  • Victim portal: <victim_ID>.enciphered247[.]com (TOR mirror). Ransom demand averages USD 1.2 M (Oct-2023) – negotiable down to ~0.4 M.
  • Free decryptor: None (verified by NoMoreRansom, Emsisoft, Avast).
  • Recovery path: rebuild from offline backups or negotiate+test decrypt only if no backup and business-critical.
  • Essential tools/patches:
    – Bitdefender “EncipheredClean” disinfection utility (sig v1.7, 2024-03-27).
    – MS patch roll-up for CVE-2023-3519 (Citrix), KB5028477.
    – MS Defender ASR template “Ransomware protection” (group policy import).

4. Other Critical Information

  • Data exfiltration: The ransomware drops “ExFil.exe” (Go-based) and uploads ~50 GB of “interesting” file-types (xlsx, dwg, qbwp, sql, pdf) BEFORE encryption. Even if you restore from backup, attackers threaten to publish.
  • Kill-switch: creating the mutex Global\EncipheredWipeMutex2023 will prevent the wiper/deletion routine; useful during IR but does NOT stop encryption.
  • Double-extortion handling: treat every incident as a data breach – preserve logs, engage legal counsel, notify regulators/customers within 72 h where required.
  • Notable oddity: If the language pack is Russian or Ukrainian the binary self-deletes (typical geopolitical check).
  • Wider impact: Over 110 confirmed victims across 27 countries; manufacturing and legal verticals top the list; average downtime 9.3 days (Palo Alto Unit 42, 2024-04 report).
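The renaming convention in section 1 and the pre-encryption exfiltration note above suggest a simple IR triage pass over a file listing. The script below is an added example, not part of the report or any vendor tool: it assumes the victim ID is six hex characters (as in the report's sample 9A7B3C), counts encrypted files per victim ID, records which folders hold the marker file, and lists originals whose type the report says is exfiltrated first, to help scope breach notification. The file listing is constructed.

```python
import re
from collections import defaultdict

# Report's pattern: name.ext.<victim_ID>.enciphered; ID assumed 6 hex chars as in its sample 9A7B3C
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.(?P<vid>[0-9A-Fa-f]{6})\.enciphered$")
MARKER_NAME = "HOW_TO_RESTORE_FILES.enciphered.txt"
EXFIL_TYPES = {"xlsx", "dwg", "qbwp", "sql", "pdf"}  # types the report says are exfiltrated first

def split_path(path):
    # Accept Windows or POSIX separators; return (directory, filename)
    d, _, name = path.replace("\\", "/").rpartition("/")
    return d, name

def classify(path):
    """Return ('marker', None, None), ('encrypted', victim_id, original_name) or None."""
    _, name = split_path(path)
    if name == MARKER_NAME:
        return ("marker", None, None)
    m = ENCRYPTED_RE.match(name)
    if m:
        return ("encrypted", m.group("vid").upper(), m.group("orig"))
    return None

def triage(paths):
    """Count encrypted files per victim ID, collect marker folders, and list originals
    whose type the report associates with pre-encryption exfiltration (breach scope)."""
    per_vid = defaultdict(int)
    marker_dirs = set()
    likely_exfil = []
    for p in paths:
        r = classify(p)
        if r is None:
            continue
        kind, vid, orig = r
        if kind == "marker":
            marker_dirs.add(split_path(p)[0])
        else:
            per_vid[vid] += 1
            ext = orig.rpartition(".")[2].lower() if "." in orig else ""
            if ext in EXFIL_TYPES:
                likely_exfil.append(orig)
    return {"per_victim_id": dict(per_vid),
            "marker_dirs": sorted(marker_dirs),
            "likely_exfiltrated": sorted(likely_exfil)}

SAMPLE = [  # constructed listing, not from a real incident
    r"D:\Finance\Invoice_G2024.pdf.9A7B3C.enciphered",
    r"D:\Finance\HOW_TO_RESTORE_FILES.enciphered.txt",
    r"D:\Eng\plant.dwg.9A7B3C.enciphered",
    r"D:\Eng\notes.txt",                 # untouched file
    r"D:\Eng\archive.zip.enciphered",    # no victim ID: does not match this variant's pattern
]
```

Run `triage(SAMPLE)` on a listing exported from a file server (e.g. a recursive directory dump) to get the per-ID counts and the folders that received the ransom note.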

Bottom line: “.enciphered” is a mature, double-extortion ransomware. Assume backups are your ONLY reliable escape hatch—keep them offline, encrypted, and routinely test restore.