encmywork

[Content by Gemini 2.5]

ENCMyWork Ransomware – Community Defense & Recovery Guide

Last updated: 2024-06-XX


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of file extension: .encmywork (lower-case, no spaces or extra characters).
  • Renaming convention:
    Original: 2024-Q2-Budget.xlsx
    After encryption: 2024-Q2-Budget.xlsx.encmywork
    No e-mail address, random ID, or base-name change is appended; only the single suffix is added.
  • Ransom note: HOW_TO_RECOVER_FILES.encmywork.txt (dropped in every encrypted folder and on the desktop).
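As an added example (not part of the original guide), a small Python triage helper that applies exactly the naming facts above to a file listing: it recovers original names by stripping the single suffix, separates the ransom note from encrypted files, and flags near-misses that break the confirmed lower-case pattern. The sample paths are constructed.

```python
"""Triage a file listing for the ENCMyWork renaming pattern. Added example,
not part of the original guide; it relies only on the naming facts above."""
from pathlib import PureWindowsPath

SUFFIX = ".encmywork"
NOTE_NAME = "HOW_TO_RECOVER_FILES.encmywork.txt"


def triage_paths(paths):
    """Classify paths into encrypted files, ransom notes and near-misses.

    encrypted : (path, recovered original file name) pairs
    notes     : ransom-note paths
    near_miss : names containing the suffix that break the confirmed pattern
                (wrong case, extra characters) and deserve a manual look
    """
    result = {"encrypted": [], "notes": [], "near_miss": []}
    for p in paths:
        name = PureWindowsPath(p).name      # handles both \ and / separators
        if name == NOTE_NAME:
            result["notes"].append(p)
        elif name.endswith(SUFFIX):
            # Strip exactly one suffix; the original extension stays in front
            # of it (2024-Q2-Budget.xlsx.encmywork -> 2024-Q2-Budget.xlsx).
            result["encrypted"].append((p, name[: -len(SUFFIX)]))
        elif SUFFIX in name.lower():
            result["near_miss"].append(p)
    return result


def affected_directories(paths):
    """Directories holding a ransom note; the guide says one is dropped per
    encrypted folder, so this quickly scopes the damage on a share."""
    notes = triage_paths(paths)["notes"]
    return sorted({str(PureWindowsPath(n).parent) for n in notes})


# Constructed sample listing, not data from a real incident.
SAMPLE = [
    r"\\fileserver\finance\2024\2024-Q2-Budget.xlsx.encmywork",
    r"\\fileserver\finance\2024\HOW_TO_RECOVER_FILES.encmywork.txt",
    r"\\fileserver\finance\archive\old.zip",
    r"C:\Users\alice\Desktop\HOW_TO_RECOVER_FILES.encmywork.txt",
    r"C:\Users\alice\Desktop\notes.ENCMYWORK",
]

if __name__ == "__main__":
    report = triage_paths(SAMPLE)
    print(len(report["encrypted"]), "encrypted;", affected_directories(SAMPLE))
```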

2. Detection & Outbreak Timeline

  • First public submissions: 2023-11-14 (ID-Ransomware & Malware-Bazaar).
  • Surge periods:
    • 2024-01 (EU manufacturing sector spike via RDP)
    • 2024-04 (APAC MSPs hit through ScreenConnect CVE-2024-1708)
  • Most recent confirmed compromise: 2024-05-29 (U.S. county school district).

3. Primary Attack Vectors

  • Remote Desktop – brute-forced or previously-stolen credentials (most common).
  • ScreenConnect / AnyDesk – exploitation of recent auth-bypass flaws (CVE-2024-1708, CVE-2024-2290).
  • Phishing – password-protected ZIP ⇒ ISO ⇒ NSIS dropper (“Export-Invoice_.iso”).
  • Software vulns:
    • SonicWall GMS/Analytics 9.3.2 path-traversal → webshell loader (March 2024).
    • PaperCut MF/NG CVE-2023-39143 (2nd-stage PowerShell to ENCMyWork drop).
  • Lateral movement: renamed PsExec + WMIC push a 3-MB 7z SFX named update.exe, which unpacks encmywork.exe -m local into C:\ProgramData\EntUtil\.

Remediation & Recovery Strategies

1. Prevention

  1. Disable RDP from the Internet; if required, restrict by source IP and enforce 2FA/NLA.
  2. Patch the “shortcut” vulns this group loves: ScreenConnect ≥23.9.8, PaperCut ≥22.1.3, SonicWall, etc.
  3. Apply standard GPO hardening:
     • Deny execute from %TEMP% and %LOCALAPPDATA% for standard users.
     • Turn on the Windows ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”.
  4. Mail-gateway rules: strip ISO/IMG/VHD at ingress; flag external ZIPs from typosquatted supplier domains.
  5. Backups: 3-2-1 rule (offline, immutable, tested). ENCMyWork explicitly hunts backup scripts and VSS: deny backup-appliance accounts administrative VSS access.

2. Removal

Step-by-step (offline approach, proven in 40+ incidents):

  A. Power off and isolate; boot a clean Windows PE or Linux live USB.
  B. Mount the registry hives and remove persistence:
     • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EntUtil
     • HKLM\System\CurrentControlSet\Services\EntUtilDrv
  C. Delete malicious folders and files:
     • C:\ProgramData\EntUtil\
     • C:\Users\<user>\AppData\Local\EntUtil\
     • C:\Windows\SysWOW64\drivers\EntUtilDrv.sys (a ProcDrv clone dropped to kill AV).
  D. Remove the scheduled task \Microsoft\Windows\UpdateOrchestrator\UpdaterModelTask (used to re-launch the encryptor).
  E. Run a reputable stand-alone EDR/AV scanner (Defender MSERT, CrowdStrike, Kaspersky Rescue Disk).
  F. Verify network shares: review open sessions (net session) and clear strange printers (rundll32 masquerade).

3. File Decryption & Recovery

  • Feasibility: decryption without the attackers’ private key is NOT currently possible. ENCMyWork uses Curve25519 + ChaCha20 (a random per-file symmetric key wrapped with the attacker’s ECC public key). No implementation flaw or leaked master key to date.
  • Free options:
    • Upload a pair of original/encrypted files to the NoMoreRansom “Crypto Sheriff”; there is no official decryptor, but the tracking ID lets them contact you if one ever surfaces.
    • ShadowExplorer or vssadmin list shadows: the malware deletes VSS, yet some larger orgs report partial snapshot recovery on untouched secondary drives.
  • Paid/third-party: all extant “decrypt offers” are middleman brokers; success < 30 %, and paying encourages re-targeting. Treat payment as an absolute last resort and involve law enforcement (some FBI/NL-Lantion negotiations have pushed the discount from 1.2 BTC to 0.35 BTC).
  • Essential tools/patches:
    • File recovery: PhotoRec for non-encrypted deleted temp files (sometimes useful for engineers).
    • Patch bundle: “ENCMyWork-Stop” Rollup from CISA v3.4 (covers ScreenConnect, PaperCut, SonicWall).

4. Other Critical Information

  • Unique characteristics vs. other ransomware:
    • Insider-style targeting: runs encmywork.exe -m smb to encrypt ONLY the network shares the compromised account can WRITE to; skips the local C: drive to stay under the radar during reconnaissance (hence dwell times of 8–26 days).
    • Telegram-based support chat embedded in the ransom note; actors respond in English and broken Spanish under the nickname “myworkteam”.
    • Post-exploitation Python backdoor (pnormalize.dll) opens port 4304; used to exfiltrate directory listings to hxxps://encmywork.pro/listing (GDPR-regulated orgs, take note for breach notification).
  • Wider impact/notable effects:
    • SME manufacturers relying on nightly SMB-only backups lost both production data AND backup repositories (because the same AD account is used for both), prolonging downtime to 12–27 days.
    • Legal: the exfiltration portal hosts data of 42 victims (Dec 2023 → May 2024), including CAD drawings and payroll SQL dumps (proof claimed).
    • BEC pairing: after encryption they send spoofed mails to customers/vendors (“our bank account has changed due to the incident”) → double-dip fraud averaging US $51 k.
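As an added example (not from the original guide), detection logic in Python run over constructed endpoint events for the behaviours named in this section and in the lateral-movement bullet above: encmywork.exe launched with -m local or -m smb, execution from C:\ProgramData\EntUtil, update.exe pushed via WMI, and traffic to encmywork.pro or inbound connections on port 4304. The flat event schema and the WmiPrvSE.exe parent for a WMIC-pushed process are assumptions, not something the guide states.

```python
"""Rule-match constructed endpoint events against the ENCMyWork behaviours the
guide lists. Added example, not from the guide; the flat event schema is assumed."""
import re
from pathlib import PureWindowsPath

STAGING_DIR = r"c:\programdata\entutil"
EXFIL_HOST = "encmywork.pro"          # defanged as hxxps://encmywork.pro above
BACKDOOR_PORT = 4304
# "-m local" / "-m smb"; also accepts the en-dash the guide's text shows.
MODE_RE = re.compile(r"(?<!\S)[-\u2013/]m\s+(local|smb)\b", re.I)
WMI_PARENTS = {"wmiprvse.exe", "wmic.exe"}  # assumed parents of a WMIC-pushed child

def match_event(ev):
    """Return (severity, reason) findings for one event dict."""
    findings = []
    if ev.get("kind") == "process":
        image = PureWindowsPath(ev.get("image", ""))
        name = image.name.lower()
        if name == "encmywork.exe":
            m = MODE_RE.search(ev.get("cmdline", ""))
            mode = m.group(1).lower() if m else "unknown"
            findings.append(("critical", f"encryptor launched, mode={mode}"))
        if str(image.parent).lower() == STAGING_DIR:
            findings.append(("high", "execution from staging dir C:\\ProgramData\\EntUtil"))
        parent = PureWindowsPath(ev.get("parent", "")).name.lower()
        if name == "update.exe" and parent in WMI_PARENTS:
            findings.append(("high", "update.exe spawned via WMI (7z SFX push)"))
    elif ev.get("kind") == "network":
        host = ev.get("dest_host", "").lower()
        if host == EXFIL_HOST or host.endswith("." + EXFIL_HOST):
            findings.append(("critical", "connection to exfiltration portal"))
        if ev.get("direction") == "inbound" and ev.get("dest_port") == BACKDOOR_PORT:
            findings.append(("high", f"inbound connection to backdoor port {BACKDOOR_PORT}"))
    return findings

def scan(events):
    """Map event index -> findings for every event matching at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := match_event(ev))}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\ProgramData\EntUtil\encmywork.exe",
     "cmdline": "encmywork.exe -m smb", "parent": r"C:\Windows\System32\cmd.exe"},
    {"kind": "process", "image": r"C:\Windows\Temp\update.exe", "cmdline": "update.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"kind": "process", "image": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"kind": "network", "direction": "outbound", "dest_host": "encmywork.pro", "dest_port": 443},
    {"kind": "network", "direction": "inbound", "dest_host": "10.0.0.5", "dest_port": 4304},
]
```

The benign notepad.exe event produces no finding, which is the negative case a rule set like this must keep quiet on.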

If affected:

  1. Collect the ransom note + one encrypted file → upload to ID-Ransomware for confirmation.
  2. Preserve disk images for forensics before reinstalling; the Curve25519 key material may become usable if law enforcement seizes the control infrastructure in the future.
  3. Report the incident to your national CERT (e.g., US-CERT, EU-CIRC) and local law enforcement; reference identifier TTP-2024-ENCMyWork-WST.

Together we shrink their profit margin – never pay unless every other avenue has failed.