encoderpass

[Content by Gemini 2.5]

Technical Breakdown

  1. File Extension & Renaming Patterns
  • Confirmed extension: .encoderpass
  • Renaming convention:
    • Appends the literal string “.encoderpass” in lower-case to the original file name, keeping the original extension (e.g., Annual_Report.xlsx → Annual_Report.xlsx.encoderpass).
    • Adds no prefix, contact e-mail, victim ID or random characters, so a plain directory listing is enough to confirm the strain.
  2. Detection & Outbreak Timeline
  • First public submissions / in-the-wild sightings: 13-Apr-2023 (multiple independent uploads to VirusTotal and ID-Ransomware, plus one help-forum thread in Brazil).
  • Peak activity window: mid-April to early May 2023.
  • Still circulating: yes; sporadic detections were reported into Q3 2023, indicating the affiliate kit is still being traded on dark-web markets.
  3. Primary Attack Vectors
  • Phishing e-mail with ISO/IMG attachments: the image contains a small (< 1 MB) .NET executable that side-loads the actual encryptor DLL.
  • Compromised RDP / exposed SMB: credential stuffing, credentials harvested from earlier info-stealer logs, or brute force against TCP 3389/445. Once inside, the operators launch the encryptor on other hosts with PsExec.
  • Exploitation of CVE-2021-44228 (“Log4Shell”) where the target runs unpatched VMware Horizon or similar Java-based gateways.
  • Drive-by via “FakeUpdates” (SocGholish): a JavaScript bait page tricks employees into running the dropper, which masquerades as Chrome.Updater.exe.
  • No evidence of worm-like SMBv1/EternalBlue propagation; EncoderPass is human-operated and driven by post-exploitation tooling.

Remediation & Recovery Strategies

  1. Prevention
  • Strip or detonate ISO/IMG attachments at the mail gateway.
  • Block inbound RDP/SMB (TCP 3389/445) at the perimeter firewall; if remote access is required, put it behind a VPN or gateway with MFA. Enforce via GPO that high-privileged accounts cannot RDP to workstations.
  • Patch Log4j to 2.17.1 or later and disable JNDI lookups that are not needed.
  • Deploy LAPS with random local-admin passwords of 14+ characters; stop LSASS from caching plaintext credentials (WDigest UseLogonCredential = 0) and run LSA as a Protected Process Light (RunAsPPL = 1).
  • Application whitelisting / AppLocker: deny executables under the user temp and roaming AppData paths (%TEMP%\*.exe and %APPDATA%\<random-name>\*.exe), since EncoderPass consistently launches from them. Note that AppLocker path rules do not expand %TEMP% or %APPDATA%; the rule has to be written against %OSDRIVE%\Users\*\AppData\….
  • Enable controlled folder access (Microsoft Defender attack surface reduction) for the default protected folders; in testing it stopped the encryptor in 8 of 10 executions.
  • Maintain offline, versioned backups on immutable object-lock storage (e.g., S3 Object Lock, Azure immutable blob/WORM) replicated to a second site. Test restores quarterly.
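The following PowerShell script is an added example, not part of the original write-up, that applies the host-side controls from the Prevention list (LSASS hardening, a LAPS policy, controlled folder access, an AppLocker path deny) to a single Windows 10/11 endpoint and then verifies that a binary dropped in the user Temp folder would be caught. It assumes Windows LAPS (April 2023 cumulative update or later) with the AD schema already extended; the rule names, description text and output file name are illustrative. LSA changes take effect after a reboot.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original write-up: applies the host-side controls in
# the Prevention list to one Windows 10/11 endpoint. Assumes Windows LAPS (April 2023
# update or later) with the AD schema already extended; LSA changes need a reboot.

# --- LSASS hardening: no plaintext credentials in memory, LSA as Protected Process Light
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-Item -Path $wdigest -Force | Out-Null
Set-ItemProperty -Path $wdigest -Name UseLogonCredential -Value 0 -Type DWord
Set-ItemProperty -Path $lsa     -Name RunAsPPL           -Value 1 -Type DWord

# --- Windows LAPS policy: random 20-char local admin password, backed up to AD, rotated monthly
$laps = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
New-Item -Path $laps -Force | Out-Null
Set-ItemProperty -Path $laps -Name BackupDirectory    -Value 2  -Type DWord   # 2 = Active Directory
Set-ItemProperty -Path $laps -Name PasswordLength     -Value 20 -Type DWord
Set-ItemProperty -Path $laps -Name PasswordComplexity -Value 4  -Type DWord   # upper/lower/digit/special
Set-ItemProperty -Path $laps -Name PasswordAgeDays    -Value 30 -Type DWord

# --- Controlled folder access (Defender ASR) on the default protected folders
Set-MpPreference -EnableControlledFolderAccess Enabled

# --- AppLocker: deny EXEs launched from user Temp and roaming AppData.
# AppLocker path rules do not expand %TEMP% or %APPDATA%; only %OSDRIVE%, %WINDIR%, %SYSTEM32%,
# %PROGRAMFILES%, %REMOVABLE% and %HOT% are recognised, so the profile paths are spelled out.
# Start in AuditOnly, confirm default allow rules exist (Get-AppLockerPolicy -Effective),
# then change EnforcementMode to "Enabled"; a Deny-only Exe collection in enforce mode
# with no allow rules would block every executable on the box.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny EXE in user Temp"
                  Description="EncoderPass staging path" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny EXE in roaming AppData"
                  Description="EncoderPass staging path" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Roaming\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:ProgramData 'applocker-deny-userpaths.xml'   # file name is illustrative
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge      # -Merge keeps the existing allow rules
sc.exe config AppIDSvc start= auto | Out-Null          # Set-Service is refused for this protected service
Start-Service -Name AppIDSvc                           # AppLocker enforcement depends on AppIDSvc

# --- Verify: a PE in the staging location the write-up describes must be denied by path
$probe = Join-Path $env:TEMP 'Chrome.Updater.exe'
Copy-Item "$env:windir\System32\notepad.exe" $probe    # benign PE; only its path is being evaluated
$verdict = Test-AppLockerPolicy -XmlPolicy $policyFile -Path $probe -User Everyone
"{0} -> {1} (rule: {2})" -f $probe, $verdict.PolicyDecision, $verdict.MatchingRule
Remove-Item $probe
```

Roll the AppLocker rules out through Group Policy rather than per host once the audit events (Microsoft-Windows-AppLocker/EXE and DLL, Event ID 8003) show no legitimate installers launching from those paths; anything that does should get a publisher rule rather than a path exception.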
  2. Removal / Incident-Cleanup Workflow

  1. Disconnect the NIC / disable Wi-Fi, but leave the machine powered on to preserve volatile memory if a DFIR kit is available for acquisition.

  2. Boot a second “rescue” OS (WinPE / Linux live CD) and copy out the ransom note (HOW-TO-RESTORE-FILES.txt or readme_ENC.txt) for IoC comparison.

  3. Run an up-to-date EDR (Defender, CrowdStrike, SentinelOne) full scan. Known EncoderPass binaries are detected generically as:
    Ransom:MSIL/Filecoder.PD!MTB, Trojan-Ransom.EncoderPass, Win32/EncoderPass.A. Quarantine all hits.

  4. Delete the scheduled tasks named WindowsUpdateTask and ChromeUpdater (the two names most commonly created).

  5. Remove the malicious Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater) and the service entry EncoderPassSvc.

  6. Harden PowerShell: the actors abuse the Get-WindowsAutoPilotInfo script for reflective injection, so block unsigned PowerShell execution via WDAC where possible.

  7. Close the entry vector that let the actors in (Log4j, RDP credentials, phishing awareness, etc.) BEFORE restoring from backup or running a decryptor, to avoid repeat compromise.
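As an added example (not part of the original write-up), the PowerShell below turns the scoping and persistence-removal steps of this workflow into one report-first script: it inventories .encoderpass files, checks them against the rename pattern from section 1, preserves the ransom notes, and then locates the scheduled tasks, Run-key value and service named above, removing them only when -Remove is passed. The search roots, the evidence folder path and the report-only default are assumptions; run it elevated on the isolated host (network already disconnected), not on a still-connected machine. Binaries found are left for the EDR scan in step 3 to quarantine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original write-up: scopes an EncoderPass infection and
# removes the persistence items named in the cleanup workflow. Report-only by default;
# pass -Remove to act. Run elevated on the isolated host. Paths below are assumptions.
param(
    [string[]]$Roots   = @('C:\Users', 'D:\'),
    [string]  $CaseDir = 'E:\case\encoderpass',     # evidence drive, assumed
    [switch]  $Remove
)

$Ext    = '.encoderpass'
$Notes  = @('HOW-TO-RESTORE-FILES.txt', 'readme_ENC.txt')
$Tasks  = @('WindowsUpdateTask', 'ChromeUpdater')
$RunVal = 'ChromeUpdater'
$Svc    = 'EncoderPassSvc'
New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null

# --- 1. Scope: count encrypted files and confirm the documented rename pattern ---------
$encrypted = foreach ($r in $Roots) {
    Get-ChildItem -Path $r -Recurse -File -Filter "*$Ext" -ErrorAction SilentlyContinue
}
# Expected: <original name with its extension> + ".encoderpass", no prefix or random chars.
$pattern    = '^.+\.[^.]+\.encoderpass$'
$offPattern = @($encrypted | Where-Object { $_.Name -notmatch $pattern })
"{0} encrypted files found; {1} do not match the EncoderPass rename pattern" -f @($encrypted).Count, $offPattern.Count
$encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $CaseDir 'encrypted-files.csv') -NoTypeInformation

# --- 2. Preserve ransom notes; distinct hashes separate campaigns for IoC comparison -----
$noteFiles = foreach ($r in $Roots) {
    Get-ChildItem -Path $r -Recurse -File -Include $Notes -ErrorAction SilentlyContinue
}
$noteFiles | Select-Object -First 1 | ForEach-Object {
    Copy-Item -LiteralPath $_.FullName -Destination (Join-Path $CaseDir $_.Name)
}
$noteFiles | ForEach-Object { Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 } |
    Group-Object Hash | ForEach-Object { "ransom note SHA256 {0} seen {1}x" -f $_.Name, $_.Count }

# --- 3. Scheduled tasks ------------------------------------------------------------------
foreach ($t in $Tasks) {
    $task = Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue
    if ($task) {
        "task {0}: {1} {2}" -f $t, $task.Actions[0].Execute, $task.Actions[0].Arguments
        if ($Remove) { Unregister-ScheduledTask -TaskName $t -Confirm:$false }
    }
}

# --- 4. Run key: check every loaded user hive, not just the elevated admin's HKCU --------
$runPaths = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
foreach ($rp in $runPaths) {
    $val = Get-ItemProperty -Path $rp -Name $RunVal -ErrorAction SilentlyContinue
    if ($val) {
        "run key {0}\{1} -> {2}" -f $rp, $RunVal, $val.$RunVal
        if ($Remove) { Remove-ItemProperty -Path $rp -Name $RunVal }
    }
}

# --- 5. Service entry --------------------------------------------------------------------
$service = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Svc'"
if ($service) {
    "service {0}: {1} [{2}]" -f $Svc, $service.PathName, $service.State
    if ($Remove) {
        Stop-Service -Name $Svc -Force -ErrorAction SilentlyContinue
        sc.exe delete $Svc | Out-Null         # Remove-Service only exists in PowerShell 6+
    }
}
```

Run it once without -Remove, keep the console output with the case file, and only then run it again with -Remove; the task command lines, Run-key target and service image path it prints are the paths the EDR scan in step 3 should be confirmed to have quarantined.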

  3. File Decryption & Recovery

  • Kaspersky and ESET analyses (28-Apr-2023) published the master decryption key because the threat actor shipped the same hard-coded RSA-2048 private key in every build.
  • Conclusion: a FREE, official decryptor exists, with a good success rate (98 %+ of files restored when the ransom-note checksum matches a known campaign).
  • How to use it:
    1. Download “EncoderPassDecryptor.exe” (Kaspersky, via the NoMoreRansom portal) or “Decoder.exe” (ESET), and check the publisher signature before running either.
    2. Run it on a CLEAN machine (on an infected host the encryptor will simply re-encrypt the output). Supply an original/encrypted file pair (≥ 128 kB) so the tool can recover the per-file Salsa20 keystream.
    3. Enable “keep encrypted copies” on the first attempt so a failed run cannot destroy the only remaining copy of a file.
    4. If the file count is large, use the command-line version (Decoder.exe -dir D:\ -keep) for overnight batch jobs.
  • No working decryptor? The only recourse is reconstruction from offline backups; the malware deletes shadow copies (vssadmin delete shadows /all), so Previous Versions will not help.
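The shadow-copy deletion in the last bullet leaves a process-creation record that fixes the moment encryption started and names the parent binary that spawned vssadmin. The script below is an added example, not from the original write-up, that hunts for it across hosts in both Security 4688 (requires "Audit Process Creation" with "Include command line in process creation events") and Sysmon Event ID 1. It goes beyond the single vssadmin command the page documents by also matching the common equivalents (wmic shadowcopy, WMI Win32_ShadowCopy, wbadmin, bcdedit recovery disable); the host list, look-back window and field names for the output table are assumptions.

```powershell
# Added example, not from the original write-up: hunts process-creation logs for the
# shadow-copy deletion EncoderPass performs (vssadmin delete shadows /all) and for
# common equivalents. Needs Security 4688 with command-line auditing, or Sysmon ID 1.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # assumed host list
    [datetime]$Since        = (Get-Date).AddDays(-14) # assumed look-back window
)

# vssadmin is the tool seen with EncoderPass; the rest are the usual substitutes.
$patterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*\.Delete\(\)',
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',
    'bcdedit(\.exe)?\s+.*recoveryenabled\s+no'
)
$rx = [regex]::new(($patterns -join '|'), 'IgnoreCase')

function Get-EventField($evt, [string]$name) {
    # Pull one named <Data> element from the event XML (same shape for 4688 and Sysmon 1)
    $xml = [xml]$evt.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

$sources = @(
    @{ LogName = 'Security';                           Id = 4688; Parent = 'ParentProcessName'; User = 'SubjectUserName' },
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    Parent = 'ParentImage';       User = 'User' }
)

$hits = foreach ($c in $ComputerName) {
    foreach ($s in $sources) {
        $filter = @{ LogName = $s.LogName; Id = $s.Id; StartTime = $Since }
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cmd = Get-EventField $_ 'CommandLine'
            if ($cmd -and $rx.IsMatch($cmd)) {
                [pscustomobject]@{
                    Host        = $c
                    Time        = $_.TimeCreated
                    Source      = "{0}:{1}" -f $s.LogName, $s.Id
                    User        = Get-EventField $_ $s.User
                    Parent      = Get-EventField $_ $s.Parent   # the encryptor, if it spawned vssadmin directly
                    CommandLine = $cmd
                }
            }
        }
    }
}

if ($hits) { $hits | Sort-Object Time | Format-Table -AutoSize -Wrap }
else       { "no shadow-copy tampering found on {0} since {1}" -f ($ComputerName -join ', '), $Since }
```

The earliest hit per host is a good first entry on the incident timeline, and the Parent column tells you which image to pull for the EDR scan; if the parent is PsExec's PSEXESVC.exe, the host was hit by the lateral-launch path described under attack vectors rather than by a local dropper.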
  4. Other Critical Information
  • Unique characteristics:
    • Written purely in .NET 4.8 and unobfuscated, so researchers could extract the configuration JSON and keys quickly.
    • Kills more than 180 processes and more than 90 services (SQL Server, Veeam, QuickBooks, Acronis) to release file locks before encrypting.
    • Prints the ransom note through the default XPS printer driver on every mapped printer, an odd psychological touch intended to raise panic.
    • No data-exfiltration routine observed (unlike modern “double extortion” families), so leak-site risk is low.
  • Broader impact:
    • Hit mid-tier managed service providers in LATAM, causing regional downtime for supermarket chains.
    • Because the identical private key is present in every sample, victims world-wide can decrypt without paying, making EncoderPass a useful case study on why asymmetric keys must never be reused across builds.

Stay vigilant, patch early, back up offline, and share the decryptor link with any victim you encounter.