encr

[Content by Gemini 2.5]

encr Ransomware – Community Action Guide

(Updated Q2-2024)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension: .encr (four lower-case letters after the dot; no victim ID or further suffix is appended, e.g. invoice.xlsx → invoice.xlsx.encr)
  • Rename pattern:
    – Keeps the original file name and original extension (unlike many strains that wipe the extension).
    – Simply appends .encr, so visual file-type icons stay visible – a psychological trick to make users click and see the ransom note faster.
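A triage helper for the renaming pattern described above, added here as an example (it is not part of the guide). It takes a plain list of file names from a directory listing, recovers the pre-encryption name, and summarises which original file types were hit; the mass-encryption threshold (at least half the files and at least 10 hits) and the sample listing are constructed for the demo.

```python
import os
from collections import Counter

ENCR_SUFFIX = ".encr"          # appended to the full original name, extension included
NOTE_NAME = "README_TO_RESTORE.txt"


def is_encr_name(filename: str) -> bool:
    """True if the name follows the documented pattern: original name and
    original extension kept, with '.encr' appended (invoice.xlsx.encr)."""
    base = os.path.basename(filename)
    return base.endswith(ENCR_SUFFIX) and len(base) > len(ENCR_SUFFIX)


def original_name(filename: str) -> str:
    """Strip the appended suffix to recover the pre-encryption file name."""
    if not is_encr_name(filename):
        raise ValueError(f"not an .encr name: {filename}")
    return filename[:-len(ENCR_SUFFIX)]


def triage_listing(names):
    """Summarise a listing: how many files carry the suffix, which original
    extensions were hit, whether the ransom note is present, and whether the
    listing looks like a mass-encryption event (threshold is an assumption)."""
    encrypted = [n for n in names if is_encr_name(n)]
    ext_hits = Counter(
        os.path.splitext(original_name(n))[1].lower() or "<none>" for n in encrypted
    )
    total = len(names)
    ratio = len(encrypted) / total if total else 0.0
    return {
        "encrypted": len(encrypted),
        "total": total,
        "ratio": ratio,
        "extensions": dict(ext_hits),
        "note_present": any(os.path.basename(n) == NOTE_NAME for n in names),
        "mass_encryption": ratio >= 0.5 and len(encrypted) >= 10,
    }


# Constructed sample listing: 12 renamed files, the ransom note, two untouched files.
SAMPLE_LISTING = [f"report_{i}.docx.encr" for i in range(8)] + [
    "invoice.xlsx.encr", "photo.jpg.encr", "db.vhdx.encr", "archive.encr",
    NOTE_NAME, "desktop.ini", "notes.txt",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print(f"{result['encrypted']}/{result['total']} files renamed, "
          f"mass encryption: {result['mass_encryption']}")
    for ext, count in sorted(result["extensions"].items()):
        print(f"  {ext}: {count}")
```

Run it against `os.listdir()` of a suspect share to get a quick count before deciding on isolation and restore scope; the extension breakdown tells you which backup sets matter most.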

2. Detection & Outbreak Timeline

  • First public submissions: 15 Jan 2023 on ID-Ransomware & 16 Jan 2023 on Malware-Bazaar.
  • Peak waves: Feb-Mar 2023 (Europe/LatAm MSPs) and Oct-Nov 2023 (Asia-Pac).
  • Continues to circulate because GitHub/OneDrive themed lures are refreshed every few weeks.

3. Primary Attack Vectors

  1. Phishing – OneDrive/GitHub impersonation
    – “Your shared document has been updated” → links to a fake “viewer-update.exe” (often digitally signed with stolen certs).
  2. Exploit of public-facing RDP with weak or reused credentials
    – Followed by manual deployment of encr.exe across network via \\C$\temp\.
  3. Software vulnerability
    – Has been seen exploiting the Log4Shell (CVE-2021-44228) and PaperCut MF/NG (CVE-2023-27350) flaws to drop the loader.
  4. USB / network-share propagation
    – Copies encr.exe to any writeable share; abuses WMI/PsExec for lateral movement; has no wormable SMB component (so it does not self-propagate the way WannaCry did).

Encryption routine uses ChaCha20 (256-bit key) + RSA-2040 public key; keys are generated per machine; private key stays only with the operator.


Remediation & Recovery Strategies

1. Prevention (must-do items)

  • Patch everything that has an internet-facing service (esp. Log4j, PaperCut, Citrix ADC, 3CX, MOVEit, etc.).
  • Block/restrict RDP at perimeter (VPN-only, 2FA, account-lockout GPO).
  • Application whitelisting – default-deny rules in Windows AppLocker or the MS Defender ASR rule
    “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”.
  • Remove/block USB drives through GPO; set “All Removable Storage classes: Deny all access”.
  • Maintain offline (non-domain) backups, immutable object lock (e.g. Veeam + S3 Object Lock, Azure immutable blobs).

2. Removal (step-by-step)

  1. Disconnect the machine from the network (pull cable / disable Wi-Fi).
  2. Boot into Safe Mode with Networking.
  3. Collect triage:
    C:\Users\<name>\AppData\Local\Temp\encr.exe (main payload, usually 1.4–1.9 MB)
    C:\ProgramData\README_TO_RESTORE.txt (ransom note)
    – Run “autoruns” and export .arn file for later IOC search.
  4. Use reputable AV rescue media (Kaspersky, ESET, or MS Defender Offline) to delete the above; detection names include:
    – Ransom:Win32/Encr.A (MS)
    – Trojan-Ransom.Win32.Encr.tp (Kaspersky)
    – Win32/Filecoder.Encr.C (ESET)
  5. Clean scheduled tasks / Run keys that re-start encr.exe (random 8-char name, e.g. fy1ht2da.exe).
  6. Change ALL local & domain passwords from a clean machine; assume a credential dump occurred.
  7. Re-imaging is strongly encouraged; if you insist on sanitising instead, at least run dism.exe /online /cleanup-image /restorehealth and sfc /scannow afterwards.
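The persistence hunt from the triage and clean-up steps above, run over an Autoruns export, as an added example (not code from the guide or from Sysinternals). It assumes the export was saved as CSV with the column subset shown in the constructed sample (Autoruns writes more columns; the Signer values follow its "(Verified) …" / "(Not verified)" convention) and uses only the indicators the guide gives: the encr.exe payload name, 8-character random names such as fy1ht2da.exe, and launch from the per-user Temp directory. The signer gate is there because legitimate names such as onedrive.exe also match an 8-character pattern.

```python
import csv
import io
import os
import re

RANDOM8_EXE = re.compile(r"^[a-z0-9]{8}\.exe$")   # e.g. fy1ht2da.exe (pattern from the guide)
TEMP_MARKER = "\\appdata\\local\\temp\\"            # where the payload was found during triage
KNOWN_PAYLOAD = "encr.exe"


def suspicious_reasons(row):
    """Return the list of reasons an Autoruns entry looks like encr persistence
    (empty list means the entry is not flagged)."""
    image = row.get("Image Path") or ""
    base = os.path.basename(image.replace("\\", "/")).lower()
    location = (row.get("Entry Location") or "").lower()
    verified = (row.get("Signer") or "").lower().startswith("(verified)")
    reasons = []
    if base == KNOWN_PAYLOAD:
        reasons.append("image is encr.exe (payload name from triage)")
    # A random-looking name alone is weak evidence: onedrive.exe would also match,
    # so only count it when the binary is not signature-verified.
    if RANDOM8_EXE.match(base) and not verified:
        reasons.append("8-character random executable name, not verified")
    if TEMP_MARKER in image.lower():
        reasons.append("runs from per-user Temp")
    if reasons and ("\\run" in location or "task scheduler" in location):
        reasons.append("persisted via Run key or scheduled task")
    return reasons


def hunt_autoruns(csv_text):
    """Parse an Autoruns CSV export and return the flagged entries."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = suspicious_reasons(row)
        if reasons:
            findings.append({
                "entry": row["Entry"],
                "location": row["Entry Location"],
                "image": row["Image Path"],
                "reasons": reasons,
            })
    return findings


# Constructed sample export (column subset; user name and paths are made up).
SAMPLE_AUTORUNS_CSV = r"""Entry Location,Entry,Enabled,Signer,Image Path,Launch String
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,(Verified) Microsoft Corporation,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe,"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,fy1ht2da,enabled,(Not verified),C:\Users\alice\AppData\Local\Temp\fy1ht2da.exe,C:\Users\alice\AppData\Local\Temp\fy1ht2da.exe
Task Scheduler\Updater,Updater,enabled,(Not verified),C:\Users\alice\AppData\Local\Temp\encr.exe,C:\Users\alice\AppData\Local\Temp\encr.exe -s
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,C:\Windows\System32\SecurityHealthSystray.exe,%windir%\system32\SecurityHealthSystray.exe
"""

if __name__ == "__main__":
    for f in hunt_autoruns(SAMPLE_AUTORUNS_CSV):
        print(f"{f['location']} -> {f['image']}")
        for reason in f["reasons"]:
            print(f"    {reason}")
```

Point `hunt_autoruns` at the text of an `autorunsc -c` export (or the CSV saved from the GUI) taken on the infected host; anything it flags goes into the IOC list for the domain-wide search mentioned in step 3.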

3. File Decryption & Recovery

  • Current status: No free decryptor (the RSA-2040 key is unique per victim).
  • Option A – Paying the ransom: Not advised (no guarantee; funds the criminal ecosystem; may still leave backdoors). Operators demand 0.06-0.11 BTC (≈$2,000-$5,000) and usually do deliver a working decryptor, though slowly (24-48 h).
  • Option B – File repair: Partial success for very large (>200 MB) files – a ChaCha20 keystream re-use bug in the first 5k block means the first ~75 MB of huge databases/VHDX files can sometimes be rebuilt if you have an unencrypted “golden” copy (consult the Dr.Web “Reparation” service or Avast “ChaChaReUse”).
  • Option C – Shadow copies / backups: Encr deletes \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy* with vssadmin delete shadows /all and clears Windows Event logs. If you had 3rd-party snapshots (NetApp, Veeam, ZFS, Azure, AWS) those remain intact – restore from them.
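Why a re-used keystream lets a golden copy repair another file (Option B above), shown as an added worked example that is neither the guide's nor Dr.Web's or Avast's code. It assumes the documented failure mode: two files whose leading bytes were encrypted with the same keystream prefix. A SHA-256 counter-mode generator stands in for the ChaCha20 keystream, because the repair relies only on the XOR relationship of a stream cipher, not on the cipher itself; the key, the golden copy and the victim file are all constructed.

```python
import hashlib


def stand_in_keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-keystream used ONLY to simulate a stream cipher in
    this demo (not ChaCha20; a SHA-256 counter-mode stand-in)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(golden_plaintext: bytes, golden_ciphertext: bytes) -> bytes:
    """Stream cipher: C = P xor K, hence K = C xor P wherever the golden copy
    gives us P. We get exactly as many keystream bytes as the golden copy covers."""
    n = min(len(golden_plaintext), len(golden_ciphertext))
    return xor_bytes(golden_plaintext[:n], golden_ciphertext[:n])


def repair_with_golden(golden_plaintext, golden_ciphertext, victim_ciphertext):
    """Repair the prefix of another file that was encrypted with the same
    keystream. Bytes beyond the recovered keystream are returned unchanged
    (still encrypted), and the covered length is reported alongside."""
    keystream = recover_keystream(golden_plaintext, golden_ciphertext)
    n = min(len(victim_ciphertext), len(keystream))
    repaired = xor_bytes(victim_ciphertext[:n], keystream[:n]) + victim_ciphertext[n:]
    return repaired, n


# Constructed scenario: a file we still have in backup (golden) and a second,
# larger file we only have in encrypted form, both encrypted under the same
# keystream prefix because of the re-use bug.
KEY = b"per-machine-key (constructed)"
GOLDEN_PLAINTEXT = b"VHDX golden header " * 8            # 152 bytes from backup
VICTIM_PLAINTEXT = b"VHDX victim header  " * 8 + b"tail not covered"   # 176 bytes


def demo():
    keystream = stand_in_keystream(KEY, 4096)
    golden_ct = xor_bytes(GOLDEN_PLAINTEXT, keystream)   # what the attacker left on disk
    victim_ct = xor_bytes(VICTIM_PLAINTEXT, keystream)   # same keystream prefix re-used
    return repair_with_golden(GOLDEN_PLAINTEXT, golden_ct, victim_ct)


if __name__ == "__main__":
    repaired, covered = demo()
    print(f"recovered {covered} of {len(repaired)} bytes:",
          repaired[:covered] == VICTIM_PLAINTEXT[:covered])
```

The recoverable length is bounded by the longest golden copy you hold, which is why the guide's figure of roughly the first 75 MB only helps for very large files: a database or VHDX whose useful structure sits in that prefix can be rebuilt, while a small file that is entirely beyond the re-used region cannot.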

4. Other Critical Information

  • Differential characteristics:
    – Ransom note is always named README_TO_RESTORE.txt (UTF-16 LE) and contains a Base64 blob that is actually the encrypted RSA private key for that victim – useful for law-enforcement if keys are ever seized.
    – Creates mutex {E00C72E1-0C0B-421D-B6B3-781A2F965A6C} (single-machine check).
    – Will NOT encrypt files inside C:\Windows\, C:\Program Files\, or any path that includes $Recycle.Bin (keeps the OS bootable so the victim can pay).
    – Sends a hard-coded HTTP beacon to hxxps://api.encr-support[.]top/<user_hash>/set – IP-filtering shows many hits from ASNs in Eastern Europe.
  • Broader impact: Encr made headlines in Germany (March 2023) when it hit 38 libraries using a shared Koha-Server; recovery took 11 days and ≈€300 k because backups had been connected as RW-shares. Lesson: even “low-dollar” ransoms can cause big operational losses if admins skip 3-2-1 backup hygiene.
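A detection pass over endpoint telemetry for the indicators in this section and in Option C (shadow-copy deletion via vssadmin, the ransom-note drop, the support-domain beacon, and an actor process running from the per-user Temp directory), added as an example that is not from the guide. The key=value log format and every sample event are constructed, and the field names (event, image, cmdline, parent, target, query) are assumptions: adapt `parse_line` to your own Sysmon or EDR schema. The beacon host is the guide's indicator with the defanging removed so it can be matched.

```python
import re

KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

BEACON_HOST = "api.encr-support.top"     # guide indicator, written hxxps://api.encr-support[.]top there
NOTE_NAME = "readme_to_restore.txt"
TEMP_MARKER = "\\appdata\\local\\temp\\"


def parse_line(line):
    """Parse 'key=value key="quoted value"' telemetry into a dict."""
    fields = {}
    for m in KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def match_rules(ev):
    """Return the names of every rule an event triggers."""
    rules = []
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    parent = ev.get("parent", "").lower()
    if (ev.get("event") == "ProcessCreate" and image.endswith("\\vssadmin.exe")
            and "delete" in cmd and "shadows" in cmd):
        rules.append("shadow-copy deletion")          # 'vssadmin list shadows' is not flagged
    if ev.get("event") == "FileCreate" and ev.get("target", "").lower().endswith("\\" + NOTE_NAME):
        rules.append("ransom note dropped")
    if ev.get("event") == "DnsQuery" and ev.get("query", "").lower() == BEACON_HOST:
        rules.append("beacon to encr support domain")
    # Only add the Temp-path context when another rule already fired, so ordinary
    # installers running from Temp do not generate noise on their own.
    if rules and (TEMP_MARKER in image or TEMP_MARKER in parent):
        rules.append("actor process runs from per-user Temp")
    return rules


def scan_log(lines):
    """Run every rule over every line; one finding per (event, rule) pair."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        for rule in match_rules(ev):
            findings.append({"ts": ev.get("ts"), "host": ev.get("host"), "rule": rule})
    return findings


def verdict_by_host(findings):
    """Two or more distinct rules on one host is treated as likely encr activity."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return {h: ("likely encr activity" if len(r) >= 2 else "single indicator")
            for h, r in per_host.items()}


# Constructed sample telemetry: one infected file server (FS01) and one clean workstation (WS07).
SAMPLE_LOG = [
    r'ts=2023-03-02T10:13:59Z host=FS01 event=ProcessCreate image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs" parent=C:\Windows\System32\services.exe',
    r'ts=2023-03-02T10:14:03Z host=FS01 event=ProcessCreate image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet" parent=C:\Users\alice\AppData\Local\Temp\encr.exe',
    r'ts=2023-03-02T10:14:05Z host=FS01 event=FileCreate target=C:\ProgramData\README_TO_RESTORE.txt image=C:\Users\alice\AppData\Local\Temp\encr.exe',
    r'ts=2023-03-02T10:14:09Z host=FS01 event=DnsQuery query=api.encr-support.top image=C:\Users\alice\AppData\Local\Temp\encr.exe',
    r'ts=2023-03-02T10:20:11Z host=WS07 event=ProcessCreate image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows" parent=C:\Windows\System32\cmd.exe',
    r'ts=2023-03-02T10:21:40Z host=WS07 event=DnsQuery query=login.microsoftonline.com image=C:\Windows\System32\svchost.exe',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['host']}: {h['rule']}")
    print(verdict_by_host(hits))
```

The shadow-copy rule is the one worth alerting on in near real time: the guide notes the deletion happens before the event logs are cleared, so a forwarded Sysmon or EDR event is often the only durable record of it, and it typically precedes the bulk of the encryption.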

Rescue Kit – Download Once (clean PC)

  • Microsoft “OneDrive Ransomware Detection & Recovery” how-to guide
  • Kaspersky AV Rescue Disc (ISO) – kaspersky.com/rescue
  • Emsisoft Emergency Kit (portable) – updates include Encr signatures
  • AdwCleaner & Autoruns (Microsoft Sysinternals) – hunt persistence
  • PaperCut NG/MF patch – CVE-2023-27350 – papercut.com/kb
  • Log4j mitigation checker – log4j-tester.com
  • ID-Ransomware – id-ransomware.malwarehunterteam.com (upload README_TO_RESTORE.txt or .encr file to reconfirm identity and check for new decryptors)

Stay safe, patch fast, keep offline backups, and never run unknown “viewers” or “shared-document updaters”.

(end of guide)