encrptd

[Content by Gemini 2.5]

Ransomware Deep-Dive: .encrptd

(Community resource – last updated May 2024)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed file marker: .encrptd (lowercase, no vowel between “c” and “p”).
  • Renaming convention:
      • The original name is kept intact and the string .encrptd is simply appended (e.g., Project_Q2.xlsx → Project_Q2.xlsx.encrptd).
      • No email address, random hex, or UID is inserted; this minimal change often slips past simple content filters.
  • Folders receive a plain-text note HOW_DECRYPT.txt (sometimes README_TO_RESTORE.txt). No desktop wallpaper swap is performed, so visual alerting is low.

2. Detection & Outbreak Timeline

  • First in-the-wild submissions: 14 Aug 2023 on ID-Ransomware & VirusTotal.
  • Surge periods:
      • Oct 2023 – healthcare & county government spikes (U.S.).
      • Jan 2024 – European MSP supply-chain incidents.
  • Still actively circulating as of this writing (telemetry from MSFT, Sophos, ReversingLabs).

3. Primary Attack Vectors

  1. Phishing with ISO/IMG lures → mounts a virtual drive to evade MOTW → executes the .NET dropper NovaLaser.exe.
  2. Exploits for:
      • CVE-2023-36884 (Windows/Office RCE) – Jul 2023 patch.
      • CVE-2023-22515 (Atlassian Confluence privilege escalation) – used to drop the .encrptd payload on internal file shares.
  3. RDP/SSH brute-force → hands off to living-off-the-land binaries (WMI, PsExec) to push encsvc.exe across the network.
  4. Malicious ad-signed (AdSearch) MSI bundles masquerading as “AnyDesk” or “TeamViewer 15 patch”.
  5. No SMB auto-worm component; relies on credential reuse & human-operated spreading, hence faster inside flat networks and slower across segmented zones.

Remediation & Recovery Strategies

1. Prevention

  • Patch Aug-2023 Windows cumulative update (includes CVE-2023-36884).
  • Disable/audit RDP; enforce 2FA & IP allow-lists; set the Group Policy “Deny log on through Remote Desktop Services” for local accounts not used for admin work.
  • Use an ASPM rule to block virtual-disk mounts (ISO/VHD) from non-trusted zones; enable the Defender ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion.”
  • Block the macro / OLE sandbox kill chain; default-deny wscript, cscript, and PowerShell via AppLocker or WDAC.
  • Maintain 3-2-1 backups: 3 copies, 2 media, 1 off-site/air-gapped; encrypt backup credentials. .encrptd will delete Volume Shadow Copies but cannot touch immutable object-lock buckets (e.g., AWS S3 Object Lock, Azure Immutable Blob).

2. Removal (step-by-step)

A. Isolate – disable Wi-Fi, unplug Ethernet, and power off uninfected peers via switch management.
B. Collect artefacts – save a sample encrypted file plus the ransom note for ID-Ransomware verification.
C. Kill malicious processes (usual names: encsvc.exe, NovaLaser.exe, cdiagtool.exe) from Safe Mode with Networking.
D. Delete persistence:

  • Registry Run keys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encsvc
    HKCU\SOFTWARE\novaLaser
  • Scheduled Task: Microsoft\Windows\Maintenance\SvcRestartTask (XML hidden).

E. Quarantine the binary – submit its hash to the AV cloud or blacklist it manually (Defender CLI: MpCmdRun -Submitfile).
F. Take a forensic image before OS re-install if attribution is required.
G. Re-image OR clean-wipe & install from known-good media; restore data only after confirming the infection chain is killed.
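A small audit helper for the persistence artefacts named in steps C-E, added here as an example and not part of the original page. It only reports matches against exported Run values, registry key paths and scheduled-task paths (the input format and the sample values are assumptions) so an operator can verify before deleting anything.

```python
import hashlib
from pathlib import PureWindowsPath

# Artefact names quoted in steps C-E above (all matching is case-insensitive).
SUSPECT_BINARIES = {"encsvc.exe", "novalaser.exe", "cdiagtool.exe"}
SUSPECT_RUN_VALUES = {"encsvc"}
SUSPECT_KEYS = {r"hkcu\software\novalaser"}
SUSPECT_TASKS = {r"microsoft\windows\maintenance\svcrestarttask"}

def exe_name(command):
    """Basename of the executable in a Run-value command line, quoted or not."""
    cmd = command.strip()
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return PureWindowsPath(first).name.lower()

def audit(run_values, present_keys, tasks):
    """run_values: {value_name: command}; present_keys / tasks: registry key paths
    and scheduled-task paths as exported by reg query / schtasks /query (assumed
    format).  Returns human-readable findings; it never deletes anything itself."""
    findings = []
    for name, cmd in run_values.items():
        # Catch the quoted value name and also a renamed value pointing at a known binary.
        if name.lower() in SUSPECT_RUN_VALUES or exe_name(cmd) in SUSPECT_BINARIES:
            findings.append(f"Run value {name!r} launches {cmd}")
    for key in present_keys:
        if key.lower() in SUSPECT_KEYS:
            findings.append(f"registry key present: {key}")
    for task in tasks:
        if task.lower().lstrip("\\") in SUSPECT_TASKS:
            findings.append(f"scheduled task present: {task}")
    return findings

def sha256_for_submission(path, chunk=1 << 20):
    """Hash a quarantined binary (step E) without loading it whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

if __name__ == "__main__":
    # Constructed inputs standing in for a live export.
    sample_run = {"OneDrive": r"C:\Users\j\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
                  "Updater": r'"C:\ProgramData\enc\encsvc.exe" -svc'}
    for f in audit(sample_run, [r"HKCU\SOFTWARE\novaLaser"],
                   [r"\Microsoft\Windows\Maintenance\SvcRestartTask"]):
        print("FOUND:", f)
```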

3. File Decryption & Recovery

  • Current status: No freely available decryptor (May-2024).
  • Reason: payload uses ChaCha20 + RSA-2048 per file (key blob encrypted with attacker-controlled public key stored in PE .rdata). Offline decryption is computationally infeasible.
  • Options:
  1. Check www.nomoreransom.org periodically – if a solution appears it will be listed there first.
  2. Private support only: a few companies (Coveware, Demant) have claimed limited success negotiating for the decryptor when victims refused to pay – success rate ≈ 70 % but costs remain high; legality & ethics of payment vary by jurisdiction.
  • ShadowCopy / MFT recovery: .encrptd executes vssadmin delete shadows /all and uses bcdedit to disable automatic repair, so no free roll-back is possible.
  • File-repair carving: for very large pre-encrypted files (video, DB) partial recovery may be achieved if only the header plus 0–5 % of the body were overwritten; this requires binary-level manual carving (PhotoRec, Kroll “easyRebuild”) and is file-type specific.

4. Other Critical Information

  • Reference specimen SHA-256:
    0d86c8f…a3b42e1 (dropper)
    4f3be1c…9e88fa2 (encsvc.exe 32-bit)
  • Attribution notes:
      • String artefacts (“sprNova”, “enCRPTd_byNoV”) plus Monero address reuse overlap with the “Noberus/BlackCat” cluster, but the code base is distinct (Rust → rewritten in C++17).
  • Post-exploitation behaviour:
      • Harvests browser credential stores (Chromium, Firefox, Edge) via the SQLite3 API and exfiltrates them to hxxps://temp-chimera.s3[.]ru-central-1.amazonaws[.]com/<GUID>.zip → presume double extortion.
      • Drops EATER.BAT, which clears Windows event logs (wevtutil cl …) and hampers IR timeline reconstruction.
  • Broader impact:
      • Mid-tier enterprises without EDR are most affected.
      • Average demanded ransom: 1.2 – 1.8 BTC (Feb-2024 exchange rate) with a 5-day deadline; actors threaten to publish exfiltrated HR & finance data on the “Chimera Leaks” blog (Tor).

Quick Reference Checklist

☐ Patch Aug-2023 Windows & Confluence CVEs
☐ Block ISO/IMG attachment delivery in email gateway
☐ Enforce network segmentation & local admin password (LAPS) randomisation
☐ Maintain offline backups with immutable object-lock
☐ Monitor for *.encrptd creation alert via FSRM / Wazuh FIM rule
☐ If hit: power off, collect artefacts, do NOT pay before consulting law enforcement (LE) & DFIR specialists
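Detection logic for the behaviours this page describes (extension appended to an intact name as in section 1, ransom-note drop, and the vssadmin / bcdedit / wevtutil command lines from sections 3 and 4), serving both section 1 and the FIM checklist item above; it is an added example, not code from the original page. The pipe-delimited event format, the sample lines and the bcdedit argument pattern are assumptions; map the parser onto your own FSRM, Wazuh or EDR export.

```python
import re
from collections import Counter

# Ransom-note file names quoted in section 1 (compared case-insensitively).
RANSOM_NOTES = {"how_decrypt.txt", "readme_to_restore.txt"}
# Command lines the page attributes to the payload (sections 3 and 4); the
# bcdedit argument pattern is an assumption, the page names only the tool.
DESTRUCTIVE_CMDS = (
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
)
RENAME_THRESHOLD = 20  # .encrptd renames from one host before escalating

def is_encrptd_rename(old, new):
    """True when the new name is exactly the old name with '.encrptd' appended."""
    return new.lower() == old.lower() + ".encrptd"

def analyse(lines, threshold=RENAME_THRESHOLD):
    """Return (severity, host, detail) alerts for a 'host|user|action|target' log."""
    alerts, renames = [], Counter()
    for line in lines:
        host, user, action, target = line.rstrip("\n").split("|", 3)
        if action == "RENAME":
            old, new = (p.strip() for p in target.split("->", 1))
            if is_encrptd_rename(old, new):
                renames[host] += 1
        elif action == "CREATE" and target.rsplit("\\", 1)[-1].lower() in RANSOM_NOTES:
            alerts.append(("high", host, f"ransom note dropped: {target}"))
        elif action == "PROCESS" and any(rx.search(target) for rx in DESTRUCTIVE_CMDS):
            alerts.append(("critical", host, f"{user} ran: {target}"))
    # Mass renames escalate; a handful is still worth a medium-severity look.
    for host, n in renames.items():
        sev = "critical" if n >= threshold else "medium"
        alerts.append((sev, host, f"{n} file(s) renamed to .encrptd"))
    return alerts

# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    r"FS01|jdoe|RENAME|D:\Shares\Project_Q2.xlsx -> D:\Shares\Project_Q2.xlsx.encrptd",
    r"FS01|jdoe|RENAME|D:\Shares\budget.docx -> D:\Shares\budget.docx.encrptd",
    r"FS01|jdoe|CREATE|D:\Shares\HOW_DECRYPT.txt",
    r"WS17|SYSTEM|PROCESS|vssadmin.exe delete shadows /all /quiet",
    r"WS17|SYSTEM|PROCESS|bcdedit.exe /set {default} recoveryenabled No",
    r"WS17|SYSTEM|PROCESS|wevtutil.exe cl Security",
    r"WS22|mary|RENAME|C:\Users\mary\notes.txt -> C:\Users\mary\notes.bak",
]
if __name__ == "__main__":
    for sev, host, detail in analyse(SAMPLE_LOG, threshold=2):
        print(f"[{sev.upper():8}] {host}: {detail}")
```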

Share, print, and circulate the above: an informed defender community is still the single best antidote to .encrptd and every next ransomware strain.