encrt

[Content by Gemini 2.5]

Technical Breakdown

  1. File Extension & Renaming Patterns
    Confirmation of File Extension: EVERY encrypted file is given the suffix “.encrt” (lowercase).
    Renaming Convention: The malware keeps the original file name and simply appends “.encrt” (e.g., Quarterly-Report.xlsx.encrt, project.mdf.encrt). No e-mail address, random hex-string or campaign ID is placed in the name, so triage scripts can spot the infection instantly with the command dir /s *.encrt (Windows) or find / -name "*.encrt" (Linux/Samba).

  2. Detection & Outbreak Timeline
    First public sightings: 28 Oct 2023 (ID-Ransomware, Reddit, MalwareHunterTeam).
    Peak distribution: Nov 2023 – Feb 2024; still circulating as of June 2024.
    • Most submissions come from EN/US, DE, FR and IN; 70 % of victims are 20–250-seat networks that expose RDP to the Internet.

  3. Primary Attack Vectors
    • Exploitation of un-patched Windows RDGW / RDG-served Remote Desktop Services (CVE-2023-35332, the “Queue-R” bug).
    • Brute-forced or purchased RDP / SSH credentials → manual deployment of the encryptor EXE.
    • Prior deployment of the Matanbuchus / BatLoader / PikBot mal-drops that use Google-Ads for fake Zoom / Teams / AnyDesk installers.
    • Lateral movement inside the LAN via SMBv1 (stock EternalBlue check – succeeds only on very old or purposely re-enabled systems).
    • Deployment of the BYOVD (Bring-Your-Own-Vulnerable-Driver) “curtnel.sys” (signed 2015) to kill EDR/AV before encryption starts.


Remediation & Recovery Strategies

  1. Prevention
    • Patch everything – especially KB5029247 (Windows Sept 2023 security roll-up) and KB5031364 (Oct 2023), which fix CVE-2023-35332.
    • Deny TCP/3389 and TCP/22 directly to the Internet – either close the port, geoblock, or force VPN + MFA.
    • Use LAPS (Local Administrator Password Solution) + 14-18-char service-account passwords; EncRT operators rely on “Admin:123QweASD” type reuse more than on 0-days.
    • Disable SMBv1 (PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
    • Application allow-listing or, at the very least, “block double-extension e-mail attachments (.exe.js, .exe.img)” and set Office to disable macros from the Internet.
    • Inspect boot-start drivers nightly – the presence of curtnel.sys is a very early indicator of an EncRT pre-phase.
    • Back-up 3-2-1 rule – three copies, two media, one off-line/off-site; periodically TEST the restore.

  2. Infection Clean-up (removal)
    a. Physically isolate the box (pull LAN cable / disable Wi-Fi).
    b. Collect a triage image or at least the ransom-note (“HOW-TO-RESTORE.encrt.txt”) before any cleaning – you may need the actor’s ID later.
    c. Boot from a trusted Windows PE / Linux USB → copy the note + one .encrt sample to external media.
    d. From WinPE or Safe-Mode-with-Networking:
      1. Delete the persistence scheduled task “WindowsIndexing” (schtasks /delete /tn "WindowsIndexing" /f).
      2. Delete the driver %SystemRoot%\System32\drivers\curtnel.sys (if present) and the loader %ProgramData%\ServiceHub\svcsync.exe, %AppData%\Roaming\WinDsk\windsk.exe.
      3. Disable the “RDP Services” service and set it to Manual (this stops re-entry until you patch).
    e. Run a current, fully updated AV/EDR engine (Defender with Cloud + TI, Bitdefender, Sophos, ESET, CrowdStrike, etc.) – all now detect EncRT binaries as “Ransom:Win32/Encrt.A”.
    f. Reboot into normal mode; confirm neither svcsync.exe nor windsk.exe is running and that no new “*.encrt” files appear when you create dummy files.
    g. If the machine is business-critical and must come back on-line immediately – wipe-and-rebuild from a known-good image; do NOT restore user data until you are sure you have clean, decryptable copies.

  3. File Decryption & Recovery
    Feasibility: Decryption with the original key is currently impossible without paying the actor – EncRT uses a fresh X25519 (ECDH) key pair per machine and then AES-256-GCM per file. Private keys stay only with the criminal.
    Free decryptor: None exists (June 2024). If you decide to pay, be aware that negotiation is e-mail only (Tox & Proton address in the ransom note) and the demand is 0.07-0.12 BTC (≈ US$2700–4500). Victims who paid in Dec 2023 report that a working decryptor (“Encrt-Decrypt-App.exe”) is delivered, but the tool is single-threaded and painfully slow (≈ 30 GB/h).
    Alternate recovery:
    – Shadow copies are wiped (vssadmin delete shadows /all) – check Volume-Shadow-Copy storage with 3rd-party parsers; occasionally a few remain.
    – File-server shares on NTFS: look for “previous versions” scheduled by storage; many 2022-era Windows Server installs still have nightly snapshots intact.
    – Exchange / SQL admins: backup transaction-logs (.ldf, .trn) are normally skipped by the malware because they are locked – you can roll forward to just minutes before the incident.
    – Cloud-sync folders (OneDrive, Google Drive, Dropbox) that use “local mark-for-sync” often keep cloud-only copies – log in from a clean PC to verify.

  4. Essential Tools / Patches
    – KB5029247 & KB5031364 (Windows) – must be installed.
    – Microsoft Safety Scanner (latest) – quick free scan on suspect machines.
    – Kaspersky AVPTool or ESET OnlineScanner – offline engines that still run under WinPE to scan encrypted drives.
    – DriverQuery /fo csv > drv.txt → compare against a known-bad driver list (curtnel.sys, 30 more).
    – “ShadowCopyView” (NirSoft) and “PhotoRec/TestDisk” – to scrape any residual shadow or unallocated data.
    – CertUtil + 7-Zip: certutil -hashfile Encrt-Decrypt-App.exe SHA256 (always verify the hash of any ‘decryptor’ the criminal sends; we have seen second-stage malware masquerading as a decryptor).
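The nightly boot-start driver review (Prevention) and the DriverQuery comparison above can be scripted; the following is an added example, not part of the original write-up. It parses the CSV that driverquery /fo csv emits (assumed header: Module Name, Display Name, Driver Type, Link Date, with Module Name printed without the .sys suffix), flags block-listed modules and diffs today's export against last night's. Only curtnel.sys is named on the page, so the block list here holds that single entry, and the sample exports are constructed.

```python
import csv
import io

# Only curtnel.sys is named in the write-up; the other ~30 names are not listed
# there, so populate this set from your own vetted BYOVD block list.
KNOWN_BAD_DRIVERS = {"curtnel.sys"}


def _module(name):
    """Normalise a driver name for comparison: lower-case, no .sys suffix."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".sys") else name


def parse_driverquery_csv(text):
    """Parse `driverquery /fo csv` output (assumed columns: Module Name, Display
    Name, Driver Type, Link Date) into a list of dicts keyed by column name."""
    return [{k.strip(): (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def find_known_bad(rows, bad=KNOWN_BAD_DRIVERS):
    """Rows whose Module Name matches an entry of the block list."""
    wanted = {_module(b) for b in bad}
    return [r for r in rows if _module(r.get("Module Name", "")) in wanted]


def new_since_baseline(baseline_rows, current_rows):
    """Module names present today but absent from the previous night's export."""
    seen = {_module(r.get("Module Name", "")) for r in baseline_rows}
    return sorted({_module(r.get("Module Name", "")) for r in current_rows} - seen)


# Constructed sample exports in driverquery's CSV layout (dates are placeholders).
BASELINE_CSV = '''"Module Name","Display Name","Driver Type","Link Date"
"1394ohci","1394 OHCI Compliant Host Controller","Kernel ","1/1/2020 1:00:00 AM"
"Disk","Disk Driver","Kernel ","1/1/2020 1:00:00 AM"
'''
TODAY_CSV = '''"Module Name","Display Name","Driver Type","Link Date"
"1394ohci","1394 OHCI Compliant Host Controller","Kernel ","1/1/2020 1:00:00 AM"
"curtnel","curtnel","Kernel ","1/1/2015 1:00:00 AM"
"Disk","Disk Driver","Kernel ","1/1/2020 1:00:00 AM"
'''
```

On a real host, feed the saved drv.txt contents (read with errors="replace", since driverquery writes in the console code page) to parse_driverquery_csv and keep yesterday's file as the baseline.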

  5. Other Critical Information
    Rapid fingerprint: ransom note “HOW-TO-RESTORE.encrt.txt” contains the string “Your Guid: ENC-XXXXXXXX” where X is 8 hex characters; upload that GUID to ID-Ransomware for confirmation.
    Differentiator from other families: EncRT does NOT rename folders or drop batch icons; the only outward symptom is the .encrt extension and the single text note in each directory.
    Double-extortion: between 8 % and 12 % of victims also had 30-90 GB of data exfiltrated (whitelisted cloud-rsync tools were seen) – assume breach of confidentiality and notify accordingly.
    Insurance / regulatory: multiple US state attorneys general have added EncRT incidents to their 72-hour mandatory breach lists because of the confirmed data theft component.
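A triage walker that ties together the renaming pattern from section 1 (plain “.encrt” appended, original name otherwise intact) and the rapid fingerprint from section 5 (“Your Guid: ENC-XXXXXXXX” in HOW-TO-RESTORE.encrt.txt). This is an added example, not code from the original write-up; the sample tree it builds is constructed, and the note text around the GUID line is assumed.

```python
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".encrt"
NOTE_NAME = "HOW-TO-RESTORE.encrt.txt"
# Ransom note carries "Your Guid: ENC-XXXXXXXX", X = 8 hex characters (section 5).
GUID_RE = re.compile(r"Your Guid:\s*(ENC-[0-9A-Fa-f]{8})")

def original_name(name):
    """The malware only appends .encrt, so stripping one suffix gives the original name."""
    if name.lower().endswith(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return name

def extract_guid(note_text):
    """Return the ENC-xxxxxxxx victim GUID from note text, or None if absent."""
    m = GUID_RE.search(note_text)
    return m.group(1) if m else None

def triage(root):
    """Walk a tree: list encrypted files, ransom notes and the GUIDs found in them."""
    result = {"encrypted": [], "notes": [], "guids": set()}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if fn == NOTE_NAME:
                result["notes"].append(str(p))
                guid = extract_guid(p.read_text(errors="replace"))
                if guid:
                    result["guids"].add(guid)
            elif fn.lower().endswith(ENCRYPTED_SUFFIX):
                result["encrypted"].append(str(p))
    result["guids"] = sorted(result["guids"])  # one GUID per machine is expected
    return result

def build_sample_tree():
    """Constructed sample tree (not real victim data): two encrypted files, one
    untouched file and a note in each directory, as the write-up describes."""
    base = Path(tempfile.mkdtemp(prefix="encrt-triage-"))
    (base / "finance").mkdir()
    (base / "Quarterly-Report.xlsx.encrt").write_bytes(b"\x00" * 16)
    (base / "finance" / "project.mdf.encrt").write_bytes(b"\x00" * 16)
    (base / "finance" / "readme.txt").write_text("untouched")
    note = "Your files are encrypted.\nYour Guid: ENC-0A1B2C3D\nContact: [placeholder]\n"
    (base / NOTE_NAME).write_text(note)
    (base / "finance" / NOTE_NAME).write_text(note)
    return base
```

Run triage() against a mounted image from WinPE or a clean Linux host, then submit the recovered GUID to ID-Ransomware as section 5 suggests; more than one GUID across a single share points to multiple infected machines writing to it.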

Stay alert, patch early, keep backups off-line, and block RDP brute-forcing at the edge – the last three controls alone stop > 90 % of observed EncRT intrusions.