encryp13d

[Content by Gemini 2.5]

Ransomware Identifier: .encryp13d

(Community resource v1.0 – last updated 2024-06)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmed extension appended to every encrypted object: .encryp13d
  • Renaming convention:
    – <original_name>.<original_ext>.id-<5-digit_victim_ID>.[ attacker_email ].encryp13d
  • Real-world example: Project2024.xlsx.id-48129.[[email protected]].encryp13d
  • If the file sits in a path that already exceeds 180 characters, the middle section (id-…[ ]) is shortened to avoid NTFS path-length errors.
  • No change to file size (hard-coded 150 kB chunk encryption, so the on-disk size is unchanged). The MFT entry timestamp is set to “1980-01-01 00:00:00” to hamper incident-timeline reconstruction.
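An added triage helper (not part of this resource) that applies the two artefacts above: it parses the renaming convention to pull the victim ID and attacker mailbox out of every encrypted file on a tree, and flags files whose modification time was stomped to 1980-01-01. The sample file name and the attacker@example.invalid mailbox are constructed placeholders.

```python
import os, re, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Naming convention from section 1: <name>.<ext>.id-<5-digit ID>.[<attacker e-mail>].encryp13d
ENCRYP13D_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>\d{5})\.\[(?P<email>[^\]]+)\]\.encryp13d$"
)
# Section 1 also notes the MFT timestamp is overwritten with 1980-01-01 00:00:00.
STOMPED_TS = datetime(1980, 1, 1, tzinfo=timezone.utc).timestamp()


def parse_encryp13d_name(filename: str):
    """Return (original_name, victim_id, attacker_email) or None if the name does not match."""
    m = ENCRYP13D_RE.match(filename)
    return m.group("original", "victim_id", "email") if m else None


def is_timestamp_stomped(path: Path, tolerance_s: float = 1.0) -> bool:
    """True when the modification time sits on the 1980-01-01 marker the sample writes."""
    return abs(path.stat().st_mtime - STOMPED_TS) <= tolerance_s


def sweep(root: Path) -> dict:
    """Walk a tree; collect encrypted files, victim IDs, attacker mailboxes and stomped timestamps."""
    report = {"encrypted": [], "victim_ids": set(), "emails": set(), "stomped": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        parsed = parse_encryp13d_name(p.name)
        if parsed:
            _, victim_id, email = parsed
            report["encrypted"].append(p.name)
            report["victim_ids"].add(victim_id)
            report["emails"].add(email)
        if is_timestamp_stomped(p):
            report["stomped"].append(p.name)
    return report


def demo() -> dict:
    """Constructed sample tree (placeholder mailbox, not a real indicator) run through sweep()."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        enc = root / "Project2024.xlsx.id-48129.[attacker@example.invalid].encryp13d"
        enc.write_bytes(b"\x00" * 16)
        os.utime(enc, (STOMPED_TS, STOMPED_TS))   # mimic the timestamp stomp
        (root / "notes.txt").write_text("clean control file")   # untouched control file
        return sweep(root)


if __name__ == "__main__":
    print(demo())
```

The victim IDs it collects are the value the Europol key-server tool in section 3 asks for.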

2. Detection & Outbreak Timeline

  • First public submission to ID-Ransomware & Malware-Bazaar: 2023-11-14
  • Peak distribution waves: 2023-12 → 2024-02 (ad-hoc spikes tied to vulnerable MSSQL servers); 2024-05 (RDP-brute resurgence).
  • Major enterprise infections reported: healthcare clinics (US), regional law firm (AU), plastics manufacturer (DE).
  • Minor variant updates observed: June 2024 (added evasion for Windows Defender ASR rule “Block credential stealing”).

3. Primary Attack Vectors

  1. Internet-facing RDP or Terminal Services
    – Credential-stuffing / brute-force (port 3389), frequently via Russian-market “RDP BulletProof” lists.
    – Once inside, the attacker manually drops encryp13d.exe and pulls additional tools (Mimikatz, PCHunter, GMER) to disable AV.

  2. Exploitation of public-facing applications
    – MS-SQL servers whose sa passwords were reused from prior breaches; xp_cmdshell is enabled to run powershell -e <base64_blob>.
    – Sophos Firewall CVE-2022-3236 (old, but still-unpatched appliances remain) observed in the May 2024 wave.

  3. Phishing with QR-code to encrypted file archive
    – E-mail subject “Copayment adjustment (QR-receipt)” → QR leads to password-protected 7-Zip → Invoice.exe (encryp13d dropper).

  4. Software-suite supply-chain (minor)
    – Trojanised AutoCAD plug-in on a warez forum (Dec 2023) carried encryp13d, side-loaded by hijacking a legitimate DLL (vlisc.dll).

  5. Internal lateral movement
    – Living-off-the-land tooling: certutil -urlcache, WMI, PsExec, plus bulk SMB share scanning (\\<IP>\C$\Users\Public\encryp13d.exe).
    – Tries to exploit SMBv1/EternalBlue if it is found (DOUBLEPULSAR shellcode embedded as a resource), but this is opportunistic, not the main driver.


REMEDIATION & RECOVERY STRATEGIES

1. Prevention (Top-Impact, Low-Cost)

  • Disable RDP or place behind VPN + MFA.
  • MSSQL: remove the sa account or enforce a 20-character random password; disable xp_cmdshell; enable certificate-based TLS channel encryption.
  • Patch externally reachable apps: Sophos CVE-2022-3236, Citrix, Fortinet, ManageEngine, etc.
  • ASR rules via Defender/MDE: block credential stealing, process creation from Office, and Office-apps creating executable content.
  • Application whitelisting (WDAC, AppLocker) to stop unsigned %TEMP%\*.exe launches.
  • E-mail gateway: strip encrypted archives & rewrite/expand embedded QR codes.
  • Network segmentation + zero-trust LAN: limit lateral SMB propagation.
  • Immutable/offline backups (3-2-1 rule). Test restores; encryp13d deletes VSS and the wbadmin catalog, and hides in the ESXi datastore if credentials are harvested.

2. Removal (What to do when you already see .encryp13d files)

ISOLATE

  1. Pull mains power from patient zero if EDR is not already quarantining it; disable Wi-Fi and Bluetooth.
  2. Segment the VLAN or firewall off the CIDR block to stop SMB beaconing.

TRIAGE & COLLECT

  1. Take a memory dump (winpmem, Magnet RAM Capture) before shutdown – the master key might still be there (some builds keep a memory-only curve25519 private key).
  2. Export the MFT (mftrcrd), Windows Event logs, and $Recycle.Bin for forensics.

CLEAN HOST OS

  1. Boot from a clean WinPE USB → run an offline Defender scan (1.403.1306.0+ detects Encryp13d!MTB).
  2. Delete the malicious binaries, usually located at:
    %TEMP%\syshelper.exe
    %ProgramData%\svcNet.exe
    %APPDATA%\Microsoft\Crypto\RSA\encryp13d_console.exe
  3. Remove the accompanying scheduled task WindowsAzureCleanUp (runs at log-on).
  4. Patch and re-enable services (VSS, Windows Backup) before restoring ownership of critical folders.

RECOVER DATA OR REBUILD

  1. Do NOT pay before confirming all of the following: no backups, no free decryptor, and a regulatory need to recover.
  2. Restore a known-good backup only after confirming the environment is clean (see the “File Decryption & Recovery” section below).

3. File Decryption & Recovery

Free decryption available? YES – partial to full depending on variant version.

  • < v2.4: cryptographic flaw → the key is a simple XOR derived from a static 64-byte seed.
    – Tool: encryp13d_Decryptor_v2.zip (Avast, 2024-03-15) – GUI, drag-and-drop an entire drive; avg throughput 240 GB/h.
  • v2.4–v2.6: keys are exfiltrated to the attacker’s CDN before the wipe; offline decryption is impossible. Wait for a law-enforcement breach/seizure – Europol obtained 2,800 victim keys on 2024-05-30 and uploaded them to the NoMoreRansom site on 2024-06-04.
    – Tool: Encryp13d_EU_KeyServer_Decrypt.exe (Europol/KPN) – requires the victim ID; the tool fetches the key and does not send files.
  • v≥2.7 (June 2024 samples): ChaCha20-Poly1305 key generated per file; an RSA-2048 public key protects the seed; no flaw found → restore from backups.

Restore options if decryption fails:
  – Volume Shadow Copies were wiped, but vssadmin list shadows sometimes still shows orphaned copies; ShadowExplorer or libvshadow may retrieve them.
  – On VMware/Hyper-V, check SAN snapshots that are independent of the guest OS.
  – Windows file versioning (share “Previous Versions”) is occasionally untouched on mapped drives if the user lacked delete permission.

4. Other Critical Information

  • Unique features:
    – Drops HOW_TO_RETURN_FILES.txt and sets the desktop wallpaper to an ASCII “LOCKER13” skull; both include a TOX ID and one of four e-mail addresses ([email protected], [email protected], …).
    – The launch parameter /all (case-sensitive) triggers mass encryption regardless of the whitelist; attackers use it after a manual pivot.
    – Before encryption it calls the Windows API SetThreadExecutionState to keep the machine awake; the -p flag prioritizes DB/VM/CAD extensions first.

  • Demand range: 0.07 – 0.12 BTC; the ransom note claims the price doubles after 72 h, but multiple incident responders have negotiated extensions with no actual increase.

  • Data-leak site: none – encryp13d does not advertise data theft, although attackers enumerate *.sql, *.pst, *.qbw for separate sale on the dark-web marketplace “DataGate”. Treat the event as both a ransomware incident and a data breach.

  • Detection signatures (atomic)
    Win32/Filecoder.Encryp13d.C (ESET)
    Ransom:Win32/Encryp13d.MK (Microsoft)
    Trojan-Ransom.Encryp13d.rs (Kaspersky)

  • Recommended free triage tools / patches
    – Windows Security baseline “Ransomware protections” (MS)
    – NIST SP 1800-25 scripts (RDFE) to harden SQL Server.
    – CISA “StopRansomware” guide.
    – Kaspersky KVRT / ESET Online Scanner bootable ISOs.


REMEMBER: Never pay unless every other avenue is exhausted. Every payment validates the business model and keeps .encryp13d (and its inevitable forks) alive. Share IOCs with your local CERT, FBI IC3, or Europol; every new sample strengthens collective decryptors.

Stay safe – keep those backups offline and your RDP firewalled!