encryptedjb

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: encryptedjb
    Every file is appended with the literal string “.encryptedjb” (lower-case).
    Example: QuarterlyReport.xlsx → QuarterlyReport.xlsx.encryptedjb

  • Renaming Convention:
    The locker does NOT alter the original base name; it only suffixes the extra extension. This makes encrypted files easy to spot in large file listings and keeps the underlying file type visible (which helps responders quickly scope damage).
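As an added example (not part of the original writeup), a small Python triage script that uses this renaming rule to scope damage: it strips the “.encryptedjb” suffix to recover each file's original name and type, tallies locked files per original extension and folder, and flags ransom notes named HOW_TO_BACK_FILES.txt (the note name given later on this page). The sample tree it builds under `__main__` is constructed.

```python
"""Scope .encryptedjb damage from a file listing (added example, not from the writeup)."""
import os
import tempfile
from collections import Counter

MARKER_EXT = ".encryptedjb"            # suffix the locker appends (lower-case)
RANSOM_NOTE = "HOW_TO_BACK_FILES.txt"  # ransom note name reported in the writeup


def original_name(path):
    """Return the pre-encryption file name, or None if the path is not a locked file."""
    # The locker keeps the base name and only suffixes the marker, so stripping
    # the suffix recovers the original name and therefore the original file type.
    name = os.path.basename(path)
    if not name.endswith(MARKER_EXT) or name == MARKER_EXT:
        return None
    return name[: -len(MARKER_EXT)]


def triage_listing(paths):
    """Summarise a listing: locked files, counts per original extension, notes, folders hit."""
    by_ext = Counter()
    locked, notes, dirs_hit = [], [], set()
    for p in paths:
        if os.path.basename(p) == RANSOM_NOTE:
            notes.append(p)
            continue
        orig = original_name(p)
        if orig is None:
            continue                   # untouched file, skip
        locked.append(p)
        dirs_hit.add(os.path.dirname(p))
        ext = os.path.splitext(orig)[1].lower() or "<none>"
        by_ext[ext] += 1
    return {"locked": locked, "by_ext": dict(by_ext),
            "notes": notes, "dirs_hit": sorted(dirs_hit)}


def scan_tree(root):
    """Walk a directory tree and triage every file found under it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage_listing(paths)


if __name__ == "__main__":
    # Constructed sample tree standing in for a hit file share; not real victim data.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Finance"))
        for rel in ("Finance/QuarterlyReport.xlsx.encryptedjb", "Finance/HOW_TO_BACK_FILES.txt",
                    "readme.txt", "Memo.docx.encryptedjb"):
            open(os.path.join(root, rel), "w").close()
        print(scan_tree(root))
```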

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    – First upload to public sandbox and ID-Ransomware: 28 Aug 2023
    – Steep spike in submissions through Sept–Oct 2023, concentrated in northern Latin American (.mx, .co, .ar) hosting providers and U.S. SMBs.
    – Still circulating in 2024 but volume has tapered; appears to be “mid-tier” crimeware rather than a headline-grab campaign.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Phishing e-mails with ISO, ZIP, or OneNote attachments containing the loader “SystemTable.exe” (signed with a stolen certificate).
  2. External-facing RDP or AnyDesk that is brute-forced or bought from initial-access brokers.
  3. Exploitation of QNAP NAS (CVE-2023-28755) to drop a Bash→Windows cross-stage payload.
  4. Living-off-the-land once inside: WMIC, PowerShell, and “net use” to push the locker EXE to every reachable admin$ share.
  5. No known SMB-EternalBlue usage to date; does NOT self-replicate like WannaCry.

Remediation & Recovery Strategies:

1. Prevention

  • Block ISO, IMG, and OneNote extensions at the mail gateway or mark them high-risk.
  • Enforce 2FA/VPN-only for RDP/AnyDesk.
  • Immediately patch QNAP firmware (QTS 5.x ≥ build 20230606).
  • Apply Microsoft MS17-010 even though encryptedjb doesn’t use it—prevents re-infection by stronger worms.
  • Keep offline, versioned backups; encryptedjb actively hunts VSS shadow copies and cloud-sync folders mapped with a drive letter.

2. Removal

  1. Isolate the machine from the network (pull the cable, disable Wi-Fi).
  2. Boot into Safe Mode with Networking or from a bootable AV rescue USB.
  3. Scan with an updated engine (Windows Defender ≥ 1.395.664.0, Malwarebytes 2024.1, Sophos AV ≥ 5.5).
     – The malware installs copies at:
       • %ProgramData%\IntelGraphics\SystemTable.exe
       • C:\Users\Public\Libraries\svcHost.exe
  4. Remove persistence:
     – Scheduled task “ChksSynTB” that runs every 10 min.
     – Run key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run → “igfxCUIService”.
  5. Delete the ransom note HOW_TO_BACK_FILES.txt from every folder (but save one copy for forensics).
  6. Reboot normally and run a second full scan to confirm termination.

3. File Decryption & Recovery

  • Recovery Feasibility:
    – encryptedjb is NOT decryptable at this time. It employs Curve25519 + ChaCha20 with per-victim keys stored only on the threat-actor’s server.
    – No known flaws, no leaked master key, and current brute-force is computationally infeasible.

  • Essential Tools:
    – No official decryptor exists; ignore YouTube “.encryptedjb decryptors”, which are scams.
    – File-recovery route 1: use a reputable shadow-copy explorer such as ShadowExplorer, or a file-carving tool such as PhotoRec, IF the locker failed to purge VSS (rare but possible).
    – File-recovery route 2: restore from immutable/offline backups (S3 Object Lock, Azure Immutable Blob, tape, or air-gapped HDD).

4. Other Critical Information

  • Unique characteristics:
    – Drops a secondary backdoor (“IntelGraphics/sysPlant.dll”) and leaves it behind even if ransom is paid—full rebuild is recommended.
    – No data-exfiltration stage observed; appears to be “pure locker” for speed.
    – Ransom note leaves two ProtonMail addresses and a TOX ID; the initial demand ranges from 1,700 to 2,400 USD in XMR, but a 30% discount is offered within the first 48 hours.
    – Victims who paid report that decryptor works but is single-threaded and slow (~3 GB/min on SSD). Still, payment encourages crime and gives no guarantee of clean data; law-enforcement advice is “do not pay.”

  • Broader Impact / Clustering:
    Overlaps with “H0lyGh0st / HolyLocker” code snippets, indicating either code re-use or same author group operating several brands. Expect tactics to evolve—watch for re-branding under a different extension.

Stay vigilant, keep those backups offline, and patch early—encryptedjb relies on yesterday’s unpatched edge services and today’s click-happy users.