encryptedyourfiles

[Content by Gemini 2.5]

Draft Community Resource – “Encryptyourfiles” Ransomware
File-marker observed in the wild: .encryptedyourfiles


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    Each encrypted file receives the verbatim secondary extension “.encryptedyourfiles” (lower-case, no additional digits or hashes).
  • Renaming Convention:
    Original name → <original_name>.<original_ext>.encryptedyourfiles
    Example: Quarterly_Report.xlsx becomes Quarterly_Report.xlsx.encryptedyourfiles
    The malware does NOT scramble the base filename, which is useful for quick identification of what was lost.

2. Detection & Outbreak Timeline

  • First public submissions: 14 – 17 Oct 2023 (multiple uploaders to ID-Ransomware & VirusTotal).
  • Peak distribution window: Late-October 2023; sporadic clusters still appearing as of Q2-2024.
  • Threat-intel tracking names:
    – “Encryptyourfiles” (community nickname)
    – Generic ML/detection monikers: Ransom:Win32/Filecoder.ENU, Trojan-Ransom.Win32.Agent.gen, RansomX-gen [Trj].

3. Primary Attack Vectors

  • Most successful ingress to date:
    1. Phishing e-mails with ISO/IMG attachments (“Document-Scanner-Oct2023.iso”). The image contains a .NET dropper that side-loads the encryptor.
    2. RDP / VPS compromise – brute-forced or previously stolen credentials; once inside, PsExec is used to push the binary across the LAN.
  • Exploited vulnerabilities (secondary):
    – One affiliate observed chaining CVE-2023-36884 (Windows RCE via malicious DOCX) to gain code-execution before launching the payload.
    – No evidence yet of worm-like SMB/EternalBlue behaviour; lateral movement is manual.
  • Post-exploitation:
    – Runs “net stop” against SQL, Exchange, Veeam etc.
    – Deletes shadow copies with vssadmin + wmic.
    – Clears Windows event logs to slow IR.

Remediation & Recovery Strategies

1. Prevention

  • Disable .img/.iso mounting for standard users via Group Policy (prevents the one-click mounting used by the current spam wave).
  • Enforce phishing-resistant MFA on all VPN, RDP, and web-console logins.
  • Apply Microsoft’s Aug-2023 CVE-2023-36884 patch (or the July OOB) to block RTF/DOCX exploit path.
  • Restrict incoming RDP (port 3389) to allow-listed jump-boxes; set account lock-out after 5 failed attempts.
  • Correctly configured Windows AppLocker or WDAC blocks unsigned %TEMP% binaries (trivial kill-switch for this variant).
  • Maintain offline (immutable) backups of critical data – Tape/SSD, protected by WORM or S3 Object-Lock style storage.

2. Removal / Infection Cleanup

  1. Disconnect the host from network to prevent re-encryption of mapped drives (unplug cable/Wi-Fi, disable VPN).
  2. Identify the running sample:
    Get-Process | Where-Object { $_.Path -like "*$env:temp*" -or $_.Path -like "*Public*" }
  3. Terminate and quarantine the .exe; default names seen: svcsHost.exe, FileLocker.exe, MSIX1.exe.
  4. Delete persistence artefacts:
    – Registry Run value: SOFTWARE\Microsoft\Windows\CurrentVersion\Run → “Microsoft Security Service” = <path_to_exe>
    – Scheduled task \Microsoft\Windows\Maintenance\SvcRestart (wake-on-LAN at 02:15 daily).
  5. Purge any added user accounts (common: “BackupAdmin”, “Support999”).
  6. Run a reputable EDR/AV full scan to remove residual droppers & Cobalt Strike beacons that often accompany it.
  7. Restore encrypted data only AFTER wiping OS drive and rebuilding from clean media; otherwise a dormant copy can re-fire.
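A read-only triage script for the artefacts named in steps 2 to 5 above, added here as an example and not part of the original resource. It only reports; removal stays a manual decision. Assumed: the Run value may sit under HKLM or HKCU (the resource names neither hive), and $ScanRoots is whatever path set you choose to count encrypted files under.

```powershell
# Added example (not from the original resource): read-only triage of the cleanup artefacts.
# Assumptions: Run value checked in both HKLM and HKCU (hive not stated in the resource);
# $ScanRoots is a caller-chosen list of folders to count encrypted files under.
param([string[]]$ScanRoots = @("$env:USERPROFILE\Documents"))

$knownBinaries = @('svcsHost.exe', 'FileLocker.exe', 'MSIX1.exe')
$runValueName  = 'Microsoft Security Service'
$taskPath      = '\Microsoft\Windows\Maintenance\'
$taskName      = 'SvcRestart'
$rogueAccounts = @('BackupAdmin', 'Support999')
$findings      = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Category, $Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Processes running from %TEMP% or a Public folder, or carrying a known binary name
Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $_.Path -and ($_.Path -like "*$env:TEMP*" -or $_.Path -like '*\Public\*' -or
                  $knownBinaries -contains [IO.Path]::GetFileName($_.Path))
} | ForEach-Object { Add-Finding 'Process' "$($_.Id) $($_.Path)" }

# 2. Run-key persistence value (both hives, since the resource does not say which)
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $val = Get-ItemProperty -Path $key -Name $runValueName -ErrorAction SilentlyContinue
    if ($val) { Add-Finding 'RunKey' "$key\$runValueName = $($val.$runValueName)" }
}

# 3. Scheduled task used to relaunch the encryptor
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) { Add-Finding 'ScheduledTask' "$taskPath$taskName -> $($task.Actions.Execute)" }

# 4. Accounts the operators are known to add
foreach ($u in Get-LocalUser -ErrorAction SilentlyContinue) {
    if ($rogueAccounts -contains $u.Name) { Add-Finding 'LocalUser' $u.Name }
}

# 5. Encrypted files: the marker is appended verbatim, so the original name is recoverable
foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -File -Filter '*.encryptedyourfiles' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'EncryptedFile' ($_.FullName -replace '\.encryptedyourfiles$', '') }
}

$findings | Format-Table -AutoSize
```

Run it as an administrator so HKLM, scheduled tasks and other users' folders are readable; the EncryptedFile rows double as the "what was lost" inventory mentioned in section 1.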

3. File Decryption & Recovery

  • NO free decryptor exists at time of writing (checked against the No More Ransom Project, Emsisoft and Kaspersky decryptor lists).
  • Encryption scheme: 256-bit AES in CBC mode (file key), RSA-2048 public key (embedded) encrypts the AES key – classic hybrid. Private key never ships with the binary.
  • Partial success / edge cases:
    – An early (v1.1) build used a static AES key per session; if you can locate the “key.bin” file in %TEMP% before cleanup you MAY be able to decrypt with the standalone Python script available on GitHub (repo: encryptedyourfiles-v1-decrypt). Works only for infections dated before 23-Oct-2023.
    – For versions ≥1.2 there is currently no practical path to key extraction; restore from backups or negotiate payment (NOT recommended).
  • Recovery checklist:
    a. Exhaust Volume-Shadow copies (vssadmin list shadows) – some affiliates forget deletes.
    b. Check OneDrive/Dropbox sync history (files often rolled back to pre-encryption date).
    c. Treat resulting recovered files with care – some victims report backdoors placed after paying, so quarantine/decrypt inside isolated VMs.

4. Other Critical Information

  • Differentiator: The ransom note (RECOVER-FILES.txt) is extremely short – just one line:
    email us: [email protected] and [email protected]
    There is a hard-coded 96-hour deadline; binary stops accepting “-access” token after deadline, giving IR teams a temporal marker.
  • Broader Impact: Initial intrusions double as a data-theft extortion play; MEGASync upload observed stealing customer SQL dumps before encryption. Victims face both encryption + leak-site threat.
  • IOCs you can add to SIEM:
    – Contact e-mail substrings: “[email protected]”, “[email protected]”
    – File mutex: Global\{4D53030E-74B6-6D7F-FF1C-C4C6C7C8C9CA}
    – SHA-256 (recent dropper): d2cb…f8e6 9e7a…1341 557c…a3b1 (keep updating list)
    – Outbound C2: 185.225.69[.]121:443 (HTTPS) – fake Cloudflare cert containing “.onion” in CN.
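A small matcher that tags log lines against the indicators listed above, added here as an example and not part of the original resource. The sample lines are constructed; the contact e-mail indicators are left out because the addresses are redacted in the resource, and the mutex pattern only fires on telemetry that records mutex names.

```powershell
# Added example (not from the original resource): tag log lines matching the listed IoCs.
# Sample lines below are constructed for illustration, not real telemetry.
$indicators = [ordered]@{
    Mutex        = [regex]'\{4D53030E-74B6-6D7F-FF1C-C4C6C7C8C9CA\}'
    C2           = [regex]'185\.225\.69(\[\.\]|\.)121'          # defanged or plain form
    RansomNote   = [regex]'RECOVER-FILES\.txt'
    Extension    = [regex]'\.encryptedyourfiles\b'
    ShadowDelete = [regex]'(?i)vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete'
    ServiceStop  = [regex]'(?i)\bnet\s+stop\s+\S*(sql|exchange|veeam)'
    DropperName  = [regex]'(?i)\b(svcsHost|FileLocker|MSIX1)\.exe\b'
}

function Find-Ioc {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Collect every indicator name whose pattern matches this line
        $hits = foreach ($name in $indicators.Keys) {
            if ($indicators[$name].IsMatch($line)) { $name }
        }
        if ($hits) { [pscustomobject]@{ Indicators = ($hits -join ','); Line = $line } }
    }
}

# Constructed Sysmon/firewall-style sample; the last line is benign and should not match
$sample = @(
    '2023-10-20T02:15:03 Sysmon EID 1 Image=C:\Users\Public\svcsHost.exe CommandLine="svcsHost.exe -access"',
    '2023-10-20T02:15:04 Sysmon EID 1 CommandLine="vssadmin delete shadows /all /quiet"',
    '2023-10-20T02:15:05 Sysmon EID 1 CommandLine="net stop MSSQLSERVER"',
    '2023-10-20T02:15:09 FW allow tcp 10.0.0.15:51234 -> 185.225.69.121:443',
    '2023-10-20T02:16:40 Sysmon EID 11 TargetFilename=C:\Finance\Quarterly_Report.xlsx.encryptedyourfiles',
    '2023-10-20T02:16:41 Sysmon EID 11 TargetFilename=C:\Finance\RECOVER-FILES.txt',
    '2023-10-20T02:17:00 Sysmon EID 1 Image=C:\Windows\System32\notepad.exe'
)
Find-Ioc -Lines $sample | Format-Table -AutoSize
```

Pipe real exports in with `Get-Content` instead of `$sample`; a DropperName or ShadowDelete hit followed minutes later by Extension hits is the sequence section 3 describes.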

Bottom line: “Encryptyourfiles” is not technically ground-breaking but exploits easily manageable weak points (phishing, exposed RDP, slow patching). Securing those vectors plus maintaining segmented backups renders this strain a nuisance rather than a company-ending event. If you have the v1 build and still hold %TEMP%\key.bin you can likely self-recover; otherwise restore from offline backups or engage professional IR, but do NOT rely on commercial decryption offers that claim universal capability for this family.