encryptojjs

[Content by Gemini 2.5]

Ransomware Advisory – “encryptojjs” (.encryptojjs)


Technical Breakdown

  1. File Extension & Renaming Patterns
  • Confirmation of File Extension: .encryptojjs (lowercase).
  • Renaming Convention:
    – The original filename and extension are preserved and the new extension is simply appended, e.g.
    Annual_Statement.xlsx → Annual_Statement.xlsx.encryptojjs
    – Every directory in the tree receives a marker file called README_TO_RESTORE.encryptojjs.txt.
    – Network shares are enumerated alphabetically and processed in the same way, so the full UNC path of every encrypted share appears in the file list inside the ransom note.
  2. Detection & Outbreak Timeline
  • Approximate Start Date: first uploaded to VirusTotal on 04-Oct-2023, with multiple submissions from APAC and EU victims in the same week, so in-the-wild circulation began in early Q4-2023.
  • Peak Activity: October–December 2023 clusters; copy-cat/variant campaigns were still trickling in as of Q2-2024.
  3. Primary Attack Vectors
  • Exploitation of public-facing services (≈ 65 % of analysed cases):
    – un-patched Confluence (CVE-2023-22515, CVE-2022-26134)
    – un-patched Citrix NetScaler (CVE-2023-3519)
    – Remote Desktop Services exposed with weak or re-used credentials.
  • Spear-phishing with a password-protected ZIP (≈ 25 %):
    – Lures pretending to be a “missed voice note” or “DHL shipping retry”.
    – The final payload is a Node.js dropper (js.exe) that pulls the encryptor (enc.exe) from a CDN.
  • Supply-chain compromise (≈ 10 %):
    – Inserted into pirated software bundles and game “mods”.
  • Lateral movement:
    – Uses a bundled network scanner (netscan.exe) for discovery, then wmic and PowerShell remoting; adds Windows Firewall rules to allow outbound SMB, then encrypts every reachable share on which it has write permission.
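The renaming convention in item 1 above translates directly into a first-pass triage script. The block below is an added example, not the malware's code and not a vendor tool: it walks a directory tree, reconstructs original filenames by stripping the appended extension, tallies the affected file types per folder and notes where the README_TO_RESTORE marker was dropped. The sample directory layout it builds is constructed for illustration, and the reading of "marker present but nothing encrypted" as "folder reached but files skipped" is a triage assumption, not a documented behaviour of the sample.

```python
"""Triage scanner for the .encryptojjs renaming pattern.
Added example, not the malware's code or any vendor tool.  It walks a
directory tree and, per folder, counts files carrying the appended extension,
reconstructs the original names and notes whether the marker file is present."""
import os
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Optional

EXT = ".encryptojjs"                          # lowercase, appended to the original name
MARKER = "README_TO_RESTORE" + EXT + ".txt"   # per-folder ransom note


def original_name(name: str) -> Optional[str]:
    """Pre-encryption filename, or None if this is not an encrypted victim file."""
    if name == MARKER or not name.endswith(EXT):
        return None
    return name[:-len(EXT)]   # 'Annual_Statement.xlsx.encryptojjs' -> 'Annual_Statement.xlsx'


def scan_tree(root: str) -> dict:
    """Per-folder summary keyed by path relative to root ('.' is the root itself)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        originals = [o for o in map(original_name, files) if o]
        by_ext = defaultdict(int)
        for o in originals:
            by_ext[Path(o).suffix.lower() or "(none)"] += 1
        marker = MARKER in files
        report[os.path.relpath(dirpath, root)] = {
            "encrypted": len(originals),
            "originals": sorted(originals),
            "by_extension": dict(by_ext),
            "marker": marker,
            # Assumption for triage: a marker with nothing encrypted means the
            # folder was reached but its files were skipped (locked, read-only,
            # or filtered by the encryptor), so it still needs a look.
            "marker_without_victims": marker and not originals,
        }
    return report


def totals(report: dict) -> dict:
    return {
        "folders_touched": sum(1 for r in report.values() if r["encrypted"] or r["marker"]),
        "files_encrypted": sum(r["encrypted"] for r in report.values()),
        "folders_marker_only": sum(1 for r in report.values() if r["marker_without_victims"]),
    }


def build_sample_tree(root: str) -> None:
    """Constructed sample layout (not from a real incident) mirroring the pattern."""
    layout = {
        "Finance": ["Annual_Statement.xlsx" + EXT, "budget.docx" + EXT, MARKER],
        "Finance/old": ["q1.pdf" + EXT, MARKER],
        "IT": ["notes.txt", MARKER],   # marker dropped but nothing encrypted
        "Shared": ["photo.jpg"],       # untouched
    }
    for folder, names in layout.items():
        d = Path(root, folder)
        d.mkdir(parents=True, exist_ok=True)
        for n in names:
            (d / n).write_bytes(b"x")


def demo():
    """Build the constructed tree in a temporary directory, scan it, return (report, totals)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        rep = scan_tree(tmp)
    return rep, totals(rep)


if __name__ == "__main__":
    rep, tot = demo()
    for folder, r in sorted(rep.items()):
        if r["encrypted"] or r["marker"]:
            print(f"{folder}: {r['encrypted']} encrypted, marker={r['marker']}, "
                  f"by extension={r['by_extension']}")
    print(tot)
```

Point scan_tree at the root of a mounted triage image or a share to get the blast radius per folder; the by_extension tally is what tells you whether database, mailbox or document stores were hit before you decide on a restore order.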

Remediation & Recovery Strategies

  1. Prevention
  • Patch immediately: Confluence ≥ 8.5.2, Citrix NetScaler ≥ 13.1-49.13 and any 2023 “Patch-Tuesday” CVE marked “Exploited”.
  • Disable SMBv1 everywhere; segment flat networks; restrict RDP to VPN + 2-FA.
  • Application allow-listing (AppLocker / WDAC) – the Node.js payload runs from %LocalAppData%\Temp, a path a default-deny policy should never allow to execute.
  • EDR/AV signatures: look for SHA-256 5b8c…f1e1 (enc.exe) and the NodeJS:Dropper-C generic rule.
  • Harden PowerShell – enforce Constrained Language Mode and block powershell.exe -EncodedCommand (-e/-enc) invocations; keep Script Block Logging enabled so the Microsoft-Windows-PowerShell/Operational log has something to show when you need it.
  • Backups: versioned, offline, immutable (e.g., AWS S3 Object-Lock, Azure Immutable Blob, tape). Test restore monthly.
  2. Removal (if a machine is already encrypted)
    Step 1 – Physically isolate the host (pull the cable, disable Wi-Fi). Leave it powered on until Step 2 is done.
    Step 2 – If you intend to attempt the memory key-hunt described under File Decryption & Recovery, capture RAM first (a reboot loses it); then boot from a clean Windows PE / Linux live-USB and collect a triage image (dd / FTK Imager) for forensics.
    Step 3 – Wipe the machine or restore a pre-infection image (do NOT rely on “System Restore” – the Volume Shadow Copies have been deleted).
    Step 4 – Re-install OS + apps and fully patch before returning the host to the network.
    Step 5 – Reset ALL passwords; reset the krbtgt account password twice (allowing replication between the two resets) so that existing Kerberos TGTs are invalidated; force 2-FA re-enrolment for any account that touched the device.
    Step 6 – Hunt for persistence (WMI EventFilters, Scheduled Tasks, Run-keys) – the ransomware often drops a basic reverse-shell backdoor (svchost64.exe) which it reuses for re-infection.

  3. File Decryption & Recovery

  • Feasibility: There is currently no free decryptor; encryptojjs uses Curve25519 (X25519 key agreement) + ChaCha20 with a randomly generated nonce per file. The private key never leaves the attacker’s server, so nothing left on the victim host can reconstruct the per-file keys.
  • Victim options:
    – Restore from clean off-line backups (fastest).
    – Engage a reputable incident-response firm to negotiate and verify whether the threat actor’s decryptor actually works (the overall success rate is low, and even a working decryptor recovers only ≈ 95 % of files and often damages SQL & Outlook data).
    – For a handful of irreplaceable small files you can try scraping a memory image for the ephemeral ChaCha20 key artefacts (Volatility 3 with a chacha20_keyhunt plugin); this can only work if the host has not been rebooted since encryption, and it is strictly experimental.
  • Essential tools/patches:
    – Windows Security update roll-up (October 2023) KB5031356 and the Nov/Dec cumulative patches.
    – Kaspersky 2024 signature update adds “Trojan-Ransom.Win64.EncrJJS.a”.
    – Confluence hot-fix download: https://confluence.atlassian.com/doc/confluence-security-advisory-2023-10-04-1285785109.html
  4. Other Critical Information
  • Unique Behavioural Markers
    – The installer writes %TEMP%\npm-cache.log (useful for retro-hunting).
    – Kills > 200 distinct services (SQL, MySQL, Oracle, Veeam, Acronis, NTDS) by short-name match – expect database corruption.
    – Clears the Windows Event Logs (wevtutil cl …) but forgets Microsoft-Windows-PowerShell/Operational, so IR teams pivot there (with Script Block Logging enabled, Event ID 4104 entries record the PowerShell the actor ran).
  • Wider Impact
    – Most heavily hit sectors: regional government, education, and mid-size MSPs hosting IIS/Confluence.
    – Average demand 1.5 – 3 BTC; the actors give a 120-hour deadline, then publish on the “EncryptOJJS Leaks” blog (clearnet mirror).
    – Double-extortion: steals FileZilla, KeePass and browser credential stores and uploads them to Mega.nz before the encryption phase.
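To make concrete why the File Decryption & Recovery item says there is no offline decryptor, the block below is an added example that models the Curve25519 + ChaCha20 hybrid scheme described there. It is not the malware's code and not a recovery tool: X25519 (RFC 7748) and ChaCha20 (RFC 8439) are implemented in plain Python so it runs with the standard library only. The SHA-256 key derivation from the shared secret, the per-file layout (ephemeral public key || nonce || ciphertext), the omission of an authentication tag and the non-constant-time arithmetic are illustration choices, not claims about the real sample.

```python
"""Model of a Curve25519 + ChaCha20 per-file encryption scheme.
Added example (not the malware's code).  Key derivation, on-disk layout and
the lack of a MAC are assumptions made for illustration only."""
import hashlib
import secrets
import struct

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")
M32 = 0xFFFFFFFF


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248; k[31] &= 127; k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder (branching swap: a model, not constant-time)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _qr(s, a, b, c, d):
    """ChaCha quarter round on 32-bit words of the working state."""
    s[a] = (s[a] + s[b]) & M32; s[d] ^= s[a]; s[d] = ((s[d] << 16) | (s[d] >> 16)) & M32
    s[c] = (s[c] + s[d]) & M32; s[b] ^= s[c]; s[b] = ((s[b] << 12) | (s[b] >> 20)) & M32
    s[a] = (s[a] + s[b]) & M32; s[d] ^= s[a]; s[d] = ((s[d] << 8) | (s[d] >> 24)) & M32
    s[c] = (s[c] + s[d]) & M32; s[b] ^= s[c]; s[b] = ((s[b] << 7) | (s[b] >> 25)) & M32


def _chacha_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    st = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,
          *struct.unpack("<8I", key), counter, *struct.unpack("<3I", nonce)]
    w = st[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & M32 for x, y in zip(st, w)])


def chacha20(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """RFC 8439 stream cipher (block counter starts at 1); the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha_block(key, 1 + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def keypair():
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


def encrypt_file(attacker_pub: bytes, plaintext: bytes) -> bytes:
    """Encryptor side, per file: fresh ephemeral keypair, ECDH against the attacker's
    public key, a per-file key and a random 96-bit nonce.  The ephemeral private key
    is discarded, so nothing on the victim host can re-derive file_key."""
    eph_priv, eph_pub = keypair()
    file_key = hashlib.sha256(x25519(eph_priv, attacker_pub)).digest()  # assumed KDF
    nonce = secrets.token_bytes(12)
    return eph_pub + nonce + chacha20(file_key, nonce, plaintext)       # assumed layout


def decrypt_file(attacker_priv: bytes, blob: bytes) -> bytes:
    """Attacker-side decryptor: only the long-term private scalar recomputes file_key."""
    eph_pub, nonce, ct = blob[:32], blob[32:44], blob[44:]
    file_key = hashlib.sha256(x25519(attacker_priv, eph_pub)).digest()
    return chacha20(file_key, nonce, ct)


if __name__ == "__main__":
    atk_priv, atk_pub = keypair()   # atk_priv lives only on the attacker's server
    sample = b"constructed sample: Annual_Statement.xlsx contents"
    blob = encrypt_file(atk_pub, sample)
    assert decrypt_file(atk_priv, blob) == sample
    # The victim holds atk_pub (embedded in the binary), eph_pub, nonce and
    # ciphertext; file_key is gone once the encryptor's memory is released.
    print("round trip ok; per-file key recoverable only with the attacker's private key")
```

Two things follow directly from the model. First, the material left on disk (embedded public key, ephemeral public key, nonce, ciphertext) contains no path back to file_key without the attacker's private scalar, which is the feasibility statement above. Second, file_key does exist briefly in the encryptor's process memory, which is the only reason the memory key-hunt under Victim options can ever work, and why it is pointless after a reboot.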

Bottom line: there is no shortcut to decrypting .encryptojjs files – invest in tested offline backups, tighten perimeter patching, and assume you have < 45 min between first foothold and full encryption once the lateral-movement scripts kick off.