encs

[Content by Gemini 2.5]

ENC-S Ransomware (.encs)

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .encs (lower-case) is appended after the original extension.
    Example: Q4-Report.xlsx becomes Q4-Report.xlsx.encs.
  • Renaming Convention:
    – The original name is preserved; nothing is randomized or base-64-encoded.
    – If the file sits in a path that exceeds MAX_PATH (260 chars on NTFS), the last 6 characters before the dot are truncated to guarantee space for the extra 5-byte extension.

2. Detection & Outbreak Timeline

  • First public samples: 2023-04-14 (submitted to VirusTotal from US & DE).
  • Wider reporting period: mid-May 2023, when a cluster of healthcare clinics in Central Europe blogged about the same extension and identical ransom note (HOW-TO-RECOVER-ENCS.txt).
  • Still circulating as of 2024-Q2; minor version bumps (1.2 → 1.4) observed, but no new extension.

3. Primary Attack Vectors

  • Phishing with ISO/IMG lure:
    – E-mail topic “Pending invoice” carries a 1-2 MB ISO.
    – Mounting the ISO shows a .BAT + .DLL pair; the BAT side-loads the DLL via legitimate certutil.exe.
  • Exploitation of vulnerable Citrix NetScaler (CVE-2022-27518) and Sophos Firewall (CVE-2022-3236) for initial foothold on exposed gateways.
  • Living-off-the-land lateral movement:
    – wmic + powershell to disable Windows Defender real-time protection.
    – Uses built-in esentutl.exe to copy itself around shares (evades SMB write-detections because tool is signed).
  • No evidence of worm-like SMBv1/EternalBlue code; relies on credential reuse & harvested Kerberos TGTs.
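The three host-side behaviours above (certutil launched from a batch file with a DLL argument, Defender real-time protection switched off through wmic/powershell, and esentutl copying the encryptor to administrative shares) can be expressed as process-creation rules. The code below is an added example and not part of the page or any vendor's ruleset: the events are constructed Sysmon Event ID 1 style records reduced to four fields, and the rule names and matching patterns are this example's own choices.

```python
"""Process-creation detections for the ENC-S tradecraft described above.

Added example, not from the page: the events are constructed Sysmon Event ID 1
style records (Image, CommandLine, ParentImage, ParentCommandLine); the field
names and rule patterns are this example's own choices."""
import json
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def _image_is(event: Event, field: str, exe: str) -> bool:
    return event.get(field, "").lower().endswith("\\" + exe)


def certutil_from_batch(e: Event) -> bool:
    """certutil.exe launched by cmd.exe running a .bat and handed a .dll (ISO lure stage)."""
    return (_image_is(e, "Image", "certutil.exe")
            and _image_is(e, "ParentImage", "cmd.exe")
            and ".bat" in e.get("ParentCommandLine", "").lower()
            and ".dll" in e.get("CommandLine", "").lower())


def defender_realtime_disable(e: Event) -> bool:
    """Any process whose command line turns off Defender real-time monitoring."""
    return re.search(r"set-mppreference.*disablerealtimemonitoring\s+\$?true",
                     e.get("CommandLine", ""), re.I) is not None


def wmic_spawns_powershell(e: Event) -> bool:
    """wmic.exe used to create a powershell.exe process (local or remote)."""
    cmd = e.get("CommandLine", "").lower()
    return _image_is(e, "Image", "wmic.exe") and "process call create" in cmd and "powershell" in cmd


def esentutl_copy_to_admin_share(e: Event) -> bool:
    """esentutl.exe /y <src> /d <dst> where the destination is a C$ or ADMIN$ share."""
    cmd = e.get("CommandLine", "")
    return (_image_is(e, "Image", "esentutl.exe")
            and re.search(r"\s/y\s", cmd, re.I) is not None
            and re.search(r"\\\\[^\\]+\\(c|admin)\$", cmd, re.I) is not None)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("certutil-dll-from-batch", certutil_from_batch),
    ("defender-realtime-disable", defender_realtime_disable),
    ("wmic-spawns-powershell", wmic_spawns_powershell),
    ("esentutl-copy-to-admin-share", esentutl_copy_to_admin_share),
]


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule each event trips."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


def detect_jsonl(text: str) -> List[Tuple[int, str]]:
    """Same, over newline-delimited JSON as exported by many SIEM/EDR tools."""
    return detect([json.loads(line) for line in text.splitlines() if line.strip()])


# Constructed sample events: four malicious, two benign controls.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -f D:\inv.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c D:\Invoice.bat"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": 'wmic.exe process call create "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"',
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentCommandLine": "WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y C:\ProgramData\RqaF1kil\rll.exe /d \\FS01\C$\ProgramData\rll.exe /o",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\esentutl.exe",            # benign: local database log copy
     "CommandLine": r"esentutl.exe /y C:\db\edb.log /d D:\backup\edb.log",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",            # benign: certificate check
     "CommandLine": "certutil.exe -verify server.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The benign controls matter as much as the hits: esentutl /y is a legitimate backup idiom and certutil is run constantly by update and PKI tooling, so each rule keys on the combination the page describes (batch parent plus DLL argument, destination on an administrative share) rather than on the binary name alone.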

Remediation & Recovery Strategies

1. Prevention

  • E-mail & browser hardening:
    – Block ISO, IMG, VHD, and OneNote at the mail gateway.
    – Mark outer extensions as “High-risk” via Group Policy.
  • Patch Internet-facing apps immediately: Citrix ADC/Gateway, Sophos Firewall, FortiOS, and any SSO portals.
  • Disable PowerShell v2, restrict wmic usage, and set Defender ASR rule “Block Office apps creating executables” to Audit-then-Block.
  • Application whitelisting / WDAC prevents unsigned binaries from running in %TEMP% and %APPDATA%—the two folders ENC-S writes to.
  • Network segmentation + RDP jump hosts; enforce LAPS to stop lateral RDP that the group abuses once inside.
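The first prevention item, blocking disk-image and OneNote containers at the mail gateway and treating the outer extension as the one that counts, is easier to reason about as concrete policy logic. The check below is an added example, not the page's or any gateway product's code: it parses a constructed "Pending invoice" message (the subject is the one detail taken from the write-up) and flags attachments by outer extension, by a document extension hidden behind a container extension, and by an ISO 9660 signature in the payload even when the file has been renamed.

```python
"""Mail-gateway attachment policy check for the container formats listed above.

Added example, not from the page: the lure message is constructed, and the
"Pending invoice" subject is the only detail taken from the write-up."""
import email
import email.policy
from email.message import EmailMessage
from typing import List, Tuple

BLOCKED_EXTENSIONS = {"iso", "img", "vhd", "vhdx", "one"}   # disk images + OneNote, per the policy above
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx"}
ISO_MAGIC_OFFSET = 32769   # ISO 9660 primary volume descriptor at sector 16: type byte, then "CD001"


def attachment_findings(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every attachment the policy would block."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        pieces = name.lower().split(".")
        outer = pieces[-1] if len(pieces) > 1 else ""
        if outer in BLOCKED_EXTENSIONS:
            findings.append((name, f"outer extension .{outer} is a blocked container type"))
        if len(pieces) > 2 and pieces[-2] in DOCUMENT_EXTENSIONS:
            findings.append((name, f"double extension hides .{pieces[-2]} behind .{outer}"))
        # Content sniffing catches an ISO renamed to a harmless-looking extension.
        if payload[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001":
            findings.append((name, "ISO 9660 signature found regardless of extension"))
    return findings


def gateway_verdict(raw: bytes) -> str:
    return "block" if attachment_findings(raw) else "allow"


def _fake_iso() -> bytes:
    """Tiny stand-in carrying only the volume-descriptor signature; not a real image."""
    return b"\x00" * 32768 + b"\x01CD001\x01" + b"\x00" * 2041


def build_lure() -> bytes:
    """Constructed 'Pending invoice' message with an ISO, a renamed ISO and a clean PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Pending invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(_fake_iso(), maintype="application", subtype="octet-stream",
                       filename="Invoice_Q4.pdf.iso")
    msg.add_attachment(_fake_iso(), maintype="application", subtype="pdf", filename="scan.pdf")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


def build_clean() -> bytes:
    """Constructed message that the policy should let through."""
    msg = EmailMessage()
    msg["From"] = "hr@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Updated travel policy"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf", filename="policy.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, reason in attachment_findings(build_lure()):
        print(f"{fname}: {reason}")
    print("verdict:", gateway_verdict(build_lure()), "/", gateway_verdict(build_clean()))
```

The signature check is the part that survives attacker renaming: the extension rules stop the plain lure, while the `CD001` test at sector 16 catches the same image delivered as `scan.pdf`.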

2. Removal

  1. Physically isolate the host from the LAN (pull cable / disable Wi-Fi).
  2. Boot into Safe Mode with Networking; log in with a different local account (not the compromised one).
  3. Delete the following persistence artefacts (all dropped under random 8-char names):
     – %ProgramData%\RqaF1kil\*.exe
     – Run-key:
       HKCU\Software\Microsoft\Windows\CurrentVersion\Run → “RqaF1kil” = “C:\ProgramData\RqaF1kil\rll.exe”
  4. Stop and disable the service EnPassService (used to restart the encryptor).
  5. Install the most recent cumulative Windows update offline, then reconnect to the domain only after ALL local drives have been declared clean by a second-opinion scanner (e.g., MSERT, ESET, Kaspersky Rescue Disk).
  6. Before restoring data, re-image the OS volume to eliminate backdoors (Cobalt Strike BEACON has been co-dropped in >30 % of cases).

3. File Decryption & Recovery

  • Recovery Feasibility:
    – No free public decryptor exists.
    – Encryption is hybrid:
      • Files < 2 MB → pure ChaCha20 + RSA-2048 OAEP.
      • Files ≥ 2 MB → ChaCha20 random key per file, key blob encrypted with RSA-2048 and stored in the last 256 bytes.
    – Offline key material is NOT left on disk.
    – Brute-forcing the RSA-2048 key is computationally infeasible.
  • Only options:
    A) Restore from offline backups (Veeam, Commvault, Azure Immutable Blob, AWS S3 Object-Lock).
    B) If shadow copies survive (rare), use vssadmin list shadows + shadowcopy restore.
    C) Negotiation / paying the ransom is discouraged—no guarantee, and you fund crime. Still, some victims (publishers 2023-07) confirmed the attacker’s decryptor works, albeit at ≈0.5 BTC average.
  • Essential software updates:
    – Windows cumulative patch 2023-05 or later (adds detection signature “Ransom:Win32/Encs.A”).
    – Sophos/CVE-2022-3236 hot-fix ≥ SF-v19.0.1.
    – Citrix ADC firmware ≥ 13.1-33.56.

4. Other Critical Information

  • Unique characteristics / “gotchas”:
    – Runs a pre-encryption uptime check: if total minutes since boot < 60, it sleeps (evades sandbox).
    – Skips the first 8192 bytes of .txt, .log, and .ini files—this lets the ransom note open instantly and fools some “file-cannot-open” tests.
    – Drops a secondary backdoor (oci.dll) that masquerades as Oracle client code; removes itself after 7 days.
  • Broader Impact:
    – Highest hit-sectors: regional clinics, county-level governments, and architecture firms—chosen because they frequently expose Citrix for remote CAD/EMR access.
    – Average dwell time reported: 9 days (Flashpoint Intel).
    – Because ENC-S lies dormant for an hour after start-up, overnight “Gold-Image” backups often capture an already seeded environment—validate your restore points with hash checks before declaring victory.
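The renaming rule in section 1, the hybrid layout in section 3 and the 8192-byte clear prefix above together describe what an incident responder can learn from a `.encs` file without the private key. The triage helper below is an added example and not a decryptor (the page is explicit that none exists): it recovers the original name by stripping the appended suffix, identifies the small/large layout from the 2 MB threshold, preserves the 256-byte RSA-wrapped key blob as evidence, and confirms that the body is ciphertext while the documented text prefix is still readable. The page's figures are used as given; the 7.5 bits/byte entropy and 95 % printable-ratio cut-offs are assumptions of this example, and the sample files are constructed with random bytes standing in for ciphertext.

```python
"""Triage helper for .encs files: layout, wrapped key blob, clear-text prefix.

Added example, not from the page, and not a decryptor. Figures taken from the
write-up: the .encs suffix, the 2 MB layout threshold, the 256-byte trailer and
the 8192-byte clear prefix on .txt/.log/.ini. Assumptions of this example: the
7.5 bits/byte entropy and 95 % printable-ratio cut-offs, and the constructed
samples, where random bytes stand in for ciphertext."""
import math
import os
from typing import Dict, Optional

ENCS_EXT = ".encs"
LARGE_FILE = 2 * 1024 * 1024       # page: files >= 2 MB use the per-file key-blob layout
KEY_BLOB_LEN = 256                 # page: RSA-2048-wrapped ChaCha20 key in the last 256 bytes
CLEAR_PREFIX = 8192                # page: first 8192 bytes of .txt/.log/.ini left unencrypted
CLEAR_PREFIX_EXTS = {".txt", ".log", ".ini"}
HIGH_ENTROPY = 7.5                 # assumption: bits/byte at or above which data counts as ciphertext
PRINTABLE_RATIO = 0.95             # assumption: share of printable bytes that counts as clear text


def original_name(name: str) -> Optional[str]:
    """Pre-encryption file name (the malware only appends .encs), or None if not renamed."""
    if not name.lower().endswith(ENCS_EXT) or len(name) == len(ENCS_EXT):
        return None
    return name[:-len(ENCS_EXT)]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = (data.count(bytes([b])) for b in range(256))
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_printable(data: bytes) -> bool:
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= PRINTABLE_RATIO


def triage(name: str, data: bytes) -> dict:
    """Describe one file's ENC-S layout. The key blob is kept because a future
    decryptor (or a recovered private key) would need it, not because it opens now."""
    orig = original_name(name)
    result = {"name": name, "original_name": orig, "size": len(data), "encs": orig is not None}
    if orig is None:
        return result
    ext = os.path.splitext(orig)[1].lower()
    layout = "large" if len(data) >= LARGE_FILE else "small"
    key_blob = data[-KEY_BLOB_LEN:].hex() if layout == "large" else None
    body = data[:-KEY_BLOB_LEN] if key_blob else data
    clear_prefix = False
    if ext in CLEAR_PREFIX_EXTS:
        clear_prefix = looks_printable(body[:CLEAR_PREFIX])
        body = body[CLEAR_PREFIX:]
    entropy = round(shannon_entropy(body), 2)
    result.update({"original_ext": ext, "layout": layout, "key_blob": key_blob,
                   "clear_prefix": clear_prefix, "body_entropy": entropy,
                   "body_encrypted": entropy >= HIGH_ENTROPY})
    return result


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(os.path.basename(path), fh.read())


def build_samples() -> Dict[str, bytes]:
    """Constructed stand-ins; no real sample is used."""
    log_text = b"2024-05-15 08:00:01 INFO service started\n" * 400      # > 8192 bytes of plain text
    return {
        "server.log.encs": log_text[:CLEAR_PREFIX] + os.urandom(LARGE_FILE),   # >= 2 MB layout
        "Q4-Report.xlsx.encs": os.urandom(500_000),                            # < 2 MB layout
        "README.txt": b"not touched\n",
    }


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        print(triage(fname, blob))
```

Two practical points follow from the output. A readable first 8 KiB of a `.log` is not evidence that the file escaped encryption, so validation of restore points should look at body entropy rather than whether the file opens. And the hex key blob is worth recording per file in the incident record: it is the only per-file secret material the layout leaves behind, and it is useless without the operator's RSA private key, which is exactly why it should not be treated as a recovery path today.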

Quick-reference IOCs (updated 2024-05-15)
SHA-256: 3bd8f83c4cc7bb2547ed5dfa11c92b0b3b5833eeba1c9696bcbcff991a19b482
C2: uakoss5m3h[.]top (port 443 with a forged Cloudflare certificate)
Ransom note: HOW-TO-RECOVER-ENCS.txt (always 4096 bytes, CRC32 D963F4A7)
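The indicators above, together with the persistence artefacts from the removal section, are enough for a scripted sweep. The code below is an added example and not the page's own tooling: the hash, defanged C2 domain, note name/size/CRC32 and the eight-character %ProgramData% drop folder are the page's values, while the files, registry export and DNS log lines it runs over are constructed for the demonstration. Note that it does not ship the real note, so the constructed note exercises the "name matches, CRC differs" branch that a new build would produce.

```python
"""IOC sweep built from the quick-reference list above.

Added example, not from the page. The hash, C2 domain, note name/size/CRC32 and
the eight-character %ProgramData% drop folder come from the write-up; the files,
registry export and DNS log lines below are constructed for the demonstration."""
import hashlib
import re
import zlib
from typing import Dict, List, Optional

IOC_SHA256 = {"3bd8f83c4cc7bb2547ed5dfa11c92b0b3b5833eeba1c9696bcbcff991a19b482"}
IOC_C2_DEFANGED = "uakoss5m3h[.]top"
NOTE_NAME = "HOW-TO-RECOVER-ENCS.txt"
NOTE_SIZE = 4096
NOTE_CRC32 = 0xD963F4A7
RUN_KEY = r"software\microsoft\windows\currentversion\run"
DROP_DIR = re.compile(r"\\programdata\\[a-z0-9]{8}\\", re.I)   # page: random 8-char folder name


def refang(indicator: str) -> str:
    """Turn the defanged form published above back into a matchable value."""
    return indicator.replace("[.]", ".")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_note(name: str, data: bytes) -> Optional[str]:
    """An exact note match needs both the fixed size and the published CRC32."""
    if name != NOTE_NAME:
        return None
    if len(data) == NOTE_SIZE and (zlib.crc32(data) & 0xFFFFFFFF) == NOTE_CRC32:
        return "ransom note: exact IOC match"
    return "ransom note: name matches IOC but size/CRC differ (possible new build)"


def check_run_export(reg_text: str) -> List[str]:
    """Scan a .reg export for Run values launching from a %ProgramData%\\<8 chars>\\ folder."""
    findings, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower().endswith(RUN_KEY)
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run and m:
            value = m.group(2).replace("\\\\", "\\")        # .reg exports escape backslashes
            if DROP_DIR.search(value):
                findings.append(f"run key {m.group(1)} -> {value}")
    return findings


def check_dns(lines: List[str]) -> List[str]:
    c2 = refang(IOC_C2_DEFANGED).lower()
    return [f"C2 lookup: {line}" for line in lines if c2 in line.lower()]


def sweep(files: Dict[str, bytes], reg_text: str, dns_lines: List[str]) -> List[str]:
    findings = []
    for name, data in files.items():
        if sha256_bytes(data) in IOC_SHA256:
            findings.append(f"hash match: {name}")
        note = classify_note(name, data)
        if note:
            findings.append(f"{note}: {name}")
    return findings + check_run_export(reg_text) + check_dns(dns_lines)


# Constructed inputs (not real artefacts).
SAMPLE_FILES = {
    NOTE_NAME: (b"Your files are encrypted. Read this carefully.\n" * 200)[:NOTE_SIZE],
    "rll.exe": b"MZ" + b"\x00" * 126,
}
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"RqaF1kil"="C:\\ProgramData\\RqaF1kil\\rll.exe"
'''
SAMPLE_DNS = [
    "2024-05-15T10:00:00Z client=10.0.0.5 query=update.example.invalid type=A",
    "2024-05-15T10:00:07Z client=10.0.0.5 query=uakoss5m3h.top type=A",
]

if __name__ == "__main__":
    for finding in sweep(SAMPLE_FILES, SAMPLE_REG, SAMPLE_DNS):
        print(finding)
```

The drop-folder rule is deliberately a pattern rather than the literal `RqaF1kil`, since the page says the names are random per victim; the hash and CRC checks are exact, which is why they age fastest and why the closing sentence about refreshing the list applies to them first.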

Share this resource, but keep the IOC list updated—actors tweak builds every 6-8 weeks.