encx45cr*

[Content by Gemini 2.5]

Ransomware Resource Sheet

Variant spotlight: Files that suddenly show the extension “.encx45cr*” (the asterisk stands for one extra random alphanumeric character, e.g., .encx45crT, .encx45cr7, …)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension: .encx45cr* where * is one random character (0-9 or A-Z)
  • Renaming convention:
      • Original: Annual_report.xlsx
      • After encryption: Annual_report.xlsx.encx45crT
  • Drops a plain-text note “+README-WARNING+.txt” (sometimes also “+README-WARNING+.hta”) in every folder and on the desktop
  • Desktop wallpaper is overwritten with a BMP copy of the HTA warning (bitmap name: “w0rmX45.bmp”)
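As an added triage example (not part of this sheet), a Python script that walks a directory, flags files matching the .encx45cr* pattern and the ransom-note names above, recovers each original file name, and records whether the file header still reads as a known type (the sheet notes under Other Critical Information that the first 8 096 bytes of files up to 100 MB are left unencrypted). The sample tree is constructed, and the magic-number table is an assumption for the demo.

```python
import os, re, tempfile

# Extension pattern from the sheet: ".encx45cr" plus one random character (0-9 or A-Z).
ENCX_RE = re.compile(r"\.encx45cr[0-9A-Z]$")
# Ransom note file names from the sheet.
NOTE_NAMES = {"+README-WARNING+.txt", "+README-WARNING+.hta"}
# The sheet says the first 8 096 bytes of every file <= 100 MB are left unencrypted.
SKIPPED_HEADER = 8096
SIZE_LIMIT = 100 * 1024 * 1024
# Assumed magic numbers used to test whether that skipped header still reads as a known type.
MAGICS = {b"PK\x03\x04": "zip/ooxml", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole2"}

def header_type(path):
    # Guess the file type from the leading bytes; None if unrecognised.
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, name in MAGICS.items():
        if head.startswith(magic):
            return name
    return None

def triage(root):
    """Walk root; list encrypted files (with recovered original name) and ransom notes."""
    result = {"encrypted": [], "notes": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in NOTE_NAMES:
                result["notes"].append(path)
            elif ENCX_RE.search(name):
                small = os.path.getsize(path) <= SIZE_LIMIT  # header only survives on small files
                result["encrypted"].append({
                    "path": path,
                    "original": ENCX_RE.sub("", name),
                    "header_type": header_type(path) if small else None,
                })
    return result

def build_sample_tree():
    """Constructed sample directory; the bytes are placeholders, not real encryptor output."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "Annual_report.xlsx.encx45crT"), "wb") as f:
        f.write(b"PK\x03\x04" + b"A" * SKIPPED_HEADER + b"\xff" * 64)  # header intact
    with open(os.path.join(root, "notes.txt.encx45cr7"), "wb") as f:
        f.write(b"\xff" * 128)  # no recognisable header
    with open(os.path.join(root, "+README-WARNING+.txt"), "w") as f:
        f.write("constructed ransom note placeholder")
    with open(os.path.join(root, "lower.encx45crt"), "wb") as f:
        f.write(b"x")  # lowercase suffix: does not match the pattern
    return root
```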

2. Detection & Outbreak Timeline

  • First public submissions: 2024-02-14 (VirusTotal, AnyRun, ID-Ransomware)
  • Rapid spike observed: 2024-02-20 → 2024-03-05, especially in southern-EU and Latin-American MSP networks
  • Still circulating as of: 2024-05 (low-volume, second-wave e-mail blitz)

3. Primary Attack Vectors

  • Phishing e-mails with ISO or IMG attachments containing a “printer-fix.exe” or “invoice_pdf.exe”
  • Exploits for:
      • CVE-2023-36884 (Windows/Office RCE)
      • CVE-2023-34362 (MOVEit Transfer SQLi) – drops .encx45cr on DMZ file shares once inside
  • Internet-facing RDP, either brute-forced or bought from underground “RDP-shop” lists; port 3389 exposed with weak or domain credentials
  • Malicious adverts for fake “AnyDesk/TeamViewer” installers push a signed MSI that side-loads the encx45cr DLL (“wlbsctrl.dll”)
  • Internal propagation: PsExec + WMI + SMB copy using a hard-coded list of 200 common passwords; there is no built-in worm (unlike WannaCry), so it tapers off quickly where segmentation is in place

Remediation & Recovery Strategies

1. Prevention (apply before anything else)

  1. Apply the February–April 2024 Windows updates (including the Office and MOVEit fixes listed above)
  2. Disable SMBv1 across the estate; close port 3389 to the Internet, or require VPN + 2FA and NLA
  3. E-mail filters: block ISO/IMG/VHD at gateway; strip macros from external docs
  4. Application whitelisting (Windows Defender ASR rule: Block executable files running unless they meet a prevalence, age, or trusted-list criterion)
  5. Back-ups: maintain at least one off-line, encrypted, segmented copy (Veeam immutable repo, ZFS with snapshots, tape, etc.); test monthly restore

2. Removal / Incident-Clean-Up Workflow

  1. Isolate the host: disable Wi-Fi, pull the network cable, or shut down the VM via the hypervisor
  2. Collect volatile evidence (memory dump, prefetch, ShimCache) if forensics is planned
  3. Create “golden” copy of the encrypted volume for future decryptor tests; then wipe or rebuild
  4. Boot a clean recovery OS (Windows PE or Linux Live) → delete the attacker binaries:
      • %ProgramData%\w0rmX45\encx45svc.exe
      • %AppData%\Local\Spool\prtprocs\x64\encx45ldr.dll
      • C:\PerfLogs\w0rmX45.ps1
  5. Remove persistence entries:
      • Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run “EncxSvc” → “%ProgramData%\w0rmX45\encx45svc.exe”
      • Scheduled task: Microsoft\Windows\Servicing\EncxUpdate (runs the DLL)
  6. Clear the bogus desktop BMP and ransom notes
  7. Install/re-image a patched OS; restore data from back-up; change every local and domain admin password and force 2FA; revoke RDP certificates if stolen

3. File Decryption & Recovery

  • Current status (2024-05): No free public decryptor. Keys are RSA-2048 per victim, stored on attacker server, not leaked
  • Feasibility: Only practical route is restore from off-line/clean back-up or negotiate/pay (not recommended)
  • If you need to preserve the encrypted data, archive it (encrypted files + personal ID from the ransom note) on cold storage; sometimes master keys surface later (see Babuk, Conti, TeslaCrypt precedent)

4. Essential Tools / Patches You’ll Need Today

  • Microsoft Feb-2024 cumulative update (CVE-2023-36884)
  • Microsoft March-2024 Exchange & Office security update
  • MOVEit Transfer patch 2023.0.11 / 2023.1.6
  • “encx45cr-KillSwitch.exe” – small script published by CERT-EU that flags and auto-terminates the mutex “Global\Encx45-Mutex-2024” (use only after forensic triage)
  • Any good EDR already covers the hashes; IOC list is on GitHub (redjack/encx45cr-iocs)

Other Critical Information

  • Unique quirks:
      • The encryptor checks for the process names “Kaspersky”, “Sentinel” and “Carbon”; if found, it delays encryption by 30 min to evade on-access hooks
      • Skips the first 8 096 bytes of every file ≤ 100 MB (facilitates partial recovery of some databases/VMs) – still unusable without keys, but forensically interesting
      • Executes “vssadmin delete shadows /all” twice; also clears Windows Event logs via “wevtutil cl” to hamper IR
  • Broader impact:
      • Targets MSPs → managed customers hit in cascade; the ransom note asks 8 000 USD per node but offers a “global site unlock” for 0.7 BTC, cashed out through fixedfloat.com
      • Because of the MOVEit abuse, several councils and universities indirectly lost HR and student PII; the data-leak blog “w0rmX45 News” has already posted two victims’ archives
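An added detection example (not from the sheet or any vendor): a small Python rule set that flags the shadow-copy deletion, event-log clearing and known encx45cr file paths described above when run over process-creation records. The records are constructed in a simplified key=value form, not real Sysmon or EDR output, and the rule names are my own.

```python
import re

# Constructed process-creation records in a simplified key=value form (not real log output).
SAMPLE_EVENTS = [
    'Time=2024-02-21T09:14:02 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all"',
    'Time=2024-02-21T09:14:03 Image=C:\\Windows\\System32\\wevtutil.exe CommandLine="wevtutil cl Security"',
    'Time=2024-02-21T09:14:05 Image=C:\\ProgramData\\w0rmX45\\encx45svc.exe CommandLine="encx45svc.exe"',
    'Time=2024-02-21T09:15:00 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe +README-WARNING+.txt"',
    'Time=2024-02-21T10:00:00 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"',
]

# Rules: (name, severity, predicate over image path and command line). Artifact names come from the sheet.
RULES = [
    ("shadow_copy_deletion", "high",
     lambda img, cmd: img.lower().endswith("vssadmin.exe") and bool(re.search(r"delete\s+shadows", cmd, re.I))),
    ("event_log_cleared", "high",
     lambda img, cmd: img.lower().endswith("wevtutil.exe") and bool(re.search(r"\bcl\b", cmd, re.I))),
    ("encx45cr_known_artifact", "critical",
     lambda img, cmd: bool(re.search(r"w0rmX45\\|encx45svc\.exe|encx45ldr\.dll|w0rmX45\.ps1", img + " " + cmd, re.I))),
    ("ransom_note_opened", "medium", lambda img, cmd: "+README-WARNING+" in cmd),
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split one record into a dict, stripping the quotes around CommandLine."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def evaluate(events):
    """Return one alert per (event, matching rule); a benign event yields nothing."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        img, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
        for name, severity, pred in RULES:
            if pred(img, cmd):
                alerts.append({"time": ev.get("Time"), "rule": name, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The "vssadmin list shadows" record is included deliberately: it exercises the same binary but must not fire, which is the check to run before deploying such a rule against real telemetry.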

Bottom line: .encx45cr* is decryptable only via back-up today. Patch CVE-2023-36884 & CVE-2023-34362, close or shield RDP, and ensure immutable off-line back-ups.