enfp

[Content by Gemini 2.5]

Ransomware Deep-dive: The .enfp Strain

(Compiled for defenders, incident responders, and system owners)

TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmation of file extension: .enfp (lower-case, four characters, appended as a secondary extension)
  • Renaming convention:
    – Original: Statement_Q3.xlsx
    – After encryption: Statement_Q3.xlsx.id[XXXXXXXX].[[ATTACKERS_EMAIL]].enfp
    – The fixed-length ID is generated from the victim’s MAC address or a random 8-byte value; email addresses historically seen include [email protected], [email protected], and [email protected].
    – Unlike some other families, the malware does not change the file name itself—only appends the ID block plus .enfp.

2. Detection & Outbreak Timeline

  • First public samples: 2023-04-19 (submitted to VirusTotal from user in LATAM)
  • Peak activity window: May–Aug 2023 (spikes coinciding with patched-but-still-exposed MS-SQL servers & phishing waves themed “DHL Parcel Documentation”).
  • Current variants continue to circulate; no large-scale change in crypto logic has been observed since Aug-2023, indicating the group is in “distribution mode” rather than redevelopment.

3. Primary Attack Vectors

  • 1) Internet-facing MS-SQL brute-force / dictionary attacks – most prevalent.
    – Attackers achieve sa privileges, enable xp_cmdshell, and drop .enfp loader.
  • 2) Phishing (ISO › LNK › MSI) – second most common.
    – LNK executes a PowerShell one-liner that fetches the staging binary from hxxps://filesend[.]jp/…/uploaded.dat (now down).
  • 3) RDP compromise – via credentials purchased from infostealer logs; lateral movement with PDQ Deploy or WMI.
  • 4) Exploitation of unpatched Atlassian Confluence (CVE-2022-26134) observed once; not the dominant vector.
  • 5) Living-off-the-land:
    – Uses certutil -urlcache -split -f to download next stage.
    – Deletes shadow copies with vssadmin delete shadows /all /quiet.
    – Stops SQL, Exchange, QuickBooks, Veeam, and Acronis services to unlock databases.

REMEDIATION & RECOVERY STRATEGIES

1. Prevention (highest ROI controls)

  1. Disable or firewall MS-SQL default port 1433 unless absolutely required; enforce strong sa passwords (≥20 chars) or switch to Windows-only auth.
  2. Multi-factor authentication on: RDP, VPN, VDI, ADFS—stops >90% of purchased-credential re-use.
  3. Patch OS & 3rd-party software: Confluence, Citrix, Fortinet, etc. within 24h of patch release.
  4. Mail-gateway rules:
  • Block ISO, IMG, and VHD at the gateway or auto-send to sandbox.
  • Strip external LNK, JS, VBA, HTA attachments.
  1. Application whitelisting (WDAC / AppLocker):
  • Block execution of %TEMP%*.exe, %APPDATA%\*.exe, and C:\Users\Public\*.exe.
  1. Harden PowerShell: Enable Constrained Language Mode via WDAC; log all 4103/4104 events to central SIEM.
  2. 3-2-1 backups: 3 copies, 2 media, 1 offline + immutability (object-lock or tape). Test restore monthly.

2. Removal – Step-by-Step

  1. Immediately isolate the machine (disable Wi-Fi, unplug Ethernet, shut down Wi-Fi AP if SOHO).
  2. Boot into Safe-Mode-with-Networking (keeps most drivers but unloads malware service).
  3. Identify malicious persistence:
  • Registry run keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run – look for random-name .exe under \Users\Public\ or \ProgramData\.
  • Scheduled Tasks \*Microsoft\Windows\RandomName* created via schtasks /create /ru SYSTEM.
  1. Stop & delete malicious service: 
   sc query type= service state= all | findstr "enfp"
   sc stop <service_name>
   sc delete <service_name>
  1. Remove binary & loader:
  • Usually dropped in %ProgramData%\Oracle\java.exe or %PUBLIC%\Roaming\svchost.exe (name varies).
  • Take forensic image first if legal/operational need.
  1. Clean up artefacts (event log clear scripts, batch files in \Users\<user>\AppData\Local\Temp).
  2. Install OS updates & fully patch before reconnecting to production LAN.

REMINDER: Cleaning the binary does NOT decrypt data. Back up encrypted files (plus the ransom note) before reinstalling in case a decryptor appears later.

3. File Decryption & Recovery

  • Current feasibility: No public decryption tool exists for .enfp; encryption uses ChaCha20 + RSA-2048 (keys generated on attacker server).
  • Brute-forcing is computationally infeasible (≈2²⁰⁴⁸ complexity). Shadow copies are deleted, System Restore disabled; chance of recovery is via:
    Offline backups ➜ best option.
    Volume snapshots on cloud/VM hosts (Azure, AWS, VMware CDP) if they survived.
    File-recovery tools (Photorec, Recuva, Windows File Recovery) may scrape pre-encryption versions only if attacker did NOT run a wiper/over-write routine—rare but worth a scan.
    Negotiation/Payment is NOT recommended (funding crime + no guarantee).
  • Essential tools / patches you still need:
    – MS-SQL “Enforce password policy” GPO template: link
    – Microsoft Safety Scanner (latest): mpam-fe.exe + Emsisoft Emergency Kit for secondary scan.
    – Sophos HitmanPro.Alert free 30-day behavioural block against .enfp behaviours (ChaCha20 mass file ops).
    – Keep an offline copy of the **.enfp ransom note** (HOW TO DECRYPT FILES.txt`)—needed if a future universal decryptor is released.

4. Other Critical Information

  • Ransom note is bilingual English/Spanish, hinting at campaigns targeting both LATAM and US small businesses.
  • The threat group behind .enfp self-identifies as “LockDown” but uses the Makop ransomware builder codebase (same UI strings, PDB path artefacts E:\SDK\Makop_v032\x64\Release\enc.pdb).
  • Does NOT exfiltrate data—no TOR URL, no blog, no “double-extortion” chatter. Impacts therefore limited to availability, not confidentiality breaches.
  • Known BTC wallet clusters reused across campaigns (chain-analysis tags them to a cluster “LD-2023-1”)—helpful for law-enforcement takedown tracking.
  • Post-infection lateral movement uses open-source PDQ Deploy; unusual in smaller ransomware families—block PDQEXEC.exe via applocker unless in use legitimately (sign with org cert).

BOTTOM LINE

.enfp behaves like a “classic” locker—no data theft, no public key leak, solid crypto. Victims’ quickest route to resilience is restoring from offline backups. Harden the perimeter (especially MS-SQL & RDP) and maintain immutable backups; those measures effectively neutralise both .enfp and ninety-percent of today’s commodity ransomware.

Share the knowledge, keep your patches current, and—above all—test your restores!