enjey

[Content by Gemini 2.5]

ENJEY Ransomware – Community Defense Guide

(Variant that appends “.enjey” to every encrypted file)

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every successfully encrypted file receives the SECONDARY extension .enjey (lower-case).
    Example: Quarterly-Report.xlsxQuarterly-Report.xlsx.enjey
    The original base name and primary extension are preserved; ENJEY simply tacks on its marker.
  • Renaming Convention: No randomised prefix/suffix is added, so victims can immediately spot the compromise by the presence of thousands of “double-extension” files. Inside each folder the ransomware also drops:
    !!!_README_!!!.txt (sometimes !!!DECRYPT-ENJEY!!!.txt) – the ransom note.
    – A second variant note called !!!_INSTR_!!!.txt may be written into the root of every logical drive.

2. Detection & Outbreak Timeline

  • First publicly confirmed submissions: 17 Mar 2023 (ID-Ransomware & VirusTotal uploads from Kazakhstan and Bulgaria).
  • Recorded spike / widespread activity: April-May 2023, with continuing low-volume but geographically scattered attacks through Q4-2023 and Q1-2024.
  • Tracking is complicated by the fact that ENJEY is a direct descendant of the Chaos 4.x builder, so every affiliate can “re-brand”; nevertheless, the consistent use of “.enjey” makes cluster detection possible.

3. Primary Attack Vectors

  • RDP brute-force / RDP-stolen credentials → manual deployment by affiliate.
  • Phishing e-mails carrying ISO, ZIP or IMG attachments that contain the Chaos/ENJEY binary disguised as a “quote.pdf.exe”.
  • Malvertising / fake software cracks (Adobe, KMS, game cheats) leading to drive-by downloads.
  • Exploits of public-facing services only when they are already present (Log4Shell, PaperCut, etc.) – i.e. ENJEY itself does not self-propagate, but affiliates that already own a network often drop it as a final “encryption layer” after using more sophisticated access tools.
  • No SMB “worm” component – unlike Ryuk or WannaCry, ENJEY does not scan for SMB shares once inside; it simply traverses mounted logical drives and network-shares it already sees.
  • Written in .NET; obfuscated with ConfuserEx → easy for defenders to unpack in a sandbox; hard for static AV to catch before execution.

Remediation & Recovery Strategies

1. Prevention (STOP THE INFECTION BEFORE IT STARTS)

✅ Disable RDP from the Internet, or at minimum enforce 2FA / gateway rate-limit / account-lockout.
✅ Patch OS & 3rd party apps ASAP – ENJEY is often dropped AFTER the affiliate exploited a n-day (Log4Shell, PaperCut).
✅ Remove default local “admin / 123456” combinations; enforce LAPS (Local Administrator Password Solution).
✅ E-mail filters: block ISO/IMG/DMG at the gateway, enable Windows “Mark-of-the-Web” warnings for downloaded executables.
✅ Application whitelisting / Windows Defender ASR rules (e.g. “Block Office apps from creating executable content”).
✅ Segment LANs and block workstation-to-workstation SMB (port 445) except to real file-servers.
✅ Comprehensive 3-2-1 backup strategy (3 copies, 2 media types, 1 off-line & off-site). Veeam, Commvault, Windows-Server-Backup → store with DIFFERENT credentials; remove Veeam GUI ports from domain-joined machines.

2. Removal (IF YOU ARE ALREADY INFECTED)

  1. Immediate
  • Disconnect the host from the network (pull cable / disable Wi-Fi).
  • DO NOT log-out or reboot until volatile evidence is captured (memory dump with Magnet RAM Capture or “winpmem” for future forensics).
  1. Containment
  • From a clean admin workstation open WMI / PowerShell and terminate:
    – Process name normally svchosts.exe (note “s”) or msapp.exe (both names hard-coded in Chaos builder).
  • Check the run-key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) value “Windows Update” pointing to the same .exe – delete after noting path.
  1. Full Eradication
  • Boot from a Windows PE / Kaspersky Rescue / Bitdefencer Rescue USB and run a full scan. Any Chaos/ENJEY sample is detected generically as:
    – Trojan-Ransom.Win32.Chaos, Ransom:Win32/Chaos.B, Ransom.Chaos, etc.
  • Remove the malware binary (usually in %AppData%\Microsoft\Windows\ReSys\winlogon.exe) plus its persistence registry entry.
  • Clear Volume-Shadow keys the ransomware deliberately blanks (HKLM\SYSTEM\CurrentControlSet\Services\VSS\DisableShadowCopies).
  1. Re-image vs Clean-up
  • Because ENJEY is delivered by a human operator who may have planted backdoors, recommended path is: nuke & pave – flatten machine / server and rebuild from known-good image.
  • Only then re-connect to network.

3. File Decryption & Recovery

  • Is free decryption possible?
    – Unfortunately NO for the vast majority of victims.
    – ENJEY is powered by Chaos-builder 4.x which, depending on affiliate settings, does one of three things:
    a) Encrypts the first 2 MB only – theoretically reversible, but a 64-byte random key is encrypted with RSA-1024 (private key held by attacker).
    b) Overwrites the entire file with random bytes (data-destroying, not encryption).
    c) Use an RSA + Salsa20 routine with keys cleaned from memory.
    – Chaos family has NO flaw; there is no offline decryptor. Any site offering “ENJEY-Decryptor.exe” for money is simply re-victimising you.

  • Restoration options

  1. Shadow Copies – ENJEY runs vssadmin delete shadows /all; however, on servers protected by “VSS Copy-only” backups or SAN snapshots you may still have recovery points.
  2. Windows-Backup or 3rd-party backups stored on a non-mounted partition/disk.
  3. Cloud recycle bin (OneDrive, Google Drive, Box) – many small orgs discover weeks-old copies online.
  4. System Restore – Chaos does NOT encrypt .dll/.exe inside \Windows\ volume; so you can restore the OS without losing data, but user documents are still lost.
  5. File-carving – if you face scenario (b) above (overwrite) even forensics labs cannot help; if scenario (a) (partial encryption) photo & text files ≥ 2 MB may contain salvageable chunks – use PhotoRec or “unENJEY-ing” scripts to strip the first 2 MB and recover partial video frames. Expect corruption, but for life-or-death evidence this sometimes helps.
  • Essential Tools / Patches
    – Official Chaos/ChaosDecryptor does NOT exist; only “ChaosDecryptor by Tas-IX” circulating on Telegram is fake.
    – Update Windows Defender engine ≥ 1.387.1970.0 (adds enjey sig).
    – Preferably deploy Microsoft’s “Security Baseline” with LSA-protection &Credential-Guard to frustrate credential dumping that precedes ENJEY.
    – A patch list hit by affiliates before dropping the payload:
    • Log4j CVE-2021-44228
    • PaperCut MF/NG CVE-2023-27350
    • Fortinet CVE-2022-40684
    • Microsoft Exchange ProxyShell (CVE-2021-34523 + 34473 + 31207)
    • (nothing ENJEY-specific – just the juicy doorways)

4. Other Critical Information

  • Family Relation / Unique Traits
    – ENJEY is NOT a standalone codebase; it is point-and-shoot output of the “Chaos 4.x Ransomware Builder” sold on dark-web for ~$1,000. That builder markets itself as “friendlier than LockBit” for novice affiliates, leading to a scatter-gun pattern of hits rather than targeted Big-Game Hunting.
    – Chaotically chosen encryption modes ⇒ some victims lose only a 2 MB header (and get ransom note), others get full file overwrite. Check a couple of files in a hex-editor; if you see plaintext past byte 2,097,152 you are in scenario (a) and recovery chances of big video archives are better.
    – Does not exfiltrate data; therefore only “integrity-loss extortion”, not double-extortion.
    – Hard-coded exclusion list looks like a copy-paste from an older Phobos config:
    bootmgr, boot.ini, ntuser.dat, pagefile.sys, swapfile.sys, desktop.ini, autorun.inf, !README!, *.enjey, *.chaos, *.key
    – Drops “proof-of-decrypt” by encrypting one file on the desktop and writing <filename>.enjey.unlocked, but note: the same RSA keypair is used site-wide; if you pay once you still cannot decrypt other machines free of charge because the per-file symmetric keys differ.
    – Observed average ransom ask: 0.15–0.3 BTC for small companies, ~1.5 BTC for servers with > 100 employees. Negotiation e-mail addresses rotate; current ones visible in the note: [email protected] & @onionmail.org over Tor (hxxp://enjey7wauxkckjargxmbzudjzduevkbopvm2x5lq6ys635qlbz2jcbid.onion).

  • Broader Impact
    – Because builder-as-a-service lowers the entry barrier, ENJEY has become the “entry level” ransomware for cyber-criminals who cannot obtain LockBit or Hive affiliations. Expect more branding forks (observed: .chaos, .xbet, .axxy, .monti, .babyduck). Same builder, different sticker – same decryption impossibility.
    – 60–70 % of ENJEY incidents in 2023 hit MSPs in Eastern Europe who exposed RDP with “Admin/2020” passwords; the lesson is that commodity ransomware continues to devastate where fundamentals are ignored.
    – Law-enforcement takedown probability is low: the author only sells the builder, never handles victim data; affiliate infrastructure hops every week.

Stay safe: patch, segment, back-up, and refuse to pay whenever you have an alternative.
If further ENJEY samples or notes emerge, submit them to:

  • ID-Ransomware (https://id-ransomware.malwarehunterteam.com)
  • VirusTotal with the tag “enjey”
  • CISA, FBI IC3 or your national CERT for trending analysis.