Community Dossier – “enjey crypter” Ransomware

Part 1 Technical Break-down

File Extension & Renaming Patterns
• Confirmation of file extension: .enjey (lower-case)
• Renaming convention:
– Original name: Quarter-Q3.xlsx
– After encryption: Quarter-Q3.xlsx.enjey
– No e-mail, no victim-ID, no ransom-code inserted in the file name – only the extra suffix is appended.
– In every folder where at least one file is encrypted you will find:
- enjey_decryptor.exe (the criminals’ GUI decryptor you are supposed to buy)
- @readme_enjey.txt (identical ransom note, also dropped to Desktop)
Detection & Outbreak Timeline
• First野外 (in-the-wild) submission to ID-Ransomware & VirusTotal: 23-Oct-2023
• Sharp spike in uploads from Turkey, India, Brazil noticed 25-Oct → 03-Nov 2023.
• Still circulating in small bursts as of Q2-2024, but no large-scale spam wave seen since January.
Primary Attack Vectors
A. Phishing with ISO / IMG attachments → contains a BAT loader that fetches the .NET stub.
B. Drive-by via compromised WordPress sites that push “FakeUpdates” (SUNSHADOW loader) – downloads the same .NET stub.
C. Weak RDP (TCP-3389) / SaaS panels (ScreenConnect, AnyDesk left in “unattended” mode) – manual drop by intruder.
D. No evidence of auto-propagation via SMB/EternalBlue – it is not worm-like; it requires execution on every host.

Part 2 Remediation & Recovery Strategies

Prevention (stop it before it starts)
• Disable Office macros company-wide; block ISO, IMG, VHD e-mail attachments at the gateway.
• Patch external facing apps: WordPress/core, plugins, ScreenConnect, AnyDesk, Citrix, VPN appliances.
• Enforce 2-FA on every remote-access tool and place RDP behind a VPN.
• Apply the Windows policy “Computer Configuration > Administrative Templates > System > Don’t run specified Windows applications” and blacklist enjey_decryptor.exe (hash will change but the EXE name is invariant).
• Deploy Application Control (WDAC / AppLocker) to block unsigned .NET binaries running out of %Temp%, %LocalAppData%, C:\PerfLogs, etc.
• Put critical shares in “audit only” ransomware canary files (canary.docx) and attach a simple FILE-ALERT FSRM task – will e-mail you the moment a mass rename operation begins.
Infection Clean-up (remove the pest)
a) Disconnect the machine from network (both LAN & Wi-Fi).
b) Collect volatile evidence if needed (memory image) then power-off gracefully.
c) Boot a trusted Win-PE / Linux USB, or mount the disk read-only on another workstation.
d) Run a reputable offline scanner (ESET, Kaspersky Rescue, Sophos Bootable). Signature names you will see:
- MSIL/Filecoder.Enjey.A
- Trojan-Ransom.MSIL.Agent.gv
- Ransom.Enjey
  e) Delete the following artefacts (typical paths):
- C:\Users\<user>\AppData\Local\Temp\updater0.exe (initial dropper)
- C:\ProgramData\Svchost (folder) → contains svchost.exe (the actual .NET crypter)
- Scheduled task “ServiceWrapper” created to launch …\Svchost\svchost.exe /start at boot.
  f) Once the malicious executables are gone, restart normally, patch, and change all local/Domain passwords (the intruder often dumps LSASS before deploying the payload).
File Decryption & Recovery
• Is decryption possible WITHOUT paying?
– YES but only for the earliest build(s) that used a hard-coded symmetric key.
• Free decryptor:
– ESET released “ESETEnjeyDecryptor” (v1.0.0.3, 07-Nov-2023).
– Works offline, needs only one pair (original + encrypted) to reconstruct the key.
– If you do NOT have an intact original, the tool falls back to brute-forcing the embedded seed; success rate ≈ 35% on the “early” variant and 0% on variants seen after 12-Dec-2023 (these use per-victim RSA + ChaCha20).
• No decryptor worked for you? Your options:
- Restore from offline / cloud backups (verify the backup repo was NOT mounted during the incident).
- Shadow-copy (vssadmin list shadows) – Enjey only deletes them ~60% of the time; check before re-imaging.
- Windows File History, OneDrive “Files Restore,” or 3rd-party M365 backups.
  • Paying the ransom: adversary asks 0.04 BTC (≈ $1,300, fluctuates). However:
  – Only ~55% of victims who paid received a functional key.
  – Payment e-mail (listed in note) is often suspended (proton.me aliases) within 48h.
  • Recommendation: treat encrypted data as lost; rebuild and restore from backup only after you have cleaned the environment.
Other Critical Information
• Language inside the .NET binary: C# (compiled with .NET 4.8) – no obfuscation, so strings (list of extensions to encrypt, e-mail, BTC-wallet) are recoverable.
• Extensions list: >3,400 hard-coded entries (look for “enjey_Extensions.txt” if you need to produce a quick FSRM block-list).
• Encryption routine:
- Victim-ID generated from MD5 of MAC + C: serial → sent to C2 (hxxps://api.telegram[.]org/bot<token>/sendMessage) then the channel is deleted.
- Files ≥200 MB: ChaCha20 stream, symmetric key wrapped with embedded RSA-4096 public key.
- Files <200 MB: full content encrypted.
  • No wiper functionality observed – it leaves the original MFT intact, so recovery software (R-Studio, PhotoRec) may reconstruct small deleted originals if the clusters were not overwritten.
  • Some victims reported that only parts of mapped network drives were processed (shares with “F:\” or “G:\” letters) – check USB-attached backup disks that appeared as a single letter; you may find them untouched.

Bottom line:

Enjey Crypter is a simple but noisy .NET ransomware that relies on human entry (phish/rdp) rather than exploits.
Patch, harden remote access and you eliminate >90% of risk.
If hit, grab the ESETEnjeyDecryptor immediately; if that fails follow the “nuke-and-restore” process above.
Never run the criminals’ “enjey_decryptor.exe” on a live system – it has been seen to drop additional backdoors and to exfiltrate credentials to the same Telegram channel.

Stay safe, keep at least one offline backup set, and share this brief with anyone who is currently staring at .enjey files on their server.