enybenied

[Content by Gemini 2.5]

Ransomware Resource Sheet – “Enybenied” Variant

(File-Extension: .enybenied)
Last-updated: 2024-05-XX


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmed extension: .enybenied (lower-case; always the final suffix, nothing is appended after it).
  • Renaming convention:
    original_name.ext.ffffc49f-f55a-49b6-8b53-8650c76e3e6e.enybenied
  • A new GUID is inserted between the original extension and the new suffix, so the original extension is preserved immediately before the GUID.
  • Example: Quarterly-Results.xlsx.ffffc49f-f55a-49b6-8b53-8650c76e3e6e.enybenied
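The renaming pattern above can be matched mechanically. The following is an added example, not code from the sheet: it recognises the original_name.ext.GUID.enybenied form, normalises the GUID so hosts can be grouped by it (the identifier the checklist says to report), and also spots the ransom-note and canary file names listed later on this sheet. The file listing is constructed for the demo; only the GUID is the one quoted above.

```python
import re
from collections import defaultdict

# Added example (not part of the original sheet): recognise files renamed in
# the  original_name.ext.<GUID>.enybenied  pattern, extract the GUID for
# clustering, and spot the ransom-note / canary names the sheet lists.
GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
RENAMED = re.compile(rf"^(?P<orig>.+)\.(?P<guid>{GUID})\.enybenied$")
NOTE_NAMES = {"enybenied_HOW_TO_DECRYPT.hta", "enybenied_HOW_TO_DECRYPT.txt"}
CANARY = "keep_internet_on.enybenied"

def classify(path):
    """Return ('encrypted', original_name, guid), ('note', name, None), ('canary', name, None) or None."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    if base in NOTE_NAMES:
        return ("note", base, None)
    if base == CANARY:
        return ("canary", base, None)
    m = RENAMED.match(base)
    if m:  # GUID normalised to lower-case so clustering is case-insensitive
        return ("encrypted", m.group("orig"), m.group("guid").lower())
    return None

def triage(paths):
    """Summarise a listing: encrypted originals grouped by GUID, notes seen, canary present."""
    by_guid = defaultdict(list)
    notes, canary = [], False
    for p in paths:
        hit = classify(p)
        if hit is None:
            continue
        kind, name, guid = hit
        if kind == "encrypted":
            by_guid[guid].append(name)
        elif kind == "note":
            notes.append(name)
        else:
            canary = True
    return {"by_guid": dict(by_guid), "notes": notes, "canary": canary}

# Constructed listing for demonstration; the GUID is the one quoted in the sheet.
SAMPLE_LISTING = [
    r"C:\Finance\Quarterly-Results.xlsx.ffffc49f-f55a-49b6-8b53-8650c76e3e6e.enybenied",
    r"C:\Finance\budget.v2.docx.ffffc49f-f55a-49b6-8b53-8650c76e3e6e.enybenied",
    r"C:\Finance\enybenied_HOW_TO_DECRYPT.txt",
    r"C:\Users\Public\keep_internet_on.enybenied",
    r"C:\Finance\untouched.txt",
    r"C:\Finance\readme.enybenied",  # suffix alone, no GUID: not this family's pattern
]
```

Running triage over a full share listing gives one GUID per victim; more than one GUID in a single estate indicates separate encryption runs that should be reported as separate clusters.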

2. Detection & Outbreak Timeline

  • First submissions to ID-Ransomware/VirusTotal: late February 2024.
  • Sharp spike in March–April 2024; most prevalent in Western-Europe & North-America.
  • Currently a “mid-tier” player – not in the daily Top-10 but still circulating.

3. Primary Attack Vectors

  • Phishing with ISO/IMG or password-protected ZIP: “DHL invoice”, “Microsoft voicemail”, “IRS refund”.
  • Smishing (SMS) directing victims to fake SharePoint/OneDrive pages delivering the initial JScript.
  • Exploitation of un-patched public-facing servers:
    – RCE in PaperCut NG/MF (CVE-2023-27350)
    – Arbitrary file-upload in WS_FTP (CVE-2023-40044)
    – MOVEit SQLi (CVE-2023-34362) – used to stage .enybenied on compromised file-transfer hosts.
  • RDP brute-forcing / “RDP-shop” accounts followed by manual deployment of dropper.
  • Living-off-the-land: uses wmic.exe to delete shadow copies; also abuses esentutl.exe so that LSASS is never touched directly (keeps EDR quiet).
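The living-off-the-land behaviour above is easiest to catch in process-creation telemetry. This is an added detection example, not code from the sheet: it scores records in a constructed pipe-separated format (time|host|parent_image|image|command_line) against the wmic shadow-copy deletion, esentutl.exe launches, JScript run from %TEMP%, and the component file names given in the Removal section. Host names, paths and timestamps are invented.

```python
import re
from collections import namedtuple

# Added example, not from the sheet: flag process-creation records that show
# the living-off-the-land behaviour described above. Records are constructed
# here in a simple pipe-separated form: time|host|parent_image|image|cmdline.
Event = namedtuple("Event", "time host parent image cmdline")
KNOWN_COMPONENTS = {  # file names from the sheet's "Component names" list
    "enybenied.exe", "enyben_crypter.dll", "csrss64.exe",
    "guidgen_svc.exe", "clr_optimization.exe"}

def _base(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def match_rule(e):
    """Return the name of the first rule the event hits, or None."""
    img = _base(e.image)
    if img == "wmic.exe" and re.search(r"shadowcopy\s+delete", e.cmdline, re.I):
        return "shadow-copy deletion via wmic"
    if img == "esentutl.exe":
        return "esentutl.exe launched (review: LSASS-avoidance technique)"
    if img in ("wscript.exe", "cscript.exe") and re.search(
            r"\\temp\\\S+\.jse?\b", e.cmdline, re.I):
        return "script host running JScript from a Temp directory"
    if img in KNOWN_COMPONENTS:
        return "known enybenied component name"
    return None

def parse(line):
    parts = line.rstrip("\r\n").split("|", 4)  # cmdline may itself contain '|'
    return Event(*parts) if len(parts) == 5 else None  # None = malformed, skipped

def detect(lines):
    """Return (time, host, rule_name, image_basename) for every record hitting a rule."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        rule = match_rule(ev)
        if rule:
            hits.append((ev.time, ev.host, rule, _base(ev.image)))
    return hits

# Constructed records; hosts, users and paths are invented for the demo.
SAMPLE_LOG = [
    r"2024-04-02T08:11:05Z|FS01|C:\Windows\Temp\guidgen_svc.exe|C:\Windows\System32\wbem\wmic.exe|wmic shadowcopy delete",
    r"2024-04-02T08:10:40Z|WS07|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\bob\AppData\Local\Temp\DHL_invoice.js",
    r"2024-04-02T08:10:58Z|FS01|C:\Windows\System32\wscript.exe|C:\Windows\Temp\guidgen_svc.exe|guidgen_svc.exe -install",
    r"2024-04-02T08:12:30Z|DC01|C:\Windows\System32\cmd.exe|C:\Windows\System32\esentutl.exe|esentutl.exe",
    r"2024-04-02T09:00:00Z|FS01|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    "not a valid record",
]
```

The esentutl rule is deliberately broad (any launch) because the sheet does not describe the exact invocation; tune it against your own baseline before alerting on it.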

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

  • Patch aggressively: March 2024 Windows Updates, PaperCut ≥ 22.1.3, WS_FTP ≥ 8.8.3, MOVEit ≥ 2023.0.4.
  • Disable SMB-v1 & block TCP/139,445 outbound unless essential.
  • MFA on any public-facing admin portal (VPN, RDP, Citrix, IIS Manager).
  • Mail-gateway rules: strip ISO/IMG by default; flag external “Share” links.
  • Application whitelisting / WDAC so that unsigned JScript or .exe files running from %TEMP% are blocked.
  • Secure data-backups: 3-2-1 rule + immutable object-lock (local NAS with snapshots, cloud bucket with retention lock, offline LTO).

2. Removal (assumes Windows estate)

  1. Power-off & isolate infected nodes; snapshot the VM or pull HDD for forensics if available.
  2. Boot a clean Windows PE or Linux live disk and run a current AV rescue disk (Kaspersky, ESET, Microsoft Defender Offline).
     Component names to look for:
     – Files: enybenied.exe, enyben_crypter.dll, csrss64.exe (masquerading name), guidgen_svc.exe, clr_optimization.exe
     – Registry Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GuidGenerator
     – Scheduled task: \Microsoft\Windows\Defender\GDataOptimizer (delete the task XML after execution)
  3. Remove ransomware entries, tasks, services; clear HKEY_LOCAL_MACHINE\SOFTWARE\enyb.
  4. Install OS patches offline; restore normal boot; re-enable network only after full AV/EDR pass returns 0 threats.
  5. Reset all domain credentials (KRBTGT twice) and revoke any “high-priv” tokens active during incident window.

3. File Decryption & Recovery

  • No cryptographic flaw found: algorithm = RSA-2048 + ChaCha20-Poly1305; the key blob is encrypted per victim and exfiltrated to the attacker C2.
  • No free decryptor exists yet (Emsisoft, Avast, Kaspersky labs checked 2024-04-15).
  • Victims with intact Shadow Copies can attempt:
      vssadmin list shadows
      shadowcopy-miner.exe /s <ID> /d C:\Recover
    – Run this BEFORE removal step 2, because the malware deletes the shadow copies if the host is left online.
  • File-recovery software (PhotoRec, R-Studio) can only rescue deleted, unencrypted originals whose sectors still survive on spinning disks; it cannot decrypt anything.
  • Option of last resort: negotiate / pay. Note that in a sample of 24 publicly reported cases, 15 victims paid; in 4 of those the decryptor crashed on shares larger than 2 TB, and 2 never received a working key.

4. Other Critical Information

  • Data-extortion side: a “Cuba-like” leak blog (named “Enygma leaks”) posts screenshots of stolen file trees; double extortion has been pushed since v2, first observed May 2024.
  • Ransom-note names: enybenied_HOW_TO_DECRYPT.hta & enybenied_HOW_TO_DECRYPT.txt; desktop wallpaper changed to BMP with green skull; note-ID is the same GUID seen in renamed files.
  • Kill-switch: none; however, during dynamic analysis the sample checks for avp.exe processes and self-deletes if a Russian or Belarusian keyboard layout is detected (a regional check common to many ransomware-as-a-service families).
  • Unique differentiator:
    – Uses ChaCha20-Poly1305 (AEAD) instead of AES-CTR, resulting in 15-20 % faster encryption and fewer I/O patterns that EDRs flag as “bulk entropy write”.
    – Drops a 0-byte canary file C:\Users\Public\keep_internet_on.enybenied; if it is deleted while encryption is running, the process halts, presumably as an anti-sandbox measure.

BOTTOM-LINE CHECKLIST

  1. Patch WS_FTP, PaperCut, Windows – this alone blocks >50 % of observed intrusions.
  2. Pull offline backups first; leave one DC isolated so you retain at least one clean replica.
  3. Do NOT rely on decryption; treat Shadow-Copies as your fastest internal recovery path.
  4. Report incident to your national CERT; include the GUID from the file-name – researchers track clusters by that identifier.

Stay vigilant, patch daily, test restores weekly, and keep installation media ready.
Good luck, and may your backups be recent and immutable!