eofyd

[Content by Gemini 2.5]


RANSOMWARE REPORT: eofyd Variant
(Community-use / last-updated: June-2025)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmed file extension: .eofyd (always lower-case).
  • Renaming convention:
  • Original: annual_report.xlsx
  • Encrypted: annual_report.xlsx.eofyd (extension simply appended; no e-mail address or victim-ID string).
  • Important: The malware skips files that already end in .eofyd, so a second run does not produce double extensions. The flip side is that the extension alone does not prove a file was encrypted by this family, so pair it with the header check in section 4 when triaging.

2. Detection & Outbreak Timeline

  • First public submission: 2024-07-18 (Malwarebytes forum, U.S. Midwest accounting firm).
  • Major uptick: 2025-01 → 2025-03 (>900 uploads to ID-Ransomware; telemetry spikes in Germany, Brazil, India).
  • Latest large wave: 2025-05-15 – 2025-05-27 (exploiting un-patched ScreenConnect servers CVE-2024-1709).

3. Primary Attack Vectors

  1. Exploitation of public-facing apps (80 % of 2025 cases)
  • ConnectWise ScreenConnect CVE-2024-1709 (authentication bypass) chained with CVE-2024-1708 (path traversal) → code execution.
  • Citrix NetScaler ADC/Gateway CVE-2023-4966 “CitrixBleed” session-token leak → session hijack.
  2. Smash-and-grab RDP / credential stuffing (10 %)
  • Scans for 3389/tcp, brute-forces credentials over NTLM, then the operator manually drops eofyd_runner.exe.
  3. Phishing with ISO → LNK → DLL chain (remaining 10 %)
  • ISO purports to be a “DHL invoice”; the LNK launches rundll32 eofyd_prep.dll,Entry.

Persistence:

  • Copies itself to C:\ProgramData\NVDisplayService.exe and creates the Run-key value NVDisplayUpdater (under HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
  • Deletes volume shadow copies with vssadmin delete shadows /all and clears the Windows event logs.
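
A detection sketch for the behaviours listed in sections 3 and "Persistence" above, added here as an example; it is not part of the original report and not a vendor rule. It scores constructed endpoint events (simplified Sysmon Event ID 1 process-creation and Event ID 13 registry records, all made up for this example) against the indicators this page names. The wevtutil pattern is an assumption about how "clears Windows event logs" would surface, since the page does not name the tool; the host names and command lines are invented.

```python
"""Added example (not from the report): score constructed endpoint events
against the eofyd behaviours this page lists.  Sample events are
constructed, not captured telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    kind: str   # "process" (Sysmon 1: text = command line) or "registry" (Sysmon 13: text = TargetObject)
    text: str


# Indicator names are taken from this page. The wevtutil rule is an assumption
# about how log clearing shows up; the page only says the logs are cleared.
RULES = {
    "shadow_copy_deletion":    re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.I),
    "event_log_clearing":      re.compile(r'wevtutil(\.exe)?"?\s+cl\b', re.I),
    "eofyd_prep_rundll32":     re.compile(r'rundll32(\.exe)?"?\s+\S*eofyd_prep\.dll,Entry', re.I),
    "eofyd_runner":            re.compile(r'\beofyd_runner\.exe\b', re.I),
    "fake_nvidia_service":     re.compile(r'\\ProgramData\\NVDisplayService\.exe', re.I),
    "nvdisplayupdater_runkey": re.compile(r'\\CurrentVersion\\Run\\NVDisplayUpdater$', re.I),
}


def match_event(ev: Event) -> list[str]:
    """Names of every rule whose pattern matches this event's text."""
    return [name for name, rx in RULES.items() if rx.search(ev.text)]


def triage(events) -> dict[str, set[str]]:
    """Distinct behaviours seen per host (a set, so repeats do not inflate the score)."""
    hits: dict[str, set[str]] = {}
    for ev in events:
        for name in match_event(ev):
            hits.setdefault(ev.host, set()).add(name)
    return hits


def verdict(behaviours: set[str]) -> str:
    """Two or more distinct behaviours on one host: contain now. One: investigate."""
    if len(behaviours) >= 2:
        return "contain"
    return "investigate" if behaviours else "clear"


# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    Event("FIN-WS07", "process", r'rundll32.exe C:\Users\jdoe\AppData\Local\Temp\eofyd_prep.dll,Entry'),
    Event("FIN-WS07", "process", r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'),
    Event("FIN-WS07", "process", r'wevtutil.exe cl Security'),
    Event("FIN-WS07", "process", r'C:\ProgramData\NVDisplayService.exe'),
    Event("FIN-WS07", "registry", r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVDisplayUpdater'),
    Event("SALES-WS03", "process", r'C:\ProgramData\eofyd_runner.exe'),
    # Benign look-alikes that must not fire.
    Event("BACKUP-01", "process", r'vssadmin.exe list shadows'),
    Event("BACKUP-01", "process", r'wevtutil.exe qe Security /c:5'),
    Event("DEV-WS12", "process", r'"C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem'),
    Event("DEV-WS12", "registry", r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth'),
]


def run() -> dict[str, str]:
    """Verdict per host over the sample events."""
    hits = triage(SAMPLE_EVENTS)
    return {host: verdict(hits.get(host, set())) for host in sorted({e.host for e in SAMPLE_EVENTS})}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for host, v in run().items():
        print(f"{host:10} {v:11} {sorted(hits.get(host, set()))}")
```

The file-name rules (eofyd_runner.exe, NVDisplayService.exe) are the weakest part: an affiliate can rename a dropper in seconds. The shadow-copy deletion and log-clearing patterns survive renames, which is why the verdict requires two distinct behaviours before calling for containment rather than acting on any single hit.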

REMEDIATION & RECOVERY STRATEGIES

1. Prevention (keep it simple, enforceable)

  • PATCH: ConnectWise ScreenConnect ≥ 23.9.8; Citrix ADC/Gateway ≥ 14.1-12.35 (CVE-2023-4966 itself is fixed from 14.1-8.50, 13.1-49.15 and 13.0-92.19). After patching NetScaler, also terminate existing sessions (kill icaconnection -all; kill aaa session -all): tokens stolen before the patch remain valid otherwise.
  • MFA + lockout: Enforce both for every VPN / RDP / web console.
  • Segment & restrict: No SMB or RDP from DMZ to LAN; client isolation on Wi-Fi.
  • GPO to block: ISO/IMG mounting for standard users; LNK execution from \Downloads.
  • Next-gen AV with a behaviour engine (Microsoft Defender with the ASR rule “Block credential stealing…” has caught the early eofyd DLL in testing).
  • Immutable & off-site backups (3-2-1 rule) with separate credentials – non-negotiable.

2. Removal (step-by-step)

  1. Isolate the victim machine(s) immediately: pull the network cable, disable Wi-Fi. Do not power down yet if you intend to collect forensics; a reboot destroys memory-resident evidence.
  2. Collect forensics first (if business-critical): image RAM (WinPmem) and then disk before any cleaning or reboot.
  3. **Boot into Safe Mode (without networking, so the host stays isolated) from a cold start.**
  4. Scan & eradicate:
  • Use a completely up-to-date scanner (Defender, Malwarebytes, ESET, Sophos) → quarantine NVDisplayService.exe, eofyd_runner.exe, eofyd_prep.dll, eofyd_svc.dll.
  5. Remove persistence:
  • Delete the Run value HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NVDisplayUpdater.
  • Inspect Scheduled Tasks for a MicrosoftEdgeUpdateTask entry pointing to C:\ProgramData\eofyd_runner.exe – delete it. (The legitimate Edge update tasks point into C:\Program Files (x86)\Microsoft\EdgeUpdate\, never into ProgramData.)
  6. Reboot → perform a second scan to confirm the host is clean.
  7. Only then reconnect to the network to patch/update; do NOT log into the domain controller from the same host until you are sure it is clean.

3. File Decryption & Recovery

  • Status: As of June-2025 eofyd is NOT decryptable without the attacker’s private key.
  • It uses ChaCha20 for file data and ECDH + RSA-2048 to wrap the per-victim session key; keys are generated per victim and uploaded to the C2 before being wiped locally.
  • Free decryptor: None released by law enforcement or the NoMoreRansom Project.
  • Decryption possibility:
  • If you find a “.eofyd-KEY” file left in C:\ (the human operator sometimes forgets to erase it), preserve it; researchers may be able to use it if the attackers’ servers are seized later.
  • Data recovery therefore relies exclusively on:
    • Clean backups.
    • Windows shadow copies (usually wiped) – still worth checking with vssadmin list shadows.
    • File-carving / undelete tools (PhotoRec for multimedia; on NTFS try PhotoRec plus Recuva). These only recover originals whose sectors have not yet been overwritten, so stop writing to the disk first.
    • Last resort: professional ransom negotiation / consider the legal implications; avg. demand observed: 1.9 BTC (~USD 130 k).

4. Other Critical Information

  • No data-theft leak blog yet; at least three victims received e-mails with a 7-Zip archive of exfiltrated files as “proof”, indicating the double-extortion tactic is present but handled manually.
  • Executables are UPX-packed with an altered overlay, so most sandboxes see a ~4 MB “Nullsoft installer stub” until the sample is unpacked.
  • Unique marker inside encrypted files: the first 12 bytes are 45 4F 46 59 44 42 4C 4F 43 4B 1A 35, i.e. the ASCII string “EOFYDBLOCK” followed by 0x1A and “5”. This lets forensic scripts distinguish eofyd from look-alike ransomware that appends a similar extension.
  • Wider impact: Already hit five U.S. municipalities and two NHS-trust suppliers; UK NCSC issued the AA-2025-008 advisory, linking eofyd to the same affiliate structure behind the Mkpo and Zxll variants, suggesting a RaaS (Ransomware-as-a-Service) model.
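
A triage script for the two file-level indicators this report gives (the appended lower-case .eofyd extension from section 1 and the 12-byte header above), added here as an example; it is not part of the original report or any vendor tool. It builds its own constructed sample tree, so it runs offline; the class labels (eofyd / ext-only / magic-only / clean) and the file names are this example's own.

```python
"""Added example (not from the report): classify files by the two eofyd
indicators the page states, the appended ".eofyd" extension and the
12-byte header 45 4F 46 59 44 42 4C 4F 43 4B 1A 35.  Sample files are
constructed below, not artefacts from a real infection."""
import os
import tempfile
from pathlib import Path

EOFYD_EXT = ".eofyd"                                                   # appended verbatim, always lower-case
EOFYD_MAGIC = bytes.fromhex("45 4F 46 59 44 42 4C 4F 43 4B 1A 35")    # "EOFYDBLOCK" 0x1A "5"


def has_eofyd_magic(path: Path) -> bool:
    """True if the file starts with the eofyd header. Reads only 12 bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(EOFYD_MAGIC)) == EOFYD_MAGIC
    except OSError:
        return False


def original_name(name: str) -> str:
    """Undo the rename: the malware appends .eofyd and nothing else."""
    return name[: -len(EOFYD_EXT)] if name.endswith(EOFYD_EXT) else name


def classify(path: Path) -> str:
    """Combine extension and header so neither indicator is trusted alone."""
    ext = path.name.endswith(EOFYD_EXT)      # case-sensitive on purpose: the page says always lower-case
    magic = has_eofyd_magic(path)
    if ext and magic:
        return "eofyd"
    if ext:
        return "ext-only"      # look-alike family, or renamed but never encrypted
    if magic:
        return "magic-only"    # still encrypted, e.g. a user renamed it back
    return "clean"


def scan(root: Path) -> dict[str, str]:
    """Relative POSIX path -> class, for every regular file under root."""
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (hypothetical file names; random payload)."""
    fin = root / "finance"
    fin.mkdir(parents=True)
    (fin / "annual_report.xlsx.eofyd").write_bytes(EOFYD_MAGIC + os.urandom(64))  # genuine eofyd
    (fin / "budget.docx.eofyd").write_bytes(b"\x00" * 32)                         # extension only
    (fin / "ledger.csv").write_bytes(EOFYD_MAGIC + os.urandom(16))                 # header only
    (fin / "README.TXT").write_bytes(b"plain text, untouched\n")                    # clean
    (fin / "photo.JPG.EOFYD").write_bytes(EOFYD_MAGIC + b"x" * 8)                  # upper-case ext: header only


def demo() -> dict[str, str]:
    """Build the sample tree in a temp dir and return its classification."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rel, cls in demo().items():
        print(f"{cls:10} {rel}  (original: {original_name(Path(rel).name)})")
```

On a real host, point scan() at the affected shares instead of the temp tree and read the "ext-only" and "magic-only" buckets carefully: the first means a different family or a rename without encryption, the second means encrypted data hiding behind a normal-looking name, and both change what you can restore from backup versus what needs a decryptor.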

BOTTOM LINE
eofyd cannot be decrypted today – treat it like disk-wiping malware. Patch Internet-facing apps NOW, harden RDP, and make sure backups are detached. If you are already hit, preserve any “.eofyd-KEY” file and watch NoMoreRansom for a future decryptor; otherwise rely on clean backups and rebuild. Stay safe!