eqew

[Content by Gemini 2.5]

Ransomware Brief: The .eqew File Extension (STOP/Djvu Strain)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact extension added: .eqew (always lower-case)
  • Renaming convention: files keep their original name and original extension and gain the new suffix, e.g.
    Report_Q4.xlsx → Report_Q4.xlsx.eqew
  • Files that already carried an earlier Djvu extension are encrypted again and receive a second layer, so .eqew is simply appended after the old suffix (e.g. file.txt.lalo.eqew). Such a file has to be peeled back outermost layer first, with the key that belongs to each layer
  • The file-type icon disappears and Windows shows the item as an "EQEW file"

2. Detection & Outbreak Timeline

  • First cluster of submissions: late November 2022 (27 Nov 2022 first public upload on ID-Ransomware)
  • Peak activity: Dec 2022 to Jan 2023, with a continual background presence since
  • Encryption scheme unchanged from the rest of the STOP/Djvu family (per-file Salsa20 key wrapped with the operator's RSA public key; a hard-coded offline key is used when the C2 cannot be reached), so Emsisoft's decryptor treats .eqew like any other variant: offline-ID victims are covered once that offline key is known, online-ID victims are not

3. Primary Attack Vectors

  1. Malicious e-mail attachments or fake "crack" downloads (most common in 2024 campaigns)
  2. Pirated-software torrents and "keygen" bundles seeded on public trackers (the classic Djvu vector)
  3. Exploit kits on pirate streaming sites (RIG, Fallout) historically pushed Djvu loader binaries; both kits have been largely dormant for years, so treat this as a residual rather than a current vector
  4. Secondary infection chain: a pay-per-install loader such as SmokeLoader drops the .eqew binary, usually together with an info-stealer
     (observed when the victim already had an info-stealer foothold)
  5. No reliable use of worm-like SMB or RDP exploits; propagation is "human-driven" (the user must execute the dropper)

Remediation & Recovery Strategies

1. Prevention

  • Disable Windows Script Host (WSH) and Office macro execution for users who do not need them
  • Use application control (AppLocker or Windows Defender Application Control, WDAC) to block unsigned binaries launching from %TEMP%, %APPDATA% and %LOCALAPPDATA%; the Djvu loader runs from exactly these user-writable locations
  • Keep browsers and Office fully patched. Djvu itself needs no exploit, only a user who runs the "crack", but the loaders and stealers bundled with it benefit from any unpatched client
  • Block attachments with "double extensions" (e.g. invoice.pdf.js) at the mail gateway
  • Separate privileged from everyday credentials; the infection runs with the rights of the interactively logged-on user, so a non-admin user limits the blast radius
  • Maintain offline, versioned backups (3-2-1 rule). Cloud-sync folders alone are not sufficient: the encrypted copies sync up and overwrite the originals unless the service keeps version history

2. Removal

  1. Disconnect the host from the network (pull the cable, disable Wi-Fi) as soon as the ransom note (_readme.txt) appears, so mapped shares and sync folders stop receiving encrypted copies
  2. Boot into Safe Mode with Networking (or examine the disk from a second, clean OS instance)
  3. Delete the persistence entries:
     • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper (points at the loader with an --AutoStart argument)
     • Scheduled task named "Time Trigger Task" (%SystemRoot%\System32\Tasks\Time Trigger Task)
  4. Remove the loader the Run entry points at: a randomly named executable inside a GUID-named folder under %LOCALAPPDATA%; also check %TEMP% and %ProgramData% for dropped components
  5. Restore %SystemRoot%\System32\drivers\etc\hosts: Djvu appends entries that point security vendors' domains at a dead address so that AV and decryptor downloads fail
  6. Run a reputable anti-malware engine (Defender, Malwarebytes, ESET, Kaspersky) in full-scan mode to catch leftover artefacts (Defender names the family Ransom:Win32/StopCrypt; any bundled stealer shows up under its own name)
  7. Reboot normally and verify that no new _readme.txt notes appear and no new files become encrypted before reconnecting the host
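The persistence clean-up above, as an added example (Python; not code from the original brief or from any vendor). The verdict functions are pure so they can be exercised on constructed Run values and task names on any platform; collection and removal use winreg and schtasks and therefore only run on Windows. Assumptions, labelled in the code: the Run value is named SysHelper and points at %LOCALAPPDATA%\<GUID>\<random>.exe --AutoStart, and the task is named "Time Trigger Task". Partial matches are reported for review, never removed automatically.

```python
"""Audit STOP/Djvu persistence and, with --apply, remove what we are sure of.
Labelled assumptions: Run value "SysHelper" -> %LOCALAPPDATA%\\<GUID>\\x.exe
--AutoStart; scheduled task "Time Trigger Task". Anything else is "review".
"""
import os
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_RUN_NAME = "SysHelper"
KNOWN_TASK = "Time Trigger Task"
GUID_DIR = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


@dataclass
class Finding:
    kind: str      # "run", "task" or "dir"
    name: str
    detail: str
    verdict: str   # "remove" or "review"


def assess_run_value(name: str, command: str, localappdata: str) -> Optional[Finding]:
    """Decide whether an HKCU Run value looks like the Djvu loader entry."""
    exe = command.strip().lstrip('"')
    under_lad = exe.lower().startswith(localappdata.lower().rstrip("\\") + "\\")
    guid_dir = bool(GUID_DIR.search(exe))
    autostart = "--autostart" in command.lower()
    if under_lad and guid_dir and (name == KNOWN_RUN_NAME or autostart):
        return Finding("run", name, command, "remove")
    if name == KNOWN_RUN_NAME or autostart or (under_lad and guid_dir):
        return Finding("run", name, command, "review")
    return None


def assess_task(task_name: str) -> Optional[Finding]:
    name = task_name.strip('"').lstrip("\\")   # schtasks CSV prints "\Name"
    return Finding("task", name, "", "remove") if name == KNOWN_TASK else None


def assess_dir(dir_name: str, has_exe: bool) -> Optional[Finding]:
    """A GUID-named folder directly under %LOCALAPPDATA% holding an .exe."""
    if GUID_DIR.fullmatch(dir_name) and has_exe:
        return Finding("dir", dir_name, "", "review")
    return None


def collect_windows() -> List[Finding]:
    import winreg  # Windows only
    lad = os.environ["LOCALAPPDATA"]
    found: List[Finding] = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        idx = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, idx)
            except OSError:          # no more values
                break
            idx += 1
            f = assess_run_value(name, str(value), lad)
            if f:
                found.append(f)
    out = subprocess.run(["schtasks", "/Query", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=False)
    for line in out.stdout.splitlines():
        f = assess_task(line.split(",")[0])
        if f:
            found.append(f)
    for entry in os.scandir(lad):
        if entry.is_dir():
            try:
                has_exe = any(n.lower().endswith(".exe") for n in os.listdir(entry.path))
            except OSError:
                has_exe = False
            f = assess_dir(entry.name, has_exe)
            if f:
                found.append(f)
    return found


def remove(finding: Finding, dry_run: bool = True) -> str:
    if finding.verdict != "remove":
        return f"review manually: {finding.kind} {finding.name} {finding.detail}"
    if dry_run:
        return f"would remove {finding.kind} {finding.name}"
    if finding.kind == "run":
        import winreg
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY, 0, winreg.KEY_SET_VALUE) as key:
            winreg.DeleteValue(key, finding.name)
    elif finding.kind == "task":
        subprocess.run(["schtasks", "/Delete", "/TN", finding.name, "/F"], check=True)
    return f"removed {finding.kind} {finding.name}"


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("collection needs Windows; the assess_* functions run anywhere")
    for f in collect_windows():
        print(remove(f, dry_run="--apply" not in sys.argv))
```

Run it first without --apply from Safe Mode with Networking and read the "review" lines; only the SysHelper value and the named task are deleted automatically, the GUID folder itself is left for you to inspect and remove by hand.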

3. File Decryption & Recovery

  • Offline-ID infections (the personal ID in _readme.txt ends in t1): decryptable for free once Emsisoft has obtained that offline key
  • Download the Emsisoft STOP/Djvu Decryptor from Emsisoft's site and keep it current; newly recovered offline keys ship with tool updates
  • Only the first 150 kB of each file is encrypted, so the remainder of larger files is already intact. A matching original/encrypted file pair (both larger than 150 kB) only helps with the pre-August-2019 "old" Djvu variants; for a 2022 variant it does not recover the key locally
  • Online-ID infections (key generated per victim by the C2 server; the ID does not end in t1):
  • No free decryptor; the only options are restoring from backup or paying the ransom (not recommended)
  • Hybrid case: files encrypted while the C2 was unreachable carry the offline ID, files encrypted after it answered carry the online one. The decryptor reports file by file which ones it could recover, so expect a partial result
  • Shadow Copies: usually wiped (vssadmin delete shadows /all /quiet), but always run ShadowExplorer or vssadmin list shadows to confirm before giving up on them
  • Patching: keep Windows 10/11 and Office on current cumulative updates and let Defender pull its daily security-intelligence updates; the family detections ship in the engine and definitions, not in a particular OS patch
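The renaming pattern from section 1 and the offline/online/hybrid distinction above, as an added example (Python; not code from the original brief or from Emsisoft). It walks a tree, recognises encrypted files by their footer marker, counts encryption layers, reads the personal ID from each file and from _readme.txt, and tallies how much plaintext sits beyond the encrypted prefix. The 150 kB prefix, the footer layout and the marker GUID are assumptions taken from public STOP/Djvu analyses rather than from this page; the sample files, IDs and note are constructed.

```python
"""Triage .eqew files and _readme.txt before reaching for the decryptor.

Labelled assumptions (from public STOP/Djvu write-ups, not from this brief;
check them against a real sample first):
  * only the first 0x25800 (153,600) bytes of a file are encrypted;
  * the file ends with: 256-byte wrapped Salsa20 key, ASCII personal ID,
    marker {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5};
  * an offline personal ID ends in "t1" and matches the one in the note.
Sample files are constructed (prefix reversed, stand-in key blob); nothing
is decrypted.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

TARGET_EXT = ".eqew"
DJVU_MARKER = b"{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"
ENCRYPTED_PREFIX = 0x25800   # bytes encrypted per file (assumption)
KEY_BLOB_LEN = 256           # wrapped key in the footer (assumption)
NOTE_ID_RE = re.compile(r"Your personal ID:\s*([0-9A-Za-z]+)", re.I)


def classify_id(pid: str) -> str:
    """Emsisoft's rule of thumb: an ID ending in t1 was issued offline."""
    return "offline" if pid.endswith("t1") else "online"


def id_from_note(note_text: str) -> Optional[str]:
    m = NOTE_ID_RE.search(note_text)
    return m.group(1) if m else None


def inspect_file(path: Path) -> dict:
    """Parse one candidate; djvu=False when the footer marker is absent."""
    data = path.read_bytes()
    info = {"path": str(path), "size": len(data), "djvu": False}
    if not path.name.endswith(TARGET_EXT) or not data.endswith(DJVU_MARKER):
        return info
    body = data[: -len(DJVU_MARKER)]
    # The ID is the ASCII-alphanumeric run ending at the marker. Key-blob bytes
    # that happen to be alphanumeric would be prepended, which does not upset
    # the t1 test; the note's copy of the ID is authoritative anyway.
    start = len(body)
    while start > 0 and body[start - 1:start].isalnum():
        start -= 1
    pid = body[start:].decode()
    footer_len = len(DJVU_MARKER) + len(pid) + KEY_BLOB_LEN
    info.update(
        djvu=True,
        original_name=path.name[: -len(TARGET_EXT)],
        # a re-encrypted file keeps its earlier footer inside the plaintext tail
        layers=data.count(DJVU_MARKER),
        personal_id=pid,
        key_type=classify_id(pid),
        plaintext_tail=max(0, len(data) - footer_len - ENCRYPTED_PREFIX),
    )
    return info


def triage(root: Path) -> dict:
    """Summarise a tree: what the free decryptor can and cannot help with."""
    hits = [f for f in (inspect_file(p) for p in root.rglob("*" + TARGET_EXT)
                        if p.is_file()) if f["djvu"]]
    note = next(root.rglob("_readme.txt"), None)
    note_id = id_from_note(note.read_text(errors="replace")) if note else None
    return {
        "encrypted_files": len(hits),
        "offline_files": sum(f["key_type"] == "offline" for f in hits),
        "online_files": sum(f["key_type"] == "online" for f in hits),
        "multi_layer_files": sum(f["layers"] > 1 for f in hits),
        "plaintext_tail_bytes": sum(f["plaintext_tail"] for f in hits),
        "ids_seen": sorted({f["personal_id"] for f in hits}),
        "note_id": note_id,
        "note_key_type": classify_id(note_id) if note_id else None,
        "files": hits,
    }


# Constructed, non-real IDs of a plausible shape (41 characters each).
OFFLINE_ID = "0AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSst1"
ONLINE_ID = "0AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsUv"
FAKE_KEY_BLOB = bytes(range(256))   # stand-in for the wrapped key
FAKE_NOTE = "ATTENTION!\n\nYour personal ID:\n" + OFFLINE_ID + "\n"


def write_sample(path: Path, plaintext: bytes, pid: str, layers: int = 1) -> None:
    """Mimic the layout only: the 'encrypted' prefix is the plaintext reversed."""
    data = plaintext
    for _ in range(layers):
        head, tail = data[:ENCRYPTED_PREFIX], data[ENCRYPTED_PREFIX:]
        data = head[::-1] + tail + FAKE_KEY_BLOB + pid.encode() + DJVU_MARKER
    path.write_bytes(data)


def demo() -> dict:
    root = Path(tempfile.mkdtemp(prefix="eqew-triage-"))
    big = bytes(range(256)) * 800            # 204,800 bytes: tail survives
    small = b"meeting notes\n" * 300         # 4,200 bytes: fully encrypted
    write_sample(root / "Report_Q4.xlsx.eqew", big, OFFLINE_ID)
    write_sample(root / "photo.jpg.eqew", big, ONLINE_ID)       # hybrid case
    write_sample(root / "notes.txt.eqew", small, OFFLINE_ID)
    (root / "sub").mkdir()
    write_sample(root / "sub" / "file.txt.lalo.eqew", big, OFFLINE_ID, layers=2)
    (root / "_readme.txt").write_text(FAKE_NOTE)
    return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        if key != "files":
            print(f"{key}: {value}")
```

A run over a real volume tells you three things before you start the decryptor: whether the IDs are all offline (full recovery likely), all online (backups only) or mixed (partial), and how many bytes of large files are already plaintext regardless of the key.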

4. Other Critical Information

  • Ransom note: always drops two copies of _readme.txt, one on the desktop and one in the root of every drive it touched
    Demand: $980, halved to $490 if the victim makes contact within 72 h (the two contact e-mail addresses rotate between builds; use the pair printed in your own note)
  • Djvu itself does not exfiltrate data: no double extortion and no leak site. Caveat: the loader that delivered it often drops an info-stealer alongside, so treat every credential, session cookie and wallet file on the host as compromised and rotate them
  • Unique trick in .eqew build: explicitly removes Windows default service “SecurityHealthSystray” entry so the Defender shield icon disappears from the tray—users often notice only after encryption is finished
  • Broader impact: because Djvu is still the most submitted ransomware family to ID-Ransomware, .eqew prevalence keeps STOP/Djvu at the top of the statistics; most victims are consumers in Europe, South America and South-East Asia who download warez

Bottom line: fix the piracy habit, keep offline backups, and run the free Emsisoft decryptor on any .eqew hit. If the personal ID ends in t1 there is a good chance of getting the data back without funding criminals; if it does not, restore from backup.