eqza

[Content by Gemini 2.5]

Ransomware Resource Sheet

Variant: Eqza (a.k.a. STOP/Djvu “eqza” branch)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .eqza (always lower-case, 4 letters, appended as a SECOND extension)
  • Renaming Convention: photo.jpg → photo.jpg.eqza. The original extension is kept and .eqza is appended; no other prefix or suffix is added, and the same pattern applies in every sub-folder the malware reaches.

2. Detection & Outbreak Timeline

  • First submissions to ID Ransomware: 18-Oct-2023 (very small wave), with a large spike in early Nov-2023 through “crack” sites (AutoCAD, Adobe, Fortnite cheats). Still circulating weekly through Dec-2023 / Jan-2024.

3. Primary Attack Vectors

  1. Bundled cracked software (Windows .exe or self-extracting archive) – the dominant channel.
  2. Fake “keygen” or “activator” links pushed through YouTube comments and bit.ly / MediaFire URLs.
  3. E-mail phishing with ISO / ZIP attachments (subject “Unpaid Invoice”), at much lower volume than cracked software.
  4. Once a machine is hit, the payload also encrypts files on mapped network drives and on any share the logged-in user can write to. There is no self-propagation and no SMB exploit: the blast radius is exactly the compromised account's write access.

Remediation & Recovery Strategies

1. Prevention

  • Block execution from %TEMP%, %LOCALAPPDATA% and C:\Users\*\Downloads via Application Control, and enable the Windows Defender ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”; cracked installers and their droppers fail both tests.
  • Do not let interactive users run as local admin; enforce unique local-admin passwords (LAPS) and keep share write permissions tight, so a single compromised workstation account cannot reach every share (step 4 above).
  • Disable Office macro execution from the Internet; this is not Eqza's main channel, but macro-laden droppers remain a cheap secondary path worth closing.
  • Keep operating systems and 3rd-party software patched; Eqza itself does not leverage an SMB exploit, but the infostealer dropped alongside it harvests credentials that enable follow-on intrusions.
  • Maintain offline (immutable) backups – the primary defence, because cloud-synced copies are overwritten by the encrypted versions unless versioning is enabled.

2. Removal

  1. Boot into Safe Mode with Networking, or pull the drive and mount it read-only on an analysis machine.
  2. Terminate the parent process (name varies: updatewin.exe, audiodrivers.exe, svchostt.exe, etc.) and delete the payload from its staging folder under %LOCALAPPDATA%\[random]\.
  3. Remove persistence:
   • the scheduled task that re-launches the payload (typically named “Time Trigger Task”);
   • the HKCU\Software\Microsoft\Windows\CurrentVersion\Run value (typically “SysHelper”) that points at the same executable.
  4. Restore C:\Windows\System32\drivers\etc\hosts: STOP/Djvu appends entries that blackhole security-vendor and download sites.
  5. Delete the ransom-note file _readme.txt from every folder (cleanup only; the notes themselves are harmless).
  6. Run a reputable AV engine (Defender, Malwarebytes, Kaspersky) to catch the downloaders and password-stealers installed minutes before Eqza – infostealers such as Vidar or RedLine are commonly dropped alongside it.

3. File Decryption & Recovery

  • Since August 2019 STOP/Djvu variants, Eqza included, encrypt most victims with an ONLINE key unique to each victim; without that private key no decryptor can recover the files.
  • Check whether your sample used an OFFLINE key: open C:\SystemID\PersonalID.txt – a personal ID ending in t1 means the offline key was used (the same ID is printed in _readme.txt). The file may list more than one ID if the machine was encrypted more than once.
  • If OFFLINE, run the free Emsisoft STOP/Djvu decryptor. It works only if Emsisoft has already obtained the offline private key for that variant; the tool reports whether it holds a key for your ID. Supplying an encrypted/original file pair only helps for the old (pre-August-2019) variants, not for Eqza.
  • If ONLINE, restore from backup, Shadow Copies (usually deleted by the malware – check with vssadmin list shadows), Windows File History, or cloud versioning (OneDrive “Version history”).
  • Data-recovery / forensics angle: STOP/Djvu encrypts only the first part of each file and leaves the rest intact; published analyses of the family disagree on the exact cutoff, so measure it on a sample rather than assuming one. For media files (.mp4, .mkv) a valid header from a reference file of the same type can be grafted onto the intact tail (DiskTuna's Media_Repair automates this); for VM disks the unencrypted portion can be carved for data, but the disk itself will not boot without its header.
  • Any third party selling a paid “Eqza decryptor” for online-key victims is a scam.
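The offline/online check and the "measure the encrypted prefix on a sample" advice above, as an added example that is not the page's or Emsisoft's code: a Python triage script meant to be run against the pulled drive mounted read-only on an analysis box. The t1 rule, the .eqza extension and the C:\SystemID\PersonalID.txt location come from the text; the entropy threshold, the block size, the directory layout and the sample data written by build_sample_case() are assumptions made for the demonstration.

```python
"""Offline triage of a STOP/Djvu (.eqza) case from a drive mounted read-only.

Added example, not the page's or Emsisoft's code. Assumptions (not from the
page): ENC_THRESHOLD and BLOCK used to locate where encryption stops, and the
constructed sample written by build_sample_case()."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

EXT = ".eqza"          # appended as a second extension: photo.jpg.eqza
BLOCK = 4096           # scan granularity for the entropy walk (assumed)
ENC_THRESHOLD = 7.5    # bits/byte; ciphertext sits near 8.0 (assumed cutoff)


def classify_personal_id(pid: str) -> str:
    """Offline-key IDs end in 't1'; anything else used an online key."""
    return "offline" if pid.strip().endswith("t1") else "online"


def parse_personal_id_file(text: str) -> dict:
    """PersonalID.txt can list several IDs if the host was hit more than once."""
    ids = [line.strip() for line in text.splitlines() if line.strip()]
    return {pid: classify_personal_id(pid) for pid in ids}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte of buf; 8.0 means indistinguishable from random."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def encrypted_prefix_length(path) -> int:
    """Walk the file in BLOCK steps and return the offset where entropy first
    drops below ENC_THRESHOLD, i.e. where the untouched tail begins.
    Returns the file size if every block looks like ciphertext."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        offset = 0
        while offset < size:
            blk = fh.read(BLOCK)
            if shannon_entropy(blk) < ENC_THRESHOLD:
                return offset
            offset += len(blk)
    return size


def inventory(root) -> dict:
    """Map each encrypted file's original name to (size, encrypted-prefix length).
    A prefix shorter than the size means a recoverable plaintext tail."""
    result = {}
    for p in Path(root).rglob("*" + EXT):
        if p.is_file():
            result[p.name[: -len(EXT)]] = (p.stat().st_size, encrypted_prefix_length(p))
    return result


def triage(mount_root) -> dict:
    """Combine the PersonalID.txt verdict with the encrypted-file inventory."""
    root = Path(mount_root)
    pid_file = root / "SystemID" / "PersonalID.txt"   # C:\SystemID\PersonalID.txt
    ids = parse_personal_id_file(pid_file.read_text()) if pid_file.exists() else {}
    return {
        "ids": ids,
        "offline_key_present": "offline" in ids.values(),
        "files": inventory(root),
    }


def build_sample_case(root) -> None:
    """Constructed sample, not real data: random bytes stand in for ciphertext.
    photo.jpg has an 8 KiB encrypted prefix and a low-entropy tail; note.txt is
    small enough to have been encrypted whole."""
    root = Path(root)
    (root / "SystemID").mkdir(parents=True)
    (root / "SystemID" / "PersonalID.txt").write_text(
        "SAMPLEOFFLINEIDxxxxxxxxxxxxxxxxxxxxxxxxxt1\n"
        "SAMPLEONLINEIDyyyyyyyyyyyyyyyyyyyyyyyyyyyy\n")
    pics = root / "Users" / "a" / "Pictures"
    pics.mkdir(parents=True)
    (pics / ("photo.jpg" + EXT)).write_bytes(os.urandom(2 * BLOCK) + b"JFIF-tail" * 512)
    (pics / ("note.txt" + EXT)).write_bytes(os.urandom(BLOCK // 2))


def run_demo() -> dict:
    """Build the sample case in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_case(tmp)
        return triage(tmp)


if __name__ == "__main__":
    report = run_demo()
    print("personal IDs:", report["ids"])
    print("offline key present:", report["offline_key_present"])
    for name, (size, prefix) in report["files"].items():
        print(f"{name}: {size} bytes, encrypted prefix {prefix}, intact tail {size - prefix}")
```

On a real case call triage() with the mount point of the evidence drive (for example triage("/mnt/evidence")); the entropy walk gives you the variant's actual cutoff from your own files, and the intact-tail sizes tell you which large media files or VM disks are worth a header-graft attempt before you decide between the decryptor and a rebuild.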

4. Other Critical Information

  • Ransom note details: _readme.txt demands $980 (or $490 if contacted within 72 h) and lists two contact e-mail addresses – ignore them; paying gives no guarantee of a working key.
  • Common companion malware: the password-stealing trojans mentioned above exfiltrate browser credentials, cookies and crypto-wallet files – change every password from a clean device and revoke active sessions.
  • Network-wide side effect: the ransomware enumerates local and mapped drives, which includes the local sync folders of Dropbox, OneDrive and similar clients, so the encrypted versions get synced upstream – pause the sync clients and disable their auto-start until the environment is clean, then restore from the cloud's version history.
  • Differentiator vs. other ransomware: Eqza itself does not exfiltrate data and does not threaten publication (the bundled infostealer is the exfiltration risk), and it skips Windows system directories and executable file types so the machine stays bootable for payment.
  • Forensic markers: C:\SystemID\PersonalID.txt, the _readme.txt notes and the %LOCALAPPDATA%\[random]\ staging folder; their creation timestamps bracket the encryption run and are the first items to put on the timeline.

Checklist Quick-View

  1. Isolate → pull network cable / disable Wi-Fi.
  2. Identify OFFLINE vs ONLINE in PersonalID.txt.
  3. If OFFLINE – run the Emsisoft STOP/Djvu decryptor (it reports whether it holds the key for that ID).
  4. If ONLINE – rebuild & restore from last good backup.
  5. Clean remnant stealer & rotate credentials.
  6. Harden: kill local admin rights, enable ASR rules, immutable backups.

Stay safe, patch early, and never run “cracks” on production machines!