errz

[Content by Gemini 2.5]

Ransomware Resource: .errz

This document consolidates everything currently known about the ransomware strain that appends the extension .errz to encrypted data.
Last updated: 2024-05-30 (community tracking still active).
Use the information below to PREVENT, IDENTIFY, ISOLATE, REMOVE, and — if possible — RECOVER from the infection.


TECHNICAL BREAKDOWN

1. File-Extension & Renaming Pattern

Confirmed extension:
.errz (lower-case; the encrypted file name ends with the literal string .errz).

Renaming convention:

<pre-infection_name>.<original_ext>.<random_10-hex-chars>.errz  

Example:

Quarterly-Budget.xlsx → Quarterly-Budget.xlsx.a1b2c3d4e5.errz

Other clues left on the system:

  • RESTORE_FILES_INFINITE.txt (or RESTORE_FILES.txt) dropped in every folder and on the desktop.
  • Email contact errz_support@cock[.]li and/or Tox ID 54E5C247A28D83A7459F4D….
  • Wallpaper changed to a plain red field with the text:
    infinite ENCRYPTED YOUR DATA – write to errz_support@cock[.]li
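The rename pattern and note names above can be turned into a quick triage script. The following PowerShell is an added example, not a tool from this resource; it assumes the pattern <name>.<ext>.<10 hex chars>.errz and the two note file names exactly as listed, and it runs on a constructed sample list so it can be tried offline.

```powershell
# Added example: triage leaf file names for the .errz rename pattern and the ransom notes.
# -cmatch is used because the extension and hex token are documented as lower-case.
$ErrzPattern = '^(?<name>.+)\.(?<ext>[^.]+)\.(?<token>[0-9a-f]{10})\.errz$'
$NoteNames   = @('RESTORE_FILES_INFINITE.txt', 'RESTORE_FILES.txt')

function Get-ErrzTriage {
    param(
        [Parameter(Mandatory)] [string[]] $FileNames   # leaf names only, no directory part
    )
    $encrypted = @()
    $notes     = @()
    foreach ($n in $FileNames) {
        if ($n -cmatch $ErrzPattern) {
            # Recover the pre-infection name; useful for a rename map if a decryptor ever appears.
            $encrypted += [pscustomobject]@{
                Encrypted    = $n
                OriginalName = "$($Matches.name).$($Matches.ext)"
                Token        = $Matches.token
            }
        }
        elseif ($NoteNames -contains $n) {
            $notes += $n
        }
    }
    [pscustomobject]@{
        EncryptedFiles = $encrypted
        RansomNotes    = $notes
        EncryptedCount = $encrypted.Count
        NoteCount      = $notes.Count
    }
}

# Constructed sample names (not real incident data). For a live run feed
# (Get-ChildItem -Path D:\Share -Recurse -File).Name instead.
$sample = @(
    'Quarterly-Budget.xlsx.a1b2c3d4e5.errz',
    'RESTORE_FILES_INFINITE.txt',
    'notes.txt',
    'archive.tar.gz.0123456789.errz',    # multi-dot name: ext resolves to gz
    'Report.PDF.A1B2C3D4E5.errz'         # upper-case token: not the documented pattern
)
$result = Get-ErrzTriage -FileNames $sample
$result.EncryptedFiles | Format-Table -AutoSize
"Encrypted: $($result.EncryptedCount)  Ransom notes: $($result.NoteCount)"
```

With the sample list the function reports two encrypted files and one note; the upper-case variant is deliberately left unmatched so that a deviation from the documented pattern stands out rather than being silently counted.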

2. Detection & Outbreak Timeline

  • First public submission: 2024-02-14 (upload to ID-Ransomware & MalwareBazaar).
  • Major telemetry spike: 2024-03-07 → 2024-03-22 (hundreds of submissions/day).
  • Current status: Still circulating; no decryptor as of 2024-05-30.

3. Primary Attack Vectors Observed

| Vector | Details & Mitigation Baseline |
|--------|-------------------------------|
| RDP brute-force / leaked credentials | 70 % of analyzed cases. Attackers used ports 3389 or 33890/33891 to gain an interactive shell, then manually staged AnyDesk for persistence and deployed errz.exe. Disable RDP from the WAN or place it behind VPN + MFA. |
| Phishing – ISO → LNK → BAT chain | Campaign observed 2024-03-10, themed “FedEx unpaid shipping invoice”. The ISO contains an LNK → BAT → encoded PowerShell chain that fetches errz_loader.dll from hxxps://paste[.]ee/d/<token>. Block ISO, VBS and PS1 attachments via Group Policy attachment filters. |
| Exploitation of unpatched, internet-facing MS-SQL servers | xp_cmdshell re-enabled, then errz_drop.ps1 written to C:\ProgramData\. Patch CVE-2021-1636 & friends; audit sqlservr.exe process-spawn events. |
| Mimikatz + PsExec lateral movement | Once on any domain node, the actors dumped LSASS, harvested a domain-admin hash, and pushed errz.exe -netlogon via psexec @targets.txt. Use LSA Protection & Credential Guard. |
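The MS-SQL row recommends auditing sqlservr.exe process-spawn events; the PowerShell below is an added example of that check, not part of this resource. It assumes Security event 4688 with command-line auditing enabled (so ParentProcessName, NewProcessName and CommandLine are populated) and uses constructed records so it runs offline.

```powershell
# Added example: flag child processes spawned by sqlservr.exe (the xp_cmdshell pattern).
# Maps a real 4688 event to the four fields the detector needs.
function ConvertFrom-Event4688 {
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $d = @{}
        ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            TimeCreated       = $Event.TimeCreated
            ParentProcessName = $d.ParentProcessName
            NewProcessName    = $d.NewProcessName
            CommandLine       = $d.CommandLine
        }
    }
}

function Find-SqlServerChildProcess {
    param([Parameter(Mandatory)] [object[]] $Events)   # objects shaped like ConvertFrom-Event4688 output
    $Events | Where-Object {
        $_.ParentProcessName -match '\\sqlservr\.exe$' -and
        $_.NewProcessName    -match '\\(cmd|powershell|pwsh|wscript|cscript)\.exe$'
    } | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Child   = $_.NewProcessName
            Command = $_.CommandLine
            # errz_drop.ps1 under C:\ProgramData is the specific drop named in the table
            ErrzHit = [bool]($_.CommandLine -match 'ProgramData\\errz_drop\.ps1')
        }
    }
}

# Constructed 4688-style records (not real telemetry); conhost is a benign child and stays silent.
$sqlBin = 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe'
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-03-11 02:14:07'; ParentProcessName = $sqlBin
                       NewProcessName = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c powershell -File C:\ProgramData\errz_drop.ps1' }
    [pscustomobject]@{ TimeCreated = '2024-03-11 02:15:00'; ParentProcessName = 'C:\Windows\explorer.exe'
                       NewProcessName = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe' }
    [pscustomobject]@{ TimeCreated = '2024-03-11 02:16:30'; ParentProcessName = $sqlBin
                       NewProcessName = 'C:\Windows\System32\conhost.exe'; CommandLine = 'conhost.exe 0x4' }
)
Find-SqlServerChildProcess -Events $sample | Format-Table -AutoSize

# Live use on the SQL host (Security log, event ID 4688):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } | ConvertFrom-Event4688 |
#     ForEach-Object { $_ } | Find-SqlServerChildProcess -Events $input
```

Only the first constructed record is reported, with ErrzHit set to True; a healthy SQL server should produce no rows at all, so any hit is worth an immediate look regardless of the command line.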


REMEDIATION & RECOVERY STRATEGIES

1. PREVENTION – keep it off the wire

  • Zero-trust segmentation; block 3389/33890/33891 ingress & egress by default.
  • Enforce MFA on ALL remote-access gateways – VPN, RDP-Gateway, VDI, Citrix.
  • Patch externally accessible MS-SQL, Exchange, Citrix-NetScaler, FortiGate, etc.
  • Enable Windows ASR rules: “Block process creations originating from PSExec and WMI commands” and “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”.
  • Keep offline, credentials-segregated backups (3-2-1 rule) and test restores quarterly.
  • Install reputable EDR/NGAV with behaviour-based ransomware shield; ensure cloud-tamper-protection enabled.
  • Application-whitelist critical servers and high-value workstations (e.g., financial reporting PCs, domain controllers).

2. REMOVAL / CLEAN-UP STEPS (if already hit)

  1. Disconnect infected machine(s) from the network (unplug / disable Wi-Fi / shut down the VM vNIC).
  2. Photograph or save the ransom screen + note text (needed for incident-response audits).
  3. Boot into Safe Mode with Networking or mount the OS disk from a clean WinPE; this prevents secondary encryption.
  4. Run an on-demand scanner with the latest signatures:
     • Malwarebytes 2024-05-RW-29 (detects Ransom.Errz)
     • Microsoft Defender MSERT (May 2024) - signature Ransom:Win32/Errz.A
     • ESET Online Scanner - detection name Win32/Filecoder.Errz.C
     Allow removal/quarantine of the following artefacts:
     C:\ProgramData\errz.exe
     C:\ProgramData\InfiniteRunner.dll
     HKCU\Software\errz\PublicKey
     Scheduled Task “WindowsUpdateCheck” (runs `errz.exe -silent`)
  5. Purge rogue accounts & artefacts left by the intruder:
     • Delete created users sqlservice, backup-dude, support.
     • Remove LaZagne and Mimikatz dumps in %TEMP%.
     • Revoke and reset the AD krbtgt password twice if domain-admin credentials were stolen (Golden Ticket mitigation).
  6. Patch the attack vector before reconnecting to the network (usually RDP or SQL).
  7. Verify lateral-movement markers (look for created services named “Usnje” or “WsusSync”).

3. FILE DECRYPTION & RECOVERY

Decryption possible?
No. The malware uses asymmetric encryption (Curve25519 + ChaCha20-Poly1305) and the private key is held only on the attacker’s server. No implementation flaw has been found so far, and no keystream reuse has been observed.

Although a free decryptor is NOT available, try every avenue:

  • Upload a matching pair of files, the same file before and after encryption (the *.errz copy plus a clean backup), to:
    – https://www.nomoreransom.org/#/decryption-tools
    – https://id-ransomware.malwarehunterteam.com
    – Any vendor’s “free file-repair” portal.
  • Keep the encrypted data intact; if a decryptor later appears, you will already be prepared.

Recovery without decryption:

  1. Restore from offline backups (fastest).
  2. Volume Shadow Copy: run `vssadmin list shadows` to enumerate snapshots, then use ShadowCopyView.exe to export copies. errz deletes shadows, but sometimes fails on busy volumes or clustered disks.
  3. Windows File History / Previous Versions, if configured to point to a NAS share (ransomware rarely reaches there).
  4. Application-level recycle bin:
     • SharePoint / OneDrive “Restore your OneDrive” (30-day rollback).
     • SQL native backups, Exchange RDB, Veeam replicas, ZFS snapshots, etc.
  5. Rebuild from a known-good golden image + configuration-as-code; re-import clean data.
  6. Legal/operational decision on ransom payment:
     • No guarantee you will receive a working key.
     • Payment encourages the criminal ecosystem.
     • Law enforcement and most cyber-insurers strongly discourage it.
     • If you still opt to negotiate, isolate a sacrificial machine, send ONLY one or two test files, and be aware that exfiltrated data may still be leaked.

4. OTHER CRITICAL INFORMATION

Distinctive behaviour:

  • Renames network shares it cannot physically encrypt (DFS, RO-quota folders) to INFINITE_<original>.
  • Submits stolen company credentials automatically to a Telegram channel (t.me/infinite_leaks)—extortion is part of the model.
  • Adds an “Infinite” certificate to CERT_CURRENT_USER\Root. It is not used for encryption, but it causes some AV engines to treat the installers as “trusted”, bypassing static detection for a few days.

Exfiltration module:

  • Filenames matching *customer*, *ssn*, *routing*, *financial*, *I-9*, *passport* are archived to C:\ProgramData\Exf\[7-digit_GUID].7z and uploaded to hxxps://transfer.sh or mega.io before encryption starts.
  • Expect follow-up extortion emails even if you pay for the decryptor.

Broader impact/notable victims:

  • 2024-04-01 – Regional hospital U.S. Midwest (multiple surgery downtimes, paper fallback).
  • 2024-04-15 – South-American fisheries exporter; 80 TB of cold-storage shipping data encrypted + leaked, USD 2.1 M ransom asked, partially paid.
  • Pattern shows attackers target organisations with revenue between USD 20 – 300 M where security budgets may be modest and SQL/RDP externally exposed.

TOOLBOX (download once – keep offline)

— Windows ASR rule import: Set-MpPreference -AttackSurfaceReductionRules_Ids 75668c1f-73b5-4cf0-bb7f-0921b3ad16ce -AttackSurfaceReductionRules_Actions Enabled
— CISA “StopRansomware” RDP-hardening GPO template (.zip)
— Microsoft Sysinternals: Autoruns64.exe, Process Explorer, PsExec (for cleanup verification only)
— MSERT last-month sigs: https://go.microsoft.com/fwlink/?linkid=870742
— Nirsoft ShadowCopyView
— KeePass or Bitwarden + MFA: enforce unique 25-char passwords on every service account.
— ESET errz-cleaner.exe (emergency tool that removes Infinite-service entries and rogue certs; v2024.5.1)
— VSS-diagnostic script: vss_diagnose_kb5005378.ps1 (helps restore shadow copies)


FINAL REMINDERS

  1. Do NOT re-connect restored machines until the entry vector has been patched and every privileged credential is reset.
  2. Audit GPO permissions: ransomware operators often edit GPOs to push a startup script via PsExec; run gpresult /h gpo_audit.html on DCs.
  3. Report the incident (even if you don’t pay) to your local CERT/Law Enforcement to help map infrastructure and aid future takedowns.
  4. Keep the encrypted files – the .errz campaign is young; a possible master-key release or law-enforcement seizure may still happen.

Stay vigilant, share IOCs, and back-up offline!