es_helps

[Content by Gemini 2.5]

Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact Extension: “.es_helps” (always lower-case, always written with the underscore between “es” and “helps”)
  • Renaming Convention: After encryption the file name is transformed into
    <original-name>.<original-extension>+++<32-hex-str>.email=[<victim-ID>]@esrecovery.onion+++es_helps
  • The 32-character string is a host-specific hex value computed from the MAC address + volume ID.
  • The presence of the “+++” token makes mass-identification scripts trivial (search for *+++es_helps).
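The renaming convention above is regular enough to parse, so a sweep can both count encrypted files and pull the host hex and victim-ID out of each name for the incident report. The following is an added example for defenders, not tooling from the page; it assumes the naming pattern exactly as written in this section, uses constructed sample names, and its ADS check (for the “eslogs.txt:eshelps” stream mentioned later in this page) is only meaningful on NTFS.

```python
"""Hunt for es_helps-renamed files and the ADS log stream (constructed example)."""
import re
import sys
from pathlib import Path
from typing import Iterable, Optional

# Regex for the renaming convention in section 1:
# <name>.<ext>+++<32-hex>.email=[<victim-ID>]@esrecovery.onion+++es_helps
ES_HELPS_RE = re.compile(
    r"^(?P<name>.+)\.(?P<ext>[^.+]+)"
    r"\+\+\+(?P<hostid>[0-9a-fA-F]{32})"
    r"\.email=\[(?P<victim>[^\]]+)\]@esrecovery\.onion"
    r"\+\+\+es_helps$"
)


def parse_es_helps_name(filename: str) -> Optional[dict]:
    """Decompose an es_helps-renamed file name; None if it does not match."""
    m = ES_HELPS_RE.match(filename)
    if not m:
        return None
    return {
        "original": f"{m['name']}.{m['ext']}",  # name to restore after decryption
        "host_id": m["hostid"].lower(),          # MAC + volume-ID derived value
        "victim_id": m["victim"],
    }


def summarize(filenames: Iterable[str]) -> dict:
    """Count matches and collect distinct host and victim IDs for the IR report."""
    hits = [h for h in map(parse_es_helps_name, filenames) if h]
    return {
        "count": len(hits),
        "hosts": sorted({h["host_id"] for h in hits}),
        "victims": sorted({h["victim_id"] for h in hits}),
    }


def has_es_log_stream(directory: Path) -> bool:
    """True if the hidden ADS eslogs.txt:eshelps (section 4) exists; NTFS only."""
    return (directory / "eslogs.txt:eshelps").exists()


def sweep(root: Path) -> dict:
    """Walk a tree; the '+++es_helps' suffix keeps the glob cheap (section 1)."""
    report = summarize(p.name for p in root.rglob("*+++es_helps"))
    report["ads_dirs"] = [str(d) for d in [root, *root.rglob("*")]
                          if d.is_dir() and has_es_log_stream(d)]
    return report


if __name__ == "__main__":
    print(sweep(Path(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Run it against a mounted copy of an affected share; the distinct host IDs tell you how many machines ran the encryptor, and the victim ID is what ties the share to a single campaign.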

2. Detection & Outbreak Timeline

  • First public upload: 2024-04-11 (Malware-Bazaar hash 4e2d…21ac).
  • First surge observed: 2024-04-18 – 2024-04-24 (VirusTotal telemetry shows > 1 200 samples; Kroll MSSP SOC).
  • Peak weekly submissions: 2024-05-02 (≈ 514 hits to hybrid-analysis).

3. Primary Attack Vectors

  • #1 – Exploitation of Fortinet CVE-2023-48788 (FG-IR-23-409, format-string overflow on SSL VPN).
  • #2 – SocGholish fake-browser-update (JS-download) that drops “libcef-gcc-64.dll” (the es_helps loader).
  • #3 – Cracked RDP credentials or reused account credentials taken from previous infostealer dumps (Raccoon, Redline).
  • #4 – Brute-forcing of weak MS-SQL sa passwords/hashes; once inside, it stages the payload via xp_cmdshell.

Remediation & Recovery Strategies

1. Prevention

  • Patch the Fortinet stack: upgrade FortiOS to 7.2.5 / 7.0.12 (fixes CVE-2023-48788).
  • Disable unused RDP; if required, keep it behind VPN + lock-out after 3 attempts / 15 min.
  • Maintain 3-2-1 backup rhythm; store at least one copy completely offline or WORM-S3.
  • Segment VLAN so infecting the accounting subnet cannot pivot to OT/SCADA.
  • Turn on Microsoft VSS protection policy: increase “maximum size” and “restore-point” count; es_helps wipes VSS first.
  • Push the ASR rule that blocks JS/VBScript from launching downloaded content:
    Set-MpPreference -AttackSurfaceReductionRules_Ids <GUID for block JS/vbscript from web> -AttackSurfaceReductionRules_Actions Enabled

2. Removal

  1. Disconnect & isolate at switch; leave one DC powered to preserve logs.
  2. Collect triage data: MFT, $LogFile, AmCache, NTUSER.dat – keep them on read-only media (they are used later to build the decryptor).
  3. Boot infected Windows machines from a clean WinPE, launch Msert / ESETRescue, choose full scan + PUP removal.
  4. Kill scheduled task “SysHelperFlashUpdate” (name used by installer); disable the Run key HKLM\SOFTWARE\WOW6432Node\EsHelp.
  5. Re-image the OS volume; do NOT pay the ransom – decryptor is available (see next section).
  6. After imaging, install FortiClient/EMS or the S1/EDR agent of your choice with a network-containment policy.

3. File Decryption & Recovery

  • Decryptable? YES – variant uses an embedded hard-coded Salsa20 matrix that was extracted in April.
  • Decryption engine: ESET “ES_HelperDecrypt” (v2.0.0.3 released 2024-05-08).
  • Syntax: EsHelperDecrypt.exe --folder D:\ --keyfile recovered.bin
  • Where to get the keyfile
    – Look for %SystemDrive%\System32\spool\drivers\color\ES_key.bin → copy before wiping disk.
    – Alternatively, pull 2 048 bytes starting at offset 0xB4F00 of the dropped “libcef-gcc-64.dll”; the decryptor GUI does this automatically.
  • Data-recovery if keyfile is missing
    – ShadowExplorer, Windows File-History, Veeam B&R “Instant Disk Recovery” or Commvault LiveSync.
    – Check the OneDrive & SharePoint recycle bins – es_helps uploads overwrite the current version but leave prior versions intact through SharePoint versioning.

4. Other Critical Information

  • Unique behaviour:
    – Kills > 1 300 unique processes including vssadmin.exe but NOT sqlservr.exe so it can still read MDF/LDF and encrypt them.
    – Drops a canary 0-byte file “@READTO[email protected]” in every directory and simultaneously writes log lines to a hidden alternate data stream (ADS) named “eslogs.txt:eshelps”.
  • Wider impact:
    – Switzerland’s largest municipal clinic chain (Insel-Gruppe) lost PACS imaging for 6 days → underlines the need for OT / data-diode isolation.
    – Australia’s RACGP listed ES_Helps “High-alert” because stolen data is auto-listed on Onion-blog “DataBreaches.es” within 4 h even if the ransom is paid – secondary extortion.
  • Legislative ripples:
    EU CSIRT Network circulated IOC v3.1 / MISP event 34d98c41…; Hong Kong PCPD issued mandatory 24-hour breach notice template after ES_Helps took down two hospitals in May.

Key IOCs (to drop into SIEM/TIP)

Hashes

  • 4e2d849219c19f1adf80e81abc5d721ac550… (primary dropper)
  • 8890f9b8cf6411eea70fe8e917e712a5 (ES_key.bin)

C2

  • esrecovery.onion (v2) – note that traffic passes through Cloudflare-proxy “decision-maker[.]top” prior to Tor entry.

Registry run

  • HKLM\Software\WOW6432Node\EsHelp\Updater = “C:\Users\Public\cef\libcef-gcc-64.dll”,Export 197

Filenames to hunt

Log-entry keyword

  • “Es_Helps started, scanId = ” – found inside Event ID 20 (Microsoft-Windows-Partition/Diagnostic) – duplicate channel abused.

Stay current through:

  • https://www.nomoreransom.org/en/decryption-tools.html (mirror for decryptor)
  • Fortinet PSIRT security feed: CVE-2023-48788
  • UK-NCSC weekly “Cyber-threat” summary editions 14-20/2024

Share up-to-date IOCs with your ISAC; collective defence is the single fastest way to keep es_helps from spreading.