everbe*

[Content by Gemini 2.5]

Everbe Ransomware Family (.everbe, .thunder, .embrace, .pain, .volcano, etc.)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Extensions observed in the Everbe family:
    .[[email protected]].everbe
    .thunder
    .embrace
    .pain
    .volcano
    .[[email protected]].twist
    .light
    .babyk
    .quiet

  • Typical renaming convention:
    Original: Quarter-Q2.xlsx
    After encryption: Quarter-Q2.xlsx.[<unique-id>][<contact-e-mail>].<chosen-extension>
    Example: Quarter-Q2.xlsx.[B4DA0BEF][[email protected]].everbe

    The malware keeps the original file name and extension, appends an 8-byte hex ID and the attacker's e-mail address, each in square brackets, and then the family-specific suffix. Ransom notes are dropped into each affected directory as !=How_to_decrypt_files=!.txt or a similarly named plain-text file.
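
As an added example (not part of the original page), the following Python script applies the renaming convention above to a directory listing: it parses Everbe-style names into original name, victim ID, contact address and suffix, checks the suffix against the extension list in this section, recognises the ransom-note name, and summarises what an analyst wants at triage (how many files are hit, which suffixes, which victim IDs and contact addresses appear). The file names and the contact address everbe@example.invalid are constructed; the bare form without an ID/e-mail block is handled as well because the page lists several bare suffixes, and the "!=<anything>=!.txt" note pattern generalises the single name the page gives and is an assumption of this example.

```python
import re
from collections import Counter

# Suffixes the page lists for the Everbe family (lower-case for comparison).
EVERBE_SUFFIXES = {"everbe", "thunder", "embrace", "pain", "volcano",
                   "twist", "light", "babyk", "quiet"}

# Full convention from the page: <original>.<ext>.[<8-hex-digit ID>][<contact e-mail>].<suffix>
# The e-mail block is optional here because not every listed variant carries one.
FULL_RE = re.compile(
    r"^(?P<original>.+\..+?)"                        # original name with its own extension
    r"\.\[(?P<victim_id>[0-9A-Fa-f]{8})\]"           # [8 hex digits]
    r"(?:\[(?P<contact>[^\[\]\s]+@[^\[\]\s]+)\])?"  # optional [e-mail]
    r"\.(?P<suffix>[A-Za-z0-9]+)$"
)
# Bare convention: <original>.<ext>.<suffix>. An inner extension is required so that
# an ordinary file such as "readme.light" is not mistaken for an encrypted one.
BARE_RE = re.compile(r"^(?P<original>.+\..+?)\.(?P<suffix>[A-Za-z0-9]+)$")
# Ransom-note name: the page gives "!=How_to_decrypt_files=!.txt"; matching the
# general "!=...=!.txt" shape is this example's assumption.
NOTE_RE = re.compile(r"^!=.+=!\.txt$", re.IGNORECASE)


def parse_everbe_name(name):
    """Return a dict for an Everbe-style file name, or None if it does not match."""
    m = FULL_RE.match(name)
    if m and m.group("suffix").lower() in EVERBE_SUFFIXES:
        return {"original": m.group("original"),
                "victim_id": m.group("victim_id").upper(),
                "contact": m.group("contact"),
                "suffix": m.group("suffix").lower()}
    m = BARE_RE.match(name)
    if m and m.group("suffix").lower() in EVERBE_SUFFIXES:
        return {"original": m.group("original"), "victim_id": None,
                "contact": None, "suffix": m.group("suffix").lower()}
    return None


def is_ransom_note(name):
    return bool(NOTE_RE.match(name))


def triage_listing(names):
    """Summarise a directory listing: counts, suffixes, victim IDs, contacts, notes."""
    summary = {"encrypted": 0, "clean": 0, "suffixes": Counter(),
               "victim_ids": set(), "contacts": set(), "notes": []}
    for name in names:
        if is_ransom_note(name):
            summary["notes"].append(name)
            continue
        info = parse_everbe_name(name)
        if info is None:
            summary["clean"] += 1
            continue
        summary["encrypted"] += 1
        summary["suffixes"][info["suffix"]] += 1
        if info["victim_id"]:
            summary["victim_ids"].add(info["victim_id"])
        if info["contact"]:
            summary["contacts"].add(info["contact"])
    return summary


# Constructed listing (not real victim data); the contact address is a placeholder.
SAMPLE_LISTING = [
    "Quarter-Q2.xlsx.[B4DA0BEF][everbe@example.invalid].everbe",
    "budget.docx.[B4DA0BEF][everbe@example.invalid].everbe",
    "photo.jpg.thunder",
    "!=How_to_decrypt_files=!.txt",
    "notes.txt",
    "setup.exe",
    "archive.tar.gz",
    "readme.light",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print(f"encrypted={result['encrypted']} clean={result['clean']} "
          f"notes={len(result['notes'])}")
    print("suffixes:", dict(result["suffixes"]))
    print("victim IDs:", sorted(result["victim_ids"]))
    print("contacts:", sorted(result["contacts"]))
```

Run it against the output of a recursive directory walk to get a quick blast-radius count per share; the victim IDs and contact addresses it extracts are the per-incident values that, as the page notes later, vary between attacks and therefore belong in the incident record rather than in a static block-list.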

2. Detection & Outbreak Timeline

  • First public sample: April 2018 (.everbe variant).
  • Major campaigns:
    – May-July 2018 – spam “job-application” wave distributing .embrace.
    – August 2018 – pseudo-South-Korean “browser patch” dropper pushing .thunder.
    – November 2018 – RDP brute-force clusters planting .pain.
    – March 2019 – .babyk build spread via cracked-software forums.
    – June 2021 – affiliate switch to “.quiet”; still circulating opportunistically.

3. Primary Attack Vectors

  • RDP brute-forcing / credential stuffing (most common infection path).
  • Malspam: fake invoices, resumes, COVID-19 forms carrying ISO/IMG → LNK → PowerShell → Everbe payload.
  • Exploit kits (Rig, Fallout 2018 builds) – Flash/Silverlight CVE-2018-4878, CVE-2016-0189.
  • Software cracks & keygens posted to warez sites (Babyk, Volcano).
  • No large-scale SMB exploit (EternalBlue) has ever been tied to Everbe; the operators are financially driven, “human-operated” attackers rather than worm-style.
  • Lateral movement performed manually with Cobalt Strike, PsExec, WMI once an RDP session is obtained.

Remediation & Recovery Strategies

1. Prevention

  • Disable RDP if unused; otherwise enforce:
    – Network Level Authentication
    – 2FA (Azure AD, Duo, etc.) or, at minimum, IP allow-listing, a 3/30 account lock-out policy and strong passwords of 14+ characters.
  • Segment networks – block TCP/135,139,445,3389 between user VLANs.
  • Patch public-facing software (Flash, Silverlight, browsers, MS Office, VNC, AnyDesk).
  • Disable Office macros by GPO; block ISO/IMG at the mail-gateway; use the “Mark-of-the-Web” bypass mitigations released by Microsoft (ADV220001).
  • Follow the 3-2-1 backup rule, with an offline/off-site copy protected by immutable object lock. Everbe searches for and deletes Volume Shadow Copies (vssadmin delete shadows /all), so backups must be kept outside the authenticated domain.
  • Application whitelisting (Windows Defender Application Control or AppLocker) blocks unsigned executables launched from %TEMP% and %APPDATA%.
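
As an added example (not the page's own material), here is Python detection logic that turns the RDP brute-force vector from section 3 and the 3/30 lock-out policy in the prevention list into a log check: it reads failed-logon (4625) and successful-logon (4624) events, keeps a 30-minute sliding window of failures per source address, opens an alert when three or more fall inside it, and records whether a success from the same source followed the burst, which is the pattern that precedes a hands-on-keyboard intrusion. The log lines are constructed (fields in order: timestamp, event ID, logon type, account, source IP); reading "3/30" as three failures in thirty minutes, and treating logon types 10 and 3 as RDP-related, are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds: the page's "3/30" lock-out policy, read here as 3 failures in 30 minutes.
MAX_FAILURES = 3
WINDOW = timedelta(minutes=30)
# 10 = RemoteInteractive (RDP); 3 = network logon, which NLA pre-authentication
# produces before the interactive session (assumption of this example).
RDP_LOGON_TYPES = {10, 3}


def parse_event(line):
    """Parse one constructed record: '<ISO time> <event id> <logon type> <account> <source ip>'."""
    ts, event_id, logon_type, account, src = line.split()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id), "logon_type": int(logon_type),
            "account": account.lower(), "src": src}


def detect_rdp_bruteforce(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Return one alert per source address that produced a failure burst."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"])
    recent = defaultdict(deque)     # src -> (time, account) of failures inside the window
    alerts_by_src = {}
    for ev in events:
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[ev["src"]]
        while q and ev["time"] - q[0][0] > window:    # drop failures older than the window
            q.popleft()
        if ev["event_id"] == 4625:                    # failed logon
            q.append((ev["time"], ev["account"]))
            alert = alerts_by_src.get(ev["src"])
            if alert is not None:                     # burst already open: keep counting
                alert["failures"] += 1
                alert["accounts"].add(ev["account"])
                alert["last_failure"] = ev["time"]
            elif len(q) >= max_failures:              # threshold crossed: open an alert
                alerts_by_src[ev["src"]] = {
                    "src": ev["src"],
                    "first_failure": q[0][0], "last_failure": ev["time"],
                    "failures": len(q),
                    "accounts": {a for _, a in q},    # many accounts = credential stuffing
                    "success_after": None,
                }
        elif ev["event_id"] == 4624:                  # successful logon
            alert = alerts_by_src.get(ev["src"])
            if alert and alert["success_after"] is None \
                    and ev["time"] - alert["last_failure"] <= window:
                alert["success_after"] = {"account": ev["account"], "time": ev["time"]}
    alerts = list(alerts_by_src.values())
    for a in alerts:
        a["accounts"] = sorted(a["accounts"])
    return alerts


# Constructed events; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = """
2018-11-03T02:14:05Z 4625 10 Administrator 203.0.113.7
2018-11-03T02:14:09Z 4625 10 admin 203.0.113.7
2018-11-03T02:14:12Z 4625 10 backup 203.0.113.7
2018-11-03T02:15:40Z 4625 10 jsmith 203.0.113.7
2018-11-03T02:16:02Z 4624 10 jsmith 203.0.113.7
2018-11-03T08:30:00Z 4625 10 jsmith 198.51.100.5
2018-11-03T09:45:00Z 4625 10 jsmith 198.51.100.5
2018-11-03T11:10:00Z 4625 10 jsmith 198.51.100.5
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{alert['src']}: {alert['failures']} failures over "
              f"{sorted(alert['accounts'])} between {alert['first_failure']} and "
              f"{alert['last_failure']}; success afterwards: {alert['success_after']}")
```

The second source in the sample also fails three times, but spread over hours, so the window never holds three entries and no alert fires; the first source trips the threshold within seconds and is followed by a successful logon, which is the case to escalate (reset the account, review the session, and check for the lateral-movement tooling listed in section 3).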

2. Removal (step-by-step)

  1. Physically isolate the machine; remove Ethernet/Wi-Fi.
  2. Collect triage: full memory dump, prefetch, Master File Table, Event logs before any reboot.
  3. Boot a trusted WinPE-based rescue environment (Kaspersky Rescue, ESET SysRescue) and back up the encrypted data first, in case removal damages files.
  4. Run a reputable AV engine with Everbe signatures (Microsoft, ESET, Kaspersky, Sophos and Bitdefender all detect it generically, e.g. as Ransom:Win32/Everbe or Troj/Ransom-EW).
  5. Manual cleanup leftovers:
    – Scheduled tasks "Bvhost.exe", "MicrosoftUpdate"
    – Service entries referencing random-named *.exe under %ProgramData% or %APPDATA%.
    – Registry Run keys containing the hard-coded e-mail address (everbe@safesuremail, [email protected]).
  6. Patch the initial vector (reset breached account, install OS updates).
  7. Only after the environment is declared clean proceed to restore or decrypt.
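
As an added example (not from the page), the following Python script automates the manual clean-up checks in step 5: it parses a "reg export" of the Run key, combines it with a list of scheduled tasks, and scores each entry against the indicators the page gives (the task names Bvhost.exe and MicrosoftUpdate, the hard-coded address everbe@safesuremail, and executables launched from %ProgramData% or %APPDATA%). The registry export and task list below are constructed; the weights and the minimal .reg parser are this example's own choices, and a location-only hit (such as OneDrive) deliberately scores low, because legitimate software also runs from AppData.

```python
import re

# Indicators taken from the page's clean-up list.
KNOWN_NAMES = {"bvhost.exe", "microsoftupdate"}
EMAIL_INDICATORS = ("everbe@safesuremail",)
# Launch locations the page calls out; legitimate software lives here too, so this weighs little.
USER_WRITABLE = re.compile(r"%programdata%|\\programdata\\|%appdata%|\\appdata\\", re.I)
WEIGHTS = {"known Everbe task/value name": 3,
           "hard-coded attacker e-mail address": 3,
           "executable launched from %ProgramData%/%APPDATA%": 1}

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data


def parse_reg_export(text):
    """Minimal parser for 'reg export' output: yields (key, value_name, data)."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):   # REG_SZ: strip quotes, unescape \\ and \"
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        yield key, name, data


def score_entry(name, command):
    """Score one persistence entry; returns (score, list of matched reasons)."""
    reasons = []
    if name.lower() in KNOWN_NAMES:
        reasons.append("known Everbe task/value name")
    blob = f"{name} {command}".lower()
    if any(ind in blob for ind in EMAIL_INDICATORS):
        reasons.append("hard-coded attacker e-mail address")
    if USER_WRITABLE.search(command) and ".exe" in command.lower():
        reasons.append("executable launched from %ProgramData%/%APPDATA%")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage_persistence(reg_export_text, scheduled_tasks):
    """Return suspicious Run values and scheduled tasks, highest score first."""
    findings = []
    for key, name, data in parse_reg_export(reg_export_text):
        score, reasons = score_entry(name, data)
        if score:
            findings.append({"kind": "run-key", "name": name, "command": data,
                             "score": score, "reasons": reasons, "where": key})
    for task_name, command in scheduled_tasks:
        score, reasons = score_entry(task_name, command)
        if score:
            findings.append({"kind": "task", "name": task_name, "command": command,
                             "score": score, "reasons": reasons, "where": "Task Scheduler"})
    findings.sort(key=lambda f: -f["score"])    # stable: ties keep input order
    return findings


# Constructed 'reg export' output of the per-user Run key (not from a real system).
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jsmith\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"everbe@safesuremail"="C:\\ProgramData\\r1k9\\a.exe"
"""

# Constructed (task name, command) pairs as an analyst might export them.
SAMPLE_TASKS = [
    ("Bvhost.exe", r"C:\ProgramData\kx7q2\bvhost.exe"),
    ("MicrosoftUpdate", r"C:\Users\jsmith\AppData\Roaming\svc\update.exe"),
    ("OneDrive Standalone Update Task",
     r"C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
]

if __name__ == "__main__":
    for f in triage_persistence(SAMPLE_REG_EXPORT, SAMPLE_TASKS):
        print(f"[{f['score']}] {f['kind']} {f['name']!r} -> {f['command']}  ({'; '.join(f['reasons'])})")
```

Entries scoring 3 or more are removal candidates; the score-1 entries are a review queue whose binaries should be checked by signature and hash before anything is deleted.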

3. File Decryption & Recovery

  • Everbe is an “offline” ransomware family: it generates a per-victim symmetric key without contacting a server and encrypts that key with an RSA-1024 public key embedded in the binary. The corresponding private RSA key is held only by the attacker.
  • No free universal decryptor exists: neither Kaspersky’s Rakhni decryptor, Emsisoft, Avast nor NoMoreRansom currently holds compatible keys.
  • Attempts to brute-force the 1024-bit RSA key are computationally infeasible.
  • Recovery path:
    – Restore from clean offline backup.
    – If no backups exist, store the encrypted data and ransom note in cold storage; occasionally criminals release master keys years later (hasn’t happened yet for Everbe).
    – Incident-response firms can be engaged to negotiate for or purchase the private key; expect demands of 0.1-0.3 BTC for individuals and 1-5 BTC for businesses.
  • For the unrelated “Everbe 2.0 – Decryptor” scam pages: do NOT download “free decrypt tools” offered by third-party blogs; many bundle data-stealers.

4. Other Critical Information

  • Unique characteristics:
    – Everbe is “human-operated”, not a worm: each attack is customised, so ransom notes carry varying contact addresses and different Bitcoin wallets, which complicates IOC block-lists.
    – The Trojan will not encrypt files smaller than 30 bytes, *.exe and *.dll files in %WINDIR%, or any file or folder whose name contains the string “backup” (an attempt to avoid destroying its own dropped note and the victim's backups on the same drive).
    – It removes another criminal group’s ransomware (Scarab) if present; billing victims twice is bad for “business”.
  • Wider impact:
    – Concentrated against small and medium businesses in Asia, Eastern Europe and South America.
    – Attackers collect and publish 2-5 % of stolen victim files on a Tor “leak blog” when the ransom goes unpaid, adding a mild data-breach risk on top of the encryption.

Key Verdict

Everbe is still active, decryptable only with the attacker-held private RSA key. Your best and cheapest option is: prevent, detect early, and have tested offline backups. If already hit, remove the malware cleanly, rebuild the systems, restore data, then implement the prevention checklist above—do not rely on a free decryptor that currently doesn’t exist. Stay safe, patch well, and keep one copy of your backup where ransomware can’t reach it.