evolution

[Content by Gemini 2.5]

Ransomware deep-dive: the “.evolution” (Evolution) strain
Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension: .evolution (lowercase, no second-level suffix).
  • Renaming convention:
    original_name.ext.[victim_id].[attacker_email].evolution
    Example:
    Budget2024.xlsx → [email protected]
    The 8-byte victim ID is generated from the system’s MAC address + XOR key; the e-mail address varies by affiliate campaign ([email protected], [email protected], etc.).

2. Detection & Outbreak Timeline

  • First public sightings: 18 Oct 2023 (uploaded to ID-Ransomware & VirusTotal from South America).
  • Surge period: Nov-Dec 2023 (English- and Spanish-language spam waves).
  • Still active as of April 2024; new builds with minor packing changes observed every 3-4 weeks.

3. Primary Attack Vectors

  • Phishing with ISO / IMG lures → contained .BAT or .NET loader → Evolution DLL (x64).
  • RDP brute-force → PSExec / WMI to push evol_lateral.exe.
  • Exploits:
    – Log4Shell (CVE-2021-44228) on publicly-facing VMware Horizon, an older initial-access path.
    – PaperCut MF/NG (CVE-2023-27350) used in Jan-2024 wave.
  • Living-off-the-land:
    – Uses nltest /domain_trusts and arp -a to map targets.
    – Deletes VSS with vssadmin delete shadows /all /quiet and WMIC shadowcopy delete.
    – Clears Windows Event Logs (wevtutil cl …) to hinder forensics.
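As an added example (not code from the original write-up), here is a Python triage routine that matches the living-off-the-land commands listed above against constructed process-creation events; the severity tiers and verdict thresholds are this example's own assumptions.

```python
import re

# Command-line rules for the Evolution TTPs listed above. Severity is an
# assumption of this example: shadow-copy deletion and log clearing are
# near-certain impact/anti-forensics actions, while nltest and arp are
# reconnaissance that also occurs in routine administration.
EVOLUTION_RULES = [
    ("high", "shadow copy deletion (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("high", "shadow copy deletion (wmic)",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("high", "event log clearing (wevtutil)",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("medium", "domain trust enumeration (nltest)",
     re.compile(r"\bnltest(\.exe)?\s+/domain_trusts\b", re.I)),
    ("low", "local network recon (arp)",
     re.compile(r"\barp(\.exe)?\s+-a\b", re.I)),
]

# Constructed Sysmon-style process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "CORP\\jdoe", "cmd": "nltest /domain_trusts"},
    {"host": "WS-042", "user": "CORP\\jdoe", "cmd": "arp -a"},
    {"host": "WS-042", "user": "NT AUTHORITY\\SYSTEM", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "WS-042", "user": "NT AUTHORITY\\SYSTEM", "cmd": "WMIC shadowcopy delete"},
    {"host": "WS-042", "user": "NT AUTHORITY\\SYSTEM", "cmd": "wevtutil cl Security"},
    {"host": "WS-042", "user": "CORP\\jdoe", "cmd": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

def match_command(cmdline):
    """Return (severity, technique) for the first rule that matches, else None."""
    for severity, technique, pattern in EVOLUTION_RULES:
        if pattern.search(cmdline):
            return severity, technique
    return None

def triage_host(events):
    """Collapse one host's process-creation events into rule hits and a verdict."""
    hits = []
    for ev in events:
        matched = match_command(ev["cmd"])
        if matched:
            hits.append({**ev, "severity": matched[0], "technique": matched[1]})
    severities = [h["severity"] for h in hits]
    if "high" in severities:
        verdict = "probable ransomware staging: isolate host and preserve volatile evidence"
    elif len(hits) >= 2:
        verdict = "recon activity: review the user and source of these commands"
    elif hits:
        verdict = "single recon command: low priority"
    else:
        verdict = "no Evolution indicators"
    return {"hits": hits, "verdict": verdict}

if __name__ == "__main__":
    result = triage_host(SAMPLE_EVENTS)
    for hit in result["hits"]:
        print(f'[{hit["severity"]}] {hit["host"]} {hit["user"]}: {hit["cmd"]}  <- {hit["technique"]}')
    print("Verdict:", result["verdict"])
```

The shadow-copy and log-clearing rules are the ones worth alerting on directly; the recon rules are better used as context when they precede a high-severity hit on the same host.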

Remediation & Recovery Strategies

1. Prevention

  • Disable/restrict: RDP (or enforce 2FA + GPO “Network Level Authentication”), SMBv1, and any unneeded Tomcat/Log4j services.
  • Deploy:
    – CVE-2021-44228, CVE-2023-27350 patches.
    – Current Windows cumulative updates (Evolution abuses only known, already-patched privilege-escalation flaws).
  • E-mail filters: strip ISO, IMG, VHD, and macro-enabled docs by default.
  • Application whitelisting / WDAC blocks unsigned binaries such as evol_lateral.exe.
  • Segment networks, remove Domain Users from local Administrators groups, and back up to immutable storage (Veeam Hardened Repo, AWS S3 Object Lock, etc.).

2. Removal

  1. Isolate the machine(s) from the network (pull cable / disable Wi-Fi).
  2. Collect volatile evidence if needed (memory dump, ShimCache, Amcache), then power down.
  3. Boot from a clean remediation USB and:
     • Delete scheduled tasks \Microsoft\Windows\EvolutionBackup and \EvolStart.
     • Remove registry persistence at HKLM\SOFTWARE\EVOLUTION and HKCU\SOFTWARE\EVOLUTION.
     • Delete binaries:
       %ProgramData%\evol64.dll
       %TEMP%\evol_lateral.exe
       %APPDATA%\evol\evol_svc.exe
  4. Run a reputable AM/EDR scan to catch helper scripts and Cobalt Strike beacons often dropped prior to Evolution.
  5. Patch/review any exploited product (PaperCut, Log4j, etc.) before reconnecting to the network.

3. File Decryption & Recovery

  • No flaw has been found in Evolution’s Salsa20+ECIES implementation; the asymmetric private key remains only with the actor.
  • Offline decryption is therefore impossible without the actor's key, i.e. without paying (not recommended).
  • Free recovery:
    – Check Volume-Shadow copies (vssadmin list shadows) — Evolution usually deletes them, but occasionally fails on large drives.
    – Examine endpoint backup agents (Code42, Druva, Acronis) that may have last-minute snapshots stored outside VSS.
    – Use file-carving tools such as PhotoRec or Kroll RecycleInspector against unallocated clusters; Evolution does not wipe originals, so partial recovery is sometimes possible.
  • Neither Kaspersky nor Avast offers a decryptor; any site promising an “Evolution decryptor” is a scam.

4. Other Critical Information

  • Evolution is an affiliate-driven RaaS written in C++ with a Rust-based locker beta (Q1-2024); the core payload is x64 only, so 32-bit machines are skipped but can still spread the malware laterally.
  • Embedded process-kill list of 920+ apps (SQL, Exchange, PowerShell, LOB apps) to unlock data prior to encryption.
  • Drops Readme_Evolution.txt + desktop wallpaper; the ransom note lists two e-mails and a Tor URL; the current demand averages 0.07 BTC per workstation, ~1.2 BTC for entire networks, with a 72-hour “discount” timer.
  • Notable impact: Hit three regional hospital groups in LATAM (Nov 2023) and several U.S. school districts (Jan 2024), forcing class closures due to lack of segmented backups.
  • Exfiltration: Affiliates routinely exfiltrate sensitive folders via rclone to Mega & Dropbox, then threaten “open publication” if payment negotiations stall. Assume breach-notification duties apply (HIPAA, GDPR, state privacy laws).

Key Tools / Patches Checklist

Stay vigilant, maintain offline-tested backups, and never expose un-patched public services to the internet—Evolution keeps iterating, but solid security hygiene still outpaces its affiliates.