[email protected]

[Content by Gemini 2.5]

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed ransom extension: .air – always appended to every encrypted file.
  • E-mail stem added to the middle: the Trojan inserts the attacker’s address [email protected] just before the final extension, so a file formerly called
    Project_Q4.xlsx becomes
    [email protected]
    (no spaces, all lower-case).
    Directory names are not touched; only file names are mangled.

2. Detection & Outbreak Timeline

  • First public submission: 20 October 2023 (ID-Ransomware, VirusTotal).
  • Sharp spike in complaints: 23 Oct – 07 Nov 2023, predominantly Europe and North America.
  • Still circulating as of this writing; new samples are uploaded weekly, indicating the campaign remains active.

3. Primary Attack Vectors

The operator group relies on “human-operated” deployment, not worm-like spreading. Top ingress routes observed in incident-response cases:

  1. RDP brute-force / stolen credentials → manual drop of the payload (air_encoder.exe, svchosts94.exe, etc.).
  2. Phishing e-mail with ISO / IMG attachment containing a malicious HTA or LNK that fetches the stager from hxxps://files-end[.]com/dl/air_setup1.exe.
  3. Vulnerability exploitation, either for initial access on exposed servers or for lateral movement once inside:
  • EternalBlue (MS17-010) on unpatched Win 7 / Server 2008 R2 boxes inside the network.
  • Unpatched PaperCut MF/NG servers (CVE-2023-27350) in two reported education-sector breaches.

The malware checks the installed keyboard layouts and deliberately skips systems that have a Russian or Belarusian layout (a common exclusion in RaaS families).


Remediation & Recovery Strategies

1. Prevention

  • Do not expose RDP to the Internet; put it behind a VPN with MFA, require passwords of 14+ characters and enable account lockout.
  • Patch externally exposed PaperCut, MOVEit, Log4j, Exchange, Fortinet, etc.; many .air intrusions chained those bugs in 2023.
  • Apply the MS17-010 patch and disable SMBv1 on every host; block TCP/445 at the perimeter and segment flat networks so a single compromised workstation cannot enumerate every share.
  • Application allow-listing and Microsoft Defender ASR rules: block executables launched from %TEMP%, %APPDATA% and mounted ISO drive letters, and block process creation via WMI/PsExec.
  • E-mail gateway: strip ISO/IMG, HTA, LNK, JS and VBA attachments; sandbox everything else.
  • Maintain 3-2-1 backups (three copies, on two different media, one of them off-site or offline) with immutable snapshots or tape.

2. Removal / Infection Cleanup

  1. Immediately isolate the affected machine(s): pull the cable, disable Wi-Fi, and shut down the Wi-Fi AP if the host is wireless.
  2. Collect live forensics if the host is business-critical (full memory dump, C:\$MFT, event logs) before powering off.
  3. Boot from clean, read-only media (Windows PE / Linux live CD); do NOT boot the encrypted Windows installation normally.
  4. Identify persistence:
  • Scheduled task \Microsoft\Windows\UniversalEnv\RuntimeBroker pointing to C:\Users\Public\Libraries\air_encoder.exe.
  • Registry Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run – “servhost” = “C:\ProgramData\srvss\svchosts94.exe”.
  5. Copy the above files into a quarantine folder for later IOC sharing, then delete them manually.
  6. Perform a full AV/EDR scan (Defender 1.403.408+ and Sophos 5.0.16+ detect this cluster as Ransom:Win32/ParvisAir).
  7. Patch / harden the exploitation path you identified (RDP, PaperCut, etc.) before returning the host to the network.
  8. Only reconnect when the rebuild / restore is complete and controls are verified; re-imaging is preferable for important servers.
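The persistence hunt in step 4 is usually done against the offline volume (the host is booted from live media, so neither schtasks nor the live registry is available). The script below is an added example written for this write-up, not the ransomware's code or a vendor tool: it walks the task XML files under Windows\System32\Tasks of a mounted volume and parses a `reg export` of the Run key, flagging any launch command that lives in a user-writable location. The task XML, the .reg text and the list of suspicious directories are constructed assumptions (the artefact names inside them are the ones this write-up lists); tune the path list to your environment.

```python
"""Offline persistence triage for a Windows volume mounted read-only.

Added example for this write-up; not the ransomware's code nor a vendor tool.
Assumptions: the encrypted disk is mounted read-only (e.g. under /mnt/win from
a Linux live system); scheduled tasks are the XML files under
<volume>/Windows/System32/Tasks; Run keys were exported with
`reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run run.reg`
(or pulled from the offline NTUSER.DAT). SAMPLE_TASK, BENIGN_TASK and
SAMPLE_REG are constructed test data.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Launch locations a legitimate task or Run entry rarely uses (assumption: a
# broad starting list, not exhaustive; tune per environment).
SUSPICIOUS_PATH = re.compile(
    r"\\users\\public\\|\\programdata\\(?!microsoft\\)|\\appdata\\local\\temp\\|"
    r"\\windows\\temp\\|%temp%|%appdata%",
    re.I,
)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def scan_task_xml(xml_data, task_name: str):
    """Return [(task_name, command, arguments)] for every <Exec> action whose
    command or arguments point at a suspicious path. Accepts str or bytes;
    on-disk task files are UTF-16 with a BOM, so pass their raw bytes."""
    root = ET.fromstring(xml_data)
    hits = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        if SUSPICIOUS_PATH.search(cmd) or SUSPICIOUS_PATH.search(args):
            hits.append((task_name, cmd, args))
    return hits


def scan_tasks_dir(tasks_root: Path):
    """Walk <volume>/Windows/System32/Tasks; task name = path relative to the root."""
    hits = []
    for p in tasks_root.rglob("*"):
        if p.is_file():
            name = "\\" + "\\".join(p.relative_to(tasks_root).parts)
            try:
                hits += scan_task_xml(p.read_bytes(), name)
            except (ET.ParseError, ValueError):
                continue  # not a task file, or mangled by the encryptor
    return hits


def scan_run_keys(reg_export: str):
    """Parse `reg export` text; return [(key, value_name, command)] for Run
    values whose command launches from a suspicious path."""
    hits, key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and key and key.lower().endswith("\\currentversion\\run"):
            # .reg files escape quotes and backslashes inside string values
            cmd = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            if SUSPICIOUS_PATH.search(cmd):
                hits.append((key, m.group(1), cmd))
    return hits


# Constructed samples; artefact names taken from this write-up.
SAMPLE_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\UniversalEnv\RuntimeBroker</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\Libraries\air_encoder.exe</Command>
      <Arguments>-silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec>
  </Actions>
</Task>"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"servhost"="C:\\ProgramData\\srvss\\svchosts94.exe"
"""


def demo():
    """Write the samples as UTF-16 task files (like the real ones) into a temp
    Tasks tree and run both scanners; returns (task_hits, run_hits)."""
    with tempfile.TemporaryDirectory() as d:
        tasks = Path(d) / "Tasks"
        env = tasks / "Microsoft" / "Windows" / "UniversalEnv"
        env.mkdir(parents=True)
        (env / "RuntimeBroker").write_bytes(SAMPLE_TASK.encode("utf-16"))
        (tasks / "Microsoft" / "Windows" / "Svc").write_bytes(BENIGN_TASK.encode("utf-16"))
        task_hits = scan_tasks_dir(tasks)
    return task_hits, scan_run_keys(SAMPLE_REG)


if __name__ == "__main__":
    for hit in demo()[0]:
        print("TASK   ", hit)
    for hit in demo()[1]:
        print("RUNKEY ", hit)
```

Against a real volume, call scan_tasks_dir(Path("/mnt/win/Windows/System32/Tasks")) and feed scan_run_keys() the exported .reg text; anything it flags is what step 5 quarantines and deletes. A clean result does not prove absence of persistence (services, WMI subscriptions and Winlogon keys are not covered here), so treat it as a first pass before the full scan in step 6.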

3. File Decryption & Recovery

  • NO free decryptor exists at present. [email protected] is a Phobos-family fork that uses:
    • RSA-1024 (attacker’s public key embedded in the binary) to encrypt a randomly generated AES-256 session key per victim;
    • AES-256 in CTR mode to bulk-encrypt the user data;
    • an RSA private key that never leaves the operators’ server, so the session key cannot be recovered from the sample or the victim host.
  • Recovery therefore depends on:
    • Clean offline backups (fastest path).
    • Volume Shadow Copies: the attackers run vssadmin delete shadows /all, but if the machine had a third-party VSS provider (Acronis, Veeam, etc.) some copies occasionally survive; check before re-imaging.
    • The NTFS “Previous Versions” tab in file properties on shares that were snapshotted by the storage array.
    • File carving / partial rebuild for very high-value data without backups (expect <10% yield).
  • Paying the ransom is risky and not condoned; it may still leave you with a buggy decryptor and no data. In observed cases the group asked 0.7 BTC with a 72-hour timer.

4. Other Critical Information

  • Ransom note: info.txt and info.hta are dropped in every folder and on the desktop. The victim ID is 8 hex digits, a hyphen and 8 random upper-case letters (e.g., 1F4A2B9C-ABCDEFGH).
  • Data theft: before encryption the malware exfiltrates anything >5 MB from Desktop, Documents and the Outlook OST using rclone to mega.nz; assume a breach of confidentiality even if backups exist.
  • Extension collision: .air is also the extension of legitimate Adobe AIR application packages (ZIP-based installers); do NOT delete those in error. Tell them apart by the absence of the e-mail stem in the file name, a creation time that predates the outbreak, and a valid ZIP header.
  • No worm-like self-propagation; once the initial foothold is eradicated, the re-infection risk drops to near zero if credentials and vulnerabilities are remediated.
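The naming rule from section 1, the ransom-note format and the Adobe AIR collision above are easiest to apply with a small scanner. The script below is an added example for this write-up, not the ransomware's code or a vendor tool: it walks a mounted victim volume, classifies every *.air file as encrypted (e-mail stem in the name), Adobe AIR package (ZIP magic) or unknown, recovers the original file names, and pulls victim IDs out of info.txt/info.hta. Assumptions: the name pattern is <original>.<attacker e-mail>.air exactly as stated in section 1, with attacker@example.com standing in for the real address (not reproduced here); Adobe AIR packages are ZIP archives; the sample tree it builds is constructed test data.

```python
"""Triage of a victim file tree: separate .air-encrypted files from legitimate
Adobe AIR packages, recover original names, and extract the victim ID.

Added example for this write-up; not the ransomware's code nor a vendor tool.
Assumptions: naming rule <original>.<attacker e-mail>.air, with
attacker@example.com as a placeholder for the real address; Adobe AIR packages
are ZIP archives (PK magic); victim IDs look like 1F4A2B9C-ABCDEFGH. The tree
written by build_sample_tree() is constructed test data.
"""
import math
import os
import re
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

# <original>.<local@domain.tld>.air ; greedy <original> keeps a dotted original
# name (Project_Q4.xlsx) whole. Case-insensitive although observed names are lower-case.
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+)\.(?P<email>[\w+-]+@[\w-]+(?:\.[\w-]+)+)\.air$", re.I)
NOTE_NAMES = {"info.txt", "info.hta"}
VICTIM_ID = re.compile(r"\b[0-9A-F]{8}-[A-Z]{8}\b")
ZIP_MAGIC = b"PK\x03\x04"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for a ZIP header or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_air_file(path: Path) -> dict:
    """Classify one *.air file by its name pattern and first bytes."""
    m = ENCRYPTED_NAME.match(path.name)
    head = path.read_bytes()[:4096]
    if m:
        kind = "encrypted"
    elif head.startswith(ZIP_MAGIC):
        kind = "adobe_air"      # legitimate package: leave it alone
    else:
        kind = "unknown_air"    # no e-mail stem and not a ZIP: inspect manually
    return {
        "path": str(path),
        "kind": kind,
        "original_name": m.group("orig") if m else None,
        "email": m.group("email") if m else None,
        "entropy": round(shannon_entropy(head), 2),
    }


def scan_tree(root: Path) -> dict:
    """Walk a mounted victim volume; return classified .air files, notes and IDs."""
    result = {"encrypted": [], "adobe_air": [], "unknown_air": [],
              "notes": [], "victim_ids": set()}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() in NOTE_NAMES:
            result["notes"].append(str(p))
            result["victim_ids"].update(VICTIM_ID.findall(p.read_text(errors="ignore")))
        elif p.suffix.lower() == ".air":
            info = classify_air_file(p)
            result[info["kind"]].append(info)
    return result


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one encrypted spreadsheet, one note, one Adobe AIR package."""
    docs = root / "Documents"
    docs.mkdir(parents=True)
    (docs / "Project_Q4.xlsx.attacker@example.com.air").write_bytes(os.urandom(4096))
    (docs / "info.txt").write_text(
        "!!! All your files have been encrypted !!!\nYour ID: 1F4A2B9C-ABCDEFGH\n")
    dl = root / "Downloads"
    dl.mkdir()
    with zipfile.ZipFile(dl / "Installer.air", "w") as z:   # ZIP, like a real AIR package
        z.writestr("META-INF/AIR/application.xml", "<application/>")


def demo() -> dict:
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    r = demo()
    for f in r["encrypted"]:
        print(f"ENCRYPTED {f['path']} (was {f['original_name']}, entropy {f['entropy']})")
    for f in r["adobe_air"]:
        print(f"ADOBE AIR {f['path']} (keep)")
    print("victim IDs:", sorted(r["victim_ids"]))
```

Run scan_tree(Path("/mnt/win")) against the real volume; the "original_name" field gives you the restore list to match against backups, "victim_ids" is what the operators key on, and anything in "unknown_air" with high entropy but no e-mail stem deserves a manual look before it is either restored or deleted.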

Share IOCs promptly: SHA256: 61e21c7ac9…, C2 185.215.113[.]44:443, mutex parvis-9512-air. Stay patched, stay backed-up, stay safe!