excuses

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Exact extension used: .excuses (both the ransom note and the encrypted files carry this extension, which Windows displays with a plain text-file icon)
  • Renaming pattern: after encryption the malware deletes the original file and writes a new file named exactly as the original with “.excuses” appended, e.g. Quarterly-Report.xlsx becomes Quarterly-Report.xlsx.excuses
  • Volume label wipe: all drives have their NTFS volume-label overwritten with the string “SORRY-FOR-FILES” so Windows Explorer shows “SORRY-FOR-FILES (E:)” instead of the normal name.

2. Detection & Outbreak Timeline

  • First public samples: 03-Mar-2019 (Malware-Bazaar, Twitter)
  • Peak surge: 08-Mar-2019 – 15-Mar-2019 (dozens of corporate intranet incidents reported to ID-Ransomware & Bleeping-Computer forums, mostly in N. America & Germany)
  • Still circulating: new variants carry build time-stamps as late as Dec-2022; every new wave increments the embedded version string by one (currently v4.1)

3. Primary Attack Vectors

The samples analysed so far rely on three infection vectors, usually chained together inside the same intrusion:

  1. Default / weak RDP passwords or purchased RDP credentials
  2. Phishing e-mail delivering “Voicemail-2019-Mar-07.rar”; inside is a self-extracting archive (SFX) that drops dnsfilter.exe
  3. Post-breach lateral movement by re-using the PsExec variant embedded inside the dropper and copying itself to ADMIN$ shares

Mitigation notes:

  • EternalBlue / SMBv1 exploits are not used; the author opts for the quieter living-off-the-land approach (RDP, WMI, PsExec).
  • The installer disables Windows Defender via “C:\users\public\1.bat”, which sets the registry value HKLM\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1.
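The attack chain above (dropper in the Public profile, 1.bat disabling Defender, shadow-copy deletion, PsExec-style copies to ADMIN$) can be turned into simple process-creation detections. This is an added example, not code from the original page: the Sysmon-style events are constructed, the hostnames are made up, and the rule names are my own.

```python
import re

# Constructed sample of process-creation events (Sysmon event 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-17", "image": r"C:\Users\Public\dnsfilter.exe", "cmd": r"C:\Users\Public\dnsfilter.exe"},
    {"host": "ws-17", "image": r"C:\Windows\System32\cmd.exe", "cmd": r'cmd.exe /c "C:\users\public\1.bat"'},
    {"host": "ws-17", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "ws-17", "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin Delete Shadows /all /quiet"},
    {"host": "ws-17", "image": r"C:\Windows\System32\cmd.exe", "cmd": r"copy C:\Windows\Temp\snd.exe \\fs-01\ADMIN$\snd.exe"},
    {"host": "ws-22", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe report.txt"},
]

# Each rule is (name, field to inspect, pattern); every pattern maps to a behaviour named on the page.
RULES = [
    ("shadow-copy-deletion", "cmd", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("defender-disabled-via-policy", "cmd", re.compile(r"Windows Defender.*DisableAntiSpyware.*/d\s+1", re.I)),
    ("defender-kill-batch", "cmd", re.compile(r"\\users\\public\\1\.bat", re.I)),
    ("admin-share-copy", "cmd", re.compile(r"\\\\[^\\]+\\ADMIN\$\\", re.I)),
    ("excuses-payload-path", "cmd", re.compile(r"\\Windows\\Excuses\\excuses\.exe", re.I)),
    ("dropper-in-public-profile", "image", re.compile(r"^C:\\Users\\Public\\[^\\]+\.exe$", re.I)),
]

def match_event(event):
    """Return the names of every rule that fires on one event."""
    return [name for name, field, pattern in RULES if pattern.search(event[field])]

def triage(events):
    """Group fired rules per host; a host that shows several stages of the chain is high confidence."""
    per_host = {}
    for ev in events:
        for name in match_event(ev):
            per_host.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in per_host.items()}
```

Feed it real process-creation logs by mapping your log fields onto `host`, `image` and `cmd`; a single hit on a workstation is worth a look, while a host with the whole chain should be isolated immediately.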

Remediation & Recovery Strategies:

1. Prevention (in order of effectiveness)

  • Zero-exposed RDP: block 3389 at the perimeter firewall, or enforce RDS-Gateway + 2FA + whitelisted source IPs.
  • Enforce 14-character minimum, complex-password policy; run BloodHound / PingCastle to find reused local-admin credentials.
  • Disable “Administrator” and unused local admin accounts; create a short list of named admin accounts (helps detection).
  • Enable Windows Defender real-time, Controlled-Folder-Access, and ASR rules (recommended blocks: “Block credential stealing from LSASS”, “Block process creation from PsExec”).
  • Patch third-party software (Flash, Java, Adobe Reader); those were the three applications targeted in the March-2019 phishing run.
  • Disallow .exe/.bat/.ps1 inside mail attachments at your gateway; replace the attachment with a link and detonate the file in a sandbox.
  • Routine off-line or S3-object-locked backup with 30-day versioning; excuses ransomware specifically looks for and deletes Volume-Shadow copies with “vssadmin Delete Shadows /all”.

2. Removal / Incident-clean-up (step-wise)

  1. Physically disconnect the infected workstation from the network (or disable the vNIC) to stop lateral encryption.
  2. Log on with a “clean” local account or, better, boot a KPE / WinPE USB; do not use a domain-admin account while the machine is still live.
  3. Run a full AV scan using an up-to-date engine (Windows Defender, Malwarebytes, ESET; they share the detection name Ransom:Win32/Excuses).
  4. Delete obvious artefacts:
     • C:\Users\Public\dnsfilter.exe (main dropper)
     • C:\Windows\Excuses\excuses.exe (encryption process)
     • C:\Windows\Temp\*.bat, *.tmp, snd.exe (PsExec copy)
     • Registry run-keys that point to excuses.exe under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  5. Undo the volume-label vandalism: open cmd and run label X: “NewLabel”
  6. Re-enable Windows Defender or install/re-install your AV of choice.
  7. Re-image the host if the infection persisted longer than a few minutes (recommended); this repairs the layered file-system corruption left behind when files are deleted and copied.

3. File Decryption & Recovery

  • There is no free universal decryptor: Excuses uses Curve25519 for the ephemeral key exchange plus the ChaCha20 stream cipher with a unique key per file, and the private key never leaves the C2.
  • Victims who upload to ID-Ransomware will be directed to pay or restore from backup; do not pay the 0.3 BTC demand, because in 80% of observed cases the actor’s mailbox stopped being monitored within 48h.
  • What DOES work:
     • Restore from off-line/off-site backup (Veeam immutable repository, Azure/AWS snapshots, tape).
     • Recover previous versions: issue “vssadmin list shadows” from WinPE; in about 15% of intrusions the malware failed to purge older shadow copies (an open handle held by SYSTEM).
     • Forensic carving: because Excuses deletes the original file and writes a new one, carving tools (PhotoRec, R-Studio, UFS) sometimes find the unencrypted parent clusters still resident on the HDD/SSD until they are overwritten.
     • Build and keep a “ransom-canary” file list (e.g., C:\_000_CANARY\Test.txt) so the backup job can be tested daily; encryption starts with alphabetically sorted paths, so the canary is hit first and triggers high-priority alerting.
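A ransom-canary check for the scheme described above, as an added example rather than code from the original page. It assumes the canary paths live under a directory of your choosing (the demo uses a temporary directory instead of C:\_000_CANARY), and it looks for exactly the two traces the page describes: the canary replaced by a <name>.excuses file, and the ransom note dropped beside it.

```python
import hashlib
import tempfile
from pathlib import Path

EXCUSES_EXT = ".excuses"                  # page: appended to every encrypted file
RANSOM_NOTE = "Read-Me-Now-For-Link.txt"  # page: dropped into every directory

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(canaries):
    """Record each canary's hash once, right after the backup job creates it."""
    return {str(p): sha256_file(p) for p in canaries}

def check_canaries(canaries, expected):
    """Return (path, reason) findings; an empty list means every canary is intact."""
    findings = []
    for p in map(Path, canaries):
        if not p.exists():
            # Excuses deletes the original and writes <name>.excuses next to it
            encrypted = p.with_name(p.name + EXCUSES_EXT).exists()
            findings.append((str(p), "renamed-to-excuses" if encrypted else "missing"))
        elif sha256_file(p) != expected[str(p)]:
            findings.append((str(p), "content-changed"))
        if (p.parent / RANSOM_NOTE).exists():
            findings.append((str(p.parent), "ransom-note-present"))
    return findings

def demo():
    """Constructed scenario in a temp dir: one canary untouched, one hit the way Excuses hits it."""
    root = Path(tempfile.mkdtemp())
    intact, hit = root / "_000_CANARY" / "Test.txt", root / "_000_CANARY2" / "Test.txt"
    for c in (intact, hit):
        c.parent.mkdir()
        c.write_text("canary")
    expected = baseline([intact, hit])
    # simulate the malware: delete the original, write the .excuses copy and the note beside it
    hit.unlink()
    hit.with_name(hit.name + EXCUSES_EXT).write_bytes(b"\x00" * 16)
    (hit.parent / RANSOM_NOTE).write_text("constructed note")
    return sorted(check_canaries([intact, hit], expected))
```

Run `check_canaries` from the backup job or a scheduled task and page on any non-empty result; because the canary directory sorts first, the alert fires before most real data is touched.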

4. Other Critical Information

  • The malware writes a plain-text note “Read-Me-Now-For-Link.txt” into every directory: a BTC address plus a bit.ly URL that gates an onion page. The site is frequently suspended for abuse, which explains why payment rarely leads to a key.
  • Excuses does not touch files below 30 bytes or larger than 150 MB; large SQL, PST and VMDK files have ONLY their first 10 MB ChaCha20-encrypted, so the remainder is sometimes salvageable.
  • The ransomware is sold as RaaS (Ransomware-as-a-Service) on Russian-language crime forums under the slogan “без предоплаты” (“no upfront fee”), so unrelated affiliates create different phishing lures but ship the same binary, which explains why detection rules remain consistent.
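To find out how much of a large .excuses file survived the 10 MB head-only encryption described above, a responder can profile byte entropy along the file: ChaCha20 output sits near 8 bits/byte, while SQL, PST or VMDK content is far lower. This is an added example and not the page's or the actor's code; the sample file is constructed (random bytes stand in for ciphertext, repeated SQL text for the untouched tail) and the chunk size is shrunk so it runs in a second.

```python
import math
import os

ENCRYPTED_HEAD = 10 * 1024 * 1024   # page: only the first 10 MB of large files is encrypted
LARGE_FILE_LIMIT = 150 * 1024 * 1024  # page: files above 150 MB fall into the "large" class

def shannon_entropy(chunk):
    """Bits per byte of one chunk; 8.0 is the maximum, ciphertext lands close to it."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_profile(data, chunk_size):
    """Entropy of every fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]

def salvageable_offset(data, chunk_size, threshold=6.5):
    """Offset of the first low-entropy chunk, i.e. where plaintext may survive,
    or None when every chunk looks encrypted. Use chunk_size=1 MiB on real files."""
    for idx, h in enumerate(entropy_profile(data, chunk_size)):
        if h < threshold:
            return idx * chunk_size
    return None

def build_sample(head_len, tail_len):
    """Constructed stand-in for a partially encrypted file: random head, repetitive SQL tail."""
    head = os.urandom(head_len)                    # stands in for the ChaCha20-encrypted head
    line = b"INSERT INTO orders VALUES (1, 'widget', 9.99);\n"
    tail = (line * (tail_len // len(line) + 1))[:tail_len]
    return head + tail
```

On a real 150 MB+ file, `salvageable_offset(data, 1024 * 1024)` returning 10 MiB confirms the page's head-only behaviour, and the bytes from that offset onward are what a carving or table-repair tool can still work with.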

Wider impact: hospitals and local governments that could not patch 3389 quickly were hit during the first two weeks, causing several 911-dispatch and accounting outages; HIPAA-covered entities faced breach-notification because the attacker exfiltrated a folder-list to prove “time to pay”. Treat every Excuses incident as both a ransomware and a data-theft case.

Key defensive take-away: Excuses’ success is driven by credential abuse and PsExec, NOT by a fancy exploit. Concentrate on strong passwords, MFA, and RDP isolation rather than hoping for a decryptor.