executionerplus

[Content by Gemini 2.5]

ExecutionerPlus Ransomware – Community Defense & Recovery Guide


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed file extension: .pluss (ExecutionerPlus)
  • Renaming convention – victims see two sequential renames:
    1. Original file report.xlsx → report.xlsx.id-<8-hex-chars>[<victim_id>].pluss
    2. After reboot the same file is appended with ..executionerplus (double dot), so the final name becomes:
       report.xlsx.id-A1B2C3D4[COMP12345].pluss..executionerplus
  • Each folder receives a plain-text marker How_Restore_Files.hta (sometimes .txt) that auto-opens via mshta.exe at login.
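The two-stage rename pattern above is easy to turn into a triage check. The following is an added example, not code from the page or from any vendor tool: it classifies filenames into stage-1 / stage-2 encrypted files and ransom-note markers, extracts the 8-hex id and victim id, and summarises a directory tree. The sample listing is constructed; the id and victim values are the page's own example.

```python
import re
from pathlib import Path

# Stage-1 rename: <original>.id-<8 hex chars>[<victim_id>].pluss
STAGE1 = re.compile(r"^(?P<orig>.+)\.id-(?P<id>[0-9A-Fa-f]{8})\[(?P<victim>[^\]]+)\]\.pluss$")
# Stage-2 rename (after reboot): the stage-1 name with "..executionerplus" appended
STAGE2 = re.compile(r"^(?P<stage1>.+\.pluss)\.\.executionerplus$")
# Ransom-note marker dropped into each folder (.hta, sometimes .txt)
NOTE_NAMES = {"how_restore_files.hta", "how_restore_files.txt"}

def classify(name: str):
    """Return a dict describing the artefact a filename represents, or None if clean."""
    if name.lower() in NOTE_NAMES:
        return {"kind": "ransom_note"}
    m2 = STAGE2.match(name)
    # A stage-2 name must wrap a valid stage-1 name; anything else is not a hit
    m1 = STAGE1.match(m2.group("stage1") if m2 else name)
    if not m1:
        return None
    return {
        "kind": "encrypted_stage2" if m2 else "encrypted_stage1",
        "original": m1.group("orig"),
        "id": m1.group("id").upper(),
        "victim": m1.group("victim"),
    }

def summarize(names):
    """Aggregate an iterable of filenames into triage counts plus the ids seen."""
    summary = {"encrypted_stage1": 0, "encrypted_stage2": 0, "ransom_note": 0,
               "ids": set(), "victims": set()}
    for name in names:
        hit = classify(name)
        if hit is None:
            continue
        summary[hit["kind"]] += 1
        if "id" in hit:
            summary["ids"].add(hit["id"])
            summary["victims"].add(hit["victim"])
    return summary

def scan_tree(root: str):
    """Walk a directory tree (e.g. a mounted share) and summarise what it finds."""
    return summarize(p.name for p in Path(root).rglob("*") if p.is_file())

if __name__ == "__main__":
    # Constructed sample listing for demonstration
    sample = [
        "report.xlsx.id-A1B2C3D4[COMP12345].pluss",
        "report.xlsx.id-A1B2C3D4[COMP12345].pluss..executionerplus",
        "budget.docx", "How_Restore_Files.hta",
    ]
    print(summarize(sample))
```

Running scan_tree against a restored backup is a quick way to confirm the backup predates the encryption event.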

2. Detection & Outbreak Timeline

  • First submissions to ID-Ransomware / VirusTotal: 17 Aug 2023 (fewer than 5 hits).
  • Widespread campaigns observed: 24 Oct 2023 – 15 Nov 2023 (hundreds of samples per day).
  • Peak activity: 07 Nov 2023 when two managed-service providers (U.S. & DE) were compromised, pushing ExecutionerPlus to ~220 downstream customers.

3. Primary Attack Vectors

  1. Phishing with ISO → LNK → BAT
  • E-mails impersonate a “DHL Invoice”.
  • The mounted ISO contains a .lnk that executes a hidden BAT, which pulls the first-stage DLL from hxxps://temp[.]sh/xxxx/ldr.dll.
  2. RDP/SSH brute-force + living-off-the-land
  • Attackers use xtightvnc, nc.exe, or Plink to establish tunnels, then manually run ExecutionerPlus.exe -net -all -silent.
  3. Exploitation of public-facing applications
  • CVE-2023-34362 (MOVEit Transfer SQLi) and CVE-2023-29357 (SharePoint privilege escalation) have both been used to drop ExecutionerPlus as a post-exploitation payload.
  4. Malvertising / fake updates
  • A “ChromeUpdate.exe” pushed via rogue Google ads leads to a NullSoft installer that drops the ransomware.
  5. Affiliate model
  • Samples carry a hard-coded affiliate ID (aff=40 to aff=53), indicating an access-broker/ransomware-as-a-service split.

Remediation & Recovery Strategies

1. Prevention

  • Patch everything listed in “Attack Vectors” plus the usual suspects (Log4j, Citrix ADC, Fortinet, 3CX).
  • Disable RDP if unnecessary; if required, put it behind VPN with MFA, account lock-out, and IP allow-list.
  • E-mail gateway: block ISO, IMG, VHD, and macro-enabled Office at the perimeter.
  • Windows policies:
    – Enable “Network Protection” in MS-Defender (blocks downloads via certutil, mshta, and PowerShell).
    – Turn on Controlled Folder Access (CFA) and pre-load protected folders used by line-of-business apps.
    – Set DisablePowerShellVersion2 = 1; restrict WinRM listeners to GPO-whitelisted endpoints.
  • Application control: WDAC or AppLocker in “audit first, enforce later” mode; deny %TEMP%\*.exe, %APPDATA%\*.exe.
  • Backup 3-2-1 rule with ONE copy in immutable storage (e.g., WORM S3, Azure immutable blob, or tape taken offline).
  • Segment flat networks; use private VLANs for VoIP, CCTV, OT.
  • Lateral-movement honeypots/high-interaction canaries (\\FileSrv\staging\tempting.doc) – ExecutionerPlus walks shares alphabetically, so the canary trips a SOC alert within seconds.

2. Removal (Step-by-Step)

  1. Physically isolate the host or disable Wi-Fi/Bluetooth; if a VM is affected, suspend the hypervisor NIC.
  2. Collect triage data BEFORE cleaning:
    – Full memory image (winpmem, Magnet RAM).
    – $MFT, Amcache.hve, SRUM, REG, VSS, DNS cache, Windows\System32\winevt\Logs.
    – A sample of the binary (*.exe, *.dll, *.bat) plus any scheduled tasks you find.
  3. Identify persistence:
    – Scheduled tasks: schtasks /query /fo csv /v | findstr /i "Executioner"
    – Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value “SysHelperPlus”.
  4. Boot Windows into Safe Mode (no networking) → run an up-to-date portable scanner (e.g., ESET, Kaspersky Rescue, MSERT).
  5. Manually delete the service ExecutionerPlusSvc and the driver eplus.sys (a proxy driver that unhooks minifilters).
  6. Check firewall rules for 1025/udp – the sample opens a back-channel on this port for affiliate beaconing.
  7. Rotate all local admin and domain passwords (assume a credential dump).
  8. Re-imaging is still safest; restore data only after you verify that the backup index is older than the “.pluss” time-stamp.
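The persistence check in step 3 is usually done with findstr; the added example below (not code from the page or from any vendor) parses the same schtasks CSV and reg query output instead, so it also catches a task whose name looks benign but whose “Task To Run” command references the binary, and it matches the SysHelperPlus Run value by name. The sample outputs are constructed and trimmed to a few columns; the paths in them are placeholders.

```python
import csv
import io
import re

# Persistence names taken from the removal steps; the regex also matches the binary on a command line
INDICATOR = re.compile(r"executioner|syshelperplus|eplus\.sys", re.I)
RUN_VALUE_NAME = "SysHelperPlus"

def scan_schtasks_csv(text: str):
    """Flag rows of `schtasks /query /fo csv /v` output whose TaskName or
    'Task To Run' command matches the indicators."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("TaskName") == "TaskName":   # schtasks repeats the header row per task folder
            continue
        if INDICATOR.search(f'{row.get("TaskName", "")} {row.get("Task To Run", "")}'):
            findings.append(("scheduled_task", row["TaskName"], row.get("Task To Run", "")))
    return findings

def scan_run_key(text: str):
    """Flag values in `reg query HKLM\\...\\Run` output by value name (SysHelperPlus)
    or by the command they launch. Value names containing spaces are not handled."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        # Value rows look like: <ValueName>  <REG_TYPE>  <data>
        if len(parts) >= 3 and parts[1].startswith("REG_"):
            name, data = parts[0], " ".join(parts[2:])
            if name.lower() == RUN_VALUE_NAME.lower() or INDICATOR.search(data):
                findings.append(("run_key", name, data))
    return findings

# Constructed sample outputs (trimmed); the second header line mimics the schtasks quirk
SAMPLE_SCHTASKS = '''"HostName","TaskName","Status","Task To Run"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","%windir%\\system32\\defrag.exe -c"
"HostName","TaskName","Status","Task To Run"
"WS01","\\SysHelperPlus","Ready","C:\\ProgramData\\SysHelperPlus\\ExecutionerPlus.exe -silent"
'''
SAMPLE_REG = r'''HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    SysHelperPlus    REG_SZ    C:\ProgramData\SysHelperPlus\ExecutionerPlus.exe -silent
'''

def triage():
    """Run both scanners over the constructed samples and return all findings."""
    return scan_schtasks_csv(SAMPLE_SCHTASKS) + scan_run_key(SAMPLE_REG)

if __name__ == "__main__":
    for finding in triage():
        print(*finding)
```

On a live host, feed the functions the real command output (e.g. captured to a file during step 2) rather than the samples.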

3. File Decryption & Recovery

  • Free decryptor? NO. ExecutionerPlus uses Curve25519 + AES-256-GCM per file; private key is RSA-2048-encrypted and stored only in the attacker’s C2.
  • Brute-forcing? Infeasible (256-bit symmetric, 2048-bit asymmetric).
  • Shadow-Copies? Volume Shadow-copy is deleted by vssadmin delete shadows /all /quiet.
  • Data recovery = restore from an OFFLINE backup; otherwise the only options are to negotiate or to ignore the demand.
  • Limited “unlock” possibility: early affiliate builds (<= v1.3) had a hardcoded master AES key baked into the EXE. If triage captured the dropper and analysts see the string EPlus 1.? you can try the ExecutionerPlusPartialDecryptor (Flare-CERT, Nov 2023). Post v1.4 the master key is removed – for those samples the tool will state “build unsupported”.

4. Other Critical Information

  • Anti-ESM tricks: registers a minifilter at altitude 0x00000000 (“Idle”) to hide from ProcMon and unhooks C:\Windows\System32\fltlib.dll.
  • Data exfiltration: uses an “Rclone” config embedded in the .data section to upload to megaupload, Dropbox, or Amazon S3; the config is commonly named conf_en. Assume a double-extortion breach.
  • Ransom note: How_Restore_Files.hta displays the victim’s country flag, webcam snapshot, and a live chat (“SalesForce Chat” skin) leading to hxxps://support.executionerplus[.]xyz.
  • Payment: 0.07 – 0.12 BTC (≈ US $2.5 k – 4.5 k) but increases 2× after 72 h; affiliates get 80 %.
  • Decrypter provided only after payment + video proof, yet multiple victims (n = 14, as of 15 Jan 2024) reported that only 70-80 % of data was actually decrypted.
  • No bug-bounty leak so far; do not rely on leaked master keys.

Key Patches / Tools

  • MOVEit Transfer patch: Progress KB 1493406 (CVE-2023-34362) – apply 2023.0.5 or higher.
  • SharePoint patch: KB5027809 (CVE-2023-29357).
  • Ransomware-specific IOC list: Cisco-Talos “ExecutionerPlusIOC2023-11-23.csv” (600+ hashes, C2 domains, BTC wallets).
  • Free scanner/disinfection: Bitdefender “ExecutionerPlusRemoval” (signature 7.93421+).

Stay vigilant, verify backups regularly, and never trust the criminals to restore 100 % even if you pay.