exotic

[Content by Gemini 2.5]

EXOTIC Ransomware – Community Resource Sheet

(Last updated: March 2024)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Extension added: .exotic (lower-case, always appended after the original extension, so invoice.pdf becomes invoice.pdf.exotic)
  • Secondary marker: No change to the base file name – the malware simply stacks its token after the true extension.
  • Dropped files:
    HOW-TO-RECOVER-FILES.txt (campaign #1) or
    Exotic-Recovery.txt (campaign #2).
  • Encrypted icon: Windows default “blank page” icon is forced on all affected objects (extension association changed in the registry).

2. Detection & Outbreak Timeline

  • First public sample: 2023-09-12 (uploaded to VirusTotal from Brazil).
  • Major campaigns:
    – Oct-Nov 2023: Phishing wave targeting Portuguese-language accounting firms (subject: “Resumo de cobrança – atualize seus dados” / attachment: ZIP→ISO→LNK→DLL side-load).
    – Dec 2023: Exploitation of web-facing ManageEngine ServiceDesk Plus via CVE-2023-43208 (public exploit published 2023-09-28). Caveat: CVE-2023-43208 is the identifier tracked against NextGen Mirth Connect, not ManageEngine; confirm which advisory is meant before using the CVE as an indicator.
    – Feb 2024: Limited appearance in North American MSPs via ScreenConnect CVE-2024-1709.
  • Prevalence is currently low (roughly 4,000 affected hosts seen in ID Ransomware submissions), but new detections were still arriving weekly as of March 2024.

3. Primary Attack Vectors

  1. Phishing with double-extension ISO
    – ISO contains a trojanised “msipc.dll”, side-loaded by a benign-looking “PdfLauncher.exe” signed with a code-signing certificate that has since been revoked (a revoked signature still looks “signed” unless revocation is actually checked).
  2. Public-exploit chaining
    – CVE-2023-43208 (ManageEngine) → memory-dropper → Cobalt Strike beacon → manual EXOTIC deployment;
    – CVE-2024-1709 (ConnectWise) used for lateral movement inside MSP clients.
  3. Credential stuffing / brute force against RDP
    – Exposed RDP on 3389 (and on the non-standard 33892 in some cases) is brute-forced; a BAT script then downloads EXOTIC from an authenticated file share and executes it with rundll32.
  4. USB / shared-drive propagation
    – Creates autorun.inf and an explorer.exe.lnk pointing at ExoticDLL.dll; since AutoRun for removable drives has been disabled by default since Windows 7, it relies on the user opening the shortcut when the drive is mounted (an old trick that still works against air-gapped end users).
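The following hunting script is an added example for the three commodity vectors above (RDP brute force, the PdfLauncher.exe/msipc.dll side-load pair, and the removable-media lures); it is not code from the sheet's authors or from any vendor. It is meant to be run elevated on a suspect host. The 24-hour window, the 20-failure threshold and the search roots are assumptions chosen here, not values taken from the sheet.

```powershell
<#
  Added hunting example for the three commodity vectors listed above.
  Not code from the sheet's authors or any vendor. Run elevated on a
  suspect host. The 24 h window, the 20-failure threshold and the search
  roots are assumptions, not values from the sheet.
#>

# 1. RDP brute force / credential stuffing: bursts of Security event 4625
#    (failed logon) grouped by source address. Logon type 10 is
#    RemoteInteractive; NLA pre-authentication failures arrive as type 3.
function Get-RdpBruteForceSources {
    param([int]$Hours = 24, [int]$Threshold = 20)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Source    = $d['IpAddress']
                LogonType = [int]$d['LogonType']
                User      = $d['TargetUserName']
            }
        } |
        Where-Object { $_.LogonType -in 3, 10 -and $_.Source -and $_.Source -ne '-' } |
        Group-Object Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Name
                Failures = $_.Count
                Users    = ($_.Group.User | Sort-Object -Unique) -join ','
                First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        }
}

# 2. Phishing ISO side-load: a PdfLauncher.exe with an msipc.dll beside it
#    in a user-writable location. A revoked certificate still shows up as a
#    signature, so report the status text rather than trusting "signed".
function Find-SideLoadPair {
    param([string[]]$Roots = @("$env:SystemDrive\Users", $env:ProgramData, "$env:windir\Temp"))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Force -Filter 'PdfLauncher.exe' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $dll = Join-Path $_.DirectoryName 'msipc.dll'
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Launcher  = $_.FullName
                    SideDll   = if (Test-Path -LiteralPath $dll) { $dll } else { '(absent)' }
                    SigStatus = "$($sig.Status): $($sig.StatusMessage)"
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
    }
}

# 3. Removable-media propagation: the lure files at the root of every
#    removable volume (DriveType 2), with the LNK target resolved so the
#    explorer.exe.lnk -> ExoticDLL.dll redirection is visible.
function Find-RemovableLures {
    $shell = New-Object -ComObject WScript.Shell
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $root = $_.DeviceID + '\'
        foreach ($name in 'autorun.inf', 'explorer.exe.lnk', 'ExoticDLL.dll') {
            $p = Join-Path $root $name
            if (Test-Path -LiteralPath $p) {
                $target = if ($name -like '*.lnk') { $shell.CreateShortcut($p).TargetPath } else { '' }
                [pscustomobject]@{ Drive = $_.DeviceID; Lure = $name; Bytes = (Get-Item -LiteralPath $p -Force).Length; LnkTarget = $target }
            }
        }
    }
}

Get-RdpBruteForceSources | Format-Table -AutoSize
Find-SideLoadPair        | Format-Table -AutoSize
Find-RemovableLures      | Format-Table -AutoSize
```

Event 4625 does not record the destination port, so brute force against the non-standard 33892 listener looks identical to 3389 in the Security log; the port only appears in firewall or NetFlow data. The side-load check reports the Authenticode status string because a revoked certificate is the whole point of the lure: "signed" on its own proves nothing.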

REMEDIATION & RECOVERY STRATEGIES

1. Prevention (Short Prioritised List)

  • Patch & harden internet-facing applications immediately – especially ManageEngine and ConnectWise.
  • Disable Office macros from the Internet; block ISO/IMG attachment execution via Group Policy.
  • Turn on Controlled Folder Access (Microsoft Defender) or an equivalent ransomware-protection feature in your AV – it is free and stops .exotic in test labs.
  • Require MFA for all RDP access, keep NLA enabled, and put RDP gateways behind a VPN rather than exposing 3389.
  • Segment admin credentials: never run day-to-day work with DA/EA accounts.
  • Maintain offline, versioned backups (3-2-1 rule). Do not treat cloud-sync folders as backups: a logged-in sync client pushes the encrypted files over the good copies, so keep sync credentials off servers and confirm the provider’s version history covers the likely dwell time.
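As an added example (not from the sheet's authors or from Microsoft), here is an audit-then-apply script for the host-side items in the list above: Controlled Folder Access, Defender attack-surface-reduction rules, macros from the Internet, and NLA on RDP. Without -Apply it only reports the current state. The particular ASR rules chosen, and the 16.0 Office policy hive, are assumptions made here rather than sheet content; the MFA and VPN items are infrastructure changes that a host script cannot make.

```powershell
<#
  Added audit-then-apply example for the host-side prevention items.
  Not code from the sheet's authors or from Microsoft. Run elevated;
  without -Apply it only reports. The ASR rule set and the Office 16.0
  policy hive are assumptions, not sheet content. Set-MpPreference only
  works where Microsoft Defender is the active AV engine.
#>
param([switch]$Apply)

$AsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
$RdpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$OfficeApps = 'Word', 'Excel', 'PowerPoint'

# --- audit: report the weak/current state before touching anything ------
$pref = Get-MpPreference
# EnableControlledFolderAccess: 0 off, 1 block, 2 audit, 3/4 disk-only modes
$cfa  = @('Off', 'Block', 'Audit', 'BlockDiskOnly', 'AuditDiskOnly')[$pref.EnableControlledFolderAccess]
"Controlled Folder Access : $cfa"

$ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpper() })
$actions = @($pref.AttackSurfaceReductionRules_Actions)   # 0 off, 1 block, 2 audit, 6 warn
foreach ($id in $AsrRules.Keys) {
    $i = [array]::IndexOf($ids, $id)
    $state = if ($i -lt 0) { 'NotConfigured' } else { @('Off', 'Block', 'Audit', '?', '?', '?', 'Warn')[$actions[$i]] }
    "ASR {0,-58} : {1}" -f $AsrRules[$id], $state
}

$nla = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
"RDP NLA required         : $($nla -eq 1)"

foreach ($app in $OfficeApps) {
    $k = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $v = (Get-ItemProperty -Path $k -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    "Macros from Internet blocked ($app) : $($v -eq 1)"
}

# --- apply: the corrected settings ----------------------------------------
if ($Apply) {
    # Consider AuditMode first on hosts running legacy apps that write into user folders.
    Set-MpPreference -EnableControlledFolderAccess Enabled
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    foreach ($app in $OfficeApps) {
        # HKCU policy covers the current user only; push the same value via GPO/Intune for the fleet.
        $k = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $k -Force | Out-Null
        Set-ItemProperty -Path $k -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
    'Applied. Re-run without -Apply to verify.'
}
```

Run it once to see the weak state, once with -Apply, and once more to confirm; the same four ASR rules and the NLA value can then be carried into a GPO or Intune baseline so new hosts do not drift back.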

2. Removal – Step-by-Step

  1. Identify patient zero: the earliest host on which hrlb71.dll, cleansweep.exe or the look-alike svch0st.exe (note the zero) dropped a ransom note; ransom-note creation timestamps across shares give the order of infection.
  2. Isolate the host at the network level (disable the NIC or Wi-Fi) rather than powering it off, then capture memory if forensics are intended (e.g. WinPmem for Volatility); a shutdown destroys that evidence.
  3. Boot into Safe Mode (without networking, since the host should stay isolated) or mount the disk from a clean WinPE stick.
  4. Delete persistence artefacts:
    – Scheduled task \Microsoft\Windows\Speech\ModelUpdate (copies itself to %ProgramData%\ehmyd);
    – Registry value hygiena = cleansweep.exe under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
  5. Remove malicious services (display name “Windows sessmgr” followed by a random GUID).
  6. Update AV signatures (Microsoft, Sophos, ESET and Kaspersky all detect it under names along the lines of Ransom:Win32/Exotic) and run a full scan to purge residual components.
  7. Reconnect to the network only after the scan is clean, the persistence items above are confirmed gone and no further lateral-movement traffic is seen from the host.
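The script below is an added example for steps 1, 4 and 5 of the procedure above; it is not code from the sheet's authors. It uses only the artefact names the sheet lists, reports whatever it finds, and removes items only when run with -Remove. It assumes it is run elevated on the already-isolated host, after any memory capture, and the search roots are a choice made here.

```powershell
<#
  Added example for removal steps 1, 4 and 5. Not code from the sheet's
  authors. Uses only the artefact names the sheet lists; findings are
  reported, and removed only with -Remove. Run elevated on the isolated
  host after memory capture. Search roots are assumptions.
#>
param([switch]$Remove)

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Type, $Where, $Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. Loader binaries named in the sheet (svch0st.exe with a zero, not svchost.exe)
#    plus the self-copy directory. Hash before deletion so the IOC survives.
$names = 'hrlb71.dll', 'cleansweep.exe', 'svch0st.exe'
$roots = @($env:ProgramData, "$env:SystemDrive\Users", "$env:windir\Temp")
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name.ToLower() } |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Add-Finding 'File' $_.FullName ("{0} bytes, SHA256 {1}" -f $_.Length, $h)
        }
}
$staging = Join-Path $env:ProgramData 'ehmyd'
if (Test-Path -LiteralPath $staging) { Add-Finding 'Directory' $staging 'self-copy location' }

# 2. Scheduled task \Microsoft\Windows\Speech\ModelUpdate (step 4)
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Speech\' -TaskName 'ModelUpdate' -ErrorAction SilentlyContinue
if ($task) {
    $act = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) $act
    if ($Remove) { Unregister-ScheduledTask -InputObject $task -Confirm:$false }
}

# 3. Run key value "hygiena" (step 4)
$run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$val = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).hygiena
if ($val) {
    Add-Finding 'RunKey' "$run\hygiena" $val
    if ($Remove) { Remove-ItemProperty -Path $run -Name hygiena }
}

# 4. Services named "Windows sessmgr" + random GUID (step 5)
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like 'Windows sessmgr*' -or $_.Name -like 'Windows sessmgr*' } |
    ForEach-Object {
        Add-Finding 'Service' $_.Name $_.PathName
        if ($Remove) {
            Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
            & sc.exe delete $_.Name | Out-Null
        }
    }

# 5. Delete the binaries last, after every launcher is gone, so nothing respawns between steps.
if ($Remove) {
    $Findings | Where-Object { $_.Type -in 'File', 'Directory' } |
        ForEach-Object { Remove-Item -LiteralPath $_.Where -Recurse -Force -ErrorAction SilentlyContinue }
}

$Findings | Format-Table -AutoSize
```

Run it first without -Remove and keep the output (it is the host's IOC record, including the hashes); the order of the removal pass is deliberate, since deleting cleansweep.exe while its task or service still references it leaves a dangling launcher that is easy to miss on the next pass.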

3. File Decryption & Recovery

  • Feasibility: no implementation flaw has been published so far. Encryption uses:
    – Files < 100 MB: AES-256-CTR, key RSA-2048-OAEP-wrapped, key-blob appended to each file.
    – Network shares: ChaCha20-Poly1305 through embedded WolfSSL.
  • No free decryptor exists as of March 2024 (confirmed by NoMoreRansom, Emsisoft and Avast).
  • Factoring a 2048-bit RSA modulus is far beyond any practical amount of computation (not thousands of CPU-years but effectively impossible with known classical methods), so recovery without the operators’ private key is not feasible; the only realistic openings are an implementation mistake or a key that never left the machine.
    – Still check the appended key blob: if the sample failed to contact its C2 the key may be hard-coded, and an identical blob on every file points the same way; in such cases upload the ransom note plus one encrypted file to https://id-ransomware.
  • If backups are intact, wipe and restore rather than paying – the actors demand 0.06 BTC (~$3,800) but provide decryptors to only around 30% of victims (chain analysis shows a quick cash-out, then silence).

4. Other Critical Information

  • Unique traits that distinguish EXOTIC
    – The self-deletion routine is never triggered when the system locale is Portuguese (Portugal or Brazil), possibly a developer safeguard.
    – It injects into explorer.exe and issues IFS_IOCTL calls directly, so file-system filter drivers that only watch the ordinary write path can miss the encryption activity.
    – It also keeps a copy of the ransom note in an NTFS alternate data stream (HOW-TO-RECOVER-FILES.txt:hidden), which Explorer and a plain dir do not show, so a casual cleanup leaves it behind (list streams with dir /r or Get-Item -Stream *).
  • Wider impact / notable events
    – Hit two regional Brazilian hospitals in November 2023, forcing elective-surgery cancellations.
    – Derived from the leaked Chaos 4.0 builder but adds a working RSA layer the builder lacks, giving it a proper hybrid scheme (per-file symmetric key wrapped with RSA, in the Locky style); it may be sold as a RaaS panel on dark-web forums under the moniker “exotic-squad”.
    – Strong overlaps (71% code similarity) with the Yanluowang family; researchers suspect a common freelance developer.
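The triage script below is an added example covering the naming pattern from section 1, the appended key blob from section 3 and the alternate-data-stream note from section 4; it is not code from the sheet's authors. Two assumptions are made here because the sheet gives no blob layout: the wrapped key is taken as the last 256 bytes of each file (the size of one RSA-2048 output), and only a sample of files is hashed. Run it against a user tree or an affected share.

```powershell
<#
  Added triage example: naming pattern, trailing key-blob comparison and
  ADS ransom-note check. Not code from the sheet's authors. Assumptions:
  the wrapped key is the last 256 bytes of each file (one RSA-2048 output;
  the sheet gives no blob layout) and only the first 200 files are hashed.
#>
param([string]$Root = "$env:SystemDrive\Users", [int]$BlobSize = 256)

$enc = Get-ChildItem -Path $Root -Recurse -File -Force -Filter '*.exotic' -ErrorAction SilentlyContinue |
       Where-Object { $_.Name -like '*.exotic' }

# 1. Naming pattern: the original extension is kept and .exotic is stacked after it,
#    so stripping the token recovers what the file was (useful for restore priorities).
$pattern = $enc | ForEach-Object {
    $base = $_.Name.Substring(0, $_.Name.Length - '.exotic'.Length)
    [pscustomobject]@{ File = $_.FullName; OriginalExt = [IO.Path]::GetExtension($base); Size = $_.Length; Modified = $_.LastWriteTimeUtc }
}
"$(@($enc).Count) encrypted files under $Root"
$pattern | Group-Object OriginalExt | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 2. Trailing blob comparison. A distinct blob per file means a per-file AES key
#    wrapped with the campaign RSA key (recovery needs the private key). The same
#    blob on every file is the hard-coded/static-key case worth submitting to ID Ransomware.
function Get-TailHash([string]$Path, [int]$Count) {
    $fs = [IO.File]::OpenRead($Path)
    try {
        if ($fs.Length -lt $Count) { return $null }
        $fs.Seek(-$Count, [IO.SeekOrigin]::End) | Out-Null
        $buf  = New-Object byte[] $Count
        $read = $fs.Read($buf, 0, $Count)
        $sha  = [Security.Cryptography.SHA256]::Create()
        return ([BitConverter]::ToString($sha.ComputeHash($buf, 0, $read))).Replace('-', '')
    } finally { $fs.Dispose() }
}
$blobs = @($enc | Select-Object -First 200 | ForEach-Object {
    [pscustomobject]@{ File = $_.FullName; Blob = Get-TailHash $_.FullName $BlobSize }
})
$distinct = @($blobs.Blob | Where-Object { $_ } | Sort-Object -Unique).Count
"$($blobs.Count) files sampled, $distinct distinct trailing $BlobSize-byte blobs"
if ($blobs.Count -gt 1 -and $distinct -eq 1) {
    'Identical blob on every file: possible static key; submit the note plus one encrypted file to ID Ransomware.'
}

# 3. Ransom notes, earliest first (patient-zero ordering), with any extra NTFS
#    streams listed so the HOW-TO-RECOVER-FILES.txt:hidden copy is not overlooked.
$noteNames = 'HOW-TO-RECOVER-FILES.txt', 'Exotic-Recovery.txt'
Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $noteNames -contains $_.Name } |
    ForEach-Object {
        $streams = Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        [pscustomobject]@{ Note = $_.FullName; ExtraStreams = (@($streams.Stream) -join ','); Created = $_.CreationTimeUtc }
    } |
    Sort-Object Created | Select-Object -First 20 | Format-Table -AutoSize
```

The blob check is a heuristic: it cannot tell a wrapped per-file key from any other 256-byte trailer, but with the scheme the sheet describes, distinct blobs across files are exactly what a correctly implemented RSA-wrapped per-file key looks like, and one shared blob is the anomaly that justifies an ID Ransomware submission. The note listing doubles as the patient-zero ordering for removal step 1.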

Remember: every hour of prevention saves days of downtime. Patch, harden, back-up, rehearse restores – and never run unknown attachments.

Stay safe,
-The Community Ransomware Response Team