eye

[Content by Gemini 2.5]

Ransomware Profile: the “.eye” strain (a.k.a. “JSWorm 4.0 / Nemty / NPMargin” family)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmation of file extension: .eye
  • Renaming convention:
    – Original name → <original_name>.<originalext>.[victim-ID].[attacker-email].eye
    Example: AnnualReport.xlsx becomes AnnualReport.xlsx.1E4C6B3E.[[email protected]].eye
    – The 8-byte victim-ID is random hexadecimal and is also written inside the ransom note so the actor can recognise the victim when (if) they pay.
    – Some variants omit the e-mail bracket, especially when a Tor portal is released, but the “.eye” suffix and the victim-ID remain constant.
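A triage helper for the renaming pattern above (an added example, not code from any vendor or from the original profile): it parses file names into original name, victim-ID and e-mail, tolerates the variant without the e-mail bracket, and summarises a directory listing into encrypted-file counts, victim-IDs and ransom-note locations. The listing, the e-mail address and the 8-hex-character victim-ID format (taken from the AnnualReport.xlsx example) are constructed assumptions.

```python
import re
from collections import defaultdict

# Pattern from the profile: <name>.<ext>.<victim-ID>.[<email>].eye
# Victim-ID assumed to be 8 hex characters (as in the 1E4C6B3E example);
# the bracketed e-mail is optional because some variants omit it.
EYE_NAME = re.compile(
    r"^(?P<original>.+?)\.(?P<victim_id>[0-9A-Fa-f]{8})"
    r"(?:\.\[(?P<email>[^\]]+)\])?\.eye$"
)
NOTE_NAME = "HOW_TO_BACK_FILESeye.txt"  # ransom-note filename stated in the profile


def parse_eye_name(filename):
    """Return original name, victim-ID (upper-cased) and e-mail, or None if no match."""
    m = EYE_NAME.match(filename)
    if not m:
        return None
    return {"original": m.group("original"),
            "victim_id": m.group("victim_id").upper(),
            "email": m.group("email")}


def triage_listing(paths):
    """Summarise a file listing: encrypted files per directory, victim-IDs, note paths."""
    per_dir = defaultdict(int)
    victim_ids = set()
    notes = []
    for p in paths:
        dirname, _, name = p.replace("\\", "/").rpartition("/")
        parsed = parse_eye_name(name)
        if parsed:
            per_dir[dirname] += 1
            victim_ids.add(parsed["victim_id"])
        elif name == NOTE_NAME:
            notes.append(p)
    return {"encrypted_per_dir": dict(per_dir),
            "victim_ids": sorted(victim_ids),
            "ransom_notes": notes}


# Constructed sample listing (placeholder e-mail, no real victim data).
SAMPLE = [
    r"C:\Finance\AnnualReport.xlsx.1E4C6B3E.[contact@example.invalid].eye",
    r"C:\Finance\Budget.docx.1E4C6B3E.[contact@example.invalid].eye",
    r"C:\Finance\HOW_TO_BACK_FILESeye.txt",
    r"\\fileserver\share\photo.jpg.1e4c6b3e.eye",          # variant without e-mail
    r"D:\Legal\contract.pdf.9A0F22C1.[contact@example.invalid].eye",  # second ID
    r"C:\Finance\notes.txt",                                 # untouched file
    r"C:\tmp\readme.eye",                                    # no victim-ID: not a hit
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE))
```

Two different victim-IDs in one listing usually means encrypted data from more than one host has landed on the same share, which is worth noting in the incident timeline.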

2. Detection & Outbreak Timeline

  • First public samples seen: late-April 2022 (VT first submission 28 Apr 2022).
  • Rapid distribution spike: May-June 2022 – multiple security vendors reported spikes in South-East Asia and LATAM manufacturing & legal verticals.
  • Still circulating in 2023-24, but volume dropped after free decryptor publication (see below).

3. Primary Attack Vectors

  1. RDP brute-forcing / credential-stuffing – the most common entry in >60 % of analysed incidents.
  2. Phishing with ISO / ZIP / IMG lures that drop the initial .NET loader.
  3. Exploitation of public-facing vulnerabilities:
    – Log4j (CVE-2021-44228) and SonicWall (CVE-2021-20016) observed in late-2022 clusters.
    – Older SMBv1/EternalBlue vectors have NOT been seen with .eye; actor favours externally facing services.
  4. Supply-chain via cracked software installers (Adobe, MS Office) propagated on warez forums.
  5. Post-breach lateral movement with WMI/PsExec and domain credential dumping (Mimikatz fork inside the package).

Payload characteristics:

  • Compiled in .NET; obfuscated with “ConfuserEx 1.6”; later versions add VM detection and sleep loops to foil sandboxes.
  • Deletes VSS shadow copies (vssadmin delete shadows /all), clears event logs, stops SQL, Exchange, MySQL, Oracle services before encryption.
  • Encrypts network shares with EVERYONE/Full-Control via WNetAddConnection2.
  • ChaCha20 + RSA-2048 (public key embedded). Key is generated per file; file key encrypted with RSA; private key only on actor C2.

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

  • Patch externally facing apps (Log4j, SonicWall, VPN appliances).
  • Disable RDP from the Internet or enforce IP-whitelisting + rate-limiting + 2-FA / VPN-only.
  • Enforce 14+ character unique passwords and lockout policy (3–5 attempts).
  • Segment networks: use VLAN + firewall rules so that user LAN ↔ server LAN ↔ backup LAN are not “flat”.
  • Mandatory LAPS for local admin passwords; disable SMBv1; apply Microsoft KB2871997 and KB2928120 to restrict lateral movement.
  • Application whitelisting / WDAC (Windows Defender Application Control) – blocks unsigned .EXE/.DLL packed loaders.
  • Secure backups: 3-2-1 rule; at least one copy offline (tape or cloud with immutable object-lock). TEST RESTORES quarterly.
  • EDR in “block-unknown” mode; enable tamper protection.
  • Email gateway: strip ISO, IMG, VHD, macro docs by default; sandbox remaining attachments.
  • Harden PowerShell: enable constrained language mode + script-block logging.
  • User training: run at least quarterly phishing simulations.

2. Removal (clean-up if already infected)

  1. Disconnect from network (pull cable / disable Wi-Fi) to stop additional shares being encrypted.
  2. DO NOT reboot if you plan to attempt memory-based key recovery (rare, but possible if .eye crashed).
  3. Boot into Safe-Mode-with-Networking or pull the disk and image it (forensic copy).
  4. Run a reputable AV/EDR scan – current signatures detect as:
    Win32/Filecoder.NPMargin.E (ESET)
    Ransom:Win32/Jsworm (Microsoft)
    Trojan[Ransom]/Win32.Nempty (Kaspersky)
  5. Remove persistence:
    – Scheduled Task called “WindowsUpdateTasks” pointing to %ProgramData%\Roaming\Updates\svhost.exe
    – Run keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EyeService
  6. Clear attack tools (Mimikatz, PsExec, Rubeus) in %TEMP% and %PUBLIC%.
  7. Re-image Windows if root-kit behaviour suspected; apply all OS/app updates before reconnecting.
  8. Only reconnect to production LAN after 100 % of devices are verified clean and new local/domain passwords are deployed.

3. File Decryption & Recovery

Recovery feasibility: YES – partially.

  • Bitdefender released a free decryptor (v1.0.0.6, 9 Nov 2022) that works if:
    – Files were encrypted by the first major .eye campaign (April-July 2022) AND
    – The attacker used the hard-coded embedded RSA key (instead of generating a fresh keypair online).
  • ≈15 % of the early corpus is decryptable.
  • Tool: BDEyeDecryptor.exe (GUI) – available from Bitdefender Labs & NoMoreRansom.org.
  • Usage: point the tool at a folder and supply a pair of an original + encrypted file; the brute-force phase tries victim-IDs until it finds the matching keystream.
  • If the decryptor fails (newer samples, unique per-victim keypairs), your only options are:
    – Restore from OFFLINE backups;
    – Roll back via Shadow Copies (unlikely, .eye wipes them unless interrupted);
    – Attempt file-recovery tools (PhotoRec/Recuva) for files that were “renamed” but not yet overwritten – success marginal;
    – Paying the ransom is NOT recommended: (a) no legal guarantee, (b) supports the criminal ecosystem, (c) double-extortion – data already exfiltrated.
  • Monitor NoMoreRansom for decryptor updates; keys sometimes leak.

4. Other Critical Information

Notable characteristics:

  • Eye is one of the last rebrandings of the JSWorm / Nempty source; operators rotated through .jsworm, .nemty, .nempty, .npmargin, .margin, .eye, then again a new skin (“.rar” in 2023).
  • Data-theft site: “EYE-LEAKS” (on Tor) lists victims who refused to pay; exfiltration via MEGASync or FileZilla to attacker-controlled VPS.
  • Ransom note filename: HOW_TO_BACK_FILESeye.txt – note contains victim-ID, two e-mails (protonmail / cock.li), and a base64-encoded blob that is the encrypted file-key.
  • Terminates >180 predefined Windows services & processes—far more than typical ransomware—to increase encryption speed.
  • Checks keyboard layout/CIS country code; if Russian, Ukrainian, Belarusian, Kazakh, it exits without encryption (typical “Russian-speakers safe-list”).
  • Some builds carry a buggy encryption routine: on very large (>4 GB) files the last 8–64 kB remain unencrypted, allowing partial recovery for multimedia containers (MP4, MKV).
  • Wider impact: manufacturing downtime of 4–15 days reported; average demand 1.5–2.5 BTC (April-2022 pricing); threat intel ties wallets to affiliate of “Fabian Sanchez” cluster active since 2019.
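A recovery-triage check for the partial-encryption bug noted above (an added example, not code from any vendor tool or from the original profile): it scans the last 64 kB of a file backwards in 4 kB blocks and reports how many trailing bytes have plaintext-like entropy, which is what decides whether a multimedia container is worth salvaging. The 7.5 bits/byte threshold, the block size and the constructed sample file are assumptions.

```python
import math
import random

BLOCK = 4096  # scan granularity in bytes (assumption)


def shannon_entropy(chunk):
    """Bits per byte: close to 8.0 for ciphertext/random data, much lower for plaintext."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def unencrypted_tail_length(data, window=64 * 1024, threshold=7.5):
    """Return the number of trailing bytes that look unencrypted.

    Walks the last `window` bytes backwards in BLOCK-sized steps and stops at the
    first block whose entropy reaches `threshold` (i.e. looks like ciphertext).
    Returns 0 when the whole tail is encrypted.
    """
    tail = data[-window:]
    low = 0
    for end in range(len(tail), 0, -BLOCK):
        start = max(0, end - BLOCK)
        if shannon_entropy(tail[start:end]) >= threshold:
            break
        low += end - start
    return low


def build_sample(plain_tail=16 * 1024, seed=7):
    """Constructed stand-in for a partially encrypted container (not a real .eye
    sample): seeded pseudo-random bytes followed by a plaintext-like tail.
    random.Random.randbytes needs Python 3.9+."""
    rng = random.Random(seed)
    cipher_part = rng.randbytes(256 * 1024)
    filler = b"MKV index data " * (plain_tail // 15 + 1)
    return cipher_part + filler[:plain_tail]


if __name__ == "__main__":
    print("plaintext-looking tail bytes:", unencrypted_tail_length(build_sample()))
```

On a real multi-gigabyte file, read only the final window from disk (seek to size minus 64 kB) rather than loading the whole file.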

Bottom line

.eye is decryptable in a minority of cases—always test the free Bitdefender tool first. In all other infections, recovery hinges on offline backups and disciplined incident-response playbooks. Patch externally facing services, lock down RDP, maintain tested backups, and you will blunt both this strain and the next re-brand it spawns.