ezz

[Content by Gemini 2.5]

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed file extension: .ezz, appended to the original filename (e.g. Invoice.xlsx → Invoice.xlsx.ezz).
  • Renaming convention: the original name and first extension are kept and .ezz is appended. No e-mail address, ransom ID or other marker is inserted between the original name and the new extension.

2. Detection & Outbreak Timeline

  • Malware Hunter Team first spotted .ezz samples on 4 April 2020; measurable spikes continued through Q2–Q4 2020, with intermittent detections throughout 2021.
  • Submissions to public triage services (Any.Run, VirusTotal) show a small resurgence every 6–8 weeks, indicating it is still bundled into commodity e-crime spam tooling.

3. Primary Attack Vectors

  • Exploit-kit payload: RIG EK (Flash / IE) and Fallout EK were seen dropping .ezz in April–June 2020.
  • Phishing e-mail: a password-protected ZIP or ISO posing as an “invoice / shipping notice”; inside is a malicious Office document whose VBA macro launches PowerShell/HTA staging.
  • Weak RDP or stolen credentials: brute-forced RDP sessions, lateral movement, and PsExec deployment of the PE file (server.exe, update.exe, etc.).
  • No worm module: unlike WannaCry it does not leverage EternalBlue or SMBv1 by itself, but post-exploitation scripts often deploy Cobalt Strike or other C2 manually and then push the ransomware executable.

Remediation & Recovery Strategies

1. Prevention

  1. E-mail perimeter: strip macro-enabled Office/DOCM attachments unless the sender is on an allow-list; block ISO attachments from external sources at the gateway.
  2. Disable Office macros centrally via GPO and enforce Software Restriction Policies (SRP).
  3. Block outbound 445/135, or use Windows Firewall to deny intra-LAN SMB, so lateral-execution tools such as PsExec cannot enumerate shares before encryption.
  4. Keep every OS, browser, Flash and Office instance fully patched; many RIG/Fallout infections start with a public exploit for a vulnerability that is already patched.
  5. Segment the user LAN from servers; require two-factor authentication on RDP.
  6. Deploy EDR/NGAV with “behavioural ransomware” and LSASS protection; alert on the volume of file-modify events in temp directories.

2. Removal

  1. Isolate the machine: pull the network cable / disable Wi-Fi.
  2. Identify the currently logged-on user; collect Security EVTX event 4688 (process creation) records for the EXE name/path.
  3. Boot into Safe Mode with Networking; disable suspicious services / scheduled tasks (often named “server”, “svc” or a random GUID).
  4. Delete the ransomware binary plus any generated HTA/PowerShell loaders in %TEMP% or C:\Users\Public\.
  5. Run an offline AV/EDR scan with the latest definitions; perform a full EDR kill-chain search for Cobalt Strike or other C2 still resident.
  6. Re-patch the OS; change local and domain passwords; audit account-lockout thresholds. Attackers often leave back-doors in the hope of re-ransoming later.

3. File Decryption & Recovery

  • Decryptability: at the time of publication no flaws are known in the ransomware author’s ChaCha20 streaming implementation. Consequently offline decryption without the private key is currently impossible.
  • Victims: back-ups, any local VSS (Volume Shadow Copy) snapshots left intact, or a paid ransom negotiation are the only options.
  • Do NOT pay a ransom unless legally compelled; criminals often do not deliver a working decryptor, and payment fuels the ecosystem.
  • Forensic note: although .ezz will attempt to delete VSS copies (vssadmin delete shadows /all), several execution logs show the deletion fails on non-English Windows builds or when run under an unprivileged account. Check for backup snapshots before giving up!

Recommended forensic / triage tools:

  • CISA RV-IS / CISA-STOP-Djvu decryptor (for .ezz this acts only as a compatibility checker; success is not guaranteed, but feed one encrypted file into the tool to test).
  • ShadowExplorer, NirSoft PreviousFilesRecovery and the Linux-based recoverjpeg/testdisk for carving unencrypted originals where only a portion of the blocks were overwritten.

4. Other Critical Information

  • Family overlap: .ezz is considered a re-brand within the Chaos DOME/Dharma lineage; the ransom note is README_TO_RESTORE_FILES.txt and the contact e-mail prefixes are “ezzfiles@…” and “ezz-restore@…”.
  • Both 32-bit and 64-bit variants exist; security products identify it with the following signatures:
      • Ransom:Win32/LEGUIP.CH
      • Ransom.EzzCry!g1
      • Trojan.Win32.AzorultInject
  • The ransom note warns against using automated recovery (“automatic tools”) and advises the victim to e-mail within 72 h or the price doubles, a classic pressure tactic repeated across many RaaS kits.
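The following Python script is added here as an illustration and is not part of the original profile. It applies three facts from this page: the renaming convention from section 1 (original name + first extension + .ezz), the ransom-note name README_TO_RESTORE_FILES.txt from section 4, and the "volume of file-modify events" alerting rule from Prevention item 6. All paths, timestamps and thresholds are constructed sample values, not data from a real incident.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Renaming convention from section 1: original name + first extension, then ".ezz".
EZZ_RE = re.compile(r"^(?P<orig>.+)\.ezz$", re.IGNORECASE)
RANSOM_NOTE = "README_TO_RESTORE_FILES.txt"   # ransom-note name given in section 4

def original_name(filename):
    """Return the pre-encryption name for an .ezz-renamed file, else None."""
    m = EZZ_RE.match(filename)
    return m.group("orig") if m else None

def triage_paths(paths):
    """Split full Windows paths into encrypted files (mapped back to their
    original names) and the directories that contain the ransom note."""
    encrypted, note_dirs = {}, set()
    for p in paths:
        folder, _, name = p.rpartition("\\")
        if name.lower() == RANSOM_NOTE.lower():
            note_dirs.add(folder)
        orig = original_name(name)
        if orig:
            encrypted[p] = f"{folder}\\{orig}"
    return encrypted, sorted(note_dirs)

def ezz_burst_alerts(events, threshold=5, window=timedelta(seconds=30)):
    """Sliding-window form of the 'volume of file-modify events' rule.
    `events` is an iterable of (datetime, path) create/rename events in time
    order. An alert (timestamp, count) is emitted each time `threshold` .ezz
    files appear within `window`; the window is then reset to avoid repeats."""
    recent, alerts = deque(), []
    for ts, path in events:
        if original_name(path.rpartition("\\")[2]) is None:
            continue                      # not an .ezz rename, ignore
        recent.append(ts)
        while ts - recent[0] > window:    # drop events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ts, len(recent)))
            recent.clear()
    return alerts

# Constructed sample data (hypothetical host, not a real case).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\Invoice.xlsx.ezz",
    r"C:\Users\alice\Documents\README_TO_RESTORE_FILES.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\Public\report.docx.ezz",
]
T0 = datetime(2020, 4, 4, 9, 0, 0)
SAMPLE_EVENTS = [(T0 + timedelta(seconds=i), rf"C:\Users\alice\Documents\f{i}.pdf.ezz") for i in range(6)]
SAMPLE_EVENTS.append((T0 + timedelta(minutes=10), r"C:\Users\alice\Documents\unrelated.txt"))

if __name__ == "__main__":
    print(triage_paths(SAMPLE_PATHS))
    print(ezz_burst_alerts(SAMPLE_EVENTS))
```

Feed real file-create/rename telemetry (EDR or Sysmon) into ezz_burst_alerts and tune threshold and window to the host's normal write rate before using it as an alert.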

Impact Awareness: although .ezz never reached household-name status like Ryuk or Conti, its ease of compilation, low detection rate at release and availability on dark-web “Ransomware-as-a-Service” shops mean that opportunistic actors still weaponize it sporadically. Treat any outbreak (even a single host) as a full-blown incident; assume lateral tooling and data exfiltration occurred.

— Stay patched, backed-up, and segment your networks.