feedc

[Content by Gemini 2.5]


Technical Breakdown: FEEDC Ransomware (aka “D0n#t-J$sThr3at3nM3 v1”)

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .FEEDC (upper-case, six characters)
  • Renaming Convention:
    – Original name → <original_name>.<original_ext>.id-<5-digit victim-ID>.[attacker.email].FEEDC
    – Example: QuarterlyReport.xlsx becomes QuarterlyReport.xlsx.id-48137.[[email protected]].FEEDC
    – The e-mail address in brackets is used for negotiation and changes per campaign (tutanota.com, cock.li, aol.com, protonmail.ch have all been observed).

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First submissions to ID-Ransomware & VirusTotal 17-Oct-2023; cluster of SMB-brute-forced SMEs reported 24-Oct-2023. Peak activity Nov-2023 → Jan-2024. Still circulating as of May-2024 but at lower volume.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    – RDP brute-force / RDP with stolen creds (most common) – port 3389 open to the Internet, weak or previously leaked passwords.
    – EternalBlue (MS17-010) and EternalRomance sprayed after the initial foothold to move laterally over TCP-445.
    – Phishing e-mails with ISO → LNK → PowerShell → FEEDC dropper (GitHub look-alike domains).
    – Malvertising “fake updates” (Firefox, Chrome, Zoom) leading to the COPISTEAL-Floader-FEEDC chain.
    – Software vulns:
      · Log4Shell (CVE-2021-44228) on VMware Horizon and other unpatched edge devices.
      · PaperCut MF/NG (CVE-2023-27350): clusters exploited in April-2023 were later retro-fitted with FEEDC.

Remediation & Recovery Strategies

1. Prevention

  • Proactive Measures:
    – Remove SMBv1; patch MS17-010, BlueKeep (CVE-2019-0708), Log4Shell, PaperCut, etc.
    – Block RDP at perimeter (force VPN-with-MFA) or restrict by IP whitelist + account lockout (3–5), NLA always on.
    – EDR with behaviour-based detection for: vssadmin delete shadows /all, bcdedit /set {default} recoveryenabled No, .FEEDC extension drops.
    – Application whitelisting (Windows Defender ASR rules: “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”).
    – Network segmentation: separate OT/ICS, POS, backup VLANs.
    – 3-2-1-1 backups (3 copies, 2 media, 1 off-site, 1 air-gapped/immutable).
    – Disable Office macros by GPO; mark Internet zones “Open in Protected View”.
    – Use remote e-mail quarantine for ISO/IMG/VBA-heavy attachments.

2. Removal

Step-by-step cleanup:

  1. Physically disconnect from network / disable Wi-Fi.
  2. Collect triage data: MFT, $LogFile, Amcache, RDP event-IDs 21/4624 for forensic lead.
  3. Boot into Safe-Mode-with-Networking or WinPE; mount registry hives from C:\Windows\System32\config: delete FEEDC autostart (HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svcmcx).
  4. Delete dropped binaries:
     – %ProgramData%\svcmcx.exe (parent process)
     – %TEMP%\svchst.exe, sysupdate.log, readme.tmp (ransom note template)
  5. Revoke attacker persistence: remove scheduled task \Microsoft\Windows\Maintenance\SvcRestart and service FEEDCAPI.
  6. Patch/re-image: apply cumulative Windows patch, re-enable disabled services (WinDefend, shadow-copy).
  7. Change ALL local & domain credentials (krbtgt twice) before putting back on network.
  8. Only reconnect after EDR policy shows “no malicious activity” for 24 h.
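The indicators named in this breakdown (the rename pattern from section 1, the vssadmin/bcdedit commands the EDR bullet calls out, and the dropper, Run-key and service names from the removal steps) can be turned into a small triage scan. This is an added example, not tooling from the original write-up; the log lines are constructed, simplified Sysmon-style records, and the attacker e-mail inside the brackets is a placeholder.

```python
import re

# FEEDC indicators taken from the write-up: rename pattern, vssadmin/bcdedit
# commands, dropper file names, Run-key value and service name. The log lines
# further down are constructed, simplified Sysmon-style records, not a capture.
RENAME_RE = re.compile(r"\.id-\d{5}\.\[[^\]\s]+\]\.FEEDC\b")

RULES = [
    ("shadow_copy_deletion",
     lambda l: "vssadmin" in l.lower() and "delete shadows" in l.lower()),
    ("recovery_disabled",
     lambda l: "bcdedit" in l.lower() and "recoveryenabled no" in l.lower()),
    ("feedc_rename", lambda l: RENAME_RE.search(l) is not None),
    ("ransom_note_drop", lambda l: "HOW-TO-RECOVER-FILE.txt" in l),
    ("known_dropper_image",
     lambda l: any(n in l.lower() for n in ("\\svcmcx.exe", "\\svchst.exe"))),
    ("run_key_persistence",
     lambda l: "currentversion\\run\\svcmcx" in l.lower()),
    ("service_persistence", lambda l: "feedcapi" in l.lower()),
]

SAMPLE_LOG = """\
EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"
EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled No"
EventID=11 Image=C:\\ProgramData\\svcmcx.exe TargetFilename=C:\\Users\\Finance\\QuarterlyReport.xlsx.id-48137.[attacker@example.invalid].FEEDC
EventID=11 Image=C:\\ProgramData\\svcmcx.exe TargetFilename=C:\\Users\\Finance\\HOW-TO-RECOVER-FILE.txt
EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe C:\\Users\\Finance\\notes.txt"
EventID=13 Image=C:\\ProgramData\\svcmcx.exe TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svcmcx
EventID=1 Image=C:\\Windows\\System32\\sc.exe CommandLine="sc create FEEDCAPI binPath= C:\\ProgramData\\svcmcx.exe"
"""


def scan(log_text):
    """Return {rule_name: [1-based line numbers]} for every rule that fires."""
    hits = {}
    for num, line in enumerate(log_text.splitlines(), 1):
        for name, pred in RULES:
            if pred(line):
                hits.setdefault(name, []).append(num)
    return hits


def verdict(hits):
    """Escalate on a FEEDC-specific artefact, or on two independent generic rules."""
    if "feedc_rename" in hits or "ransom_note_drop" in hits or len(hits) >= 2:
        return "FEEDC activity likely"
    return "no FEEDC indicators"


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for name, lines in found.items():
        print(f"{name:22s} lines {lines}")
    print(verdict(found))
```

The generic rules (shadow-copy deletion, recovery disabled) fire on other ransomware families too, which is why a single hit only escalates in combination with a second one.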

3. File Decryption & Recovery

  • Recovery Feasibility: Presently NO free decryptor. FEEDC uses Curve25519 (ECDH) + ChaCha20-Poly1305; symmetric key per file wrapped with the attacker’s private key. Offline decryption without paying the ransom is computationally infeasible.
  • Optional Recovery Paths:
    – Restore from 3-2-1 backups (offline or immutable) once infection is eradicated.
    – Shadow-copy undeletion: the malware runs vssadmin delete shadows, but vshadowmount or the built-in “Previous Versions” feature on Server 2019/2022 occasionally still retains copies, as may OneDrive/SharePoint or Datto appliances—check before wiping.
    – File-carving: for very high-value files (SQL .mdf, Oracle .dbf) that were only partially overwritten, commercial carving tools (ReclaiMe, R-Studio) sometimes yield 30–60 % usable data—a long shot.
    – DO NOT pay unless life-safety is at stake: negotiation e-mails are intermittently black-listed and there is emerging evidence that no working decryptor is delivered after payment.
  • Essential Tools/Patches:
    – Microsoft KB5010359 (Feb-2023) or any post-Jan-2023 cumulative update blocks BlueKeep & newer SMB bugs.
    – “EternalBlue DoublePulsar Detection & Repair Tool” (NHS-CN) for quick SMB sweep.
    – Kaspersky AVPTool or Malwarebytes 5.x (both detect FEEDC components as Trojan-Ransom.Win32.FEEDC.*).

4. Other Critical Information

  • Additional Precautions:
    – FEEDC drops ransom note HOW-TO-RECOVER-FILE.txt in every folder AND changes desktop wallpaper to bright-red “D0n#t-J$sThr3at3nM3” ASCII art.
    – It enumerates + deletes OneDrive sync metadata; client shows green check mark even though cloud copy is encrypted—always verify cloud repositories independently.
    – Identical malware body previously seen as .REDSECT, .LOCKEDS, and now .FEEDC; only config section & extension changed—update signatures to cover hash families SHA256: c6f8…1acb, 6d4a…f913.
  • Broader Impact:
    – Over 330 confirmed SME victims on leak site (Feb-2024).
    – Average demand 0.09 BTC (~USD 3,800), but ranges from 0.03 BTC (single server) to 1.2 BTC (ESXi farms).
    – Operations in healthcare disrupted twice (USA, PT) after PACS imaging servers were encrypted; HIPAA/ICO breach notifications required.
    – Authors fluent in English and appear to leverage initial-access brokers; consider credential-stuffing exposure tests post incident.

Bottom line: FEEDC is a commodity-but-capable ransomware leveraging a classic mix of un-patched internet-facing services and living-off-the-land scripts. Close the door (patch, MFA, backups) and you remove 95 % of its power; otherwise recovery without backups is virtually impossible at this time. Stay safe, patch hard, and test restores regularly.