fezmm

[Content by Gemini 2.5]

fezmm Ransomware – Community Defense Guide

Last revised: 17 May 2024


Technical Breakdown

1. File Extension & Renaming Patterns

2. Detection & Outbreak Timeline

  • First public submission: 24 Oct 2023 on ID-Ransomware; rapid uptick in November 2023.
  • Peak activity: Dec 2023 – Jan 2024 (mainly via RDP brute force and Cleo/Jenkins exploits).
  • Still circulating as of Q2 2024, but the infection rate slowed after the February 2024 takedown of associated QakBot infrastructure.

3. Primary Attack Vectors

  1. RDP brute-forcing / credential stuffing → manual deployment of fezmm.exe, then WMI to push it to other LAN hosts.
  2. Phishing with ISO/IMG attachments that launch a hidden-window .BAT → downloads Cobalt Strike → fezmm.
  3. Exploitation of unpatched file-transfer appliances:
  • CVE-2023-4723 (Cleo VLTrader),
  • CVE-2023-35736 (Jenkins),
  • CVE-2023-36884 (Windows Search 0-day used by RomCom).
  4. USB worm component (fezmmNT.exe) that abuses the MS16-032 local privilege escalation to obtain SYSTEM.
    Typical lateral movement: WMIC / PsExec → copy to ADMIN$ → start as service WindowsAzureScan (to masquerade).

Remediation & Recovery Strategies

1. Prevention

  • Close RDP from the Internet or force VPN + MFA; use strong unique passwords (14–16 char) and account lockout.
  • Patch externally exposed apps immediately: Cleo, Jenkins, Citrix, IIS, etc.
  • Disable SMBv1 (fezmm’s script still tries to use EternalBlue on old machines).
  • Application whitelisting / Controlled Folder Access (Windows) – blocks the %TEMP%\<random>.exe pattern fezmm uses.
  • Mail-gateway: strip ISO, IMG, VHD, and macro-enabled docs; sandbox anything Office/HTA/JS.
  • Segment networks – fezmm enumerates Domain Controllers first; put DCs on a separate VLAN with no Internet access.
  • Immutable and offline backups (3-2-1 rule); include cloud snapshots that require MFA for deletion.

2. Removal / Eradication

  1. Power-off & isolate infected host(s); disable Wi-Fi and unplug LAN.
  2. Boot from a clean Windows PE / Linux live-USB (or Safe-Mode with Networking OFF).
  3. Delete scheduled tasks:
    schtasks /Delete /TN "WindowsAzureScan" /F
    schtasks /Delete /TN "BrowserUpdate" /F
  4. Remove the following artefacts:
    C:\Users\Public\Libraries\fezmm.exe
    C:\ProgramData\fezmmNT.exe (USB spreader)
    – Registry persistence (Run key value) at:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ IAStorIcon "%PUBLIC%\Libraries\fezmm.exe"
  5. Reset every local and domain account that logged on to patient zero in the 48 h before detection (passwords + Kerberos tickets).
  6. Run an up-to-date AV/EDR scan (Windows Defender 1.403.1055+ already detects fezmm as Ransom:Win32/Fezmm.A).
  7. Before reconnecting to LAN, patch the entry vector (e.g., Cleo, Jenkins, RDP) and apply the “Security Only” MS updates released after Oct 2023.
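A PowerShell hunt-and-eradicate script for the artefacts named in steps 3 and 4 above, added here as an example and not part of the original guide. It assumes the service carries the WindowsAzureScan masquerade name given under Primary Attack Vectors, and that the task, file and registry names listed in this guide are the ones present on the host; run it elevated on the isolated machine, first without -Remove to inventory, then with -Remove to eradicate everything in one pass.

```powershell
# Added example (not from the original guide): inventories the fezmm artefacts listed in
# the Removal / Eradication section and, with -Remove, deletes task + service + Run key +
# files together so the self-reinstalling persistence cannot restore the EXE.
# Names below are taken from this guide; hashing before deletion preserves IOCs for sharing.
param([switch]$Remove)

$Tasks    = @('WindowsAzureScan', 'BrowserUpdate')
$Services = @('WindowsAzureScan')          # assumed: same masquerade name as the task
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'IAStorIcon'
$Files    = @("$env:PUBLIC\Libraries\fezmm.exe",
              "$env:ProgramData\fezmmNT.exe",
              "$env:ProgramData\helpChecker.log")   # credential-dump log named in the guide

$found = @()

foreach ($t in $Tasks) {
    $task = Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue
    if ($task) {
        $found += "ScheduledTask: $t (state $($task.State))"
        if ($Remove) { Unregister-ScheduledTask -TaskName $t -Confirm:$false }
    }
}

foreach ($s in $Services) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($svc) {
        $found += "Service: $s ($($svc.Status))"
        if ($Remove) {
            Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
            sc.exe delete $s | Out-Null   # Remove-Service needs PowerShell 6+; sc.exe works on Windows PowerShell 5.1
        }
    }
}

$run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($run) {
    $found += "RunKey: $RunValue = $($run.$RunValue)"
    if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $RunValue }
}

foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $found += "File: $f (SHA256 $hash)"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

if ($found.Count -eq 0) { 'No fezmm artefacts found.' } else { $found }
```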

3. File Decryption & Recovery

  • FEZMM is a Phobos-family derivative; it encrypts files with AES-256 in CBC mode (random key per file), then encrypts each AES key with an RSA-1024 public key stored inside the binary. The private key is held only by the attacker.
  • NO free decryptor exists at present; the RSA key pair is unique per victim.
  • Options:
  1. Restore from clean offline / cloud backup.
  2. Volume Shadow Copy restore: fezmm deletes shadow storage via vssadmin but sometimes misses wbadmin or third-party snapshots; worth checking with:
    wbadmin get versions -backupTarget:\\<NAS>\BackupShare
  3. File-repair software (Photorec, Stellar Data Recovery) only recovers deleted originals if the malware overwrote in-place (50 % chance).
  4. Paying the ransom (0.6-1.2 BTC) is NOT recommended; only 30 % of victims who paid in late 2023 received a working decryptor, and many were ghosted or received partial keys.
  • Essential Tools / Patches for recovery:
    – Kaspersky’s PhobosDecryptTool (does NOT work on fezmm, but useful to check later if keys leak).
    – STOPDecrypter / Emsisoft – NOT compatible (fezmm ≠ STOP/Djvu).
    – Cleo VLTrader 5.8.0.23 (or later) – closes CVE-2023-4723.
    – Jenkins 2.426.2 LTS / 2.440 – removes CVE-2023-35736.

4. Other Critical Information

  • The persistence mechanism uses a randomly named service that re-installs itself if only the EXE is removed; hence the importance of deleting the scheduled task and the service entry together.
  • Known Bitcoin address clusters (Feb-2024) still active – share IOCs with law enforcement; FBI Flash Report IC3-Fezmm-030224 lists 12 addresses.
  • Some variants embed Mimikatz plus SoftPerfect Network Scanner to move laterally faster; expect credential dumps in %ProgramData%\helpChecker.log.
  • Broader impact: FEZMM affiliates hit several county governments and two hospital groups in the Midwest (USA) over Christmas 2023, forcing ambulance diversions, which demonstrates the real-world risk beyond encrypted files.
  • Victim portal (TOR): hxxp://fezmm6uxnw7bdx7yhjxznd6ugnttg7joycly2ax3wbkqpxzeibzaryd.onion – useful for IOC blocking, do not visit with a production browser.

Stay vigilant: monitor for the return of the same threat actors under a new file extension; Phobos builders let affiliates re-skin the campaign in minutes.