filesencrypted

[Content by Gemini 2.5]

Ransomware Profile – FilesEncrypted Extension


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact extension added: .filesencrypted (lower-case, no space)
  • Renaming convention: the original name is preserved and the string .filesencrypted is simply appended.
    Example: Quarterly-Report.xlsx → Quarterly-Report.xlsx.filesencrypted
  • No fixed e-mail address, victim ID, or random hex string is inserted between the original name and the extension (helps distinguish it from variants such as .[bc1qxyz].filesencrypted, .[[email protected]].filesencrypted, etc.).
  • In observed samples the desktop wallpaper and ransom note are written before encryption starts, so if you suddenly see How-to-decrypt.filesencrypted.txt appear, assume encryption is imminent and power off immediately.

2. Detection & Outbreak Timeline

  • First public submissions: 10 Sep 2021 (VirusTotal, Malshare).
  • Mini-campaigns: Q4-2021 spikes in Eastern-European manufacturing and APAC MSSPs.
  • Still circulating: Low-volume but steady through 2022-2023, usually piggy-backing on purchased-access rather than mass spam.

3. Primary Attack Vectors

  • Purchased/RDP credentials (most common) – the adversary brute-forces or buys VPN/RDP credentials on Genesis Market, then drops the payload manually.
  • Phishing with ISO/IMG containers – the e-mail “invoice” carries a 1-2 MB ISO/IMG; the image auto-mounts as a virtual DVD drive on Windows 8 and later, and an LNK inside points to dllhost.exe, which side-loads the encryptor DLL.
  • VoIP spear-vishing – callers posing as the target’s IT get the employee to browse to a “new remote-support agent” which is a Cobalt-Strike beacon that stages the ransomware 24-48 h later.
  • No signs of worm-like SMB/EternalBlue propagation; lateral movement is manual via PAExec, WMIC, or SharpRDP.

Remediation & Recovery Strategies

1. Prevention

  • Disable RDP if unused; if required, place behind VPN with MFA, enforce “Network Level Authentication,” and set “Account lockout threshold = 5”.
  • Apply the Windows patches that block common CS-beacon staging:
    – CVE-2021-34527 (PrintNightmare)
    – CVE-2021-26411 (IE/Edge)
    – CVE-2021-40444 (MSHTML)
  • Mail-gateway rules:
    – Block ISO, IMG, VHD, and PIF attachments at the perimeter.
    – Strip external LNK, HTA, and JS inside zip.
  • Turn on Windows Defender’s “Block persistence through WMI event subscription” and “Disable Office applications from creating child processes” (ASR rules).
  • Segment flat networks; ransomware manually hunts ADMIN$, C$, and backup servers.
  • Protect backups: offline copy + immutable object-lock (AWS S3 Object Lock, Azure Immutable Blob, or WORM tapes). Veeam, Rubrik, Commvault all support immutability flags.
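The mail-gateway rules in the list above are simple enough to express as code. The Python below is an added example, not the profile's or any gateway product's implementation: it blocks the container types the page names outright, and for a zip attachment it lists the members and strips the LNK, HTA and JS members. Going one step beyond the page, it also blocks a mail whose zip contains one of the blocked container types, because an ISO wrapped in a zip would otherwise slip past a check that only looks at the outer extension. The attachment names and zip contents are constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Container types the profile says to block outright at the perimeter.
BLOCK_EXT = {".iso", ".img", ".vhd", ".pif"}
# Member types the profile says to strip when they arrive inside a zip.
STRIP_EXT = {".lnk", ".hta", ".js"}


def _ext(name):
    """Lower-cased final suffix, tolerating backslash paths inside archives."""
    return PurePosixPath(name.replace("\\", "/")).suffix.lower()


def inspect_attachment(filename, data):
    """Decide what the gateway does with one attachment.
    Returns (verdict, details): 'block' (drop the mail), 'strip' (deliver the
    zip without the listed members) or 'allow'."""
    ext = _ext(filename)
    if ext in BLOCK_EXT:
        return "block", [f"container type {ext} not allowed"]
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m for m in zf.namelist() if not m.endswith("/")]
        except zipfile.BadZipFile:
            return "block", ["zip attachment is not parseable"]
        # Generalisation beyond the page: a blocked container inside the zip
        # blocks the mail, otherwise wrapping an ISO in a zip bypasses the rule.
        nested = [m for m in members if _ext(m) in BLOCK_EXT]
        if nested:
            return "block", [f"nested container {m}" for m in nested]
        to_strip = [m for m in members if _ext(m) in STRIP_EXT]
        if to_strip:
            return "strip", to_strip
    return "allow", []


def strip_members(data, names):
    """Rebuild the zip without the named members (what a 'strip' verdict delivers)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for m in src.namelist():
            if m not in names:
                dst.writestr(m, src.read(m))
    return out.getvalue()


def build_zip(members):
    """Constructed helper for the examples: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments resembling the "invoice" lure described in the attack-vector list.
    print(inspect_attachment("Invoice_4471.iso", b"\x00" * 64))
    lure = build_zip({"invoice.pdf": b"%PDF-1.4", "Open Invoice.lnk": b"L\x00\x00\x00", "readme.txt": b"hi"})
    verdict, members = inspect_attachment("invoice.zip", lure)
    print(verdict, members)
    print(inspect_attachment("invoice.zip", strip_members(lure, members)))
```

The extension check is deliberately on the final suffix only, so Invoice.pdf.iso is still blocked; a real gateway should additionally sniff the container's magic bytes, since renaming an ISO to .dat defeats any name-based rule.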

2. Removal / Incident Containment

Typical play-book (adapt to your IR plan):

  1. Detect: Alert on mass file renames to *.filesencrypted, creation of How-to-decrypt.filesencrypted.txt, spike in esent.dll usage (Shadow-copy delete).
  2. Isolate: Disable Wi-Fi, pull LAN, shut down compromised VMware port-group / VLAN. Take RAM image if you plan to hunt for BEACON config.
  3. Collect evidence: Export MFT, USN journal, PowerShell ConsoleHost_history.txt, RDP event 4624/4625, NTUSER.DAT \Software\CryptoID\.
  4. Flatten & rebuild:
    a. Re-image OS volume; uninfected environments can use AV/EDR quarantine (Windows Defender detects this family as Ransom:Win32/FilesEncrypted.A).
    b. Change all harvested credentials, reset AD krbtgt twice (golden-ticket wipe), review Domain Admin list.
    c. Patch the compromise vector (usually Exchange/RDP), enable MFA.
    d. Do NOT pay and then continue using the same network – re-infection rate of manual families is ~25 % within 30 days.
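The renaming pattern from section 1 and the Detect step of the play-book above can be turned into a concrete alert. The following Python is an added example, not part of the profile or of any vendor tool: it classifies file names as the plain pattern (name + .filesencrypted) or the bracketed-ID variant, then runs a sliding window over constructed file-system events to raise an alert on creation of How-to-decrypt.filesencrypted.txt and on a burst of renames to the extension on one host. The event line format, the host names, the 60-second window and the 20-rename threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Exact extension from the profile, appended to the unchanged original name.
EXT = ".filesencrypted"
RANSOM_NOTE = "How-to-decrypt.filesencrypted.txt"
# Variants insert a bracketed ID before the extension, e.g. report.xlsx.[bc1qxyz].filesencrypted
VARIANT_RE = re.compile(r"\.\[[^\]/\\]+\]" + re.escape(EXT) + r"$", re.IGNORECASE)

# Constructed event line format (an assumption, not a real product's schema):
#   <ISO timestamp> <host> CREATE <path>
#   <ISO timestamp> <host> RENAME <old path> -> <new path>
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<op>CREATE|RENAME)\s+(?P<path>.+?)"
    r"(?:\s+->\s+(?P<new>.+))?$"
)


def classify_name(name):
    """Return ('plain', original) for name.filesencrypted, ('variant', original)
    for name.[id].filesencrypted, or (None, None) for anything else."""
    if VARIANT_RE.search(name):
        return "variant", VARIANT_RE.sub("", name)
    if name.lower().endswith(EXT):
        return "plain", name[:-len(EXT)]
    return None, None


def detect(lines, window_s=60, threshold=20):
    """Walk event lines in time order and return alerts as
    (timestamp, host, alert_type, detail) tuples."""
    alerts = []
    recent = defaultdict(deque)   # host -> timestamps of recent renames to EXT
    fired = set()                 # hosts already alerted for mass rename
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        host, op = m["host"], m["op"]
        target = m["new"] if op == "RENAME" else m["path"]
        name = target.replace("\\", "/").rsplit("/", 1)[-1]
        # The profile says the note is written before encryption starts, so a
        # single creation of it is already actionable.
        if op == "CREATE" and name == RANSOM_NOTE:
            alerts.append((ts, host, "ransom-note", target))
            continue
        kind, _original = classify_name(name)
        if kind is None:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold and host not in fired:
            fired.add(host)
            alerts.append((ts, host, f"mass-rename:{kind}", f"{len(q)} in {window_s}s"))
    return alerts


# Constructed sample telemetry: one benign rename, the note landing on host01,
# then 25 renames to the extension in 25 seconds on host01.
SAMPLE_EVENTS = [
    "2023-04-12T09:14:58 host02 RENAME C:\\Users\\bob\\draft.docx -> C:\\Users\\bob\\final.docx",
    "2023-04-12T09:15:00 host01 CREATE C:\\Users\\Public\\Desktop\\How-to-decrypt.filesencrypted.txt",
] + [
    f"2023-04-12T09:15:{i:02d} host01 RENAME C:\\Share\\file{i}.xlsx -> C:\\Share\\file{i}.xlsx.filesencrypted"
    for i in range(1, 26)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The note-creation alert is evaluated first and fires on a single event, while the rename alert waits for the threshold; tune the window and threshold to the normal rename rate of the file server you feed it, and keep the variant class separate so a bracketed-ID family does not get dismissed as a different threat.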

3. File Decryption & Recovery

  • No free decryptor presently exists. The malware uses Curve25519 (ephemeral) + ChaCha20-Poly1305; the private key never leaves the attacker’s C2.
  • Volume Shadow copies are deleted via vssadmin delete shadows /all and wmic shadowcopy delete, recovery is disabled with bcdedit /set {default} recoveryenabled No, and the freed space is overwritten with cipher /W, so built-in Windows rollback is unavailable unless you had VSS excluded or protected.
  • Recovery paths:
    1. Restore from offline backups (verified, immutable).
    2. Leverage file-share snapshots (Synology, NetApp, Dell EMC Isilon, Windows Server 2022 “VSS for SMB”).
    3. “Previous Versions” via 3rd-party backup agents that keep their own snapshot chain (Acronis, Macrium, Druva).
    4. Data-recovery firms may negotiate for the private key if business-critical; average BTC demand observed = 1.9 – 2.4 ($60-90 k). Negotiation / remediation success is ≈ 70 % but adds weeks to downtime.
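The recovery-inhibition commands listed in the bullet above are among the highest-fidelity signals available before the extension ever appears, because ordinary administration rarely deletes every shadow copy and disables recovery in one sitting. The Python below is an added example, not from the profile: it matches those command lines, plus the wbadmin catalog deletion the take-away mentions as a generalisation, against constructed process-creation records shaped like Sysmon Event ID 1 fields, and reports a host that trips two or more distinct rules as a sequence. Host names, user names and the record layout are assumptions.

```python
import re

# Constructed process-creation records shaped like Sysmon Event ID 1 fields
# (host, user, parent, command line). Not real telemetry.
SAMPLE_PROCESSES = [
    {"host": "fs01", "user": "CORP\\svc-backup", "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmd": "vssadmin list shadows"},
    {"host": "fs01", "user": "CORP\\bob", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "fs01", "user": "CORP\\bob", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "wmic shadowcopy delete"},
    {"host": "fs01", "user": "CORP\\bob", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "fs01", "user": "CORP\\bob", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "wbadmin delete catalog -quiet"},
    {"host": "fs01", "user": "CORP\\bob", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "cipher /W:C:\\"},
    {"host": "ws07", "user": "CORP\\alice", "parent": "C:\\Windows\\explorer.exe",
     "cmd": "cipher /E D:\\Confidential"},
]

# Rule name -> case-insensitive regex over the command line. All of these map
# to ATT&CK T1490 (Inhibit System Recovery).
RULES = [
    ("vss-delete",               r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("wmic-shadowcopy-delete",   r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("bcdedit-disable-recovery", r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b"),
    ("wbadmin-delete-catalog",   r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
    ("cipher-wipe-freespace",    r"\bcipher(\.exe)?\b.*\s/w\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def evaluate(records):
    """Return one (rule, host, user, cmd) hit per record whose command line
    matches a rule; the first matching rule wins."""
    hits = []
    for r in records:
        for name, rx in COMPILED:
            if rx.search(r["cmd"]):
                hits.append((name, r["host"], r["user"], r["cmd"]))
                break
    return hits


def inhibition_sequences(hits, min_rules=2):
    """Group hits per host; a host tripping at least min_rules distinct rules is
    reported as a recovery-inhibition sequence. The profile lists these commands
    being run together, which is far rarer in normal administration than any one."""
    per_host = {}
    for name, host, _user, _cmd in hits:
        per_host.setdefault(host, set()).add(name)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = evaluate(SAMPLE_PROCESSES)
    for hit in found:
        print(*hit)
    print(inhibition_sequences(found))
```

A single vssadmin delete from a backup operator's account is a reasonable exception to whitelist; the sequence rule is the one to page on, and it should also drive the Isolate step of the play-book for the host it names.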

4. Other Critical Information

  • Unlike automated “big-game” families (Ryuk, Conti), the .filesencrypted crews spend 1-3 days inside, exfiltrate between 50 GB and 1 TB via MEGASync, file.io, or rclone to AnonFiles, and only then trigger encryption. Prepare for double-extortion.
  • The ransom note (How-to-decrypt.filesencrypted.txt) recommends the victim install “TOR Browser” and visit a decrypt[.]top v3 onion domain; samples in 2023 switched to unlock[.]cyou. Supply-chain note templates are identical to older proprietary “SunnyDay” ransomware, hinting at re-branding or affiliate sharing.
  • Encrypted files are not corrupt: the header carries a 16-byte Poly1305 MAC and the rest is ChaCha20 stream-encrypted. If you ever obtain the private key, decryption is deterministic, so keep an encrypted sample so you can verify any promised tool against it.
  • IOCs (refresh frequently – C2 fast-flux)
    – SHA256: 6f02e6…c21807 (dropper) 9ab9d4…03e441 (encryptor)
    – C2 (2023-04): 15.235.195[.]22:443, decrypt[.]top/upd/api.php
    – Ransom e-mails: fileservice@privatemail[.]com, unlocksupport@onionmail[.]org
  • YARA (generic)
    rule win_ransom_filesencrypted {
        meta:
            description = "FilesEncrypted ransom payload"
        strings:
            $s1 = "filesencrypted" wide
            $s2 = "How-to-decrypt.filesencrypted.txt" wide
            $k1 = { 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } // curve25519 clamp
        condition:
            uint16(0) == 0x5A4D and all of them   // PE (MZ) header and every string present
    }
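The indicators above are printed defanged so they cannot be clicked by accident; before they can be matched against telemetry they have to be refanged and sorted by type. The Python below is an added example, not part of the profile: it refangs the page's C2 and e-mail indicators, builds exact-match sets for IPs, domains, URL paths and e-mail addresses, and checks constructed proxy log lines against them. The seven-column log layout, the client addresses and the 203.0.113.9 / 198.51.100.4 server addresses are assumptions (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges). Sub-domains of a listed domain match as well, which is a deliberate generalisation. The truncated SHA256 values on the page are not usable for matching and are left out.

```python
import re
from ipaddress import ip_address

# Indicators exactly as the profile prints them (defanged). The truncated SHA256
# values on the page cannot be matched and are deliberately omitted.
RAW_IOCS = [
    "15.235.195[.]22:443",
    "decrypt[.]top/upd/api.php",
    "unlock[.]cyou",
    "fileservice@privatemail[.]com",
    "unlocksupport@onionmail[.]org",
]


def refang(value):
    """Undo the common defanging conventions so the value can be compared to telemetry."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def index_iocs(raw):
    """Sort refanged indicators into exact-match sets: IPs, domains,
    (domain, path) pairs and e-mail addresses."""
    ips, domains, paths, emails = set(), set(), set(), set()
    for r in raw:
        v = refang(r).strip()
        if "@" in v:
            emails.add(v.lower())
            continue
        host, _, rest = v.partition("/")
        host = re.sub(r":\d+$", "", host)       # drop a trailing port
        try:
            ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host.lower())
        if rest:
            paths.add((host.lower(), "/" + rest))
    return ips, domains, paths, emails


# Constructed proxy log lines (assumed seven-column layout):
#   <timestamp> <client> <server ip:port> <host header> <method> <path> <status>
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_PROXY_LOG = [
    "2023-04-12T09:20:01 10.0.5.17 15.235.195.22:443 - CONNECT - 200",
    "2023-04-12T09:20:05 10.0.5.17 203.0.113.9:443 decrypt.top GET /upd/api.php 200",
    "2023-04-12T09:20:07 10.0.5.17 203.0.113.9:443 cdn.decrypt.top GET /static/x.js 200",
    "2023-04-12T09:21:00 10.0.5.30 198.51.100.4:443 example.com GET / 200",
]


def match_proxy(lines, iocs):
    """Return (timestamp, client, reasons) for every line touching an indicator."""
    ips, domains, paths, _emails = iocs
    hits = []
    for line in lines:
        ts, client, server, host, _method, path, _status = line.split()
        server_ip = server.rsplit(":", 1)[0]
        h = host.lower()
        reasons = []
        if server_ip in ips:
            reasons.append(f"c2-ip:{server_ip}")
        # Sub-domains of a listed domain count as well (generalisation).
        if any(h == d or h.endswith("." + d) for d in domains):
            reasons.append(f"c2-domain:{h}")
        if (h, path) in paths:
            reasons.append(f"c2-url:{h}{path}")
        if reasons:
            hits.append((ts, client, reasons))
    return hits


if __name__ == "__main__":
    for hit in match_proxy(SAMPLE_PROXY_LOG, index_iocs(RAW_IOCS)):
        print(*hit)
```

Keep the defanged form in the document and refang only at load time. Since the profile warns of fast-flux C2, treat the IP set as short-lived and the domain and URL-path sets as the durable part of the match list.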

Key Take-away

*.filesencrypted is a post-compromise, hybrid-extortion threat. It blocks the easy recovery paths (VSS, a service stop list, wbadmin) and exfiltrates data before it encrypts. Your best defence is layered controls before the intrusion (hardened remote access, MFA, e-mail filtering, EDR) and an offline, immutable backup that survives even a malicious domain admin. A free decryptor is unlikely, so invest in those fundamentals rather than hoping for a future tool. Stay safe!