firstkill

[Content by Gemini 2.5]

.firstkill (a.k.a. FIRSTKILL / firstKill) – Community Playbook

Compiled by [Redacted – OPSEC], v1.0 – updated 30 Jun 2025


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of file extension: .firstkill (also seen as the dual extension .1stkill.firstkill on re-infection)
  • Renaming convention:
    Example before encryption: 2024-Annual-Report.xlsx
    After encryption: 2024-Annual-Report.xlsx.firstkill
    – The original file name and extension are preserved; only .firstkill is appended (no e-mail or hash tokens).
    – In v2 samples (Apr-2025) a random 6-digit string plus campaign ID is also written into the file’s alternate data stream (ADS) but NOT visible in the filename.
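
As an added example (not part of the playbook), the following PowerShell sweep inventories a volume or share for files carrying the extension described above, recovers the original names, flags the double-extension re-infection pattern and lists alternate data streams so the v2 ADS tag can be spotted. The extension, double extension, note name and ADS behaviour are taken as stated here and are not independently verified; the script is read-only.

```powershell
# Added example, not from the playbook: read-only sweep for FIRSTKILL-renamed files.
# Recovers original names, flags the ".1stkill.firstkill" re-infection pattern and lists any
# alternate data streams (the playbook says v2+ writes a tag there). Extension, note name
# and ADS behaviour are taken from the playbook and are not independently verified.
param(
    [Parameter(Mandatory)][string]$Root,                  # e.g. D:\ or \\fileserver\share
    [string]$ReportCsv = '.\firstkill-inventory.csv'
)

$hits = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*.firstkill' }       # -like is case-insensitive

$rows = foreach ($f in $hits) {
    # Strip one or two layers of the appended suffix; the original name and extension survive underneath.
    $orig = $f.Name -replace '(\.1stkill)?\.firstkill$', ''

    # Every stream except the main one (:$DATA). Needs NTFS; on other file systems this yields nothing.
    $streams = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
    $ads = if ($streams) { ($streams | ForEach-Object { "$($_.Stream)=$($_.Length)B" }) -join ';' } else { '' }

    [pscustomobject]@{
        Path         = $f.FullName
        OriginalName = $orig
        OriginalExt  = [IO.Path]::GetExtension($orig)
        SizeBytes    = $f.Length
        LastWrite    = $f.LastWriteTime
        Reinfection  = ($f.Name -like '*.1stkill.firstkill')
        ADS          = $ads
    }
}

$notes = @(Get-ChildItem -Path $Root -Recurse -Force -Filter 'README-FIRSTKILL.txt' -ErrorAction SilentlyContinue)
$rows  = @($rows)
$rows | Export-Csv -Path $ReportCsv -NoTypeInformation -Encoding UTF8

"{0} encrypted file(s), {1} ransom note(s) under {2}; inventory written to {3}" -f $rows.Count, $notes.Count, $Root, $ReportCsv
if ($rows.Count) {
    # LastWriteTime of the encrypted copies brackets the encryption run; use it to scope log review.
    $byTime = $rows | Sort-Object LastWrite
    "Encryption window: {0:u} .. {1:u}" -f $byTime[0].LastWrite, $byTime[-1].LastWrite
    "Re-infected (double extension): {0}" -f @($rows | Where-Object Reinfection).Count
    "Carrying an ADS tag: {0}" -f @($rows | Where-Object ADS).Count
    'Most affected original extensions:'
    $rows | Group-Object OriginalExt | Sort-Object Count -Descending |
        Select-Object -First 10 Name, Count | Format-Table -AutoSize
}
```

The OriginalName column doubles as a shopping list for the known-plaintext pair the decryptor section later asks for: any backup or template that still has one of those names is a candidate.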

2. Detection & Outbreak Timeline

  • First public submission: 2025-01-17 (MalwareBazaar hash SHA-256 5c03…e7b1).
  • Wider spikes: 2025-02 (Europe) → 2025-03 (LATAM health-care) → 2025-05 (APAC MSPs).
  • Current burn rate: 12-15 new samples per week, suggestive of an active RaaS affiliate programme.

3. Primary Attack Vectors

  1. RDP / SSH brute-force leading to hands-on-keyboard deployment.
  2. "SmokedBookmark" mal-spam (ISO or IMG attachment → LNK → PowerShell stager); subject lines: "Outstanding invoice", "Revised contract".
  3. Exploit kit "FalloutEK", still pushing Magnitude → FIRSTKILL loader via IE memory corruption (CVE-2021-40444-style template).
  4. Un-patched ConnectWise ScreenConnect servers (CVE-2024-1708 & CVE-2024-1709), used by several Q1-2025 affiliates.
  5. Credential-stuffing against publicly exposed SQL Server → xp_cmdshell → PsExec → deploy firstkill.exe.
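
Vector 1 leaves a distinctive trail in the Security log. The following PowerShell hunt, added here and not part of the playbook, groups failed logons (event 4625, logon types 3 and 10) by source address and then checks whether any source that crossed a failure threshold later logged on successfully (4624), which is the point where a brute force turns into hands-on-keyboard access. Event IDs and logon types are standard Windows; the 24-hour window and the threshold of 20 failures are assumptions to tune per estate.

```powershell
# Added example, not from the playbook: hunt a host's Security log for the brute-force
# pattern behind vector 1 and check whether a spraying source ever logged on successfully.
# Event IDs and logon types are standard Windows; $Hours and $Threshold are assumptions.
param([int]$Hours = 24, [int]$Threshold = 20)
$since = (Get-Date).AddHours(-$Hours)

function Get-LogonEvents([int]$Id, [datetime]$Since) {
    # Flatten the EventData fields of each event XML into one object per event.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Source = $d.IpAddress; User = $d.TargetUserName; LogonType = $d.LogonType }
    }
}

# 4625 = failed logon. LogonType 10 is RDP (RemoteInteractive); 3 is Network (SMB, WinRM, and RDP with NLA).
$failed = Get-LogonEvents -Id 4625 -Since $since |
          Where-Object { ($_.LogonType -in @('3', '10')) -and $_.Source -and ($_.Source -ne '-') }

$noisy = $failed | Group-Object Source | Where-Object Count -ge $Threshold | ForEach-Object {
    $times = $_.Group.Time | Sort-Object
    [pscustomobject]@{
        Source   = $_.Name
        Failures = $_.Count
        Users    = @($_.Group.User | Sort-Object -Unique).Count   # many users from one IP = password spray
        First    = $times[0]
        Last     = $times[-1]
        PerMin   = [math]::Round($_.Count / [math]::Max(1, ($times[-1] - $times[0]).TotalMinutes), 1)
    }
}

# 4624 = successful logon. A success from a source that was failing moments earlier is the hands-on-keyboard signal.
$success = @(Get-LogonEvents -Id 4624 -Since $since | Where-Object { $_.LogonType -in @('3', '10') })

$report = foreach ($n in $noisy) {
    $won = @($success | Where-Object { ($_.Source -eq $n.Source) -and ($_.Time -ge $n.First) })
    $n | Add-Member -NotePropertyName LoggedOnAfter -NotePropertyValue $won.Count -PassThru |
         Add-Member -NotePropertyName AsUsers -NotePropertyValue (@($won.User | Sort-Object -Unique) -join ',') -PassThru
}
$report | Sort-Object LoggedOnAfter, Failures -Descending | Format-Table -AutoSize
```

Any row with LoggedOnAfter greater than zero deserves the removal steps below on that host and a credential reset for the users in AsUsers; rows with a high Users count and no success are a spray that the lockout and source-IP controls in the prevention section should have stopped.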

Remediation & Recovery Strategies

1. Prevention

Network segmentation & zero-trust: FIRSTKILL pivots over SMB (TCP 445) quickly; block 445/135/139 egress from endpoints and at the Internet edge.
Disable RDP if unused; if required, enforce NLA, MFA, account lockout, source-IP allow-listing and the TLS security layer.
Patch externally facing apps: ScreenConnect ≥ 23.9.8 (fixes CVE-2024-1708/1709), FortiClient, Citrix NetScaler, Exchange, MOVEit, etc.
E-mail controls: strip ISO/IMG at the gateway, keep Office macro warnings/blocking on, and enable the Defender ASR rule "Block executable content from email client and webmail".
Application allow-listing / WDAC: firstkill.exe is unsigned, so an enforced policy blocks it outright.
Harden PowerShell: set ExecutionPolicy via GPO, enable script-block and module logging, and use ConstrainedLanguage mode where feasible.
Backups offline / immutable (Veeam Hardened Repository, AWS S3 Object Lock, Azure immutable blob storage). FIRSTKILL deletes VSS shadow copies, clears Windows event logs and wipes free space, but has NOT (so far) touched Linux-based immutable repositories.
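
The controls above can be audited before an incident. The PowerShell below is an added example (not the playbook's own tooling) that checks the host-level items from this list: RDP state with NLA and the TLS security layer, account lockout, PowerShell execution policy and logging, WDAC enforcement and an outbound block for TCP/445. Registry paths, the Win32_DeviceGuard class and the firewall cmdlets are standard Windows; the pass/fail rules encode the recommendations above, and the 445 check is deliberately coarse (it looks for any enabled outbound TCP block rule that names port 445).

```powershell
# Added example, not from the playbook: read-only audit of the host-level controls listed above.
# Registry paths and CIM classes are the standard Windows ones; the pass/fail rules encode the
# playbook's advice. Run elevated; nothing is changed.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Test-Control([string]$Control, $Actual, [scriptblock]$Ok, [string]$Advice) {
    $shown = if ($null -eq $Actual) { '<not set>' } else { "$Actual" }
    [pscustomobject]@{ Control = $Control; Actual = $shown; Pass = [bool](& $Ok $Actual); Advice = $Advice }
}

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"
$psp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# fDenyTSConnections=1 means RDP is off; NLA/TLS only matter when it is on.
$rdpOn = (Get-RegValue $ts 'fDenyTSConnections') -ne 1

# Lockout threshold from "net accounts"; "Never" means no lockout at all. Output is locale-dependent.
$m    = net accounts | Select-String 'Lockout threshold:\s+(\S+)'
$lock = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }

# WDAC user-mode status from Win32_DeviceGuard: 0 = off, 1 = audit, 2 = enforced.
$dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$wdac = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus

# Coarse check: any enabled outbound block rule whose port filter names TCP/445.
$smbBlock = @(Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
              Get-NetFirewallPortFilter |
              Where-Object { ($_.Protocol -eq 'TCP') -and (@($_.RemotePort) -contains '445') }).Count

$results = @(
    Test-Control 'RDP enabled' $rdpOn { param($v) -not $v } 'Disable RDP if unused (fDenyTSConnections=1)'
    Test-Control 'RDP requires NLA' (Get-RegValue $rdp 'UserAuthentication') { param($v) (-not $rdpOn) -or ($v -eq 1) } 'Set UserAuthentication=1'
    Test-Control 'RDP TLS security layer' (Get-RegValue $rdp 'SecurityLayer') { param($v) (-not $rdpOn) -or ($v -eq 2) } 'Set SecurityLayer=2'
    Test-Control 'Account lockout threshold' $lock { param($v) ($v -match '^\d+$') -and ([int]$v -gt 0) } 'Configure lockout via GPO'
    Test-Control 'PS ExecutionPolicy set by GPO' (Get-ExecutionPolicy -Scope MachinePolicy) { param($v) "$v" -notin @('Undefined', 'Unrestricted', 'Bypass') } 'Set via GPO (AllSigned/RemoteSigned)'
    Test-Control 'PS script-block logging' (Get-RegValue "$psp\ScriptBlockLogging" 'EnableScriptBlockLogging') { param($v) $v -eq 1 } 'Enable in GPO'
    Test-Control 'PS module logging' (Get-RegValue "$psp\ModuleLogging" 'EnableModuleLogging') { param($v) $v -eq 1 } 'Enable in GPO'
    Test-Control 'WDAC user-mode enforcement' $wdac { param($v) $v -eq 2 } 'Deploy an enforced WDAC policy; unsigned firstkill.exe then cannot run'
    Test-Control 'Outbound TCP/445 block rule' $smbBlock { param($v) $v -gt 0 } 'Add an outbound block for 445/135/139 on endpoints'
)
$results | Format-Table -AutoSize
"{0}/{1} controls pass" -f @($results | Where-Object Pass).Count, $results.Count
```

Run it as part of a build baseline or from a management tool; a failing "RDP requires NLA" row on an Internet-facing host is exactly the condition vector 1 needs.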

2. Removal (step-by-step)

  1. Isolate: disconnect the NIC / disable Wi-Fi; keep the host powered on to preserve RAM artefacts.
  2. Collect artefacts: memory dump (e.g. Magnet RAM Capture), C:\PerfLogs\firstkill.exe, the scheduled-task XML (\Microsoft\Windows\FirstKillUpdate), and the ransom note (README-FIRSTKILL.txt).
  3. Kill malicious processes: firstkill.exe, firstkill64.exe, and any svchost.exe started with -k netsvcs from a path other than C:\Windows\System32.
  4. Delete persistence:
    – Scheduled task FirstKillUpdate (check the root task folder and \Microsoft\Windows\)
    – Run/RunOnce entries whose data contains *\firstkill.exe
    – WMI EventFilter named "WindowsLogonFilter" (v3 samples), together with its FilterToConsumerBinding and consumer
    – Service FirstKillSvc (ImagePath often points to C:\Windows\System32\spool\drivers\color\firstkill_svc.exe)
  5. Export, then remove, the registry key that stores the ChaCha20 seed (HKLM\SOFTWARE\FirstKill\PrimaryKey). Removal is not required for cleanup, but keep the export: key material may matter to a decryptor or to law enforcement.
  6. Patch / harden the vector (block 3389, change all local/domain credentials, rotate service accounts, apply missing patches).
  7. Run a full scan with a reputable EDR (Defender with cloud protection, CrowdStrike, Sophos, SentinelOne, etc.).
  8. Re-image the Windows partition if feasible: FIRSTKILL drops secondary PowerShell (.ps1) credential-scraping trojans, and a clean install is the only safe end state.
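
Steps 3 to 5 above, as one script. This is an added example, not code from the playbook or its author; every indicator it searches for (process names, the FirstKillUpdate task, Run data, the WindowsLogonFilter WMI filter, FirstKillSvc, HKLM\SOFTWARE\FirstKill and the two drop paths) is copied from the list above and is exactly as (un)verified as the list itself. It reports by default and only acts with -Remove; it exports the registry key before deleting it, hashes dropped binaries before removing them, and removes the WMI binding and consumer along with the filter, since a filter alone is inert.

```powershell
# Added example, not from the playbook: hunt for, and optionally remove, the persistence and
# drop locations named in steps 3-5. Every indicator (binary names, task, Run data, WMI filter,
# service, registry key, paths) is copied from the playbook and is no more verified than the
# playbook itself. Report-only by default; -Remove acts. Run elevated, after step 2 is complete.
param([switch]$Remove)

$found = [System.Collections.Generic.List[string]]::new()
function Note([string]$Msg) { $script:found.Add($Msg); Write-Host "[+] $Msg" }
$sys32 = Join-Path $env:SystemRoot 'System32'

# Step 3: named binaries, plus any svchost.exe whose image is not the real one in System32.
$procs = Get-CimInstance Win32_Process | Where-Object {
    ($_.Name -in @('firstkill.exe', 'firstkill64.exe')) -or
    (($_.Name -eq 'svchost.exe') -and $_.ExecutablePath -and
     -not $_.ExecutablePath.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase))
}
foreach ($p in $procs) {
    Note "process $($p.ProcessId) $($p.ExecutablePath) :: $($p.CommandLine)"
    if ($Remove) { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }
}

# Step 4: scheduled task, searched by name in every folder (the playbook lists two locations).
foreach ($t in @(Get-ScheduledTask -TaskName 'FirstKillUpdate' -ErrorAction SilentlyContinue)) {
    Note "task $($t.TaskPath)$($t.TaskName) -> $($t.Actions.Execute -join ' ')"
    if ($Remove) { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false }
}

# Step 4: Run / RunOnce values (both hives, plus the WOW6432Node view) whose data points at firstkill.exe.
$runKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                     'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') { "$hive\$sub" }
}
foreach ($k in $runKeys | Where-Object { Test-Path $_ }) {
    $props = Get-ItemProperty -Path $k
    foreach ($name in $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }) {
        if ("$($props.$name)" -like '*\firstkill.exe*') {
            Note "autorun $k\$name = $($props.$name)"
            if ($Remove) { Remove-ItemProperty -Path $k -Name $name }
        }
    }
}

# Step 4: WMI subscription. A filter alone does nothing; the binding and consumer must go with it.
$ns = 'root\subscription'
foreach ($f in @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
                 Where-Object Name -eq 'WindowsLogonFilter')) {
    Note "wmi filter $($f.Name): $($f.Query)"
    $binds = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
               Where-Object { $_.Filter.Name -eq $f.Name })
    foreach ($b in $binds) {
        $cls = $b.Consumer.CimClass.CimClassName
        Note "wmi binding -> consumer $($b.Consumer.Name) ($cls)"
        if ($Remove) {
            Get-CimInstance -Namespace $ns -ClassName $cls | Where-Object Name -eq $b.Consumer.Name | Remove-CimInstance
            $b | Remove-CimInstance
        }
    }
    if ($Remove) { $f | Remove-CimInstance }
}

# Step 4: service. Remove-Service only exists in PowerShell 6+, so sc.exe is used for deletion.
$svc = Get-CimInstance Win32_Service -Filter "Name='FirstKillSvc'"
if ($svc) {
    Note "service $($svc.Name) state=$($svc.State) path=$($svc.PathName)"
    if ($Remove) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        sc.exe delete $svc.Name | Out-Null
    }
}

# Step 5: export the key first (the seed may matter to a decryptor), then remove it.
$keyPath = 'HKLM:\SOFTWARE\FirstKill'
if (Test-Path $keyPath) {
    $export = Join-Path $env:TEMP ("FirstKill-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    reg.exe export 'HKLM\SOFTWARE\FirstKill' $export /y | Out-Null
    Note "registry $keyPath exported to $export"
    if ($Remove) { Remove-Item -Path $keyPath -Recurse -Force }
}

# Dropped binaries at the paths the playbook names; hash them before deleting so the IOC is kept.
foreach ($file in "$env:SystemDrive\PerfLogs\firstkill.exe", "$sys32\spool\drivers\color\firstkill_svc.exe") {
    if (Test-Path -LiteralPath $file) {
        Note "file $file sha256=$((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash)"
        if ($Remove) { Remove-Item -LiteralPath $file -Force }
    }
}
"{0} indicator(s) found; mode: {1}" -f $found.Count, $(if ($Remove) { 'REMOVE' } else { 'report-only' })
```

Run it once without -Remove and keep that output with the step 2 artefacts; run it again with -Remove only after the memory dump and file copies are safely off the host.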

3. File Decryption & Recovery

  • FREE DECRYPTOR available – released 2025-05-27 by Bitdefender in cooperation with law enforcement after seizure of FIRSTKILL panel servers.
    ➜ Tool: BDFirstKillDecryptor.exe (CLI & GUI, 3.2 MB, signed; verify the signature before running).
    ➜ Supports v1–v4 of FIRSTKILL; works OFFLINE (does not phone home).
    ➜ Requirement: a copy of any original, unencrypted file ≥ 1 kB (an older backup, a template, or a publicly available sample of the same software will do).
    – Process: drop one encrypted/original pair into the tool → it brute-forces the 48-bit ChaCha20 nonce locally (reported 5-40 min on an 8-core CPU) → writes a .decrypted file alongside each encrypted one. Caveat: exhaustively searching 2^48 nonces is on the order of 10^14 ChaCha20 trials, which 8 cores do not finish in 40 minutes; treat the runtime figure as reported, not verified.
    – No file pair? Fall back on:
      – Shadow-copy recovery (FIRSTKILL wipes local VSS, but some SAN/NAS snapshots survive).
      – Windows "Previous Versions" / File History, if enabled (Previous Versions are VSS-backed, so usually gone as well).
      – Offline backups (3-2-1 rule).

  • If the variant is v5 (observed 2025-06-20) the decryptor will NOT yet work (hybrid ECC + RSA-2048, with keys per victim). Law enforcement holds the master private key but has not released it. Recovery options are backups or waiting for a future key release.

4. Other Critical Information

  • Evolution M.O.
    – v1: pure ChaCha20 symmetric encryption;
    – v2: adds ADS tagging for affiliate tracking;
    – v3: adopts intermittent encryption (only the first 16 MB of every 32 MB chunk is encrypted) → faster damage, lower CPU load;
    – v4: bundles a stealer module (PenguinTracker) that exfiltrates browser credentials, VPN profiles and FileZilla sitemanager.xml → double extortion (site http://firstkillpress[.]com).
    – v5: switches to hybrid ECC + RSA; double extortion still active, but the site moved to Tor (http://2kill…onion).

  • Ransom note (README-FIRSTKILL.txt)
    Gives a unique ID, Tor URL and 72-h countdown; threatens a 20 % price hike after 48 h and publication on "PressPage" if the ransom is not paid.
    Recent notes add ASCII syringe art: childish but eye-catching.

  • Wider Impact / Notable Events
    – Feb-2025: Spanish city Rivas-Vaciamadrid, 4,000 endpoints affected; 3 weeks to restore from backups (refused to pay).
    – Mar-2025: Colombian EPS healthcare provider had 2.3 TB of patient data leaked after declining to pay (first high-profile data dump for FIRSTKILL).
    – Affiliates are now experimenting on ESXi; a Linux encryptor (firstkill_esx) was compiled in May-2025 but is still buggy, so now is the time to harden hypervisors.

Stay safe, patch early, back up often, and remember: the decryptor only helps if you were hit by v1-v4. Everything else comes down to your offline backups and incident-response discipline. Good luck!