NOTES FOR READERS
- “f**kcrypt” (hereafter written simply as “fckcrypt”) appears only in scattered, low-volume incident reports and has NOT (yet) been catalogued in detail by CERTs or major vendors. Everything below is assembled from the few public triage packs shared by analysts and from behavioural similarities to other .NET/“Harz”-based ransomware. Regard the dates and IOCs as approximate; the family could re-surface under new builds at any time.
TECHNICAL BREAKDOWN
1. File Extension & Renaming Patterns
- Encrypted file extension appended: .f**kcrypt (some e-mail security gateways mask the middle letters with asterisks, incidentally adding to the confusion).
- Renaming convention: original name + victim-specific 8-char hexadecimal ID (e.g. report.docx.1A4F72C3.f**kcrypt).
- Folders receive the ransom note #HOW_TO_RECOVER.f**kcrypt#.txt
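The renaming pattern above is the cheapest artefact to hunt for. As an added example (not taken from the report or from any analyst's triage pack), the PowerShell script below walks a share, recognises renamed files and ransom notes, pulls the 8-hex victim ID out of each name and brackets the encryption window; the scan root and the exact spelling of the extension are assumptions.

```powershell
# Added example, not from the original report: hunt a share or host for the
# fckcrypt renaming artefacts. Assumes the appended extension is literally
# ".f**kcrypt" as printed in the report (the plain "fckcrypt" spelling is also
# accepted) and that the 8-hex victim ID sits directly before it.
param([string]$Path = 'D:\Shares')   # assumption: root of the share to scan

$EncryptedPattern = '^(?<orig>.+)\.(?<id>[0-9A-Fa-f]{8})\.f(?:\*\*|c)kcrypt$'
$NotePattern      = '^#HOW_TO_RECOVER\.f(?:\*\*|c)kcrypt#\.txt$'

$encrypted = New-Object System.Collections.Generic.List[object]
$notes     = New-Object System.Collections.Generic.List[string]

Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Name -match $EncryptedPattern) {
            $encrypted.Add([pscustomobject]@{
                Path     = $_.FullName
                Original = $Matches.orig          # name before the ID and extension were appended
                VictimId = $Matches.id.ToUpper()
                Written  = $_.LastWriteTime       # approximates when this file was encrypted
            })
        } elseif ($_.Name -match $NotePattern) {
            $notes.Add($_.FullName)
        }
    }

if ($encrypted.Count -eq 0 -and $notes.Count -eq 0) { "No fckcrypt artefacts under $Path"; return }

# The ID is victim-specific, i.e. one per infected host. Several IDs on a
# single share mean several infected machines wrote to it; each needs containment.
$ids = $encrypted.VictimId | Sort-Object -Unique
"Encrypted files : $($encrypted.Count)"
"Ransom notes    : $($notes.Count)"
"Victim IDs      : $($ids -join ', ')"
if ($encrypted.Count -gt 0) {
    # Earliest and latest write times bracket the encryption window for log correlation.
    $sorted = @($encrypted | Sort-Object Written)
    "Encryption window: $($sorted[0].Written) -> $($sorted[-1].Written)"
}

# Folders that hold a note but no renamed files are listed separately so the
# restore scope is not under-estimated.
$hitDirs = @($encrypted | ForEach-Object { Split-Path $_.Path -Parent } | Sort-Object -Unique)
$notes | Split-Path -Parent | Where-Object { $_ -notin $hitDirs } |
    ForEach-Object { "Note without encrypted files: $_" }

# Per-folder counts help prioritise the restore order.
$encrypted | Group-Object { Split-Path $_.Path -Parent } |
    Sort-Object Count -Descending | Select-Object Count, Name -First 20
```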
2. Detection & Outbreak Timeline
- Earliest telemetry hits: 25-Feb-2023 (limited samples uploaded to VirusTotal from Eastern Europe).
- Bulk of public submissions: 08-Mar-2023 → 23-Mar-2023 (drops off quickly; suspected “test run” or a privately sold builder).
- Current status: effectively dormant, but builders share similarities with the “Harz” ransomware kit sold on dark-web forums; expect cloned campaigns.
3. Primary Attack Vectors (as observed March 2023)
- Phishing with ISO/IMG attachments: e-mail lures (“Invoice”, “Tax notification”). ISO mounts a hidden MSI that side-loads the main .NET payload.
- Compromised RDP / VDI credentials: password spray → manual deploy of fckcrypt.exe via C:\PerfLogs\ or C:\Users\Public\.
- Drive-by downloads: hacked WordPress sites serving an apparently benign “plugin.zip” containing the dropper (utility.exe).
- Exploitation of VERY old vulnerabilities merely as privilege-escalation helpers (not auto-spreading like EternalBlue): CVE-2017-0213 (Windows COM EoP) observed once; patched systems not affected.
REMEDIATION & RECOVERY STRATEGIES
1. Prevention
- Block ISO/IMG/VHD/VHDX at the mail gateway unless explicitly needed.
- Enforce application whitelisting (Defender ASR, AppLocker, WDAC) – binary names vary each campaign but are unsigned C# assemblies, easy to flag.
- Disable macro execution entirely; also block Office child-process spawning via ASR rule 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B.
- RDP lock-down: MFA, account lock-out policies, restricted IP allow-lists, disable port 3389 from Internet.
- Keep OS + all 3rd-party software patched; fckcrypt relies on a publicly known EoP, so updating removes its privilege-escalation step.
- Maintain offline (and immutable) backups – 3-2-1 rule; validate restoration quarterly.
2. Removal (step-by-step)
- Isolate: disconnect NIC / power down Wi-Fi; shut off any mapped cloud drives.
- Identify active malicious processes (random 6-to-9-char names, running out of %PUBLIC%, %TEMP%, or C:\Perflogs).
- Create a memory dump first if forensics will be required, then:
  a) PowerShell (Admin): Stop-Process -Name <rand>
  b) Delete persistence entries in:
     – HKCU\Software\Microsoft\Windows\CurrentVersion\Run
     – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  c) Delete the dropped EXE, the MSI and the ISO/IMG originally opened.
- Run a credible AV/EDR full scan (Defender 1.383.x+, Sophos 2023-03, Kaspersky 2023-03 all detect generically as Ransom.MSIL/Harz-based or Trojan-Ransom.Win32.Agent).
- Check the Shadow Copies it wiped: vssadmin list shadows → note missing entries; no remedy here, but it verifies the attacker’s actions.
- Reboot → confirm no new malicious processes start.
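The removal steps above, together with the self-defence tricks listed under “Other Critical Information”, map onto a handful of host checks. As an added example that is not from the report, the PowerShell audit below only reports what it finds in the locations the report names (processes and Run/RunOnce entries under %PUBLIC%, %TEMP% and C:\PerfLogs, plus the hidden ping -t 8.8.8.8 keep-alive) so a memory dump can still be taken before anything is stopped; the paths are the report's, everything else is read from the host.

```powershell
# Added example, not from the original report: read-only triage of the places
# and behaviours the report names. It only reports, so a memory dump can still
# be taken before anything is stopped or deleted. Run from an elevated shell.
$SuspectDirs = @($env:PUBLIC, $env:TEMP, 'C:\PerfLogs') | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# True when a path lives under %PUBLIC%, %TEMP% or C:\PerfLogs.
function Test-SuspectPath {
    param([string]$FilePath)
    foreach ($dir in $SuspectDirs) {
        if ($FilePath.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Processes whose image sits in a suspect directory: flag random 6-9 char
#    names and missing Authenticode signatures (the builds are unsigned C#).
Get-Process | Where-Object { $_.Path -and (Test-SuspectPath $_.Path) } | ForEach-Object {
    [pscustomobject]@{
        Check = 'Process'; Name = $_.ProcessName; ProcessId = $_.Id; Path = $_.Path
        Signature  = (Get-AuthenticodeSignature -FilePath $_.Path).Status
        RandomName = ($_.ProcessName -match '^[A-Za-z0-9]{6,9}$')
    }
}

# 2. Run / RunOnce values whose command starts in a suspect directory.
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        # strip surrounding quotes and expand %VARS% to recover the executable path
        $exe = [Environment]::ExpandEnvironmentVariables(("$($p.Value)" -replace '^"([^"]+)".*$', '$1'))
        if (Test-SuspectPath $exe) {
            [pscustomobject]@{ Check = 'Persistence'; Key = $key; ValueName = $p.Name; Command = $p.Value }
        }
    }
}

# 3. Keep-alive helper: a hidden "ping -t 8.8.8.8" is a cheap, specific tell;
#    its parent is the process to dump and stop.
Get-CimInstance Win32_Process -Filter "Name = 'PING.EXE'" |
    Where-Object { $_.CommandLine -match '-t\s+8\.8\.8\.8' } |
    ForEach-Object {
        $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
        [pscustomobject]@{ Check = 'KeepAlive'; ProcessId = $_.ProcessId; ParentPath = $parent.Path; CommandLine = $_.CommandLine }
    }
```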
3. File Decryption & Recovery
- Free decryptor available? NO – a safe, universal decryptor does not exist. The ransomware uses Curve25519 + ChaCha20; keys are kept on the attacker’s server. No flaw or hard-coded key found (checked by 4 independent analysts, March-2023).
- Brute-forcing/volume-shadow: volume copies and system-restore are explicitly deleted (vssadmin delete shadows /all /Quiet executed inside the sample).
- Check cloud snapshots & data-centre backup appliances – most victims regain ~80% of data this way.
- File-repair tools (Office, PDF, DB, ZIP header rebuild) can sometimes yield partial content for non-critical files (<10MB each) but expect mixed success.
- Threat-intel note: actor e-mails in the ransom note ([email protected] and [email protected]) went dead <2 weeks after the campaign, reinforcing the suggestion that paying produces nothing.
4. Other Critical Information
- Language artifact: strings contain hard-coded Turkish words (“şifrelenmiş”, “kurtarma”) – tentative geolocation hint, but builder could be sold.
- Self-defence: deletes Windows Error Reporting, disables Task-Mgr via registry, and spawns ping -t 8.8.8.8 with a hidden window to keep the process alive for hours.
- No lateral movement code: human operator (or another bought kit) must pivot manually. Quick containment of patient-zero often halts spread.
- “Harz” builder fee: underground posts quoted USD 400 lifetime ⇒ low barrier to entry → expect copy-cat or re-branded variants using the same extension.
BOTTOM LINE
- Patch, isolate, backup-offline.
- Remove malicious EXE/MSI cleanly – no hidden traces once stopped.
- Assume decryption without payment is impossible; restore from clean backups or rebuild.
- Keep an eye out for the next “Harz”-based campaign – reuse of .f**kcrypt or a new ext is trivial for its buyers.
Stay safe, segment your network, and test those restores!