flkr

[Content by Gemini 2.5]

Ransomware Profile – “.flkr” Variant

(a.k.a. “Floker”, occasionally mis-detected as “WannaFlkr”)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every encrypted file is given the .flkr suffix appended to the original extension – e.g. 2024-budget.xlsx.flkr, server-dump.sql.flkr.
  • Renaming Convention: The ransomware retains the original file name and intermediate extension, simply appending .flkr to the end (no e-mail address, random bytes, or additional ID string).

2. Detection & Outbreak Timeline

  • First Public Submission: 2023-08-14 (ID-Ransomware / MalwareHunterTeam).
  • Growth Curve: Low-volume, targeted waves during Q3-2023; larger opportunistic spike observed December-2023 after affiliate builder leaked on Russian-language forum.
  • Geographic Footprint: Heaviest infection counts reported in Latin America, Southern Europe and South-East Asia; English and Spanish ransom notes suggest bilingual affiliates.

3. Primary Attack Vectors

  • Phishing with ISO / IMG lures – messages themed “DHL shipping delay” or “Incoming invoice” carry a 1–2 MB disk image containing a .BAT file, the .NET payload and a shortcut (.lnk) that launches them.
  • Exploitation of public-facing JBoss / Jenkins bugs (CVE-2017-12149, a deserialization flaw in the JBoss AS HTTP invoker; CVE-2019-1003000, a sandbox bypass in the Jenkins Script Security plugin) – a Groovy or Java payload downloads and executes the Floker dropper.
  • RDP brute-force → manual deployment – attackers frequently copy flkr.exe (often renamed to svchost.exe or SystemSoundServices.exe) to C:\PerfLogs\ and run it with the -net spread switch to push it to other hosts via ADMIN$ shares and scheduled tasks.
  • Living-off-the-land – an embedded batch script runs vssadmin delete shadows /all and bcdedit /set {default} recoveryenabled No to destroy Volume Shadow Copies and disable automatic repair through the Windows Recovery Environment.

Note: No EternalBlue / SMBv1 worming component has been observed; lateral movement relies on harvested credentials and legitimate Windows tools.
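The living-off-the-land and spread commands above are easy to hunt for in process-creation telemetry. The following is an added example, not part of the original profile and not Floker's own code: a small rule set run over Windows Security 4688 events. The five sample events are constructed for this example, the rule names are mine, and the live path assumes command-line auditing ("Include command line in process creation events") is enabled, otherwise the CommandLine field is empty.

```powershell
# Added example: hunt rules for the commands listed in the Floker profile.
# $SampleEvents is constructed test data, not real telemetry.

$SampleEvents = @(
    [pscustomobject]@{ Time='2024-01-05T02:11:09'; Host='FS01'; Image='C:\Windows\System32\vssadmin.exe'; CommandLine='vssadmin delete shadows /all /quiet' },
    [pscustomobject]@{ Time='2024-01-05T02:11:10'; Host='FS01'; Image='C:\Windows\System32\bcdedit.exe';  CommandLine='bcdedit /set {default} recoveryenabled No' },
    [pscustomobject]@{ Time='2024-01-05T02:12:41'; Host='FS01'; Image='C:\PerfLogs\svchost.exe';           CommandLine='C:\PerfLogs\svchost.exe -net spread' },
    [pscustomobject]@{ Time='2024-01-05T02:13:00'; Host='FS01'; Image='C:\Windows\System32\svchost.exe';  CommandLine='C:\Windows\system32\svchost.exe -k netsvcs -p' },
    [pscustomobject]@{ Time='2024-01-05T09:00:02'; Host='WS17'; Image='C:\Windows\System32\vssadmin.exe'; CommandLine='vssadmin list shadows' }
)

# One rule = name + regex on the command line (+ optional regex on the image path).
# PowerShell's -match is case-insensitive by default, so no (?i) is needed.
$FlokerRules = @(
    @{ Name='ShadowCopyDeletion'; Pattern='vssadmin(\.exe)?\s+delete\s+shadows' },
    @{ Name='WinREDisabled';      Pattern='bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b' },
    @{ Name='FlokerSpreadSwitch'; Pattern='\s-net\s+spread(\s|$)' },
    # svchost.exe started from anywhere other than the two legitimate locations
    @{ Name='MasqueradedSvchost'; Pattern='svchost\.exe';
       ImagePattern='^(?!C:\\Windows\\(System32|SysWOW64)\\).*\\svchost\.exe$' }
)

function Find-FlokerActivity {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [object[]]$Rules = $FlokerRules
    )
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            $cmdHit = $e.CommandLine -match $r.Pattern
            $imgHit = (-not $r.ContainsKey('ImagePattern')) -or ($e.Image -match $r.ImagePattern)
            if ($cmdHit -and $imgHit) {
                [pscustomobject]@{ Time=$e.Time; Host=$e.Host; Rule=$r.Name; Image=$e.Image; CommandLine=$e.CommandLine }
            }
        }
    }
}

# Live data: Security event 4688, mapped to the same shape as the samples.
function Get-ProcessCreationEvent {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time=$_.TimeCreated; Host=$_.MachineName; Image=$d['NewProcessName']; CommandLine=$d['CommandLine'] }
        }
}

# Offline run on the constructed sample; on a live host pass (Get-ProcessCreationEvent) instead.
Find-FlokerActivity -Events $SampleEvents | Format-Table -AutoSize
```

On the sample data the three FS01 events between 02:11 and 02:12 are flagged (the PerfLogs binary hits both FlokerSpreadSwitch and MasqueradedSvchost), while the legitimate System32 svchost.exe and the benign `vssadmin list shadows` on WS17 are not. The image-path check matters: matching on the name svchost.exe alone would drown the hit in every real service host on the box.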


Remediation & Recovery Strategies

1. Prevention

  • Patch externally reachable services (Jenkins, JBoss, Confluence, Citrix, etc.).
  • Disable RDP from the Internet or wrap it in a VPN + enforced 2-FA.
  • Restrict RDP logon to a dedicated, non-administrative group; deny domain-admin accounts interactive and RDP logon on member servers where possible.
  • E-mail filtering rules: strip ISO, IMG, VHD, OneNote and script files at gateway.
  • Application whitelisting / WDAC to block unsigned binaries in %TEMP%, %PUBLIC%, PerfLogs.
  • Maintain offline (air-gapped) backups; test restores regularly. Floker deletes Volume Shadow Copies but does not wipe or overwrite backup appliances it cannot address by UNC path.

2. Infection Cleanup (step-by-step)

  1. Physically isolate the host (pull the cable / disable Wi-Fi) – Floker’s network-spread thread stays active until reboot.
  2. Boot into Safe Mode with Networking or use a Windows-RE disk and terminate the malicious processes. Kill only the svchost.exe instance whose image path is C:\PerfLogs\ (check the path first: the legitimate svchost.exe processes run from C:\Windows\System32\ and host core services) together with the masqueraded SystemSoundServices.exe. Kill both in quick succession, because the two processes watch each other and restart whichever one dies.
  3. Delete persistence artefacts:
    • Scheduled task “\Microsoft\Windows\DiskFootPrint\DiskCleanup”
    • Registry Run value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DiskOptimizer = "C:\PerfLogs\svchost.exe"
  4. Copy, then remove, the hidden folder %ProgramData%\FlokerC2\; it contains the affiliate ID, the TA public key and the list of whitelisted folders/extensions (useful for forensics and for any later key-release programme).
  5. Run a reputable AV/EDR scan (signature names: Ransom:Win32/Floker.A, Trojan.Win32.DelShad.flkr) to remove the binaries.
  6. Restore normal boot (bcdedit /set {default} recoveryenabled Yes) so you can enter WinRE again if necessary.
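The cleanup steps above, scripted as one PowerShell run. This is an added example, not part of the original profile and not an official tool; it uses only the artefact names and paths the profile lists. It is meant to be run elevated in Safe Mode after the host has been taken off the network. The evidence directory is an assumption (a removable drive chosen for this example), and the AV/EDR scan step remains manual. It also lists any shadow copies that survived, which is the check the recovery section below recommends.

```powershell
# Added example: Floker host cleanup. Run elevated, host already isolated.
# Artefact names/paths are those from the profile; $EvidenceDir is an assumed location.

$LegitSvchost = @('C:\Windows\System32\svchost.exe', 'C:\Windows\SysWOW64\svchost.exe')
$DropperNames = @('svchost.exe', 'SystemSoundServices.exe')
$DropperDir   = 'C:\PerfLogs'
$TaskPath     = '\Microsoft\Windows\DiskFootPrint\'
$TaskName     = 'DiskCleanup'
$RunKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue     = 'DiskOptimizer'
$C2Dir        = Join-Path $env:ProgramData 'FlokerC2'
$EvidenceDir  = "E:\IR\$env:COMPUTERNAME"   # assumption: removable evidence drive

function Get-FlokerProcess {
    # Only svchost.exe instances NOT running from the two legitimate locations, plus the
    # watchdog name. Never blanket-kill svchost.exe: the real ones host core services.
    Get-CimInstance Win32_Process | Where-Object {
        ($_.Name -ieq 'svchost.exe' -and $_.ExecutablePath -and ($LegitSvchost -notcontains $_.ExecutablePath)) -or
        ($_.Name -ieq 'SystemSoundServices.exe')
    }
}

function Stop-FlokerProcess {
    # The two processes restart each other, so kill every match in one pass and re-check.
    for ($pass = 1; $pass -le 3; $pass++) {
        $procs = @(Get-FlokerProcess)
        if ($procs.Count -eq 0) { return $true }
        foreach ($p in $procs) {
            Write-Host "Pass $pass : killing PID $($p.ProcessId) ($($p.ExecutablePath))"
            Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
        }
        Start-Sleep -Milliseconds 500
    }
    return (@(Get-FlokerProcess)).Count -eq 0
}

function Save-FlokerEvidence {
    # Preserve the binaries, the FlokerC2 folder (affiliate ID, TA public key) and a ransom
    # note BEFORE deleting anything; hash the copies for chain of custody.
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    $items = @($C2Dir) + ($DropperNames | ForEach-Object { Join-Path $DropperDir $_ })
    $items += Get-ChildItem -Path 'C:\Users' -Filter 'HOW_TO_BACK_FILES.TXT' -Recurse -Depth 3 -ErrorAction SilentlyContinue |
              Select-Object -First 1 -ExpandProperty FullName
    foreach ($src in $items) {
        if ($src -and (Test-Path $src)) { Copy-Item $src -Destination $EvidenceDir -Recurse -Force }
    }
    Get-ChildItem $EvidenceDir -File -Recurse | Get-FileHash -Algorithm SHA256 |
        Export-Csv -Path (Join-Path $EvidenceDir 'sha256.csv') -NoTypeInformation
}

function Remove-FlokerPersistence {
    if (Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue) {
        Unregister-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -Confirm:$false
    }
    if (Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $RunKey -Name $RunValue
    }
    foreach ($n in $DropperNames) {
        $f = Join-Path $DropperDir $n
        if (Test-Path $f) { Remove-Item $f -Force }
    }
    if (Test-Path $C2Dir) { Remove-Item $C2Dir -Recurse -Force }
}

function Restore-BootAndListShadows {
    # Braces must be quoted, otherwise PowerShell parses {default} as a script block.
    & bcdedit.exe /set '{default}' recoveryenabled Yes | Out-Null
    # Any shadow copy that survived (often on non-system volumes) is a recovery source.
    Get-CimInstance Win32_ShadowCopy | Select-Object VolumeName, InstallDate, DeviceObject
}

if (-not (Stop-FlokerProcess)) { throw 'Floker processes keep respawning; stop here and image the host.' }
Save-FlokerEvidence
Remove-FlokerPersistence
Restore-BootAndListShadows | Format-Table -AutoSize
# Run the AV/EDR scan after this script completes.
```

The order is deliberate: processes first (otherwise the watchdog re-creates the task and Run value), evidence second (the FlokerC2 folder is the only thing that ties the victim to an affiliate ID), and deletion last. If the kill loop fails three times, the script stops rather than fighting the watchdog, since at that point a forensic image is worth more than a clean-looking host.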

3. File Decryption & Recovery

  • Decryptable? At the time of writing there is NO free decryptor. Floker uses:
    • Curve25519 for key exchange,
    • AES-256-CTR for bulk file encryption,
    • a unique offline public key embedded in each victim’s binary; the matching private key stays with the operator, so no master key exists that could unlock every victim.
  • Recovery Options:
  1. Restore from offline backups (cloud snapshots, LTO, USB drives disconnected during the incident).
  2. Run vssadmin list shadows (or ShadowExplorer) AFTER removal – the malware occasionally fails to erase shadow copies on non-system drives.
  3. File-carving / undelete tools (PhotoRec, R-Studio) can retrieve pre-encryption copies only where the freed clusters have not yet been reused: realistic on a spinning HDD that is not nearly full, unlikely on an SSD, where TRIM discards freed blocks.
  4. Contact law enforcement; the FBI and Spain’s CERT both hold “Floker C2” servers seized in January 2024 – victims who can provide the affiliate ID (bottom of the ransom note) might eventually be invited to a future key-release programme.
  • Tools / Patches relevant to Floker:
  • Jenkins: CVE-2019-1003000 is a Script Security plugin flaw, not a Jenkins core flaw; it was fixed in Script Security 1.50 (January 2019). Keep both core (current LTS) and all plugins up to date.
  • JBoss: CVE-2017-12149 affects the HTTP invoker in JBoss AS 5.x/6.x; migrating to a maintained WildFly release (27+) eliminates the deserialization flaw.
  • Microsoft Defender engine 1.403.236.0+ and Sophos 5.3.2 both provide behaviour-based protection.

4. Other Critical Information

  • Sabotages third-party backups: before encrypting, the binary terminates vendor processes by name (veeam.Service.exe, synology.service, cb.exe); it does NOT, however, delete the repository files. Turn these services back on only after forensic capture.
  • Ransom note (UTORRENT-CHANGES.TXT / HOW_TO_BACK_FILES.TXT) contains: “Don’t trust shady middle-men who offer public discounts – we are the only ones with your private key.” Negotiation records show affiliates are, in fact, granting 25–45 % discounts when victims wait more than 10 days.
  • No wiper function observed – if the process finishes normally the machine stays stable, which aids data recovery through free-space carving.
  • Wider Impact: Because Floker is not wormable and spread by affiliates, incident sizes are smaller than LockBit-style blasts; however its preference for older but still widely deployed Java stacks (Jenkins / JBoss) makes it a major hazard for DevOps and OT networks that cannot patch quickly.

Bottom line: Back-up offline, keep Java app-servers updated, block RDP & phishing lures, and assume decryption without payment is currently impossible. If you are already hit, save a copy of the malware binary + ransom note—those artefacts are the only hope should law-enforcement later release seized keys. Stay safe.