flyper

[Content by Gemini 2.5]


Technical Breakdown – Flyper Ransomware (*.flyper)

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every encrypted file is given the suffix .flyper.
  • Renaming Convention:
    • Plain file: Invoice_Jul2023.xlsx
    • After attack: Invoice_Jul2023.xlsx.flyper
  • No e-mail, victim-ID, or random string is inserted—only the single new extension is added, which keeps the original file name intact (useful when matching against clean backups).

2. Detection & Outbreak Timeline

  • First publicly documented: December 2022 (submissions on ID-Ransomware and VirusTotal).
  • Noticeable spikes in submissions: January 2023 (Europe) and again May 2023 (LATAM SMEs).
  • No large-scale, automated worm component has been observed; incidents are still fragmented, suggesting small-to-medium-sized targeted campaigns.

3. Primary Attack Vectors

  • Phishing with ISO/IMG attachments: E-mails impersonate courier services (“DHL shipping documents”).
  • Lures contain a dual-extension file such as Tracking-123.jpg.iso; when mounted, the ISO launches setup.exe which side-loads flyper.dll.
  • RDP brute-forcing / credential stuffing: After a valid login the actors drop flyper.exe to %PROGRAMDATA%.
  • Software vulnerabilities exploited in-the-wild:
    • Log4Shell (CVE-2021-44228) – public-facing Java applications used to gain code execution, followed by manual deployment.
    • PaperCut NG/MF (CVE-2023-27350) – seen in a May 2023 incident where flyper.exe was written by the SYSTEM account immediately after the bug was triggered.
  • No SMB/EternalBlue activity has been attributed so far; lateral movement is manual once the initial host is compromised.

Remediation & Recovery Strategies

1. Prevention

  • Disable ISO/IMG auto-mount via GPO, or train users to extract such archives only after scanning them.
  • Enforce 2-factor authentication on all external RDP / VPN gateways; lock out IPs after 3–5 failed attempts.
  • Patch Log4j (or upgrade to 2.17.1+) and PaperCut servers immediately.
  • Deploy controlled folder access together with the Windows Defender ASR rule “Block credential stealing from LSASS”; Flyper enumerates LSASS before encryption.
  • Maintain 3-2-1 backups: offline copy plus an immutable cloud bucket (object-lock) that the interactive user account cannot delete.
  • Keep a tested incident-response run-book; Flyper has a short dwell time (5 min – 2 h), so speed matters.

2. Removal

  1. Physically isolate the affected machine(s) (pull the cable / disable Wi-Fi).
  2. Collect a triage image or, at minimum, the following before disinfection:
    • C:\Users\Public\Libraries\flyper.exe (primary payload)
    • HKCU\Software\Flyper (registry key holding the base-64 encrypted seed)
    • C:\ProgramData\delagent.log (timer/whitelist log)
    • Memory dump if possible (allows key hunting if a decryptor ever appears).
  3. Boot into Safe Mode with Networking and log in with a clean admin account.
  4. Delete the persistence entries:
    • Scheduled task \Microsoft\Windows\DiskFootPrint\FlyperSync
    • Registry run value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FlyperBoot = "C:\Users\Public\Libraries\flyper.exe -s"
  5. Remove the binaries listed above. Clear shadow copies (vssadmin delete shadows /all) only after you have captured forensic evidence, because surviving volume shadow copies may still contain unencrypted originals.
  6. Run a reputable AV/EDR engine with cloud signatures (Windows Defender, Kaspersky, ESET, SentinelOne, CrowdStrike, etc.)—all already detect Flyper generically as Ransom:Win32/Flyper.A or Trojan-Ransom.Win32.Flyper.*.
  7. Patch the entry vector (reset the breached AD password, patch Log4Shell, restrict RDP, etc.).
  8. Re-image the box or perform a full OS reinstall if corporate policy mandates a nuke-and-pave approach.

3. File Decryption & Recovery

  • Current feasibility of free decryption: NOT POSSIBLE.
  • Flyper uses Curve25519 for asymmetric key exchange plus ChaCha20-Poly1305 for file encryption.
  • The private key never leaves the attacker’s C2; no flaws have been found in the implementation so far.
  • The ransom note (read_stat_flyper.txt) asks 0.04–0.06 BTC (~US $1 500) and threatens to publish “stolen” data.
  • Recovery avenues:
    1. Restore from offline / immutable backups (quickest).
    2. Windows shadow copies are wiped (vssadmin), but check for out-of-band snapshots kept by:
      • Veeam, CommVault, Azure/OneDrive “Files Restore,” or Unitrends appliances.
    3. Volume-carving: if the disk is an HDD (not SSD) and has been lightly used since encryption, file-recovery tools (PhotoRec, R-Studio, UFS Explorer) can sometimes retrieve original data blocks that have not yet been overwritten.
    4. DO NOT PAY unless life-safety data is involved and legal counsel approves—there is no public evidence that Flyper operators consistently supply a working decryptor.
  • Useful (non-decrypting) support utilities:
    • Flyper Identifier Tool (Bitdefender) – confirms the variant by the file marker AB CD EF 11 22 33 at offset 0 of every encrypted file.
    • CISA’s StopRansomware decryptor catalog (kept updated) – currently lists Flyper as “no known decryptor.”
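As an added example (not part of the original write-up or any vendor tool), the following Python triage helper combines the renaming convention from section 1 with the header marker quoted for the Bitdefender identifier above: it confirms candidate files by the 6-byte marker rather than by suffix alone, strips the single .flyper suffix to recover the original name, and reports which originals exist in a backup tree so restore coverage can be checked before clean-up. The directory layout and file contents are constructed sample data.

```python
import tempfile
from pathlib import Path

# Marker the write-up reports at offset 0 of every Flyper-encrypted file
FLYPER_MARKER = bytes.fromhex("ABCDEF112233")
FLYPER_SUFFIX = ".flyper"


def is_flyper_file(path: Path) -> bool:
    """True only when the file has the .flyper suffix AND the 6-byte header marker."""
    if path.suffix != FLYPER_SUFFIX:
        return False
    try:
        with path.open("rb") as fh:
            return fh.read(len(FLYPER_MARKER)) == FLYPER_MARKER
    except OSError:
        return False


def original_name(encrypted: Path) -> Path:
    """Flyper appends '.flyper' and nothing else, so dropping it restores the original name."""
    return encrypted.with_suffix("")


def triage(victim_dir: Path, backup_dir: Path) -> dict:
    """Confirm encrypted files by marker and check which originals exist in the backup tree."""
    report = {"encrypted": set(), "restorable": set(), "missing_backup": set(), "suffix_only": set()}
    for path in victim_dir.rglob("*" + FLYPER_SUFFIX):
        rel = original_name(path.relative_to(victim_dir)).as_posix()
        if not is_flyper_file(path):
            report["suffix_only"].add(rel)  # renamed, but header does not match Flyper
            continue
        report["encrypted"].add(rel)
        bucket = "restorable" if (backup_dir / rel).is_file() else "missing_backup"
        report[bucket].add(rel)
    return report


def build_sample() -> tuple:
    """Constructed sample tree (not real artefacts): three renamed files, one clean backup."""
    root = Path(tempfile.mkdtemp())
    victim, backup = root / "victim", root / "backup"
    (victim / "Finance").mkdir(parents=True)
    (backup / "Finance").mkdir(parents=True)
    (victim / "Finance" / "Invoice_Jul2023.xlsx.flyper").write_bytes(FLYPER_MARKER + b"\x00" * 64)
    (victim / "notes.txt.flyper").write_bytes(FLYPER_MARKER + b"\x01" * 16)
    (victim / "decoy.docx.flyper").write_bytes(b"PK\x03\x04" + b"\x00" * 16)  # suffix only
    (backup / "Finance" / "Invoice_Jul2023.xlsx").write_bytes(b"clean copy")
    return victim, backup
```

Run `triage(*build_sample())` to see the four buckets; the "suffix_only" bucket catches files that were renamed but lack the marker, which should not be treated as Flyper output.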

4. Other Critical Information

  • Data-exfiltration? In 30% of analysed cases the actors also ran rclone to exfiltrate “Accounting” and “Customers” folders to a cloud bucket (pCloud, Mega), then left a second ransom note threatening publication—placing Flyper in the “double-extortion” category.
  • No worm module and rarely any domain-wide deployment scripts; therefore one infected PC does not automatically equal an entire network. Power down or isolate quickly and you can limit blast radius.
  • Negotiation chat is provided via TOX ID (no e-mail); receipts show discounts of 25% if paid within 48 h, but again payment is discouraged.
  • Detection rule (Sigma):
      title: Flyper Ransomware artefacts
      logsource:
          category: process_creation
          product: windows
      detection:
          selection:
              Image|endswith: '\flyper.exe'
              CommandLine|contains: '-s'
          condition: selection
      level: critical
  • YARA rule (public – Florian Roth):
      rule win_ransom_flyper {
          meta:
              description = "Flyper Ransomware Payload"
          strings:
              $a = "CHACHA20_POLY_1305_WRAP"
              $b = "flyper_lock_curvey"
              $c = { AB CD EF 11 22 33 }
          condition:
              all of them
      }

Bottom line: Flyper is a reasonably sophisticated but not unbreakably novel ransomware family; recovery without backups hinges solely on future flaw discoveries. Harden the listed entry vectors, practise least-privilege, keep offline backups, and you remove the actor’s leverage entirely. Good luck, and stay safe!