for

[Content by Gemini 2.5]

Ransomware Intelligence Report

Variant tracked by extension: .for


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every encrypted file receives the secondary extension .for (e.g., Project.xlsx → Project.xlsx.for).
  • Renaming Convention: The original filename and internal structure are preserved; only the extra suffix is appended. No email address, random ID, or base-name alteration is performed—behaviour consistent with “Dharma/CrySiS” family derivatives.

2. Detection & Outbreak Timeline

  • First observed in the wild: Mid-November 2022 (earliest sandbox uploads 18 Nov 2022).
  • Notable spikes: January 2023 (leveraging Log4Shell in VMware Horizon) and May-June 2023 (paired with Raspberry Robin worm).

3. Primary Attack Vectors

  • Open RDP (TCP 3389) + brute-forced or previously-stolen credentials – still the #1 entry point (70% of incident-response engagements).
  • Phishing attachments – ISO → LNK → BAT → for.exe, or Word docs with malicious external template fetching the payload.
  • Software vulnerabilities exploited post-breach to escalate & propagate:
    – Log4Shell (CVE-2021-44228, 45046)
    – SonicWall GMS/Analyzer (CVE-2021-20034)
    – ProxyShell (CVE-2021-34473/34523/31207)
    – PaperCut MF/NG (CVE-2023-27350)
  • Living-off-the-land lateral movement: WMI / PsExec / SMBExec once a domain user token is captured (no EternalBlue necessary, but SMBv1 is still used for copy when available).
  • Dropped by second-stage loaders: Raspberry Robin, MSX/Final1, and IcedID.

Remediation & Recovery Strategies

1. Prevention

  • Kill the initial vectors
    – Remove RDP from the Internet or wrap with MFA/VPN; enforce NLA & “High” encryption level.
    – Patch everything listed in §3 immediately.
    – Disable macro execution for files from the Internet and block the container formats used to bypass mark-of-the-web (FSLogix, ISO, IMG).
  • Harden credentials
    – Force 14-16+ char complex passwords, block reuse, enable LAPS for local admin.
    – Protect privileged accounts with ESAE / red-forest (tiering).
  • Application controls
    – Turn on Windows Defender ASR rules: “Block credential stealing”, “Block process creations from Office”, “Block executable files running unless they meet a prevalence, age or trusted list criteria”.
  • Logging & detection
    – Enable PowerShell, WMI, Sysmon, RDP, and SAM-object auditing; forward to a SIEM/on-prem collector that the malware cannot reach.
    – Create canary file shares and alert on mass renames to *.for.
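The following is an added example, not part of the report, showing the detection logic behind the last bullet: a small detector that runs over file-creation events and raises an alert on a burst of files created with the .for suffix on one host, on the ransom note README_FOR.txt appearing, and on any write into a canary share. The log lines are constructed for the example and use a simplified `timestamp|host|event|path` form rather than real Sysmon XML; the 60-second window, the threshold of five files and the canary share path are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)          # assumption: burst window per host
THRESHOLD = 5                           # assumption: *.for creations that count as a burst
CANARY_PREFIX = "\\\\FS01\\Canary\\"    # assumption: a canary share nobody should write to
NOTE_NAME = "readme_for.txt"            # ransom note name reported for this variant

# Constructed sample events (Sysmon Event ID 11 style, flattened to one line each).
SAMPLE_LOG = """\
2023-05-12T09:14:01|FS01|FileCreate|\\\\FS01\\Finance\\Q1\\budget.xlsx
2023-05-12T09:14:02|FS01|FileCreate|\\\\FS01\\Finance\\Q1\\budget.xlsx.for
2023-05-12T09:14:02|FS01|FileCreate|\\\\FS01\\Finance\\Q1\\forecast.docx.for
2023-05-12T09:14:03|FS01|FileCreate|\\\\FS01\\Finance\\Q1\\README_FOR.txt
2023-05-12T09:14:03|FS01|FileCreate|\\\\FS01\\Finance\\Q2\\invoices.pdf.for
2023-05-12T09:14:04|FS01|FileCreate|\\\\FS01\\Finance\\Q2\\payroll.xlsx.for
2023-05-12T09:14:04|FS01|FileCreate|\\\\FS01\\Canary\\DO_NOT_TOUCH.docx.for
2023-05-12T09:20:10|WS07|FileCreate|C:\\Users\\alice\\Desktop\\notes.txt
2023-05-12T09:25:00|WS07|FileCreate|C:\\Users\\alice\\Documents\\report.docx.for
"""


def parse_line(line):
    """Split one constructed event line into (timestamp, host, event, path)."""
    ts, host, event, path = line.split("|", 3)
    return datetime.fromisoformat(ts), host, event, path


def detect(log_text, threshold=THRESHOLD, window=WINDOW, canary_prefix=CANARY_PREFIX):
    """Return a list of (alert_kind, host, detail) tuples in the order they fire."""
    alerts = []
    recent = defaultdict(deque)   # host -> timestamps of *.for creations inside the window
    burst_alerted = set()         # fire the mass-rename alert once per host
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, event, path = parse_line(raw)
        if event != "FileCreate":
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        if name == NOTE_NAME:
            alerts.append(("ransom_note", host, path))
        if not name.endswith(".for"):
            continue
        if path.lower().startswith(canary_prefix.lower()):
            alerts.append(("canary_touched", host, path))
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in burst_alerted:
            burst_alerted.add(host)
            alerts.append(("mass_rename", host, f"{len(q)} *.for files within {window.seconds}s"))
    return alerts


if __name__ == "__main__":
    for kind, host, detail in detect(SAMPLE_LOG):
        print(f"[{kind}] {host}: {detail}")
```

In the constructed data the single .for file on WS07 never reaches the threshold, so only FS01 produces alerts; in a real deployment the canary and ransom-note checks are the high-confidence signals, while the burst threshold needs tuning against legitimate bulk operations such as backup jobs.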

2. Removal (step-by-step)

  1. Disconnect the host from the network (Wi-Fi & Ethernet); do NOT power off until a memory dump is saved—decryption keys may linger.
  2. Collect volatile artefacts: for.exe, *.bat, *.ps1, HKCU\Software\Microsoft\Windows\CurrentVersion\Run, Sysmon/EVTX, RAM dump via Kroll/Redline.
  3. Identify persistence:
    – Registry run-key name normally “Outlook” or “MS-Update” pointing to %AppData%\for.exe.
    – Scheduled task: \Microsoft\Windows\Maintenance\ForUpdate.
  4. Quarantine the executable (hash will vary; submit to VirusTotal) and delete the created service / task.
  5. Patch the exploitation entry point (Horizon, PaperCut, etc.) before returning the host online.
  6. Run a reputable EDR full scan in Safe-Mode (Defender, Sophos, CrowdStrike, SentinelOne).
  7. Password-reset & token-reissue for every account present on the compromised machine.
  8. Re-image if budget/SLA allows—fastest way to guarantee back-door removal.
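As an added example for step 3 (not part of the report), the script below parses the text output of two built-in Windows commands, `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `schtasks /query /fo CSV`, and flags the persistence indicators the report lists: Run values named “Outlook” or “MS-Update”, any Run value pointing at for.exe under AppData, and the task \Microsoft\Windows\Maintenance\ForUpdate. The command output embedded below is constructed; the indicator names and paths are the ones the report gives. Parsing saved command output rather than reading the live registry keeps the triage portable and lets it run against evidence collected in step 2.

```python
import csv
import io
import re

RUN_VALUE_NAMES = {"outlook", "ms-update"}                 # run-key value names from the report
TASK_PATH = r"\Microsoft\Windows\Maintenance\ForUpdate"    # scheduled task from the report

# Constructed `reg query ...\Run` output (4-space separated columns, as reg.exe prints).
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Outlook    REG_SZ    C:\Users\alice\AppData\Roaming\for.exe
    MS-Update    REG_EXPAND_SZ    %AppData%\for.exe
"""

# Constructed `schtasks /query /fo CSV` output; schtasks repeats the header row per task folder.
SCHTASKS_CSV = """\
"TaskName","Next Run Time","Status"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"
"TaskName","Next Run Time","Status"
"\\Microsoft\\Windows\\Maintenance\\ForUpdate","5/13/2023 3:00:00 AM","Ready"
"""

REG_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_run_key(text):
    """Turn reg.exe value lines into dicts of name/type/data; the key header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            entries.append({"name": m.group(1), "type": m.group(2), "data": m.group(3)})
    return entries


def flag_run_entries(entries):
    """Keep entries whose value name or target path matches the reported indicators."""
    hits = []
    for e in entries:
        data = e["data"].lower()
        name_hit = e["name"].lower() in RUN_VALUE_NAMES
        path_hit = data.endswith("\\for.exe") and "appdata" in data
        if name_hit or path_hit:
            hits.append(e)
    return hits


def parse_tasks(csv_text):
    """Return task names from schtasks CSV output, dropping the repeated header rows."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["TaskName"] for r in rows if r["TaskName"] != "TaskName"]


def flag_tasks(task_names):
    return [t for t in task_names if t.lower() == TASK_PATH.lower()]


def triage(reg_text, tasks_text):
    """Summarise both checks; an empty result means no reported indicator was found."""
    return {
        "run_key": flag_run_entries(parse_run_key(reg_text)),
        "tasks": flag_tasks(parse_tasks(tasks_text)),
    }


if __name__ == "__main__":
    result = triage(REG_QUERY_OUTPUT, SCHTASKS_CSV)
    for e in result["run_key"]:
        print(f"Run value {e['name']!r} -> {e['data']}")
    for t in result["tasks"]:
        print(f"Scheduled task {t}")
```

A clean result from this script only rules out the indicators named in the report; treat any other Run value or task pointing into a user-writable directory with the same suspicion, since the names vary between campaigns.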

3. File Decryption & Recovery

  • Current feasibility of free decryption: LIMITED.
    .for is a Dharma/CrySiS derivative which re-uses AES-256 in CBC mode with a randomly generated per-file key, wrapped by attacker-controlled RSA-1024. The private RSA key is not embedded; therefore, generic decryptors do not exist unless the master private key is published or law-enforcement seizes it.
  • Historical exceptions:
    – CISA’s “Dharma Decryptor” (2021-07) worked only for the 2017 master keys—it does NOT unlock *.for campaigns after 2022.
    – Victims can still check the repository maintained by CERT-PL (https://www.decryptor.pl/) for future leaks; if a working key appears, a universal decryptor will be posted there.
  • What you CAN try today if no backup exists:
    – Shadow-copy (vssadmin list shadows) → rarely deleted in early variants; use ShadowExplorer.
    – Windows “Previous Versions” tab on file-properties.
    – File-recovery carving: Photorec / R-Studio → good for large media, poor for Office docs (fragmented post-encryption).
  • Paying the ransom: Not recommended—no guarantee, may invite re-extortion, and funds criminal development. If business-critical, engage a reputable negotiation firm and perform full KYC on the threat actor wallet to assess OFAC sanctions risk.

4. Other Critical Information

  • Unique characteristics:
    – Drops a plain-text note README_FOR.txt in every folder and on the desktop.
    – Email contacts change every campaign: [email protected], [email protected], [email protected].
    – The note threatens to publish data, but no dedicated leak site has been observed—bluff in most cases.
    – Self-kills if the keyboard layout is 0x419 (Russian) or 0x422 (Ukrainian); still implements a hard-coded whitelist of IPs belonging to former CIS banks, signalling operator origin.
  • Broader impact:
    – Healthcare entities in CEE, mid-tier manufacturing, and county-level government in the US have been hit, with an average demand of US $18k.
    – Because .for uses a renamed open-source commodity locker, cloned variants are appearing (*.ETH, *.XIAMEN, *.FARGO)—defences built for .for protect against the whole cluster.

Must-Have Tools & Patches (download only from official sources)

  • Log4j v2.17.1+ (or 2.3.2 / 2.12.4 for legacy)
  • Microsoft Exchange CU Nov-2021 (covers ProxyShell)
  • PaperCut MF/NG 20.1.5, 21.2.10, 22.0.4 (or latest)
  • SonicWall GMS/Analyzer 9.3.1 SP1 Hotfix 2
  • Kaspersky RakhniDecryptor (updated frequently) – does NOT yet cover .for but worth re-checking.
  • CISA “StopRansomware” guide & NIST IR-series playbooks.
  • Microsoft Defender 1.387.318+ (detects Dharma:Crysis!rfn) – ensure cloud-delivered protection is ON.

Stay vigilant, patch fast, follow 3-2-1 backup gospel, and never expose RDP to the open Internet.

If you become a victim, preserve evidence, involve law-enforcement (FBI IC3 / national CERT), and only then attempt recovery or decryption.