force

[Content by Gemini 2.5]

Ransomware Brief – “.force” Extension

Use this guide to recognize, contain, and recover from attacks that append the .force extension to encrypted data.


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmed suffix: .force (lower-case) is concatenated to the original filename.
  • Renaming convention example:
    Quarterly-Report.xlsx → Quarterly-Report.xlsx.force
  • No e-mail or victim-ID string is added (unlike variants such as Dharma/CrySiS), so the extension is the only visible marker.
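Added example (not part of the original brief): a PowerShell scan that finds files carrying the .force suffix, maps each back to the original name by stripping the appended extension, and measures byte entropy of the first 64 KiB so genuinely encrypted files (entropy near 8 bits/byte) stand out from stray renames. The share path and entropy threshold are assumptions for the demo.

```powershell
# Added example, not the brief's own tooling. Inventory *.force files under a
# path, derive the original filename (".force" is simply appended), and flag
# high-entropy content. Root path and threshold are assumed values.

function Get-ByteEntropy {
    param([string]$Path, [int]$SampleBytes = 65536)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $SampleBytes
        $n = $fs.Read($buf, 0, $SampleBytes)
    } finally { $fs.Dispose() }
    if ($n -le 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $n
            $h -= $p * [Math]::Log($p, 2)      # Shannon entropy in bits per byte
        }
    }
    return [Math]::Round($h, 3)
}

function Find-ForceEncryptedFiles {
    param(
        [Parameter(Mandatory)][string]$Root,
        [double]$EntropyThreshold = 7.5          # assumed cut-off; plain office files sit well below this
    )
    Get-ChildItem -Path $Root -Recurse -File -Filter '*.force' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # ".force" is concatenated to the original name, so dropping the last 6 chars restores it.
            $original = $_.FullName.Substring(0, $_.FullName.Length - 6)
            $entropy  = Get-ByteEntropy -Path $_.FullName
            [pscustomobject]@{
                Encrypted        = $_.FullName
                OriginalName     = $original
                OriginalExists   = Test-Path -LiteralPath $original   # usually $false: original is replaced
                Entropy          = $entropy
                LikelyCipherText = ($entropy -ge $EntropyThreshold)
                LastWrite        = $_.LastWriteTime
            }
        }
}

# Usage (assumed share path). Sorting by LastWrite gives the encryption start time,
# which bounds the window to search in logon and RDP logs.
Find-ForceEncryptedFiles -Root 'D:\Shares' | Sort-Object LastWrite | Format-Table -AutoSize
```

The earliest LastWrite timestamp in the output is the most useful single value from this scan: it anchors the containment timeline and the log window for the forensic checks later in this brief.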

2. Detection & Outbreak Timeline

  • First public submissions: late January 2017 (ID-Ransomware, MalwareHunterTeam tweets).
  • Peak activity: February to May 2017, often bundled with Gen:Trojan.Heur.FU droppers and RIG / Sundown exploit kits.
  • Still circulating via exposed RDP and cracked software bundles, albeit at a lower volume.

3. Primary Attack Vectors

  • RDP brute-force & credential stuffing – most common entry today.
  • Exploit kits (RIG, Sundown) targeting:
      • IE/Flash: CVE-2015-8651, CVE-2016-4117
      • Silverlight: CVE-2016-0034
  • Malicious e-mail attachments (Office macros or JS inside .7z).
  • Bundles on warez/torrent sites masquerading as game cracks or MS Office activators.
  • No SMB/EternalBlue component has been observed for .force.

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

  • Disable RDP if unused; if required, enforce:
      • Network Level Authentication (NLA)
      • Account lock-out after 3–5 failed logins
      • IP-whitelist or VPN-only access
  • Apply latest OS & browser patches – especially the CVEs listed above.
  • Disable Office macros via GPO; block executable content from %TEMP%.
  • Maintain offline (air-gapped) backups with versioning and periodic restore drills.
  • Deploy EDR/NGAV with behavioural detection for *.force drops, Heur.FU signatures, and entropy-based file-change monitoring.
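Added example (not part of the original brief): a PowerShell audit-then-enforce script for the RDP controls listed under Prevention: NLA required, lock-out after 5 failed logins, and the built-in "Remote Desktop" firewall rule group scoped to known source ranges. The allowed ranges are assumptions; run it from an elevated session on the host being hardened.

```powershell
# Added example, not the brief's own tooling. Audit first (Test-RdpHardening),
# then apply (Set-RdpHardening) once the allowed source ranges are confirmed.
# The 10.0.0.0/8 and 192.168.50.0/24 ranges are assumed VPN / jump-host subnets.

function Test-RdpHardening {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    $rdpDisabled = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
    $nlaRequired = (Get-ItemProperty -Path $tcp -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication  -eq 1

    # "net accounts" prints the local lock-out policy; "Never" (no digits) means no lock-out.
    $line = net accounts | Select-String 'Lockout threshold'
    $threshold = if ($line -and $line.Line -match '(\d+)\s*$') { [int]$Matches[1] } else { 0 }

    # Any enabled RDP rule still open to "Any" remote address is a finding.
    $openToAny = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter |
        Where-Object { $_.RemoteAddress -contains 'Any' }

    [pscustomobject]@{
        RdpDisabled        = $rdpDisabled
        NlaRequired        = $nlaRequired
        LockoutThreshold   = $threshold
        LockoutOk          = ($threshold -ge 3 -and $threshold -le 5)
        RdpOpenToAnySource = [bool]$openToAny
    }
}

function Set-RdpHardening {
    param([string[]]$AllowedSources = @('10.0.0.0/8', '192.168.50.0/24'))   # assumed ranges

    $tcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 -Type DWord   # require NLA

    # Lock out after 5 bad logins for 30 minutes; the bad-login counter resets after 30 minutes.
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

    # Scope every enabled RDP rule to the allowed source ranges.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
        Set-NetFirewallRule -RemoteAddress $AllowedSources
}

Test-RdpHardening        # audit: every $false / "open to any" row is a gap to close
# Set-RdpHardening       # enforce, after confirming the ranges will not lock out legitimate admins
```

Run the audit on a sample of hosts before enforcing: a mis-scoped RemoteAddress list on a remote server cuts off your own RDP session, so confirm the VPN or jump-host subnet is in the list first.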

2. Removal (Step-by-Step)

  1. Physically disconnect the infected machine(s) from LAN/Wi-Fi.
  2. Boot into Safe Mode with Networking or use a clean WinPE USB.
  3. Identify & kill the parent process (commonly psexesvc.exe, javaupd.exe, or <random-name>.exe running from %APPDATA% or %TEMP%).
  4. Delete persistence artefacts:
       • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
       • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
       • Scheduled tasks named “chkdsk” or “syshelper” that launch the same .exe.
  5. Delete the dropped binaries (check C:\ProgramData\ and %USERPROFILE%\AppData\Local\Temp\).
  6. Check whether any shadow copies survived the ransomware’s wipe: run vssadmin list shadows (inspect only; do not delete anything).
  7. Update engine & signatures, then run a full scan with a reputable AV/EDR to confirm cleanup.
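Added example (not part of the original brief): a PowerShell triage script for the persistence locations named in the removal steps (HKCU/HKLM Run keys and scheduled tasks). It flags entries that launch something from a user-writable staging path (%APPDATA%, %TEMP%, %LOCALAPPDATA%\Temp, C:\ProgramData), lists surviving shadow copies read-only, and only removes findings when explicitly piped to the removal function. The staging-path list is an assumption.

```powershell
# Added example, not the brief's own tooling. Report autostart entries that
# point into staging directories; removal is a separate, explicit step so the
# binaries can be preserved for analysis first. Staging paths are assumed.

function Get-SuspiciousAutostarts {
    $stagingDirs = @(
        $env:APPDATA, $env:TEMP, (Join-Path $env:LOCALAPPDATA 'Temp'), 'C:\ProgramData'
    ) | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

    function Test-Staged([string]$cmd) {
        if (-not $cmd) { return $false }
        $c = [Environment]::ExpandEnvironmentVariables($cmd).ToLowerInvariant()
        foreach ($d in $stagingDirs) { if ($c.Contains($d)) { return $true } }
        return $false
    }

    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip provider metadata (PSPath etc.)
            if (Test-Staged $p.Value) {
                [pscustomobject]@{ Kind = 'RunKey'; Location = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }

    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if (Test-Staged $cmd) {
                [pscustomobject]@{ Kind = 'ScheduledTask'; Location = $task.TaskPath; Name = $task.TaskName; Command = $cmd }
            }
        }
    }
}

function Remove-SuspiciousAutostarts {
    param([Parameter(ValueFromPipeline)]$Finding)
    process {
        switch ($Finding.Kind) {
            'RunKey'        { Remove-ItemProperty -Path $Finding.Location -Name $Finding.Name }
            'ScheduledTask' { Unregister-ScheduledTask -TaskPath $Finding.Location -TaskName $Finding.Name -Confirm:$false }
        }
    }
}

# Shadow copies: list what survived. This only reads; nothing is deleted.
Get-CimInstance -ClassName Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName

$findings = Get-SuspiciousAutostarts
$findings | Format-Table -AutoSize
# $findings | Remove-SuspiciousAutostarts   # only after copying the referenced binaries off for analysis
```

Review the findings list by hand before piping it to removal: legitimate updaters also run from %APPDATA%, and the binary path in each finding is what you hand to the AV/EDR scan in the final step.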

3. File Decryption & Recovery

  • No flaw has been found in the AES-256 (file) + RSA-2048 (key) implementation used by .force.
  • Free decryptor does NOT exist.
  • Recovery options:
       1. Restore from offline backups.
       2. Leverage Volume Shadow Copy if it was not erased (check with ShadowExplorer or vssadmin).
       3. Windows File-History / 3rd-party backup drives.
       4. File-carving/undelete tools (PhotoRec, R-Studio) – only partial success because ransomware overwrites portions of large files.
       5. Negotiation / paying the ransom is discouraged (no guarantee, fuels crime). If an organisation considers payment, involve law-enforcement and perform a risk/cost analysis.

4. Other Critical Information

  • Ransom note filenames: READTHIS_NOW.txt, !-!HOW-TO-FIX-!-!.txt, FORCE-RECOVER.txt.
  • Contact e-mails historically:
    recoveryhelp(@)bk.ru, force101(@)mail2tor.com, filefix(@)protonmail.ch
    (always verify the current note on your own system).
  • No wiper functionality – encryption is reversible in theory if RSA private key is obtained.
  • Lateral movement is manual: attackers use credential dumpers (Mimikatz, LaZagne) then RDP to other hosts; therefore one compromised admin = domain-wide encryption in minutes.
  • Post-breach forensics: look for ntds.dit dumps, cleared event logs, logon events (ID 4624) from unusual IP ranges, and newly created accounts named “backup” or “support”.
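Added example (not part of the original brief): PowerShell queries over the Security log for the post-breach signals listed above: RDP logons (Event ID 4624, logon type 10) from source IPs outside the expected ranges, audit-log clearing (Event ID 1102), and creation of accounts named "backup" or "support" (Event ID 4720). The allowed ranges, look-back window and account names are assumptions; the event IDs and field names are standard Windows Security auditing.

```powershell
# Added example, not the brief's own tooling. Pull 4624 / 4720 / 1102 events
# and apply the filters the brief describes. Allowed ranges, look-back window
# and watched account names are assumed values.

function Test-IPv4InCidr([string]$Ip, [string]$Cidr) {
    # Prefix match done byte by byte, avoiding 32-bit shift edge cases.
    $net, $prefix = $Cidr.Split('/')
    try {
        $a = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
        $b = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    } catch { return $false }
    if ($a.Length -ne 4 -or $b.Length -ne 4) { return $false }
    $remaining = [int]$prefix
    for ($i = 0; $i -lt 4 -and $remaining -gt 0; $i++) {
        $take = [Math]::Min(8, $remaining)
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($b[$i] -band $mask)) { return $false }
        $remaining -= $take
    }
    return $true
}

function ConvertFrom-EventData($Event) {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
    $d = @{}
    $x = [xml]$Event.ToXml()
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-SuspiciousRdpLogons {
    param([string[]]$AllowedSources = @('10.0.0.0/8', '192.168.50.0/24'), [int]$LookBackDays = 30)
    $since = (Get-Date).AddDays(-$LookBackDays)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d['LogonType'] -ne '10') { return }                 # 10 = RemoteInteractive (RDP)
            $ip = "$($d['IpAddress'])"
            if ($ip -notmatch '^\d+\.\d+\.\d+\.\d+$') { return }     # '-', '::1' etc. are local logons
            $allowed = $false
            foreach ($c in $AllowedSources) { if (Test-IPv4InCidr $ip $c) { $allowed = $true; break } }
            if (-not $allowed) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    SourceIp    = $ip
                    Workstation = $d['WorkstationName']
                }
            }
        }
}

function Get-SuspiciousAccountCreations {
    param([string[]]$Names = @('backup', 'support'), [int]$LookBackDays = 30)
    $since = (Get-Date).AddDays(-$LookBackDays)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            $name = "$($d['TargetUserName'])"
            if ($Names -contains $name.ToLowerInvariant()) {
                [pscustomobject]@{ Time = $_.TimeCreated; NewAccount = $name; CreatedBy = $d['SubjectUserName'] }
            }
        }
}

function Get-AuditLogClearEvents([int]$LookBackDays = 30) {
    # 1102 = "The audit log was cleared"; an empty result here is itself informative.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = (Get-Date).AddDays(-$LookBackDays) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-SuspiciousRdpLogons        | Format-Table -AutoSize
Get-SuspiciousAccountCreations | Format-Table -AutoSize
Get-AuditLogClearEvents        | Format-Table -AutoSize
```

Run this on the domain controllers as well as the first encrypted host: the RDP hop between machines shows up as a 4624 on the destination, and a 1102 on any host tells you the attacker was cleaning up, which is when the event-forwarding copy of the log becomes the only record.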

KEY TAKE-AWAYS

  • .force is decryptable only with the attacker’s private RSA key – back-ups are your only real safety net.
  • Attack path is almost always RDP or exploit-kit – harden externally-facing services first.
  • Clean removal is trivial once identified, but encryption happens within minutes; speed of containment > speed of cleanup.

Share IoCs, ransom-note e-mails and sample hashes with your local CERT or the FBI’s IC3 portal to help track this family and advise future victims. Stay safe, patch fast, and keep an extra copy of your data offline.