@outlook.com

[Content by Gemini 2.5]

⚠️ Context Alert
The string “@outlook.com” is not a ransomware file extension; it is the domain part of the attacker's contact e-mail address, which the Crysis/Dharma family embeds in every renamed file. Ransomware families are normally identified by the extension they append to encrypted files (together with the ransom note and the code itself), not by the e-mail address in the file name, because affiliates swap contact addresses freely.
No known ransomware uses the literal suffix “@outlook.com” as its extension, so the following profile is built on the family whose naming scheme most often carries a Microsoft contact address: Crysis/Dharma, whose files end in “.id-[victim-ID].[[attacker]@outlook.com].<extension>” with extensions such as .xtbl, .wallet, .java, .write, .combo, .adobe, .arrow or .bip.
If you have observed files that appear to end in “@outlook.com”, re-check the characters after the final dot, and make sure the listing is not truncating the name at the closing bracket; once you confirm the real extension, rename this resource accordingly.


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files are given a compound suffix such as
    .id-[8-HEX-CHARS].[[attacker]@outlook.com].wallet
    (or .combo, .write, .java, .xtbl, etc. – the final suffix is fixed per Dharma build).
  • Renaming Convention:
  • Original → filename.ext.id-1A2B3C4D.[[attacker]@outlook.com].new-extension (the eight-character ID shown is a constructed example)
  • The ID block is derived per infected host, so it differs from machine to machine; the final suffix (.wallet, .combo, .arrow, .bip, etc.) is tied to the build. Several different suffixes across one network usually mean more than one payload was run, not that the extension mutated.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Crysis was first seen in early 2016; after its master keys were published in November 2016 the code base continued as “Dharma”, which has been sold to affiliates ever since. Campaigns using Outlook addresses inside the renamed files were widely reported from 2019 through 2021 and continue today with minimal code changes.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  • RDP brute force / weak or reused credentials – the most commonly reported entry point by a wide margin.
  • Phishing e-mails – ISO, ZIP and IMG attachments carrying the loader or a script that fetches it.
  • Exploitation of unpatched VPN appliances (e.g., Fortinet, SonicWall) to reach internal RDP.
  • Living-off-the-land – legitimate Windows utilities such as nltest.exe, PowerShell, WMI and PsExec for discovery and lateral movement.
  • Mapped drives and sync folders – network shares and cloud-sync directories reachable with the compromised account are encrypted alongside local disks, which is how “cloud backups” get hit.
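Because RDP credential abuse is the dominant entry point, the detection worth having is the burst of failed remote logons followed by a success from the same source. The following is an added example (not from the original page) of that logic over Windows Security-log events flattened to one line each; the event IDs and logon types are the real ones, the hosts, users and addresses in SAMPLE_LOG are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

# Constructed sample of Windows Security-log events flattened to
# "<UTC time>|<EventID>|<LogonType>|<TargetUser>|<SourceIP>". The event IDs and
# logon types are the real ones (4625 = failed logon, 4624 = successful logon,
# type 10 = RemoteInteractive, type 3 = Network, which is what an RDP failure
# looks like when NLA rejects the credential); hosts, users and IPs are made up.
SAMPLE_LOG = """\
2024-03-02T01:10:05|4625|10|administrator|203.0.113.7
2024-03-02T01:10:09|4625|10|administrator|203.0.113.7
2024-03-02T01:10:14|4625|3|admin|203.0.113.7
2024-03-02T01:10:20|4625|3|backup|203.0.113.7
2024-03-02T01:10:27|4625|10|svc_rdp|203.0.113.7
2024-03-02T01:10:33|4625|10|jsmith|203.0.113.7
2024-03-02T01:11:02|4624|10|jsmith|203.0.113.7
2024-03-02T01:12:40|4625|10|mwilson|198.51.100.20
2024-03-02T01:12:55|4624|10|mwilson|198.51.100.20
2024-03-02T01:15:00|4625|2|localuser|10.0.0.5
2024-03-02T01:15:03|4625|2|localuser|10.0.0.5
2024-03-02T01:15:06|4625|2|localuser|10.0.0.5
2024-03-02T01:15:09|4625|2|localuser|10.0.0.5
2024-03-02T01:15:12|4625|2|localuser|10.0.0.5
2024-03-02T01:15:30|4624|2|localuser|10.0.0.5
"""

FAILURE_THRESHOLD = 5              # failed logons from one source before we care
WINDOW = timedelta(minutes=10)     # sliding window for counting those failures
REMOTE_LOGON_TYPES = {"3", "10"}   # network / RemoteInteractive; ignore console logons


def parse_event(line: str):
    ts, event_id, logon_type, user, src = line.strip().split("|")
    return datetime.fromisoformat(ts), event_id, logon_type, user, src


def detect_rdp_bruteforce(lines: Iterable[str], threshold: int = FAILURE_THRESHOLD,
                          window: timedelta = WINDOW) -> List[Dict]:
    """Alert when a source IP logs >= threshold remote failures inside `window`
    and then produces a successful remote logon: the brute-force-then-entry pattern."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict] = []
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = parse_event(line)
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        recent = failures[src]
        while recent and ts - recent[0] > window:   # expire failures older than the window
            recent.popleft()
        if event_id == "4625":
            recent.append(ts)
        elif event_id == "4624" and len(recent) >= threshold:
            alerts.append({"src": src, "user": user,
                           "failures": len(recent), "success_at": ts})
            recent.clear()   # one alert per burst
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"RDP brute force then success: {a['src']} -> {a['user']} "
              f"after {a['failures']} failures at {a['success_at']:%Y-%m-%d %H:%M:%S}")
```

On the sample, only 203.0.113.7 trips the rule (six failures across several account names, then a successful RemoteInteractive logon as jsmith); the single typo from 198.51.100.20 and the console failures from 10.0.0.5 do not. Counting type 3 alongside type 10 matters in practice: with NLA enabled, the failures a password sprayer generates are logged as network logons, so a rule keyed on type 10 alone misses the spray and sees only the final success.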

Remediation & Recovery Strategies

1. Prevention

  • Enforce MFA on every RDP/RDS host and VPN account.
  • Harden RDP: require Network Level Authentication (NLA), and never expose TCP/3389 to the Internet – firewall it or reach it only through a VPN or RD Gateway.
  • Restrict lateral service accounts: prune excess domain-admin rights and apply administrative tiering (Microsoft's enterprise access model, the successor to ESAE / “Red Forest”).
  • Patch religiously: prioritize the CVEs most abused for initial access and lateral movement by ransomware affiliates – CVE-2018-13379 (FortiOS SSL-VPN path traversal), CVE-2019-19781 (Citrix ADC/Gateway), MS17-010 (EternalBlue).
  • E-Mail hardening: Defender for Office 365 attachment filtering for ISO/IMG, plus Defender for Endpoint attack-surface-reduction (ASR) rules that block executable content launched from e-mail clients and archives.
  • User education: simulated phishing campaigns that emphasize *.rar.iso, double-extension files and non-standard archive types.

2. Removal (Step-by-Step)

  1. Isolate immediately – unplug affected NICs, disable Wi-Fi, shut down VPN tunnels. Do not power off a host whose memory you still want (see step 2).
  2. Preserve volatile evidence – capture a memory dump and a copy of the ransom note before a reboot loses them.
  3. Triage one representative host offline (Safe Mode or a forensic boot) rather than touching every machine by hand.
  4. Scan with reputable AV + EDR – use:
  • Microsoft Defender Offline
  • ESET Online Scanner
  • Kaspersky Virus Removal Tool (KVRT)
  5. Sweep persistence points:
  • Scheduled Tasks created around the patient-zero timestamp
  • Run / RunOnce registry keys (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, the Wow6432Node equivalent, and the same path under HKCU) – Dharma registers both its payload and the Info.hta note here
  • Copies of the payload in %APPDATA%, the user's Startup folder, %PROGRAMDATA% and \PerfLogs\.
  6. Reset local & cached domain credentials for any user who logged on since the patient-zero date.
  7. Re-image – in most cases a clean OS install is faster and safer than attempting to surgically disinfect.

3. File Decryption & Recovery

  • Recovery Feasibility: No decryptor exists for Dharma builds whose keys were never leaked, which is essentially everything released after late 2017; the free decryptors for earlier variants rely on private keys the operators themselves published, not on a cryptographic flaw. Victims must rely on:
  • Offline or cloud backups (immutable, rotated, S3 Object Lock, Azure Blob with soft-delete).
  • Volume Shadow Copy (VSS) recovery – occasionally intact if the payload failed to run vssadmin delete shadows /all /quiet.
  • File-recovery apps (Recuva, R-Studio) – only if the ransomware did not overwrite or wipe free space.
  • Kaspersky RakhniDecryptor / ESET CrySiS decryptor – work only for the variants whose keys were leaked in 2016–2017 (e.g., .crysis, .dharma, .wallet, .onion); test one sample file first.
  • Essential Tools / Patches:
  • Keep RDP hosts current: the CredSSP fix (CVE-2018-0886) and the latest cumulative updates.
  • FortiOS releases that close CVE-2018-13379 (6.0.5 / 6.2.0 or later; in practice a currently supported 7.x branch).
  • SonicWall SMA / SSL-VPN appliance firmware at the version named in the current vendor advisory (10.2.1.x for the SMA 100 series).
  • Kaspersky TDSSKiller & Trend Micro Ransomware File Decryptor (current dated pack).

4. Other Critical Information

  • Unique Characteristics:
  • Sold as ransomware-as-a-service: each affiliate receives its own build with its own contact address and extension, which is why one family shows up under dozens of suffixes.
  • Hybrid encryption: a random AES-256 key per file, wrapped with an RSA-1024 public key embedded in the binary. Without the matching private key, held by the operator, the per-file keys cannot be recovered, which is why the 2016–2017 decryptors only work for leaked keys.
  • Drops an Info.hta ransom note (launched at logon via the Startup folder / Run key) and FILES ENCRYPTED.txt; the addresses in those notes match the one in the file names.
  • Broader Impact:
  • One of the most frequently seen strains in MSP ticketing queues worldwide; continues to hit healthcare, logistics and manufacturing, where exposed or poorly secured RDP is still common.
  • Double extortion is not built in, but affiliates frequently exfiltrate data via Rclone or Mega before encrypting, adding GDPR/HIPAA exposure to the outage.
  • Ransom demands are typically in the low five figures (reported range US $5 000 – 60 000), rising when attackers have exfiltrated SQL or CAD repositories.

Bottom line: treat any host whose files carry “.id-<ID>.[<address>@outlook.com].<ext>” as classic Dharma. Do not pay unless business continuity truly hinges on data that has no backup at all; follow the triage flow above and lean on drive images plus a tested 3-2-1 backup strategy.