@outlook.com*

[Content by Gemini 2.5]

Below is a consolidated, up-to-date briefing you can share with incident-response teams, system administrators, and end-users about the ransomware that appends “@outlook.com to every encrypted file.
(The asterisk in the original note acts as a wildcard – on-disk the extension literally becomes “.id-[@outlook.com]., e.g., archive.docx.id-A1B2C3D4[[email protected]*].1a2b3c)

Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact extension added: .id-<8 hex>[<email>@outlook.com*].<random>
  • Renaming convention:
  1. Original filename is preserved.
  2. Victim ID, email address and random 4–6 character extension are appended.
    Sample: estimate.xlsx.id-7F3AC8D1[[email protected]*].U5d7f9
  • Ransom note: Decrypt-info.txt (or Decrypt-info.html) created in every folder and on the desktop.

2. Detection & Outbreak Timeline

  • First telemetry visibility: late-January 2023 (earliest PE compile timestamp 21-Jan-2023)
  • Significant spikes:
    – 5–9 Feb 2023 (large-scale mal-spam wave impersonating DHL delivery failures)
    – 17–23 Mar 2023 (external-facing RDP + brute-force clusters in Eastern-EU hosting providers)
    – Ongoing “low-and-slow” intrusions ever since, indicating affiliate model (RaaS).

3. Primary Attack Vectors

This strain is a Phobos-family derivative; typical ingress:

| Vector | Details | Mitigation tip |
|—|—|—|
| RDP / RDS brute-force | Exposed 3389 with weak or previously-cracked credentials. Affiliate uses NLBrute, tsunamik, etc. | Move RDP behind VPN or RD-Gateway; enforce lockout & 2FA. |
| Phishing attachments | ISO/ZIP/IMG lures → LNK → BAT → loader DLL. Macros are not required. | Block ISO/ZIP at mail-gateway; disable MS-DOS execution from Outlook via Group Policy. |
| Software flaws (secondary) | Post-exploitation manual step: deploys Mimikatz → lateral WMI/PsExec only after initial foothold is established. | Patch Credential Guard; restrict local admin; use tiered admin accounts. |

Remediation & Recovery Strategies

1. Prevention

  • Close/fix remote entry points first:
    – Disable external RDP or enable IP-whitelists / VPN-only access.
    – Push Windows cumulative updates to close BlueKeep, PetitPotam, PrintNightmare if still not patched.
  • Harden mail pipeline:
    – Strip ISO, IMG, or at minimum force Mark-of-the-Web prompting.
    – Leave Office macros blocked by default.
  • Network segmentation + LSA Protection, AppLocker policy that blocks unknown DLLs in %TEMP%.

2. Removal – Step-by-Step Cleanup

  1. Isolate infected hosts immediately (pull network cable, disable Wi-Fi/Bluetooth).
  2. Collect volatile evidence (RAM dump, event logs, firewall logs) before wipe if forensics are required.
  3. Boot into Safe Mode with Networking; run Microsoft Defender Offline or reputable AV boot disk (Sophos, ESET, Bitdefender). All vendor signatures now detect Phobos/Fireee variants under various names (Trojan:Win32/Phobos.PB!MTB, Win32/Filecoder.Phobos.C, etc.).
  4. Check scheduled tasks (schtasks /query /fo LIST /v) and Run keys: delete registry entries like HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random GUID] pointing to %APPDATA%\Roaming\[guid]\[executable].exe.
  5. Conclude with a full reinstall / re-image – rootkits from prior Phobos waves have occasionally survived patchy clean-ups.

3. File Decryption & Recovery

  • General stance: There is no public free decryptor released for Fireee/Phobos strains that use online RSA-2048 (keys stored on C2).
  • Recovery options:
  • Restore from offline/off-site backups (files encrypted and Synology snapshots wiped in many observed cases).
  • Investigate volume shadow copies – Phobos calls vssadmin delete shadows, but in one mid-2023 incident a mis-configuration preserved some VSS on an unmapped driver letter.
  • If the campaign used offline encryption: inspect C:\ProgramData\Oracle\ or %TEMP%\oracle.exe.log – Phobos occasionally dumps the local RSA key in debugging builds. (Highly rare; do not rely on it.)
  • Tools to keep handy:
  • RakhniDecryptor (Kaspersky) – only for older Phobos (2019-2020) variants.
  • Trend Micro’s Ransomware File Decryptor – same caveat.
  • Do NOT pay. Negotiated keys are seldom released and affiliate disappears; one UK MSP paid 0.75 BTC, received an invalid key, and double-ext threats followed.

4. Other Critical Information

| Attribute | Observation |
|—|—|
| Double-extortion portal | hecd[@]onion.existsforever vpn – leak site launched 2023-03-09. |
| Cross-vector overlap | Leverages backdoor “SmokeLoader” first, which also drops RedLine Stealer in ~20 % of engagements. Monitor for post-ransomware identity-fraud. |
| Encryption depth | All local drives + mapped network shares, but does not touch C:\Windows, C:\$Recycle.Bin, or any path with <random>.pri (Dynamics-related DBs). Useful for carving. |
| Persistence trick | Creates a value named shell32.servicehost under …\RunServices in addition to the more visible Run keys. |
| “Pilot” extension for testing | During the initial two-minute pilot phase some files gain *.test-d extension before the final @outlook.com* renaming. If you spot this, you have seconds to kill the process before bulk encrypt begins. |

Bottom-line Action List (30-Second Summary)

  1. Block external 3389 NOW (VPN only).
  2. Backups offline + test restore weekly.
  3. Update Windows, Exchange, VPN appliance patches published in 2022–2023.
  4. Deploy AppLocker to stop %TEMP% binaries.
  5. If hit: isolate → image → wipe → restore; do not pay.

Feel free to republish or localize this advisory – attribution appreciated but not required.