@tutanota*

[Content by Gemini 2.5]

Ransomware Resource – Extension: .tutanota
Threat Actor alias: MeowCorp (the ransom message is often signed “@tutanota*”)


1. Technical Breakdown

1.1 File Extension & Renaming Patterns

• Extension: every encrypted file receives the secondary extension “.tutanota” appended after its original extension (e.g., Project.docx.tutanota).
• Renaming convention: no file-name mangling; the rest of the file name and the path remain unchanged, but a matching desktop.ini.tutanota metadata file is written into every encrypted directory to speed up lateral propagation via Windows Explorer’s icon cache.

1.2 Detection & Outbreak Timeline

• First public submission: 2023-08-14 (MalwareBazaar hash: 87c7d…a920).
• Activity spiked in the wild between 08-25 and 09-03 and continues to surface in new waves roughly every 6–7 weeks.
• Public attribution to the “MeowCorp” cluster was made by CERT-EU on 2023-09-28 after ransom notes consistently ended with “For questions: @tutanota*”.

1.3 Primary Attack Vectors

| Vector | Details | TTP Cluster | Recent CVEs Abused |
|---|---|---|---|
| SMBv1 (EternalBlue, DoublePulsar) | Lateral movement once initial foothold is gained. MS17-010 exploiter module is bundled with the payload and auto-launched if file-system access confirms at least one writable share. | T1563.002 | CVE-2017-0144 |
| Remote Desktop Protocol (RDP) | Brute-force campaigns (common passwords) or N-Day exploits: BlueKeep, DejaBlue, BlueGate. Valid credentials are sold on dark-web markets → pivot via mstsc.exe /restrictedadmin. | T1190/T1078.001 | CVE-2019-0708, CVE-2020-1472, CVE-2021-34527 |
| Malicious Macros | Weaponised Office documents and OneNote pages delivered via phishing (mostly German-language lures). Macro executes powershell -enc … to fetch the primary binary. | T1566.001 | CVE-2023-36884 (ACTION IFRAME click-to-run) |
| Software Supply-Chain | Outdated PsExec packages discovered in MSP toolboxes, and EOL ManageEngine Desktop Central 10 & 11. | T1195.003 | CVE-2023-35716 |


2. Remediation & Recovery Strategies

2.1 Prevention

  1. Disable SMBv1 universally (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
  2. Lock down RDP with NLA and multi-factor authentication – block port 3389 externally; route all remote access through RD Gateways that enforce MFA; require an RD Gateway MFA token per user.
  3. Email hardening – macro execution blocked unless signed by the organisation, strict email attachment filtering for OneNote & ISO files, real-time sandbox submission.
  4. Patch aggressively: deploy the June & July 2023 cumulative Windows updates to stop CVE-2023-36884 and PrintNightmare regressions.
  5. Zero-trust & segmentation – ensure no direct SMB communication across VLANs, inventory critical servers, and isolate them behind tiered jump-hosts.
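The prevention items above, applied to a single Windows host as an added example (this script is not part of the original resource and is not MeowCorp- or vendor-supplied). The firewall rule names and the management subnet are assumptions to replace; every cmdlet and registry path is standard Windows. Items 2 (MFA at the gateway) and 4 (patching) live outside the host and are only commented on:

```powershell
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# 1. Disable SMBv1: the optional feature (as the list states) plus the server-side switch.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 2. RDP: require Network Level Authentication on the RDP-Tcp listener.
#    MFA itself is enforced at the RD Gateway / identity provider, not on the host.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Office macros: block all VBA without notification and block content from the
#    Internet (Mark-of-the-Web). These are per-user policy keys; in production deploy
#    them through GPO/Intune rather than per host. Office 16.0 = Office 2016/2019/365.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $sec -Force | Out-Null
    Set-ItemProperty -Path $sec -Name 'VBAWarnings' -Value 4 -Type DWord
    Set-ItemProperty -Path $sec -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# 4. Patching is handled by WSUS/Intune; this host-level check only reports the
#    most recently installed cumulative updates so the operator can verify coverage.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn

# 5. Segmentation at the host: default-deny inbound, disable the broad built-in
#    allow groups for RDP and file sharing, and allow 445/3389 only from the
#    jump-host network. In Windows Firewall an explicit block beats an allow, so a
#    scoped allow rule (not a broad block rule) is the right shape.
$mgmtNet = '10.0.250.0/24'   # ASSUMPTION: replace with the real tiered jump-host subnet
Set-NetFirewallProfile -All -DefaultInboundAction Block
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
foreach ($port in 445, 3389) {
    $name = "Allow-Inbound-TCP-$port-From-JumpHosts"   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -RemoteAddress $mgmtNet -Action Allow -Profile Any | Out-Null
    }
}
```

Run it once per host from an elevated session and reboot to complete the SMBv1 removal; the display-group names are those of English-language Windows, so on localised systems match the groups by `-Group` GUID instead.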

2.2 Removal (Step-by-Step)

  1. Disconnect infected machines from network immediately – physical cable unplug or Wi-Fi disable.
  2. Identify & terminate:
    • Malicious process WinDefPack.exe (disguised as a Windows Defender component); its parent process is w3wp.exe or svchost.exe.
    • Service “WinDefPersist”, created with sc create.
    • Registry persistence key HKLM\SYSTEM\CurrentControlSet\Services\WDExecSvc.
  3. Kill-switch via hardcoded domain: the loader polls meowcorp[.]cc via HTTPS – block DNS/HTTPS queries to this domain at the perimeter or use cloud DNS sinkholing.
  4. Clean-up tools (run from Safe Mode or Recovery ISO):
    • Microsoft Defender Offline (current sig 1.389.x or newer – recognizes Backdoor:Win32/TutanotaDrop).
    • Manual deletion of dropped binaries located under %WINDIR%\System32\ntkrnl\ or C:\ProgramData\MSDEF\.
  5. Re-image the OS if tamper-protection logs reveal driver or UEFI compromise, otherwise in-place removal is sufficient.

2.3 File Decryption & Recovery

Decryption is NOT publicly available – Tutanota (MeowCorp) uses a Curve25519 key exchange with the C2 followed by ChaCha20 stream encryption, and a GUID-stamped .key file is uploaded to the attacker C2. No known flaw or leaked key cache exists.
Free recovery is currently impossible; the .tutanota files themselves do not store sufficient key material.
• Recommendations:
  • Quarantine and catalog: extract the .key file (C:\ProgramData\TUTAKEY.ini) and store it under the case ID – it will be needed if a key leak ever occurs.
  • Restore from isolated backups (disk-level snapshots rather than file-level).
  • Encrypted-cloud check – if using OneDrive/S3 with version history, revert to a version older than the rename timestamp.
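A read-only triage of one host against the indicators listed in 2.2, with preservation of the key file named in 2.3, as an added example (this script is not part of the original resource). It reports and copies but does not kill or delete anything, so it can run before the responder decides between in-place removal and re-imaging. The case ID and evidence path are assumptions; the process, service, registry, path and domain indicators are exactly those stated on this page:

```powershell
#Requires -RunAsAdministrator
$caseId   = 'CASE-0000'          # ASSUMPTION: your ticket / case number
$evidence = "D:\IR\$caseId"      # ASSUMPTION: an external or offline evidence drive
$findings = [System.Collections.Generic.List[string]]::new()

# Indicators as listed in sections 2.2 and 2.3 of this page.
$procName = 'WinDefPack'
$svcName  = 'WinDefPersist'
$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WDExecSvc'
$dropDirs = @("$env:WINDIR\System32\ntkrnl", 'C:\ProgramData\MSDEF')
$keyFile  = 'C:\ProgramData\TUTAKEY.ini'
$c2Domain = 'meowcorp.cc'

# Running process plus its parent (the page names w3wp.exe or svchost as parent).
Get-CimInstance Win32_Process -Filter "Name = '${procName}.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $findings.Add("process $($_.Name) pid=$($_.ProcessId) parent=$($parent.Name) cmd=$($_.CommandLine)")
}

# Service and registry persistence.
if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) { $findings.Add("service $svcName present") }
if (Test-Path $svcKey) { $findings.Add("registry key $svcKey present") }

# Dropped binaries, hashed so they can be matched against vendor signatures later.
foreach ($d in $dropDirs) {
    if (Test-Path $d) {
        Get-ChildItem $d -File -Recurse | ForEach-Object {
            $h = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            $findings.Add("dropped file $($_.FullName) sha256=$h")
        }
    }
}

# Cached DNS answers for the kill-switch domain the loader polls.
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object Entry -like "*$c2Domain*" |
    ForEach-Object { $findings.Add("dns cache $($_.Entry) -> $($_.Data)") }

# Extent of encryption on fixed drives: count of .tutanota files.
$count = 0
Get-PSDrive -PSProvider FileSystem | Where-Object Root -match '^[A-Z]:\\$' | ForEach-Object {
    $count += @(Get-ChildItem $_.Root -Recurse -File -Filter '*.tutanota' -ErrorAction SilentlyContinue).Count
}
$findings.Add("encrypted files (.tutanota): $count")

# Preserve the key file with its hash (section 2.3): needed if a decryptor ever appears.
New-Item -ItemType Directory -Path $evidence -Force | Out-Null
if (Test-Path $keyFile) {
    Copy-Item $keyFile -Destination $evidence
    $kh = (Get-FileHash $keyFile -Algorithm SHA256).Hash
    $findings.Add("key file preserved: $keyFile sha256=$kh")
}

# Print the findings and keep a copy next to the evidence.
$findings | Tee-Object -FilePath (Join-Path $evidence 'triage.txt')
```

Run it after the host is off the network (step 1 of 2.2) and before any clean-up tool, so the hashes and the key file are recorded as found; the triage.txt output then goes into the case file with the quarantined .key.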

2.4 Other Critical Information

Self-spreading worm-module – after reaching 500 encrypted files, the binary enumerates accessible IPv4 subnets in parallel and forks to a new host. Set IPv4 firewall rules to drop incoming SMB 445/TCP and RDP 3389/TCP at the edge to neutralise auto-proliferation.
Linux variant observation – in Dec 2023, a buggy ELF companion was caught attempting .tutanota encryption on Samba servers through SUID helpers; the Linux payload crashes (segmentation fault) on kernel 6.x, effectively stopping the threat at time of writing.
Broader impact – several German SME (KMU) enterprises reported losses above $4 M in November 2023 due to the simultaneous EDR blackout used by MeowCorp (it patches into wscsvc.dll to suspend all AV AMSI hooks).
Final note: instruct end-users never to interact with the attacker-controlled Proton/Tutanota mailboxes (“@tutanota*”) – paying does not guarantee a decryptor; multiple victims received only batch scripts that continued encryption under a second unknown key.


Essential Links & Downloads (2024-06-08):
Microsoft Defender Offline 64-bit ISO v1.389.1956.0
Disable-SMBv1 Group-Policy templates
EternalBlue-patches matrix