{ "campaign": "enc/dec Ransomware Family", "description": "Comprehensive IOCs for the enc/dec ransomware family, a sophisticated custom-developed ransomware toolkit discovered in a malware development repository. The toolkit employs professional-grade hybrid RSA-2048 + ChaCha20 encryption with custom hand-coded cryptographic implementation featuring AVX-512/AVX2/SSE hardware optimization. Discovered on open directory 109.230.231.37.", "severity": "CRITICAL", "confidence_level": "Very High", "development_characteristics": { "sophistication": "Professional malware development", "capabilities": "Dual-purpose: Espionage + Financial Extortion", "indicators": [ "Custom cryptographic implementation", "Professional R&D environment with versioned builds and testing utilities", "Hardware-optimized encryption (AVX-512/AVX2/SSE)", "Multi-variant toolkit (5 encryptors, 5 decryptors)" ] }, "file_hashes": { "enc_exe": { "sha256": "93c53ebc8d1ee19dad41cfb7989ed047136cd80669ec8ba7b0af4016f9123cc1", "sha1": "ebad3ae916e075c119c1630f007e05fa5ce8cb6f", "md5": "f6b678886d38dda59678e5422697aaee", "size": "15.8 MB", "type": "PE32+ executable (console) x86-64, Rust-compiled", "original_filename": "enc.exe", "variant": "Primary encryptor - earlier version", "capabilities": [ "Network spreading", "VM detection", "Credential theft", "File encryption (RSA-2048 + ChaCha20)", "Volume Shadow Copy deletion" ], "yara_signatures": [ "EncDec_ChaCha20_Constant", "EncDec_VSS_Deletion", "EncDec_Rust_Artifacts", "EncDec_AntiDebug_StackCheck", "EncDec_Comprehensive" ] }, "enc_v2_exe": { "sha256": "d942896e56eb6dc83c8788c92e6fe7c57ee419b9b092f3089c74b3f0e181b154", "sha1": "60654d763e8918a10a5df9eb65b2676bd4e2a85d", "md5": "59011f6a6c53f79b9d63d53b3ea7c251", "size": "Unknown (estimated 15-20 MB)", "type": "PE32+ executable (console) x86-64, Rust-compiled", "original_filename": "enc_v2.exe", "variant": "Version 2 encryptor - most comprehensively reverse engineered", "capabilities": [ "Custom ChaCha20 implementation with AVX optimization", "RSA-2048 + ChaCha20 hybrid encryption", "Multi-layered anti-analysis (stack-checking, VEH, Sleep evasion)", "Drive enumeration A-Z + network shares", "VSS deletion via vssadmin/wmic", "Runtime CPU dispatcher (AVX-512/AVX2/SSE)" ], "debug_artifacts": [ "Rust debug paths visible in binary" ], "yara_signatures": [ "EncDec_ChaCha20_Constant", "EncDec_VSS_Deletion", "EncDec_Rust_Artifacts", "EncDec_AntiDebug_StackCheck", "EncDec_Comprehensive" ] }, "updated_enc_exe": { "sha256": "9cf27311a39f4915ef1ea36f101381c4b3b7fe0eeea43a9739df15c06a563651", "sha1": "45714cf92b5820ca115568d8f4ea48293dcc66b6", "md5": "91874b34526a38f9ca0727f323c3188a", "size": "Unknown (estimated 15-20 MB)", "type": "PE32+ executable (console) x86-64, Rust-compiled", "original_filename": "updated_enc.exe", "variant": "Evolutionary variant of enc_v2.exe", "capabilities": [ "Identical technical signatures to enc_v2.exe", "Shared anti-debugging loops", "RSA-2048 + ChaCha20 hybrid encryption", "Ransom note template: README.txt" ], "yara_signatures": [ "EncDec_ChaCha20_Constant", "EncDec_VSS_Deletion", "EncDec_Rust_Artifacts", "EncDec_AntiDebug_StackCheck", "EncDec_Comprehensive" ] }, "enc_pervictim_exe": { "sha256": "e25e19888d615b9fb15da4cd7c4cd34dfa53250becff3d621c59c9fa38efdcf3", "sha1": "c2d6e40976b237b8f0a034d30df9e60a7771c416", "md5": "e2cbe3bc77b1ce11192fd0d542d6123a", "size": "Unknown (estimated 15-20 MB)", "type": "PE32+ executable (console) x86-64, Rust-compiled", "original_filename": "enc_pervictim.exe", "variant": "Per-victim key generation capability", "capabilities": [ "Per-victim customized encryption keys", "Runtime CPU dispatcher (AVX-512/AVX2/SSE)", "Sophisticated cryptographic engine", "Hardware-optimized ChaCha20 (multiple implementations)" ], "debug_artifacts": [ "chacha20_pervictim.rs", "netusesrc/modules/disks.rs" ], "yara_signatures": [ "EncDec_ChaCha20_Constant", "EncDec_VSS_Deletion", "EncDec_Rust_Artifacts", "EncDec_AntiDebug_StackCheck", "EncDec_Comprehensive" ] }, "test_gui_enc_v2_exe": { "sha256": "6c21c70ae517ccf548ac326ac133337b8d12200658ffba5a1f2d7053a34aadc6", "sha1": "426a4740043780ff152ffd651a2abb7a8692f8e3", "md5": "4ce7f0bda1f3606270e5f9677d526771", "size": "Unknown", "type": "PE32+ executable (GUI) x86-64, Rust-compiled", "original_filename": "test_gui_enc_v2.exe", "variant": "Testing variant with GUI components", "capabilities": [ "Version 2 architecture", "GUI interface for testing", "Development/QA build" ], "yara_signatures": [ "EncDec_ChaCha20_Constant", "EncDec_Rust_Artifacts" ] }, "dec_exe": { "sha256": "2e6220c3ed90261bd9f0d30cc3684e7c3f763ce524fe7ff49de7bf92870031e9", "sha1": "575e763b941f74ef329e37715c46fac45abb3985", "md5": "0ad2f5880d34e9f231a28f0c0cad015b", "size": "2.1 MB", "type": "PE32+ executable (console) x86-64, Rust-compiled", "original_filename": "dec.exe", "variant": "Primary decryptor - reverse engineered", "capabilities": [ "Command-line utility with --pass, --file, --folder parameters", "PBKDF2 key derivation from password", "RSA private key unwrapping", "ChaCha20-Poly1305 AEAD decryption", "Cleanup: deletes README_FOR_DECRYPT.txt, terminates ransom_note_exec.exe", "Blocklists: system files/folders to prevent damage" ], "cryptographic_libraries": [ "ChaCha20-Poly1305", "SHA-512", "BLAKE2", "SipHash" ], "yara_signatures": [ "EncDec_ChaCha20_Constant" ] }, "dec_fast_exe": { "sha256": "62459f33fd9a933799857e537cb3fbfd41b32658cde2a5119cc5a819aecc53ca", "sha1": "4490d9be948dbb8bc0b58c551c28bfb182a54d8a", "md5": "9e492a9e4906946c20ae061fa29e62e5", "size": "Unknown", "type": "PE32+ executable (console) x86-64, Rust-compiled", "original_filename": "dec_fast.exe", "variant": "Performance-optimized decryption", "capabilities": [ "Fast decryption (potentially reduced safety checks for speed)", "Rapid file recovery" ], "yara_signatures": [ "EncDec_ChaCha20_Constant" ] }, "dec_pc3_exe": { "sha256": "1252b4a85ea6d33651bbcee4708f0ec14d5915f7ebe9c8de0ffb5bfc6ad8f412", "sha1": "7b7db113669abe951b5298f5a17d9fa4c2e0b84f", "md5": "dddf209542b4cc9ab4f312eb46876aa9", "size": "Unknown", "type": "PE32+ executable (console) x86-64, Rust-compiled", "original_filename": "dec_pc3.exe", "variant": "Specialized decryption (possibly machine-specific)", "capabilities": [ "Environment-specific decryption", "Specialized configuration" ], "yara_signatures": [ "EncDec_ChaCha20_Constant" ] }, "dec_unique_exe": { "sha256": "353800a0934e6de5d02f660fcde2be3e3b3d3bb70bcff3a157355c77a75cb935", "sha1": "e60ee8e9516b1d9595d026c0ae84d3f93db0765e", "md5": "7581ba60eb121a0ca0499a8fe8c3bdc9", "size": "Unknown", "type": "PE32+ executable (console) x86-64, Rust-compiled", "original_filename": "dec_unique.exe", "variant": "Variant with unique decryption parameters", "capabilities": [ "Unique decryption scenarios", "Specialized parameters" ], "yara_signatures": [ "EncDec_ChaCha20_Constant" ] }, "test_decryptor_exe": { "sha256": "4a41291979ce387fd5470ad5afd9db2938669d813f7da7f43dd9f53413457399", "sha1": "bced673ab0cf6f008264c763f399899471d30a53", "md5": "3b53bd591f29e0a2cc3d500db4c4cf8a", "size": "Unknown", "type": "PE32+ executable (console) x86-64, Rust-compiled", "original_filename": "test_decryptor.exe", "variant": "Testing/QA decryption utility", "capabilities": [ "Development build", "Testing functionality" ], "yara_signatures": [ "EncDec_ChaCha20_Constant" ] }, "ransom_note_exec_exe": { "type": "Associated executable - GUI ransom note display utility", "original_filename": "ransom_note_exec.exe", "purpose": "Display ransom note to victim", "cleanup": "Terminated by dec.exe cleanup operations" } }, "network_indicators": { "distribution_infrastructure": { "ip": "109.230.231.37", "description": "enc/dec malware distribution point - open directory serving 38 malicious executables including enc/dec ransomware family, espionage tools (agent.exe, steal_browser.exe), commodity RATs (Xworm), and persistence droppers (FleetAgent family)", "confidence": "CONFIRMED", "threat_type": "Malware distribution + potential C2 infrastructure", "action": "BLOCK at network perimeter immediately (all ports, all protocols, inbound AND outbound)", "ports": [ "80 (HTTP - confirmed open directory)", "443 (HTTPS - likely)", "Custom C2 ports (potential)" ] }, "c2_infrastructure": { "status": "NOT DIRECTLY OBSERVED", "description": "No active C2 communication observed during analysis (R&D environment samples, not operational deployment). Associated Xworm variants in enc/dec use 109.230.231.37 for C2.", "expected_behavior": "Encrypted C2 traffic using RSA, ChaCha20 cryptography", "detection_strategy": "Monitor for unusual encrypted outbound connections from Rust executables, especially to 109.230.231.37" } }, "file_system_artifacts": { "ransom_notes": { "README_txt": { "filename": "README.txt", "description": "Primary ransom note deployed by enc_v2.exe, updated_enc.exe, enc.exe", "location": "Encrypted directories", "confidence": "CONFIRMED" }, "README_FOR_DECRYPT_txt": { "filename": "README_FOR_DECRYPT.txt", "description": "Decryption instructions ransom note", "location": "Encrypted directories", "cleanup": "Deleted by dec.exe cleanup operations", "confidence": "CONFIRMED" } }, "file_extensions": { "lockbox": { "extension": ".lockbox", "description": "Referenced in some enc/dec reports (not directly confirmed in enc/dec samples)", "confidence": "MEDIUM", "note": "Encrypted files may preserve original extension or use custom extension" } } }, "behavioral_indicators": { "vss_deletion": { "technique": "T1490 - Inhibit System Recovery", "commands": [ "vssadmin delete shadows /all /quiet", "wmic shadowcopy delete" ], "unique_concatenation": "vssadmindeleteshadows/all/quietwmicshadowcopy", "description": "Concatenated VSS deletion commands (unique string artifact)", "impact": "Prevents recovery from Volume Shadow Copies", "detection": "Monitor for vssadmin.exe or wmic.exe with 'delete shadows' or 'shadowcopy delete' parameters", "confidence": "VERY HIGH" }, "drive_enumeration": { "technique": "T1083 - File and Directory Discovery", "behavior": "Enumerate all drive letters A-Z + network shares", "impact": "Identify all accessible storage for encryption", "detection": "Monitor for single process accessing 10+ drive letters within short timeframe", "confidence": "HIGH" }, "mass_file_modification": { "technique": "T1486 - Data Encrypted for Impact", "behavior": "Rapid encryption of thousands of files across multiple directories and drives", "threshold": "1000+ files modified in <1 hour", "detection": "Monitor for high-volume file modification events from single process", "confidence": "VERY HIGH" }, "network_share_enumeration": { "technique": "T1135 - Network Share Discovery", "behavior": "Enumerate and access network shares for lateral encryption", "impact": "Encrypt data on network file servers and shared drives", "detection": "Monitor for network share enumeration followed by mass file modifications", "confidence": "HIGH" }, "anti_debugging": { "stack_checking_loop": { "technique": "T1622 - Debugger Evasion", "signature": "Stack-based anti-debugging loop in C runtime (sub_140001180)", "behavior": "Continuous stack base monitoring, Sleep(1000ms) on debugger detection", "impact": "Defeats debugger attachment, evades automated sandboxes", "confidence": "VERY HIGH - present in ALL analyzed samples" }, "vectored_exception_handling": { "technique": "T1622 - Debugger Evasion", "api_calls": [ "AddVectoredExceptionHandler" ], "behavior": "Intercept exceptions before debuggers, interfere with breakpoint debugging", "confidence": "HIGH - present in encryption variants" }, "sleep_evasion": { "technique": "T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion", "behavior": "Repeated Sleep(1000ms) calls to slow sandbox analysis", "confidence": "HIGH" } }, "high_cpu_usage": { "description": "80-100% CPU usage during encryption phase (AVX-512/AVX2/SSE optimization)", "impact": "Very fast encryption speed - minutes to encrypt hundreds of GB", "detection": "EDR behavioral alert for sustained high CPU from Rust executables", "confidence": "HIGH" } }, "string_indicators": { "high_fidelity": { "chacha20_constant": { "string": "expand 32-byte k", "description": "ChaCha20 initialization constant (RFC 8439) - definitive algorithm identification", "encoding": "ASCII, wide", "fidelity": "VERY HIGH", "confidence": "CONFIRMED in enc_v2.exe, dec.exe, enc_pervictim.exe, updated_enc.exe" }, "vss_concatenated": { "string": "vssadmindeleteshadows/all/quietwmicshadowcopy", "description": "Unique concatenation of VSS deletion commands", "fidelity": "VERY HIGH", "confidence": "CONFIRMED" }, "rsa_chacha20_message": { "string": "[*] Using RSA+ChaCha20 encryption", "description": "Console output message confirming cryptographic scheme", "fidelity": "VERY HIGH", "confidence": "CONFIRMED in enc_v2.exe" } }, "debug_artifacts": { "chacha20_pervictim_rs": { "string": "chacha20_pervictim.rs", "description": "Rust source file debug artifact - confirms per-victim key generation", "fidelity": "VERY HIGH", "confidence": "CONFIRMED in enc_pervictim.exe" }, "netuse_disks_rs": { "string": "netusesrc/modules/disks.rs", "description": "Rust source file debug artifact - network share module", "fidelity": "VERY HIGH", "confidence": "CONFIRMED in enc/dec samples" } } }, "mitre_attack_techniques": { "execution": [ "T1204.002 - User Execution: Malicious File" ], "persistence": [ "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys (not in ransomware, present in associated FleetAgent tools)" ], "defense_evasion": [ "T1027 - Obfuscated Files or Information", "T1497.001 - Virtualization/Sandbox Evasion: System Checks", "T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion", "T1622 - Debugger Evasion" ], "discovery": [ "T1082 - System Information Discovery", "T1083 - File and Directory Discovery", "T1135 - Network Share Discovery" ], "impact": [ "T1486 - Data Encrypted for Impact", "T1490 - Inhibit System Recovery" ], "other": [ "T1070.004 - Indicator Removal: File Deletion (dec.exe cleanup)", "T1489 - Service Stop (potential - service blocklists suggest awareness)", "T1112 - Modify Registry (circumstantial - FleetAgent tools use registry)" ] }, "detection_opportunities": { "high_fidelity_indicators": [ "File hash match: Any of the 11 enc/dec variant SHA256 hashes", "String match: 'expand 32-byte k' in process memory or file scan", "String match: 'vssadmindeleteshadows/all/quietwmicshadowcopy'", "String match: 'chacha20_pervictim.rs' or 'netusesrc/modules/disks.rs'", "Network connection to 109.230.231.37 (any port, any protocol)", "VSS deletion commands: vssadmin.exe or wmic.exe with shadowcopy delete parameters" ], "behavioral_patterns": [ "Rust executable creating persistence mechanisms (associated FleetAgent tools)", "Single process accessing 10+ drive letters within short timeframe", "Mass file modification: 1000+ files in <1 hour from single process", "Network share enumeration followed by mass file modifications", "High CPU usage (80-100%) from Rust executable in user directories", "Encrypted outbound connections from Rust executables" ], "forensic_artifacts": [ "README.txt or README_FOR_DECRYPT.txt ransom notes", "ransom_note_exec.exe process execution", "VSS deletion events in Windows Event Logs", "Process creation events for Rust-compiled executables", "File modification events showing rapid encryption pattern" ], "yara_rules": [ "EncDec_ChaCha20_Constant (highest fidelity)", "EncDec_VSS_Deletion (high fidelity)", "EncDec_Rust_Artifacts (very high fidelity - unique debug paths)", "EncDec_AntiDebug_StackCheck (medium fidelity - signature TTP)", "EncDec_Comprehensive (medium fidelity - combined indicators)" ] }, "cryptographic_analysis": { "encryption_scheme": "Hybrid RSA-2048 + ChaCha20", "implementation": "Custom hand-coded (NOT standard library)", "key_hierarchy": { "master_key": "Threat actor RSA-2048 private key (offline, attacker-controlled)", "public_key": "Embedded RSA-2048 public key in encryptor executables", "session_keys": "Per-file ChaCha20 256-bit keys (randomly generated)", "session_key_protection": "Encrypted with RSA public key, stored in file footer" }, "optimization": { "avx512": "512-bit ZMM registers (16 parallel operations) - 4x faster than SSE", "avx2": "256-bit YMM registers (8 parallel operations) - 2x faster than SSE", "sse": "128-bit XMM registers (4 parallel operations) - baseline", "cpu_dispatcher": "Runtime CPU feature detection and optimal implementation selection" }, "cryptographic_strength": "Unbreakable without threat actor's master private key", "decryption_requirements": [ "Threat actor's master RSA-2048 private key (offline, attacker-controlled)", "Correct password for dec.exe (attacker-controlled)", "Without both: Decryption is computationally infeasible" ], "recovery_path": "Offline backup restoration is the only cryptographically-independent recovery method" }, "incident_response_guidance": { "immediate_actions_0_4_hours": [ "Block 109.230.231.37 at network perimeter (all ports, all protocols, inbound + outbound)", "Isolate infected systems from network (preserve power for forensics)", "Secure offline backups (verify integrity, create additional copies)", "Deploy enc/dec detection signatures (YARA, Sigma, EDR rules)", "Execute threat hunting queries (identify all infected systems)" ], "short_term_4_24_hours": [ "Complete threat hunt (final infected system count)", "Forensic image acquisition (memory + disk from patient zero)", "Eradication planning (rebuild vs clean decision)", "Stakeholder communication (executive briefing, user notifications)" ], "eradication_days_2_3": [ "Remove enc/dec malware from all systems", "Eliminate malware persistence mechanisms (Registry, Scheduled Tasks, LNK files)", "System rebuilds (48-72 hours per critical system - servers first)", "Credential resets (assume all credentials compromised by espionage tools)" ], "recovery_days_3_7": [ "Restore data from pre-infection backups", "Validate system integrity (malware-free verification)", "Phased return to operations (critical → standard → endpoints)", "User productivity restoration" ], "post_incident_week_2_plus": [ "Lessons learned session", "Security improvements implementation", "Compliance activities (breach notifications if applicable)", "Threat intelligence sharing (IOCs to ISACs, law enforcement)" ], "recovery_considerations": { "recommended_approach": "DO NOT PAY RANSOM", "rationale": [ "No guarantee of decryption tool delivery (industry data: 35% of payers do not receive functional tools)", "Funds APT operations", "Encourages future attacks", "Payment to sanctioned entities may violate OFAC regulations" ], "backup_dependency": "enc/dec deletes Volume Shadow Copies - offline backups are ESSENTIAL", "recovery_path": "Restore from pre-infection offline backups (verified and tested)" } }, "strategic_intelligence": { "development_timeline": { "characteristics": "Professional malware development environment with versioned builds and testing utilities", "capabilities": "Dual-purpose operations (espionage + ransomware), custom cryptographic implementations", "sophistication": "Custom ChaCha20+RSA implementation with hardware optimization (AVX-512/AVX2/SSE)" }, "dual_threat_assessment": { "ransomware": "Data encryption for financial extortion, operational disruption, recovery costs", "espionage": "Repository contains espionage tools likely deployed alongside ransomware - potential for intellectual property theft, credential compromise, long-term persistent access, future repeat attacks" }, "strategic_concerns": [ "Professional development sophistication suggests well-resourced threat actors", "Per-victim key generation indicates targeting capability beyond opportunistic attacks", "Repeat attack risk if espionage tools remain undetected", "Supply chain risk if organization is supplier/partner to higher-value targets" ] }, "compliance_impact": { "gdpr": { "breach_notification": "72 hours to supervisory authority if customer data encrypted", "customer_notification": "Without undue delay if high risk to customer rights", "potential_fines": "Up to €20 million or 4% annual global revenue" }, "hipaa": { "breach_notification": "HHS notification within 60 days if PHI encrypted", "patient_notification": "Within 60 days", "potential_fines": "Up to $1.5 million per violation category per year" }, "pci_dss": { "incident_reporting": "Card brands within 72 hours", "forensic_investigation": "PFI engagement mandatory", "potential_consequences": "Increased transaction fees, loss of card processing ability" }, "state_breach_laws": { "notification": "All 50 US states have breach notification laws", "attorney_general": "Required in many states", "credit_monitoring": "May be required depending on data types" } }, "timestamp": "2026-01-18T00:00:00Z", "analyst": "Threat Intelligence Team", "report_version": "1.0", "related_reports": [ "/reports/enc-dec-ransomware-family/", "/hunting-detections/enc-dec-ransomware-family/" ], "license": "© 2026 Joseph. All rights reserved. Free to read, but reuse requires written permission." }