DirCrypt (Malware)
⚠️ Overview
DirCrypt is a ransomware family first documented in public threat reports by BlackBerry Research and Intelligence in November 2022. It is believed to be operated by a financially motivated actor with connections to the LockBit affiliate ecosystem. It is a file-encrypting ransomware that targets Windows systems and is delivered primarily through phishing campaigns and through exposed remote desktop (RDP) services.
🔧 Technical Capabilities
DirCrypt is delivered through malicious email attachments carrying VBA macros or JavaScript downloaders, and through brute-forcing of RDP credentials with common username/password combinations. The attack chain downloads a PowerShell loader that fetches the main payload from a remote C2 server; C2 traffic is carried over HTTPS so that it blends in with ordinary web traffic and is not exposed to plaintext inspection. Once executed, the payload enumerates local drives and network shares and encrypts files with AES-256, appending an extension such as .dircrypt to each encrypted file. For persistence it creates a scheduled task named DirCryptSvc and adds a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion and anti-recovery steps include disabling Windows Defender through registry modification and deleting Volume Shadow Copies with vssadmin.exe (vssadmin delete shadows) so that files cannot be restored from local snapshots.
📜 History & Notable Incidents
DirCrypt first appeared in November 2022, when BlackBerry's telemetry recorded a small number of infections at small-to-medium enterprises in the manufacturing and logistics sectors. As of 2025 no high-profile victims or major campaigns have been publicly attributed to the family, and no CVEs are specific to it. Instead, it exploits known, unpatched vulnerabilities: CVE-2019-19781 (Citrix ADC/Gateway path traversal) for initial access and CVE-2020-1472 (Zerologon, Netlogon privilege escalation) to escalate to domain-level privileges once inside. No law enforcement actions against the operators have been reported.
🔍 Detection Indicators
Known file hashes for DirCrypt payloads are documented in BlackBerry's threat intelligence report. The page reproduces one as SHA256 8a3f7c2e1b9d4a6f0c5e7b8d9a1c2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9; note that this string is 63 hex digits, one short of a valid SHA-256, so confirm it against the original report before loading it into a blocklist. Host-based behavioural indicators include creation of the mutex Global\DirCrypt_Mutex_2022 and of the scheduled task DirCryptSvc. Network indicators include HTTPS connections to the range 185.225.17.0/24 and the User-Agent string Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0. The User-Agent is the stock Firefox 60 string for Windows 7 and will also appear in legitimate traffic from old browsers, so treat it as a weak indicator and correlate it with the destination range or the host indicators rather than alerting on it alone.
☠️ Risk & Impact
DirCrypt encrypts files with no recovery path other than the attacker's key, and demands a ransom typically between 0.5 and 2 Bitcoin (approximately $15,000–$60,000 at the time of activity), negotiated and paid through a payment site reachable over Tor. Data exfiltration is not a standard feature, but the group may harvest credentials before encryption to enable lateral movement across the network. Affected sectors include manufacturing, logistics, and professional services, according to BlackBerry's incident response cases.
🛡️ Mitigation
Defensive measures include enforcing multi-factor authentication on RDP (and not exposing RDP directly to the internet), blocking macro-enabled email attachments, and applying patches for CVE-2019-19781 and CVE-2020-1472. BlackBerry recommends endpoint detection rules that alert on execution of vssadmin delete shadows and on creation of the Global\DirCrypt_Mutex_2022 mutex; creation of the DirCryptSvc scheduled task and new values under the HKCU Run key are equally useful persistence indicators. Regular offline or offsite backups that the ransomware cannot reach from a compromised host, together with user awareness training, remain essential.
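The following script is an added example, not code from the page or from BlackBerry, that turns the host and network indicators listed under Detection Indicators and Mitigation into detection logic run over telemetry records. Only the indicator values (mutex, task name, Run key, C2 range, User-Agent, vssadmin delete shadows) come from the page; the event format, rule names, the Windows Defender policy key used for the tampering rule, and the sample events are assumptions constructed for the example.

```python
"""Match host and network telemetry against the DirCrypt indicators on this page.

The event dictionaries, rule names and SAMPLE_EVENTS are constructed for this
example; only the indicator values are taken from the page.
"""
import ipaddress
import re

# --- indicators reproduced from the page ---
C2_RANGE = ipaddress.ip_network("185.225.17.0/24")
MUTEX_NAME = r"Global\DirCrypt_Mutex_2022"
TASK_NAME = "DirCryptSvc"
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

# --- patterns that are assumptions: the page names the behaviour, not the exact strings ---
VSSADMIN_RE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I)
DEFENDER_KEY_RE = re.compile(r"\\Policies\\Microsoft\\Windows Defender", re.I)


def match_event(ev):
    """Return the name of the first rule the event trips, or None."""
    kind = ev["kind"]
    if kind == "process":
        cmd = ev.get("cmdline", "")
        if VSSADMIN_RE.search(cmd):
            return "shadow_copy_deletion"
        if SCHTASKS_RE.search(cmd) and TASK_NAME.lower() in cmd.lower():
            return "persistence_scheduled_task"
    elif kind == "registry":
        path = ev.get("path", "")
        if RUN_KEY_RE.search(path):
            return "persistence_run_key"
        # Assumed: Defender disabled by setting a Disable* policy value to 1.
        if DEFENDER_KEY_RE.search(path) and str(ev.get("value", "")) == "1":
            return "defender_tampering"
    elif kind == "mutex":
        if ev.get("name") == MUTEX_NAME:
            return "dircrypt_mutex"
    elif kind == "task":
        if ev.get("name") == TASK_NAME:
            return "dircrypt_task"
    elif kind == "network":
        dst = ev.get("dst_ip")
        if dst and ipaddress.ip_address(dst) in C2_RANGE:
            return "c2_subnet"
        # Weak on its own: this is the stock Firefox 60 / Windows 7 User-Agent.
        if ev.get("user_agent") == USER_AGENT:
            return "c2_user_agent"
    return None


def scan(events):
    """Return [(index, rule, event)] for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        rule = match_event(ev)
        if rule:
            hits.append((i, rule, ev))
    return hits


# Constructed sample telemetry: a plausible DirCrypt run mixed with benign noise.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"kind": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn DirCryptSvc /tr "C:\\Users\\Public\\svc.exe" /sc onlogon'},
    {"kind": "registry", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\Public\svc.exe"},
    {"kind": "registry",
     "path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "value": "1"},
    {"kind": "mutex", "name": r"Global\DirCrypt_Mutex_2022"},
    {"kind": "network", "dst_ip": "185.225.17.42", "dst_port": 443, "user_agent": USER_AGENT},
    {"kind": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"kind": "network", "dst_ip": "93.184.216.34", "dst_port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120"},
    {"kind": "registry", "path": r"HKCU\Software\Microsoft\Office\16.0\Word\Options",
     "value": "0"},
]

if __name__ == "__main__":
    for i, rule, ev in scan(SAMPLE_EVENTS):
        print(f"[{i}] {rule}: {ev}")
```

The rules are ordered so that a single record reports its strongest match first: a connection into 185.225.17.0/24 is reported as c2_subnet even when it also carries the listed User-Agent, and the User-Agent rule only fires on its own for traffic to other destinations, where it should be treated as a low-confidence lead to correlate with the host-side rules rather than a standalone alert.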
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.