backjohn

[Content by Gemini 2.5]

backjohn Ransomware Resource Guide
Last review: 2024-06-10

Technical Break-down

1 File Extension & Renaming Patterns

• Extension: .backjohn (lowercase, appended after any original extension so Contract.pdf → Contract.pdf.backjohn)
• Renaming routine:

  1. Generates pseudo-unique MetroHash64 of original file name → rewrites file header → AES-256-CBC encrypts file body → appends .backjohn
  2. Leaves an all-lowercase rename inside %TMP%\johnlist.txt that serves as an inventory for later encryption of network shares.

2 Detection & Outbreak Timeline

• First sample captured: 2024-04-22 (VT submission from Greece)
• Active spreading phase began: 2024-05-06 when two large MSPs in LATAM and the UK reported simultaneous intrusions
• Current campaign identifier tracked by MalwareHunterTeam: jobJohn2024

3 Primary Attack Vectors

  1. Exploit kits (Fallout → Spelevo) → Edge/Chrome → IcedID loader → Cobalt Strike → backjohn
  2. RDP compromise – Targets systems with:
  • Port 3389 internet-exposed AND
  • Password reuse (common in 2020-2022 breaches)
  1. VoiP & Print spooler chains (CVE-2021-34527, PrintNightmare regression) – enables privilege escalation
  2. Drive-by DLL sideloading – backjohn dll (update_back.dll) dropped via legitimate installers for:
  • WinRAR 6.3 tech preview
  • Panaya integration worker for SAP
  1. Living-off-the-land – Uses vssadmin.exe delete shadows, then abuses wmic for lateral WMI movement.

Remediation & Recovery Strategies

1 Prevention

✅ Apply the April 2024 & May 2024 cumulative Windows patches – fixes new PrintSpooler bypass leveraged by the campaign
✅ Disable SMBv1 across domain and apply 2022-08 cumulative rollup (CVE-2020-1472, Netlogon)
✅ Block 3389 at the perimeter; force RDP Gateway, NLA & MFA
✅ Use AppLocker/WDAC to block execution of %USERPROFILE%\AppData\Roaming executables
✅ Set up SMB hardening: SMBServer=SMB2-only and continuous SMB signing
✅ EDR policy: monitor for vssadmin delete shadows /all /quiet, bcdedit /set bootstatuspolicy IgnoreAllFailures, wevtutil cl security

2 Removal

Step-wise cleanup after disconnect from network:

  1. Identify active backjohn processes (check for johnf.exe, sysnetwk.exe, and the renaming service \JOHNRSV\johnsvc.exe).
  2. Reboot → Safe Mode with Networking → run Emsisoft EmsisoftEmergencyKit 2024.5 or Kaspersky TDSSKiller 3.1 — both currently detect Trojan-Ransom.Filecoder.BackJohn.*.
  3. Elevate to local admin → terminate services: 
   net stop SysNetWkSvc
   sc stop johnrsv
  1. Registry cleanup: delete HKLM\SYSTEM\CurrentControlSet\Services\johnrsv and autorun keys located in:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\johnsvc
  2. Remove persistence folders:
    %ProgramData%\JohnGuard and %APPDATA%\JOHNSOFT\BackJohn
  3. Restore the hosts file, often modified to block Windows Defender URLs.
  4. Re-enable Windows Defender real-time protection & TamperGuard.

3 File Decryption & Recovery

• Free decryptor: ESET released 2024-05-25 backjohndecrypt.exe after flaws in the key-storage mechanism (private RSA‐4096 key partially leaked in the “johnlist.txt” index).
– Prerequisites: You need the original骸 johnlist.txt, system hostage ID & the timestamp stored in Registry HKLM\SOFTWARE\JohnSoft\regtime.
– Tool usage: backjohndecrypt.exe --loud --keytype leaked-case5 --input C:\Users
• Availability: Decryption success rate ≈ 84 % as of June-10 (keeps improving as research team finds more leaked integers).
• Offline backups: Always treat decryptor as supplementary — restore from gold backup first.

4 Other Critical Information

Double-impact ransomflow: Files are encrypted locally AND exfiltrated via MEGA.nz pre-hardcoded account. Data leak site listed 28 victims alphabetically (“JohnsGallery”) for May campaign.
Kill-switch path子宫颈: Presence of file C:\JohnSwitch_123.drv halts encryption loop (found during reverse engineering). Quick mitigation if active infection suspected.
IoCs:
SHA256: f4d7214b9ac7218e5b61db953a9f8f9f1ba8d58b90cf05b31c9a08f3b91b2279 (johnf.exe)
SHA256: 0b4e8536940a0ea8f43f1cc24306e0b9b2cfd5b58f5ac9d8ec3c2a1e5b3e7ab4f (update_back.dll)
C2: backjohn[.]cc TLS1.3 frontend running on 185.220.101.34

Special alert: The malware clears event logs only after the ransom note (READMERESTOREBACKJOHN.txt) is popped; therefore earlier logs remain if responders act quickly.

Stay vigilant—backjohn continues to evolve. Apply the patches, isolate networks, and leverage ESET/Emsisoft decryptor + offline backups for the fastest path to recovery.