badnews

[Content by Gemini 2.5]


Technical Breakdown – “BadNews” Ransomware (.badnews extension)

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every encrypted file has .badnews appended to its original name.
  Original:      2023_Q4_Results.xlsx
  Encrypted:     2023_Q4_Results.xlsx.badnews
  • Renaming Convention: Files keep their original base name and all prior extensions (important when files already have multiple suffixes, e.g., .tar.gz.badnews). No additional ID is inserted in the file name, so two victims cannot distinguish whose data is whose by filename alone.
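
The renaming convention above is the only thing a responder has to go on when scoping an outbreak, so the following added example (not part of the original write-up) inventories .badnews files, bounds the encryption window from their timestamps, and restores original names after a decryption pass. Only the .badnews suffix comes from the page; the share paths in the usage lines and the decision to key everything off LastWriteTime are assumptions.

```powershell
# Added example, not from the original write-up: scope an incident by inventorying
# .badnews files and bounding the encryption window from their timestamps. Only the
# suffix comes from the page; the share paths in the usage lines are assumptions.
function Get-BadNewsInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $Extension = '.badnews'
    )

    $files = foreach ($p in $Path) {
        Get-ChildItem -LiteralPath $p -Recurse -File -Filter "*$Extension" -ErrorAction SilentlyContinue
    }

    $items = foreach ($f in $files) {
        # The locker only appends the suffix, so stripping it yields the full original
        # name, including stacked suffixes such as .tar.gz.
        $original = $f.Name.Substring(0, $f.Name.Length - $Extension.Length)
        [pscustomobject]@{
            Path              = $f.FullName
            OriginalName      = $original
            OriginalExtension = [System.IO.Path]::GetExtension($original).ToLowerInvariant()
            SizeBytes         = $f.Length
            LastWriteUtc      = $f.LastWriteTimeUtc
        }
    }
    $sorted = @($items | Sort-Object LastWriteUtc)

    [pscustomobject]@{
        Count         = $sorted.Count
        FirstWriteUtc = ($sorted | Select-Object -First 1).LastWriteUtc
        LastWriteUtc  = ($sorted | Select-Object -Last 1).LastWriteUtc
        ByExtension   = $items | Group-Object OriginalExtension | Sort-Object Count -Descending |
                            Select-Object Name, Count
        Items         = $items
    }
}

# Only for files that a decryptor has already restored in place while leaving the
# suffix on: strips the suffix, supports -WhatIf, and skips names that would collide.
function Restore-BadNewsFileName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [System.IO.FileInfo] $File,
        [string] $Extension = '.badnews'
    )
    process {
        if (-not $File.Name.EndsWith($Extension, [System.StringComparison]::OrdinalIgnoreCase)) { return }
        $target = $File.Name.Substring(0, $File.Name.Length - $Extension.Length)
        if (Test-Path -LiteralPath (Join-Path $File.DirectoryName $target)) {
            Write-Warning "Skipping $($File.FullName): $target already exists"
            return
        }
        if ($PSCmdlet.ShouldProcess($File.FullName, "Rename to $target")) {
            Rename-Item -LiteralPath $File.FullName -NewName $target
        }
    }
}

# Usage (paths are placeholders):
# $inv = Get-BadNewsInventory -Path 'D:\Shares', '\\fs01\Finance'
# $inv.Count; $inv.FirstWriteUtc; $inv.LastWriteUtc; $inv.ByExtension
# $inv.Items | ForEach-Object { Get-Item -LiteralPath $_.Path } | Restore-BadNewsFileName -WhatIf
```

FirstWriteUtc and LastWriteUtc give a first approximation of when the locker started and stopped on that share; cross-check them against logon and RDP events before treating them as the timeline.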

2. Detection & Outbreak Timeline

  • First Observed: 8 October 2022 (honeypot hits reported by CERT-UA)
  • Global Surge: 25 Oct 2022 – 03 Nov 2022 (esp. targeting French & North-American MSPs)
  • Latest Reactive Signatures: 13 Nov 2022 (Trellix/SkyHigh “BadNews-A” signature) – confirmed still active; no major new wave since early 2023 but sporadic infections persist.

3. Primary Attack Vectors

| Mechanism | Technical Details | Typical Victim-Entry Point |
| ----------- | ------------------ | ---------------------------- |
| RDP brute-force → beacon implant “BTunnel.exe” | Scans external 3389 → Mimikatz memory scrape to domain admin → lateral movement via PsExec. | Exposed Windows Server 2012/2016 with weak AD passwords. |
| ProxyLogon (CVE-2021-26855/27065) on on-prem Exchange 2016 | Web-shell https://owa.domain[.]tld/obj/xcl/svc.aspx drops CertUtil payload → Stager downloads badnews_loader.zip containing .NET executable. | Small organisations running on-prem Exchange that had not applied the 2021 ProxyLogon security updates. |
| Software supply-chain of “EldoS SysTools” (abandoned VCL package) | Trojanised Delphi DLL RSYS.dll inserts WMIC command that launches the encryption binary. | App vendors building legacy utilities compiled with Delphi-based frameworks. |
| Spam ZIP/7z attachments with ISO within ISO | The inner ISO contains FoxitReader-update.exe which is actually the BadNews dropper. | Seasonal “discount invoice” campaigns. |

BadNews tries to disable Windows Defender via PowerShell (Set-MpPreference -DisableRealtimeMonitoring $true) within the first 30 minutes. Where Defender Tamper Protection is enabled that call is refused, which is a good reason to leave it on.
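Because the Defender switch-off is the first thing the locker does, it is also the earliest reliable signal. The following added example (not from the original write-up) checks the current protection state on a host and pulls the events that show when and by whom real-time protection was changed, and also looks for the shadow-copy deletion described later in this write-up. The event IDs are Microsoft's documented ones; the 24-hour look-back and the host names in the usage lines are assumptions.

```powershell
# Added example, not from the original write-up: check whether real-time protection
# has been switched off on this host and pull the events that show when and how.
# Event IDs are Microsoft's documented ones; the look-back window is an assumption.
function Get-DefenderTamperEvidence {
    [CmdletBinding()]
    param([datetime] $Since = (Get-Date).AddHours(-24))

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Defender operational log: 5001 real-time protection disabled,
    # 5007 configuration changed, 5010 malware scanning disabled.
    $defenderEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007, 5010; StartTime = $Since
    }

    # Script block logging (4104) records the Set-MpPreference call itself when it is
    # enabled; 4688 (with command-line auditing on) catches the same from cmd/wmic,
    # including the WMIC/vssadmin shadow-copy deletion this family performs.
    $pattern = 'Set-MpPreference\s.*-Disable|Add-MpPreference\s.*-Exclusion|shadowcopy\s+delete|vssadmin.*delete\s+shadows'
    $scriptBlocks = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since
    } | Where-Object { $_.Message -match $pattern }
    $processEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $Since
    } | Where-Object { $_.Message -match $pattern }

    [pscustomobject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        TamperProtected           = $status.IsTamperProtected
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        ExclusionPaths            = $pref.ExclusionPath
        DefenderEvents            = $defenderEvents | Select-Object TimeCreated, Id, Message
        SuspiciousCommands        = @($scriptBlocks) + @($processEvents) |
                                        Select-Object TimeCreated, Id, UserId, Message
    }
}

# Usage:
# Get-DefenderTamperEvidence | Format-List
# Fan out across suspected hosts (placeholder names):
# Invoke-Command -ComputerName srv01, srv02 -ScriptBlock ${function:Get-DefenderTamperEvidence}
# Re-enable locally once the host is clean:
# Set-MpPreference -DisableRealtimeMonitoring $false
```

A host where RealTimeProtectionEnabled is false, TamperProtected is false and a 5001 event sits inside the first half hour of the encryption window matches the behaviour described above; the 4104/4688 hits tell you which account ran the command, which is the pivot into the RDP or ProxyLogon entry point.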


Remediation & Recovery Strategies

1. Prevention

  1. Block Internet → 3389 at the edge; require VPN plus MFA instead of any direct RDP exposure.
  2. Patch Exchange Server (2021 Hafnium/ProxyLogon chain), Citrix ADC and FortiOS SSL-VPN immediately.
  3. Configure e-mail gateways to block nested ISO files and password-protected ZIPs that contain an ISO.
  4. Application whitelisting (WDAC/AppLocker) plus Microsoft Defender ASR rules such as Block executable content from email client and webmail and Block credential stealing from the Windows local security authority subsystem (lsass.exe).
  5. Backups: 3-2-1 strategy with offline, rotated copies plus immutable cloud snapshots (Veeam hardened repository / Azure immutable blob storage).
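Steps 1 and 4 are the ones most often left half-done, so the following added example (not from the original write-up) enforces the two Defender ASR rules named above, reports their current state, and checks whether the host still accepts RDP from anywhere. The rule GUIDs are Microsoft's published identifiers for those two rules; the VPN subnet and the audit-first rollout are assumptions.

```powershell
# Added example, not from the original write-up: apply the two ASR rules from step 4
# (audit first, then enforce), show their state, and verify that inbound RDP is not
# open to any remote address. GUIDs are Microsoft's published rule IDs.
$asrRules = @{
    # Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'LSASS credential theft'
    # Block executable content from email client and webmail
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Executable content from email/webmail'
}

function Set-BadNewsAsrRules {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet('AuditMode', 'Enabled')] [string] $Action = 'AuditMode')
    foreach ($id in $asrRules.Keys) {
        if ($PSCmdlet.ShouldProcess($asrRules[$id], "ASR $Action")) {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
        }
    }
}

function Get-BadNewsAsrState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        if (-not $asrRules.ContainsKey($id)) { continue }
        # Action codes as Get-MpPreference reports them: 0 Disabled, 1 Block, 2 Audit, 6 Warn
        $code = $pref.AttackSurfaceReductionRules_Actions[$i]
        $name = switch ($code) { 0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "$code" } }
        [pscustomobject]@{ Rule = $asrRules[$id]; Id = $id; Action = $name }
    }
}

function Test-RdpExposure {
    param([string] $VpnSubnet = '10.200.0.0/16')   # assumption: your VPN pool
    $listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr -join ',') }
        }
    [pscustomobject]@{
        Listening3389   = [bool]$listening
        InboundRdpRules = $rules
        # An enabled inbound rule scoped to 'Any' means step 1 is not in place on this host
        OpenToAny       = [bool]($rules | Where-Object RemoteAddress -eq 'Any')
        ExpectedScope   = $VpnSubnet
    }
}

# Usage:
# Set-BadNewsAsrRules -Action AuditMode      # watch the Defender operational log for 1121/1122 events
# Set-BadNewsAsrRules -Action Enabled
# Get-BadNewsAsrState | Format-Table
# Test-RdpExposure | Format-List
```

Run the ASR rules in audit mode for a week on a representative set of machines before switching to Enabled; the LSASS rule in particular can flag legitimate EDR and backup agents, and the noise is easier to triage in audit than after a block.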

2. Removal (Step-by-Step)

  1. Isolate: pull the network cable / disable Wi-Fi before touching anything else.
  2. Boot into Safe Mode with Networking or use Windows PE.
  3. Run:
  • Microsoft Defender Offline
  • Malwarebytes Nebula/MBAR
  4. Manual persistence removal:
  • schtasks /delete /tn "BadNewsWake"
  • HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BadNewsUpdater
  • %ProgramData%\ServiceBackup\badnews_loader.exe
  • %APPDATA%\Local\Microsoft\ntdtc.bat (wipes Volume Shadow Copies)
  5. Scan again and confirm zero hits; if the infection is domain-wide, push a GPO that removes every local scheduled task whose name matches the wildcard *badnews*.
  6. Re-image the box if any doubt remains (BadNews is known to leave dormant .NET service loaders under %windir%\System32\Tasks\Syncservice that are later triggered by WMI).
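Steps 4 to 6 are one procedure, so the following added example (not from the original write-up) turns them into a single sweep that reports every artefact listed above on a host and, with -Remove, deletes them under -WhatIf/-Confirm control. The task, registry-value and file names are the page's own indicators, used verbatim; the WMI-subscription check is a generic one added because the write-up says the dormant loader is WMI-triggered, and the domain-wide fan-out in the usage lines is an assumption.

```powershell
# Added example, not from the original write-up: sweep a host for the persistence
# artefacts listed in the removal steps and optionally remove them. Task, registry
# value and file names are the page's IOCs; the WMI-subscription check is generic.
function Invoke-BadNewsPersistenceSweep {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $Remove)

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string] $Kind, [string] $Location, $Data) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Data = $Data })
    }

    # 1. Scheduled tasks: the named task plus anything matching *badnews* (the GPO wildcard)
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -eq 'BadNewsWake' -or $_.TaskName -like '*badnews*' } |
        ForEach-Object { Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $_ }

    # 2. Run-key value
    $runKey = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['BadNewsUpdater']) {
        Add-Finding 'RunValue' "$runKey -> BadNewsUpdater = $($run.BadNewsUpdater)" 'BadNewsUpdater'
    }

    # 3. Dropped files exactly as the page lists them, plus the dormant loader directory
    $paths = @(
        (Join-Path $env:ProgramData 'ServiceBackup\badnews_loader.exe'),
        (Join-Path $env:APPDATA 'Local\Microsoft\ntdtc.bat'),
        (Join-Path $env:windir 'System32\Tasks\Syncservice')
    )
    foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p $p } }

    # 4. WMI event subscriptions (the dormant loader is described as WMI-triggered).
    # Reported only: the default "SCM Event Log" binding is legitimate, so review by hand.
    Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'WmiBinding' "$($_.Filter.Name) -> $($_.Consumer.Name)" $_ }

    if ($Remove) {
        foreach ($f in $findings) {
            if ($f.Kind -eq 'WmiBinding') { Write-Warning "Not auto-removing WMI binding: $($f.Location)"; continue }
            if (-not $PSCmdlet.ShouldProcess($f.Location, "Remove $($f.Kind)")) { continue }
            switch ($f.Kind) {
                'ScheduledTask' { $f.Data | Unregister-ScheduledTask -Confirm:$false }
                'RunValue'      { Remove-ItemProperty -Path $runKey -Name $f.Data }
                'File'          { Remove-Item -LiteralPath $f.Data -Recurse -Force }
            }
        }
    }
    $findings
}

# Usage: report first, then remove with confirmation, then re-scan; re-image if in doubt.
# Invoke-BadNewsPersistenceSweep | Format-Table Kind, Location
# Invoke-BadNewsPersistenceSweep -Remove -WhatIf
# Invoke-BadNewsPersistenceSweep -Remove
# Domain-wide (RSAT ActiveDirectory module; host selection is a placeholder):
# Invoke-Command -ComputerName (Get-ADComputer -Filter *).Name -ScriptBlock ${function:Invoke-BadNewsPersistenceSweep}
```

Run the report mode on a known-clean reference host first so you know what the WmiBinding output looks like when nothing is wrong; any extra filter/consumer pair on an infected machine is then easy to spot, and removing it by hand (Remove-CimInstance on the binding, filter and consumer) is safer than a blanket delete.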

3. File Decryption & Recovery

  • Recovery Feasibility: POSSIBLE – partial, specific cases only
  • Kaspersky RakhniDecryptor (v3.1 or newer) supports two early BadNews variants using known static RSA-1024 keys (leaked April 2023).
  • Eligibility Criteria: Files must have been encrypted by v1.12 or earlier (matches the md5 of badnews_loader.exe 0b34a6f7eecd5f…; newer v2.x builds switched to RSA-2048 with per-victim keys).
  • Tool link: https://support.kaspersky.com/downloads/utils/rakhni_decryptor.zip
  • No free decryptor exists for v2.x; the only alternative is paying the attackers, which is NOT recommended.
  • Fallback: Recover from immutable/offline backup (Veeam hardened repo, Dell RecoverPoint, NetBackup AIR, etc.) and prevent re-occurrence.

4. Other Critical Information

  • Unique Behaviors:
  • Deletes Volume Shadow Copies via WMIC but leaves the Microsoft VSS service running, so restoration looks viable until you find that no snapshots remain.
  • Drops secondary open-source Tor client (tor.exe) hidden in %temp%\is-J2AK2.tmp; uses onion domain badnews5ffzqzfaq[.]onion for ransom portal and chat.
  • Broader Impact:
  • First noteworthy case where attackers offered a working PROOF service (upload single ≤1 MB file, instantly decrypted to build trust).
  • French insurance company reported $11 M demand on >400 endpoints after MSP compromise—set a new record for Windows-centric locker variants in Q4-2022.
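The running-VSS-but-empty-snapshots trap above is worth checking explicitly before anyone promises a restore, and the Tor client is the one network artefact the write-up names. The following added example (not from the original write-up) does both on a host. The tor.exe location generalises the page's single is-J2AK2.tmp directory to the is-*.tmp pattern and sweeps every user profile's temp folder; both are assumptions, as is the expectation that the dropper is still on disk.

```powershell
# Added example, not from the original write-up: confirm whether any shadow copies
# actually survive before planning a restore from them, and look for the dropped
# Tor client. is-*.tmp generalises the page's is-J2AK2.tmp name (an assumption).
function Get-BadNewsPostEncryptionState {
    [CmdletBinding()]
    param()

    $vss     = Get-Service -Name VSS -ErrorAction SilentlyContinue
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $byVolume = $shadows | Group-Object VolumeName | ForEach-Object {
        [pscustomobject]@{
            Volume = $_.Name
            Count  = $_.Count
            Oldest = ($_.Group | Sort-Object InstallDate | Select-Object -First 1).InstallDate
        }
    }

    # Tor client under each user's %TEMP%\is-*.tmp, plus the live process and its connections
    $tempDirs = @("$env:SystemDrive\Users\*\AppData\Local\Temp\is-*.tmp", (Join-Path $env:TEMP 'is-*.tmp'))
    $tor     = Get-ChildItem -Path $tempDirs -Filter tor.exe -Recurse -File -ErrorAction SilentlyContinue
    $torProc = @(Get-Process -Name tor -ErrorAction SilentlyContinue)
    $torConn = if ($torProc) {
        Get-NetTCPConnection -OwningProcess $torProc.Id -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        VssServiceStatus     = $vss.Status
        ShadowCopyCount      = $shadows.Count
        ShadowCopiesByVolume = $byVolume
        # VSS running with zero snapshots is exactly the misleading state described above
        RestorableFromVss    = ($shadows.Count -gt 0)
        TorBinaries          = $tor | Select-Object FullName, Length, LastWriteTimeUtc
        TorProcessIds        = $torProc.Id
        TorConnections       = $torConn | Select-Object LocalPort, RemoteAddress, RemotePort, State
    }
}

# Usage:
# Get-BadNewsPostEncryptionState | Format-List
# Cross-check the snapshot count with: vssadmin list shadows
```

If RestorableFromVss is false, stop planning around shadow copies and go straight to the offline or immutable backup path described in the decryption section; a live tor.exe with established connections means the host is still talking to the ransom portal and should stay isolated until it is re-imaged.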

Protecting against .badnews boils down to patching the legacy Microsoft stack, denying direct RDP, enforcing MFA, and keeping immutable backups. If you were infected before March 2023, try Kaspersky’s decryptor first; otherwise rebuild from backups.