Technical Breakdown:
1. File Extension & Renaming Patterns
-
Confirmed File Extension: the encryptor appends “.badutclowns” to every file it encrypts.
-
Renaming Convention: the ransomware keeps the original filename and its original extension intact and appends the new suffix after the final dot; it does not replace the existing extension or insert anything before it.
Example:
Pre-encryption: monthly_budget.xlsx
Post-encryption: monthly_budget.xlsx.badutclowns
This creates predictable, easy-to-spot evidence of compromise on every affected volume or share: a recursive search for *.badutclowns scopes the damage, and stripping the suffix recovers each original name.
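As an added triage example (not code from the original write-up or from any vendor tool), the following Python script walks a volume or share, recovers the original name and extension from every .badutclowns file, counts hits per original extension, and also picks up the per-folder ransom note the write-up names later (how_to_recover_files.txt). The directory layout it builds is constructed for the example and contains placeholder bytes, not real ciphertext.

```python
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".badutclowns"               # suffix the write-up reports being appended
RANSOM_NOTE = "how_to_recover_files.txt"  # per-folder note name the write-up reports


def original_name(encrypted_name):
    """Undo the renaming: 'a.xlsx.badutclowns' -> ('a.xlsx', '.xlsx'); None if not renamed."""
    if not encrypted_name.lower().endswith(RANSOM_EXT):
        return None
    original = encrypted_name[:-len(RANSOM_EXT)]
    return original, Path(original).suffix.lower()


def triage_tree(root):
    """Walk a tree and summarise the evidence the renaming leaves behind."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(full)
            elif original_name(name) is not None:
                encrypted.append(full)
    # Group by original extension so responders see which data types were hit
    by_ext = Counter(original_name(os.path.basename(p))[1] or "(none)" for p in encrypted)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "by_original_ext": dict(by_ext),
        "affected_dirs": sorted({os.path.dirname(p) for p in encrypted}),
    }


# Constructed sample layout (not real victim data); contents are placeholders.
SAMPLE_LAYOUT = {
    "finance/monthly_budget.xlsx.badutclowns": b"\x00placeholder ciphertext",
    "finance/how_to_recover_files.txt": b"constructed note text",
    "finance/README.md": b"untouched",
    "hr/offer.docx.badutclowns": b"\x00placeholder ciphertext",
    "hr/photo.JPG.badutclowns": b"\x00placeholder ciphertext",
    "hr/notes.badutclowns": b"\x00placeholder ciphertext",  # original had no extension
    "hr/how_to_recover_files.txt": b"constructed note text",
    "it/backup.vhdx": b"untouched",
}


def demo():
    """Materialise the constructed tree in a temp dir, triage it, and clean up."""
    root = tempfile.mkdtemp(prefix="badut_triage_")
    try:
        for rel, data in SAMPLE_LAYOUT.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return triage_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['encrypted_files'])} encrypted files, "
          f"{len(result['ransom_notes'])} ransom notes, "
          f"{len(result['affected_dirs'])} affected directories")
    for ext, n in sorted(result["by_original_ext"].items()):
        print(f"  {ext:8} {n}")
```

Point triage_tree() at a mounted share root to scope an incident; the per-extension counts and affected directory list are what you hand to the recovery team before any decryptor is run.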
2. Detection & Outbreak Timeline
- Approximate Start Date/Period: First observed in phishing waves on 18 July 2023 by multiple threat-intel feeds (Recorded Future, Microsoft Defender TI, AlienVault OTX). A second, much larger surge, leveraging RDP credential abuse, appeared in October 2023 and continued through December. At least three affiliate campaigns have reused the same builder since its source code leaked in late 2023.
3. Primary Attack Vectors
- Propagation Mechanisms:
Initiator 1 – Spear-Phishing with ISO/IMG/CAB/RAR Attachments
Malspam delivers password-protected archives or disk images named Invoice-[global-id].img; when the victim double-clicks the mounted image, a scheduled-task payload executes a PowerShell launcher that retrieves the encryptor stager from Discord’s CDN or an attacker-controlled VPS.
Initiator 2 – Remote Desktop Protocol (RDP) & Initial-Access-Broker (IAB) Accounts
Operators buy RDP/SSH credentials from initial-access brokers on dark-web forums, scan for hosts exposing TCP/3389, brute-force weak logins, then disable AV services and deploy badutclowns.exe via LOLBins (rundll32.exe, powershell.exe).
Lateral Movement – EternalBlue & PetitPotam
Internal propagation reuses public exploit code: EternalBlue (MS17-010, from the 2017 Shadow Brokers leak) against unpatched SMBv1 endpoints, and PetitPotam (MS-EFSRPC authentication coercion) to force NTLM authentication that is relayed toward domain controllers. Once a domain controller is compromised, GPO scripts push the ransomware to every endpoint at 03:00–04:00 local time to maximise the blast radius.
Software-Vulnerability Wrappers
Campaigns spotted in early 2024 bundle the loader with exploits for ConnectWise ScreenConnect (CVE-2024-1708, CVE-2024-1709) and the widely abused Citrix NetScaler ADC/Gateway session-token leak (CVE-2023-4966, “Citrix Bleed”).
Remediation & Recovery Strategies:
1. Prevention
-
Proactive Measures:
• Patch MS17-010, CVE-2023-4966 and CVE-2024-1708/1709, plus any other vulnerability leveraged by the exploits above.
• Disable SMBv1 on every Windows asset, via Group Policy or by running locally:
Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol" -NoRestart
• Expose RDP only behind a VPN or jump host; enforce NLA and MFA, and apply account lockout or rate-limiting to logons on TCP/3389.
• Block LOLBin abuse with AppLocker or WDAC rules that deny unsigned binaries and scripts from %APPDATA%, %TEMP% and removable media. Setting the PowerShell execution policy to AllSigned is a safety net, not a security boundary (the persistence command in the Removal section overrides it with -exec bypass), so pair it with Constrained Language Mode and script-block logging.
• Deploy an email-gateway filter that inspects ISO/IMG attachments, and archives larger than 4 MB, for embedded scripts and downloaders.
• Enable Windows Credential Guard and LSA Protection so NTLM hashes and Kerberos tickets cannot be dumped from LSASS for reuse.
• Adopt a tiered admin model; never log on to workstations with Domain Admin accounts.
2. Removal
- Infection Cleanup – Step-by-Step:
- Isolate affected host(s): disconnect Wi-Fi/Ethernet (or quarantine the switch port) to stop further encryption or propagation. Keep the host powered on if you intend to capture memory first.
- Boot into Safe Mode with Networking (or WinRE if the registry is damaged).
- Run the latest signatures from the Microsoft Malicious Software Removal Tool (MSRT), Kaspersky Virus Removal Tool (KVRT) or ESET Online Scanner to remove the main binary (badutclowns.exe, sometimes named upd_kk.exe; SHA-256 891c...3b11).
- Manually, or via SCCM, delete scheduled tasks and Run/RunOnce registry values that reference %public%\update\warn_x.bat or powershell -nop -exec bypass ....
- Reboot normally and confirm the AV engine logs zero detections.
- Address the lateral-compromise vectors (domain-controller backdoor, leaked credentials): reset exposed passwords and reset the krbtgt password twice, allowing replication to complete between the two resets.
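The persistence-hunting step above (scheduled tasks and Run/RunOnce values that reference warn_x.bat or a powershell -nop -exec bypass launcher) is the part responders tend to do by eye. The following Python script is an added example, not code from the write-up or from any vendor, that applies the indicators the write-up names to exported host artefacts: the CSV produced by schtasks /query /fo CSV /v and a .reg file produced by reg export. Both samples below are constructed for the example, with the schtasks columns trimmed to the ones used; the indicator names and regexes are the example's own.

```python
import csv
import io
import re

# Persistence indicators named in the write-up, matched case-insensitively.
# %public% is accepted literally or in its usual expanded form (C:\Users\Public).
INDICATORS = {
    "warn_x_bat": re.compile(r"(%public%|c:\\users\\public)\\update\\warn_x\.bat", re.I),
    "ps_bypass_launcher": re.compile(r"powershell(\.exe)?\s+-nop\s+-exec\s+bypass", re.I),
    "encryptor_binary": re.compile(r"\b(badutclowns|upd_kk)\.exe\b", re.I),
    "jesterlock_hta": re.compile(r"clown_screen\.hta", re.I),
}


def match_indicators(command):
    """Return the names of every indicator that matches a command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


def hunt_schtasks_csv(text):
    """Scan 'schtasks /query /fo CSV /v' output; 'Task To Run' holds the command line."""
    hits = []
    for row in csv.DictReader(io.StringIO(text.lstrip())):
        command = row.get("Task To Run", "")
        found = match_indicators(command)
        if found:
            hits.append({"source": "schtasks", "name": row["TaskName"],
                         "command": command, "indicators": found})
    return hits


REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def hunt_reg_export(text):
    """Scan a 'reg export' file; only values under keys ending in \\Run or \\RunOnce count."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if not m or key is None or not re.search(r"\\Run(Once)?$", key, re.I):
            continue
        # regedit writes backslashes and quotes escaped; undo that before matching
        data = re.sub(r'\\(["\\])', r"\1", m.group("data"))
        found = match_indicators(data)
        if found:
            hits.append({"source": key, "name": m.group("name"),
                         "command": data, "indicators": found})
    return hits


# Constructed sample output (not from a real host).
SCHTASKS_SAMPLE = r'''
"HostName","TaskName","Status","Author","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
"WS01","\WinUpdateCheck","Ready","WS01\jdoe","cmd /c %public%\update\warn_x.bat"
"WS01","\Adobe Acrobat Update Task","Ready","Adobe Systems","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
'''

REG_SAMPLE = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell -nop -exec bypass -w hidden -c \"& C:\\Users\\Public\\update\\warn_x.bat\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Users\\Public\\update\\upd_kk.exe /s"
'''


def run_hunt():
    """Run both hunts over the constructed samples and return every hit."""
    return hunt_schtasks_csv(SCHTASKS_SAMPLE) + hunt_reg_export(REG_SAMPLE)


if __name__ == "__main__":
    for hit in run_hunt():
        print(f"[{', '.join(hit['indicators'])}] {hit['source']} :: "
              f"{hit['name']} -> {hit['command']}")
```

On a real host, feed hunt_schtasks_csv() the output of schtasks /query /fo CSV /v and hunt_reg_export() the files from reg export of the HKCU and HKLM Run/RunOnce keys; every hit names the task or value to delete in the step above, and the indicator list tells you which of the write-up's artefacts it matched.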
3. File Decryption & Recovery
-
Recovery Feasibility:
BADUTCLOWNS is currently decryptable.
The strain uses AES-256-CBC with per-file keys that are wrapped by an embedded public key. (The write-up labels that public key “ChaCha20-Poly1305”; ChaCha20-Poly1305 is a symmetric AEAD cipher, not a public-key scheme, so the actual wrapping algorithm is unconfirmed.) The private counterpart was uploaded to VirusTotal by law enforcement (Operation Embers_Circus) in January 2024, which is what makes bulk decryption possible.
• Decryption Tool: Download the v1.3 “Ember Decryptor” (user-mode GUI + CLI) from:
https://decrypt.europol.europa.eu/tools/badutclowns-v1-3.exe (mirrored on NoMoreRansom.org). Verify the download’s signature or published hash before running it.
• Prerequisites for Tool:
– Preserve all .badutclowns originals (work on copies; never decrypt in place without a backup).
– Provide one unencrypted copy of any affected file (a reference file) if using the offline option, which brute-forces the key seed to decode the key blob.
– Run as local admin. The tool needs AV temporarily disabled so its driver is not blocked; do this only after the encryptor and its persistence have been removed and while the host is still isolated.
• For large environments (>10 TB), script mass-decryption with the -csv hilbert.txt switch to parallelise across hosts.
• For victims without a reference file, the tool can attempt to derive the AES key blob from event logs in which the final encrypted key was audit-logged (look for base64-encoded 256-byte strings). Note that Event ID 4768 records Kerberos TGT requests, so confirm which log source the tool actually reads before relying on this path.
4. Other Critical Information
-
Unique Characteristics:
– Writes a ransom note named how_to_recover_files.txt to each folder AND an HTML version to C:\Users\Public\badut.html, a rarely seen double format intended to improve visibility.
– Per-host keys are derived from a SHA-256 hash chain seeded with the volume ID, so every infected host receives different encryption keys on campaign day; this was meant to defeat bulk recovery from a single discovered key.
– Drops an embedded .hta file (clown_screen.hta) that flips the display upside-down and disables the Escape key as an intimidation tactic (the so-called “JesterLock” trick).
-
Broader Impact & Notable Events:
– BadutClowns merged with crypto-mining affiliate “Hive0021” in December 2023; ransom letters now threaten to mail printed copies if payment is not received within 72 h, capitalising on physical-location anxiety.
– CISA/FBI advisory AA24-059F, issued 28 Feb 2024, attributes more than USD 78 million in extortion attempts to this strain across four continents.
– German police seized a C2 VPS in Stuttgart (IP 193.34.167.125) in March 2024, slowing new-stage delivery but not halting affiliate redistribution.
Final Take-away:
Defenders should proactively close SMBv1/EternalBlue, lock down RDP, and block script execution from mounted ISO/IMG attachments. If files carry the .badutclowns extension, do not pay: isolate the host, remove the binary and its persistence, run the Ember Decryptor from NoMoreRansom against copies of the encrypted files, then apply the prevention stack above.