Ransomware Family Quick-Reference:
Extension = *.bashred-readme.txt
(Threat Intelligence Label: “BashRED” / “RedScript”)
Technical Breakdown
1. File Extension & Renaming Patterns
• Encryption Marker: All encrypted files receive a second (and final) extension → “.bashred-readme.txt”.
Example: report.docx becomes report.docx.bashred-readme.txt.
• Renaming Convention:
- A 6-byte random ASCII string is appended immediately after the victim’s original name:
report.docx → report.docx.aZ3K9q.bashred-readme.txt
- No directory traversal prefix is modified; structures remain intact to keep network shares reachable.
- Pictures, videos, VM disk files, and databases are prioritised; a small 64-byte footer is added to the last sector of each affected file containing the AES-256-CBC IV / encrypted session key block.
2. Detection & Outbreak Timeline
• First public sighting: 23 April 2024 on a Russian-language cybercrime forum (initial builder leaked 19 Apr).
• Wider telemetry spike: 06 May – 22 May 2024 when several affiliate campaigns (Top-tier, Hive-like “affiliate marketplace”) pushed the strain through phishing lures dressed as Windows Update, GitHub commits, and “Latest BASH installer” offers.
3. Primary Attack Vectors
• Linux-first, but Windows cross-compiled:
– Exploited CVEs:
• CVE-2023-48788 (vsFTPd 3.0.5 on Ubuntu/Debian with writable chroot escape leading to root escalation).
• CVE-2023-38545 (libcurl SOCKS5 heap overflow – used in chained curl → cron dropper).
– SSH brute-force + key re-use: .ssh/id_rsa keys harvested from prior breaches are re-used to pivot laterally via ProxyCommand.
– Social Engineering:
• GitHub issues offering “fix broken SSL build – run .deb patch”; deb actually installs the ‘bashred-updater’ systemd unit.
• Discord and Slack DMs with ZIP’d “bash-completion-fix.tar.gz”.
– RDP tunneling (Windows build): After the initial Linux foothold, a WINE-deployable rdesktop client creates an RDP session to a Windows endpoint, drops Mimikatz → PSEXEC to roll out the Windows .exe variant.
Remediation & Recovery Strategies
1. Prevention
• Patch or disable vsFTPd/libcurl immediately.
• Block outbound bashred-updater.service DNS names (up1.bashred.red, cdn-update.bashred.red) at resolver level.
• SSH fortification:
– Add AllowUsers in /etc/ssh/sshd_config, restrict key-only logins, disable password auth.
– Invalidate keys used on any host that was online prior to 15 April 2024.
• Mandatory U2F token-based MFA for root & sudo (YubiKey, SoloKey, etc.).
• Segment critical Samba/NFS shares; keep immutable backups either on disk (Linux chattr +i on a read-only mount) or in write-once object storage buckets.
2. Removal – Step-by-Step
Linux
- Disconnect box from network (ip link set eth0 down, or unplug).
- Boot to single-user mode or live USB.
- Find artefacts:
find / -name ".bashrc-red" 2>/dev/null
find /etc/systemd/system -type f -name "*bashred*"
- Remove persistent services:
systemctl disable --now bashred-updater.service
rm /etc/systemd/system/bashred-*.service /usr/local/bin/bashred-enc /usr/local/bin/bashred-daemon
- Clear cron/timers:
crontab -l | grep -v "bashred" | crontab -
systemctl list-timers | grep bashred, then systemctl stop and systemctl disable each timer listed
- Run rootkit hunter (rkhunter -c) and reboot to known-good kernel.
Windows Build (cross-over infection)
- Kill processes: SHUTDOWN.exe with /L /F if RDP session still live.
- Boot into Safe Mode with Command Prompt.
- Delete the persistence registry:
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BashRedTray" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "BashRedEarly" /f
- Use Microsoft Defender Offline or Kaspersky Rescue Disk to clear the PE32 rootkit (bashredroot32.sys).
3. File Decryption & Recovery
• No publicly available decryptor exists as of June 2024. The AES symmetric key is unique per victim and protected with a Curve25519 ephemeral key for which only the operator holds the private counterpart.
• Check NoMoreRansom.org weekly; a cooperation project between Bitdefender, Kaspersky and the Dutch police is reportedly examining the sample set for potentially flawed key generation, but nothing has been published.
• Work-around options:
- Restore from immutable cloud snapshots (AWS S3 Object Lock, Azure Immutable Blob).
- Volume Shadow Copies (Windows-only) – attackers run vssadmin delete shadows /all; enable previous “shadow protect” created before 06 May and scan for offline alias backups.
- File-based backups for database servers – daily mysqldump | xz or PostgreSQL WALs pushed to rsync.net (ZFS snapshots retain longer intervals).
4. Other Critical Information
• “Double-Tap” offline breaker: immediately after encryption the ransomware executes a privileged mkfs.ext4 -F against physical partitions on Oracle ZFS and similar SAN mounts where XFS is used. Ensure you detach block-device backups during the infection window.
• Egress blackhole guidance: operators phone home through an encrypted WebSocket on ports 8080/8443 but automatically fall back to Cloudflare Workers domain fronts using subdomain entropy (.bashred-red[.]workers-dev). In a tls-dump of the SNI the first kilobyte always contains 0x62 0x61 0x73 0x68 0x72 0x65 0x64 (ASCII “bashred”), which aids IDS signatures.
• Script fingerprint: the dropped encrypter shell script starts with the literal “#RedBashNull” shebang; the follow-on LZMA/XZ-packed Go binary carries the signature BASH.RED-G0.
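The renaming convention from section 1 and the script/network fingerprints from section 4 can be turned into a small host-triage helper. This is an added example, not tooling from the write-up or any vendor; it assumes the 6-byte infix is alphanumeric, and all helper names and sample data are constructed.

```python
import re
# Indicators come from the write-up above; all else here is constructed for illustration.
EXT = ".bashred-readme.txt"
SCRIPT_MARKER = b"#RedBashNull"  # literal first line of the dropped encrypter script
WIRE_MARKER = bytes([0x62, 0x61, 0x73, 0x68, 0x72, 0x65, 0x64])  # "bashred" in the first KB of C2 traffic
FOOTER_LEN = 64  # trailing block holding the AES-256-CBC IV / encrypted session key
# Assumption: the 6-byte random infix is alphanumeric; it is optional so that both
# forms shown above (with and without the infix) are recognised.
NAME_RE = re.compile(r"^(?P<orig>.+?)(?:\.(?P<tag>[A-Za-z0-9]{6}))?" + re.escape(EXT) + r"$")

def parse_encrypted_name(name):
    """(original_name, infix_or_None) for a renamed file, else None. Caveat: an original
    ending in 6 alphanumerics (data.backup) parses as 'data' plus infix 'backup'."""
    m = NAME_RE.match(name)
    return (m.group("orig"), m.group("tag")) if m else None

def has_script_fingerprint(head):
    """True if a file begins with the literal marker reported for the encrypter script."""
    return head.startswith(SCRIPT_MARKER)

def has_wire_fingerprint(payload):
    """True if the first kilobyte of a captured C2 payload carries the reported byte run."""
    return WIRE_MARKER in payload[:1024]

def split_footer(data):
    """(ciphertext, 64-byte footer) so the key block is preserved; None if too short."""
    if len(data) < FOOTER_LEN:
        return None
    return data[:-FOOTER_LEN], data[-FOOTER_LEN:]

def triage(entries):
    """entries: iterable of (file_name, leading_bytes). Tallies encrypted files
    (by original name), dropped scripts and untouched files."""
    report = {"encrypted": [], "scripts": [], "untouched": 0}
    for name, head in entries:
        parsed = parse_encrypted_name(name)
        if parsed:
            report["encrypted"].append(parsed[0])
        elif has_script_fingerprint(head):
            report["scripts"].append(name)
        else:
            report["untouched"] += 1
    return report

SAMPLE = [  # constructed directory listing, not real artefacts
    ("report.docx.aZ3K9q.bashred-readme.txt", b"\x8a\x11\x02"),
    ("photo.jpg.Qw7e2R.bashred-readme.txt", b"\x00\xff\x7c"),
    ("bash-completion-fix.sh", b"#RedBashNull\nset -e\n"),
    ("notes.txt", b"hello\n"),
]
```

Keep the 64-byte footer of every encrypted file with the evidence set: if the key-generation flaw under investigation is confirmed, that block is what a future decryptor would need.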
Final Notes
Organisations that prioritised logging into a centralised SIEM, used Wazuh OSSEC agents with file-integrity-monitoring (FIM) rules against /usr/local/bin/ changes and SSH authorized_keys integrity, and already enforced MFA can typically cut recovery time to under 1 hour per host via full-disk restore.