Technical Breakdown – BDKR Ransomware (.bdkr)
1. File Extension & Renaming Patterns
• Confirmation of File Extension:
Affected files receive the verbatim suffix .bdkr.
Example: Financial_Q3.xlsx becomes Financial_Q3.xlsx.bdkr.
• Renaming Convention:
The malware prepends a hard-coded actor email and a pseudorandom UID that uniquely identifies the victim, separated by underscores:
[locker_email]_[VictimUID]_[OriginalName].bdkr
Real-world sample:
lockhelp@onionmail[.]org_D1A2F03F_archived.zip.bdkr
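The naming convention above is something a responder can key on when triaging a file share. The following parser is an added example written for this write-up, not tooling from the actor or from any vendor; it assumes the victim UID is a run of hex characters (as in the D1A2F03F sample), accepts both the plain-suffix form and the email_UID_name form, and groups hits by UID so a scan reveals whether more than one victim identifier is present. The sample paths are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BDKR_SUFFIX = ".bdkr"

# Assumed shape of the renamed stem (suffix already stripped):
#   [locker_email]_[VictimUID]_[OriginalName]
# The UID is assumed to be hex (from the D1A2F03F sample); the domain part of
# the email cannot contain underscores, so the first "_" after "@" ends it.
# Defanged domains such as onionmail[.]org are accepted as-is.
_RENAMED = re.compile(r"^(?P<email>[^@/\\]+@[^_/\\]+)_(?P<uid>[0-9A-Fa-f]{6,})_(?P<orig>.+)$")


@dataclass(frozen=True)
class BdkrHit:
    path: str
    original_name: str
    locker_email: Optional[str]   # None for the plain-suffix variant
    victim_uid: Optional[str]     # None for the plain-suffix variant


def parse_bdkr_name(path: str) -> Optional[BdkrHit]:
    """Return details for a .bdkr-renamed file, or None if the name does not match."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if not name.lower().endswith(BDKR_SUFFIX) or len(name) == len(BDKR_SUFFIX):
        return None
    stem = name[: -len(BDKR_SUFFIX)]
    m = _RENAMED.match(stem)
    if m:
        return BdkrHit(path, m["orig"], m["email"], m["uid"])
    # Plain-suffix variant: Financial_Q3.xlsx -> Financial_Q3.xlsx.bdkr
    return BdkrHit(path, stem, None, None)


def triage(paths: List[str]) -> Tuple[List[BdkrHit], Dict[Optional[str], List[BdkrHit]]]:
    """Parse every path and bucket the hits by victim UID (None = plain-suffix form)."""
    hits = [h for h in (parse_bdkr_name(p) for p in paths) if h is not None]
    by_uid: Dict[Optional[str], List[BdkrHit]] = {}
    for h in hits:
        by_uid.setdefault(h.victim_uid, []).append(h)
    return hits, by_uid


# Constructed sample paths modelled on the two examples in the write-up.
SAMPLE_PATHS = [
    r"C:\Finance\Financial_Q3.xlsx.bdkr",
    r"C:\Backups\lockhelp@onionmail[.]org_D1A2F03F_archived.zip.bdkr",
    r"C:\Backups\lockhelp@onionmail[.]org_D1A2F03F_DEAD_beef_notes.txt.bdkr",
    r"C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PATHS)[0]:
        print(hit)
```

The third sample shows why the email and UID are matched first: an original name that itself contains underscores (and hex-looking tokens) is still recovered intact.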
2. Detection & Outbreak Timeline
• First Public Submission: March 2023 on ID-Ransomware & VirusTotal.
• Major Spike: Mid-April 2023, when opportunistic campaigns followed the public posting of exploit code for CVE-2023-27515.
• Still Ongoing: As of this writing, the loader and cipher module continue to be modified every 2–3 weeks to evade detection.
3. Primary Attack Vectors
| Vector | Typical Delivery / Exploit Details |
|---|---|
| SMB & RDP brute-force | Default and reused passwords, brute-forced over port 445 (SMB) and 3389 (RDP). |
| ProxyNotShell chain | CVE-2023-23397 & CVE-2023-28310 in unpatched Exchange servers. |
| Adversary-in-the-Middle (AiTM) phishing | OAuth phishing leading to MFA bypass and lateral BitLocker detonation. |
| Third-party MSP tooling | Malicious updates to legitimate remote-management binaries (AnyDesk, Atera); seen April–June 2023. |
| Legitimate Windows utilities | Living-off-the-land binaries (LOLBins): PowerShell/WMI scheduled tasks for deployment and WMI for credential harvesting. |