bentley

[Content by Gemini 2.5]

BENTLEY Ransomware – Technical Profile & Definitive Recovery Guide

(last updated 2024-06-19)


Technical Breakdown

1. File Extension & Renaming Patterns

  • File Extension: Files encrypted by this family are appended with “.bentley” (lowercase).
    Example: Q3-Financial-2024.xlsx becomes Q3-Financial-2024.xlsx.bentley.

  • Renaming Convention:
    – Base filenames are untouched; only the additional .bentley suffix is added.
    – If a file was previously renamed by another malware or by the user (e.g., a double extension), Bentley still appends .bentley, producing results like report.pdf.exe.bentley.
    – Hidden/system attributes are never modified, making affected files easier to spot with dir or Get-ChildItem -Force.


2. Detection & Outbreak Timeline

  • First Public Samples: Telemetry first surfaced on 12 November 2023 in Eastern-European incident-response feeds.
  • Peak Activity Waves:
    – Wave 1: mid-November 2023 – opportunistic spam targeting construction & engineering firms.
    – Wave 2: January-February 2024 – leaked VPN credential lists combined with lateral-movement toolsets (Cobalt Strike + ConnectWise).
    – Wave 3 (current): May-June 2024 – exploitation of Ivanti Connect Secure CVE-2023-46805 / CVE-2024-21887.

3. Primary Attack Vectors

| Vector | Details & Examples |
|---|---|
| Phishing (primary) | Malicious ZIP/RAR attachments in e-mails themed “Drawing Revisions”, “RFI Response”, “Bentley Project Update”. The archive drops Update.exe, which sideloads MSVCR100.dll and spawns the encryptor. |
| RDP / VPN compromise | Credential-stuffing with leaked admin lists against RDP (TCP/3389), AnyDesk, or custom reverse-SSH tunnels. Once inside, a PowerShell download cradle fetches hxxps://cdn-qa[.]services/downloads/bentley.ps1. |
| Exploit kits | Uses the private ZombieLoader kit, which weaponizes CVE-2023-34362 (MOVEit), CVE-2023-36884 (Windows/Office RCE) and CVE-2024-21887 (Ivanti). |
| USB / worm module | Once on a LAN share, drops an AUTORUN.inf pointing to Bentle~1.exe, identical to the main payload. Shares are enumerated over open SMB/445 (no EternalBlue; scans for ADMIN$). |
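The two vectors the table calls primary (the phishing lure and the PowerShell download cradle) can be turned into simple detection logic. The following is an added example, not part of the original guide or of any vendor tool; it re-fangs the cradle host only for matching, and the proxy log format, the mail record and the archive member list are constructed sample data. It assumes the mail gateway already expands archives so that member names are available.

```python
from dataclasses import dataclass

# Indicators taken from the attack-vector table above. The profile de-fangs the
# cradle host as cdn-qa[.]services; it is re-fanged here only for string matching.
CRADLE_HOST = "cdn-qa.services"
CRADLE_PATH = "/downloads/bentley.ps1"
LURE_SUBJECTS = ("drawing revisions", "rfi response", "bentley project update")
ARCHIVE_EXTS = (".zip", ".rar")
DROPPER_NAMES = ("update.exe",)  # Update.exe sideloads MSVCR100.dll per the profile


@dataclass(frozen=True)
class Hit:
    line_no: int
    reason: str
    raw: str


def scan_proxy_lines(lines):
    """Flag proxy/egress log lines that touch the cradle host.

    A request for the full cradle path is reported separately from a bare
    contact with the host, because the former is the stronger indicator.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        low = line.lower()
        if CRADLE_HOST not in low:
            continue
        reason = "download cradle fetched" if CRADLE_PATH in low else "cradle host contacted"
        hits.append(Hit(n, reason, line.strip()))
    return hits


def classify_mail(subject, attachments):
    """Return the reasons a message matches the lure pattern.

    `attachments` maps each attachment name to the list of member names inside
    it (empty list for a non-archive); the gateway's archive inspection would
    supply that list in a real deployment.
    """
    reasons = []
    if any(k in subject.lower() for k in LURE_SUBJECTS):
        reasons.append("lure subject")
    for name, members in attachments.items():
        if not name.lower().endswith(ARCHIVE_EXTS):
            continue
        # "*.zip with .exe inside" rule from the prevention table
        exes = [m for m in members if m.lower().endswith(".exe")]
        if exes:
            reasons.append(f"archive {name} contains executable {exes[0].rsplit('/', 1)[-1]}")
        if any(m.lower().rsplit("/", 1)[-1] in DROPPER_NAMES for m in members):
            reasons.append("known dropper name inside archive")
    return reasons


# Constructed sample data (not real telemetry).
SAMPLE_PROXY = [
    "2024-06-01T08:12:03Z 10.0.4.22 GET https://cdn-qa.services/downloads/bentley.ps1 200",
    "2024-06-01T08:12:09Z 10.0.4.22 GET https://update.microsoft.com/ 200",
    "2024-06-01T08:13:44Z 10.0.4.31 GET https://cdn-qa.services/ 404",
]
SAMPLE_MAIL = {
    "subject": "RE: Drawing Revisions - Block C",
    "attachments": {
        "Drawings_rev4.zip": ["Drawings_rev4/Update.exe", "Drawings_rev4/MSVCR100.dll"],
        "cover_letter.pdf": [],
    },
}

if __name__ == "__main__":
    for h in scan_proxy_lines(SAMPLE_PROXY):
        print(f"proxy line {h.line_no}: {h.reason}: {h.raw}")
    print("mail:", classify_mail(SAMPLE_MAIL["subject"], SAMPLE_MAIL["attachments"]))
```

Both functions return plain values rather than printing, so they can be wired into a SIEM enrichment step or a mail-gateway hook; the bare host contact is kept as a lower-confidence hit because a blocked or 404 request still shows which workstation ran the cradle.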


Remediation & Recovery Strategies

1. Prevention

| Control Area | Action |
|---|---|
| Email / Browser | Block password-protected ZIP/RAR archives in transit and archives containing executables (e.g., “*.zip with .exe inside” rules); quarantine e-mails whose body contains “bentley update” or “revision”. |
| Endpoint | Disable macro execution by default (Group Policy VBAWarnings = 2); apply the Microsoft Defender ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criteria”. |
| Network | Enable a domain-tiered admin model; restrict RDP to jump hosts plus port-knocking; patch Ivanti Connect Secure to 9.1R14.4, 22.4R2.2, 22.5R2.2, or 22.6R1.2 or later. |
| Backups | 3-2-1 rule with immutable off-site copies (e.g., a hardened Linux repository or iSCSI target with Veeam Object Lock). |

2. Removal (Step-by-Step)

  1. Power off network shares/servers, making sure backups remain isolated.
  2. Boot infected machines from external media (Windows PE or Ubuntu Live), or use Microsoft Defender Offline.
  3. Identify and terminate the two resident processes:
     • bentley.exe (parent)
     • bentkryptsrv.exe (file-renaming service; starts under svchost.exe via the scheduled task \Microsoft\Windows\Multimedia\SystemSoundsService).
  4. Delete persistence artifacts:
     • Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bentley = "C:\Users\Public\Libraries\bentley.exe"
     • Scheduled task XML located at C:\Windows\System32\Tasks\bentldr.
  5. Remove the leftover service (sc stop bentkryptsrv, then sc delete bentkryptsrv).
  6. Run a full scan with ESET Online Scanner or Malwarebytes Anti-Ransomware to find WMI and DLL-sideload remnants.

⚠️ Do not reboot into normal Windows until all artifacts are cleaned; encryption may re-run on logon.
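Step 4 above lists two persistence artifacts. When a machine is booted from external media the live registry and Task Scheduler APIs are not available, so a responder typically works from a `reg export` of the Run key taken earlier and from the raw task XML under System32\Tasks. The following is an added example (not the guide's own tooling) that checks both files for the named artifacts; the .reg text and the task XML are constructed samples, and the command path for bentkryptsrv.exe inside the task is an assumption, since the profile does not state it.

```python
import xml.etree.ElementTree as ET

# Artifacts named in the removal steps above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_BINARIES = ("bentley.exe", "bentkryptsrv.exe")
# Task Scheduler XML namespace used by the files under C:\Windows\System32\Tasks.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def run_key_hits(reg_export_text):
    """Return (value name, data) pairs under the HKLM Run key that launch a suspect binary.

    Input is the text of a `reg export` of that key. Only quoted (REG_SZ)
    values are considered; a .reg file doubles every backslash, which is
    undone here so the path compares like the one shown in the guide.
    """
    hits = []
    current_key = None
    for line in reg_export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key != RUN_KEY or "=" not in line:
            continue
        name, _, data = line.partition("=")
        if not data.startswith('"'):
            continue  # hex(...) / dword: values are not string commands
        data = data.strip('"').replace("\\\\", "\\")
        if any(b in data.lower() for b in SUSPECT_BINARIES):
            hits.append((name.strip('"'), data))
    return hits


def task_command_hits(task_xml):
    """Return every <Exec><Command> in a Task Scheduler XML document that launches a suspect binary.

    Accepts str or bytes; on-disk task files are UTF-16 with a BOM, and
    passing the raw bytes lets the parser honour the declared encoding.
    """
    root = ET.fromstring(task_xml)
    hits = []
    for cmd in root.iter(TASK_NS + "Command"):
        text = (cmd.text or "").strip()
        if any(b in text.lower() for b in SUSPECT_BINARIES):
            hits.append(text)
    return hits


def triage(reg_export_text, task_xml):
    """Combine both checks into one report dictionary."""
    return {"run_key": run_key_hits(reg_export_text), "task_commands": task_command_hits(task_xml)}


# Constructed sample inputs (not captured from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"bentley"="C:\\Users\\Public\\Libraries\\bentley.exe"
"""

# Constructed task XML modelled on the guide's task name; the command path is assumed.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Multimedia\\SystemSoundsService</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\Libraries\\bentkryptsrv.exe</Command></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_TASK))
```

Matching on the binary names rather than the exact path keeps the check useful if the dropper lands somewhere other than C:\Users\Public\Libraries; the Run-key value name and the task URI are still printed so the responder can delete exactly what was found.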

3. File Decryption & Recovery

  • Is Decryption Possible?
    Yes, but only in limited circumstances since March 2024.
    – Researchers at Emsisoft extracted the master private key used in an early test build released on 2023-11-12.
    – Files encrypted between 12 and 19 November 2023 can be decrypted with it.
    – Samples from waves 2 & 3 use fresh RSA-2048 keys unique per victim; offline decryption is currently impossible without the private key.

  • Available Tools
    – Emsisoft Decryptor for Bentley v1.0.0.5 (public, updated 2024-05-28).
    – Download (SHA-256 e488aa...) from the vendor site or https://decrypt.emsisoft.com.
    – Run with the /p:full switch to verify the early-build indicator (readme.txt header ===BENTLEY v0.8 Build 113a===) and decrypt affected drives.

  • Crucial Software Updates & Patches to Apply During Remediation
    – Windows update KB5034441 (January 2024 cumulative) mitigates BlueKeep-style RDP flaws.
    – Adobe/Office patches for CVE-2023-36884 (released July 2023).
    – Ivanti Connect Secure / Policy Secure firmware security update (Spring 2024).
    – Ensure SentinelOne, CrowdStrike, or Defender AV signatures ≥ v1.403.631.0.

4. Other Critical Information / Unique Characteristics

  • Encrypted File Signature: Every encrypted file starts with 12-byte magic B12TLEY#vX (X = 0x08–0x0A depending on build) – helps forensics exclude benign .bentley test files.
  • Network snooping kill-switch: If the malware detects the process name Wireshark.exe or tcpdump running, it uninstalls itself (bug in early builds only – removed after 2024-01).
  • Broader Impact:
    – 2024-03-21: Norwegian shipbuilder VARD disclosed several engineering workstations wiped via Bentley, delaying hull technical drawings by 10 days; FBI issued FLASH Alert IU-04052024-001.
    – 2024-05-30: A ransomware affiliate advertising “Bentley-as-a-Service” appeared on underground forums (RAMP) for 0.3 BTC/week leasing price.
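The renaming convention from section 1 and the encrypted-file signature above together give a forensic triage check: a file that merely carries the .bentley suffix is not necessarily encrypted, and the original name is recovered by stripping the suffix once (so report.pdf.exe.bentley maps back to report.pdf.exe). The following is an added example, not part of the guide or of any decryptor. The profile calls the magic 12 bytes but spells out only the first ten (B12TLEY#v plus the build byte X in 0x08–0x0A), so the check covers those ten and treats the remaining two as unknown; the sample tree it builds in a temporary directory is constructed data.

```python
import os
import tempfile
from pathlib import Path

SUFFIX = ".bentley"
MAGIC_PREFIX = b"B12TLEY#v"       # from the profile; the next byte is the build byte X
BUILD_BYTES = range(0x08, 0x0B)   # 0x08-0x0A per the profile
HEADER_LEN = 12                   # profile states a 12-byte magic; bytes 10-11 are not described


def classify_file(path):
    """Return (original_name, build_byte_or_None, verdict) for one *.bentley file."""
    path = Path(path)
    with path.open("rb") as fh:
        header = fh.read(HEADER_LEN)
    original = path.name[: -len(SUFFIX)]
    if len(header) >= 10 and header.startswith(MAGIC_PREFIX) and header[9] in BUILD_BYTES:
        return original, header[9], "encrypted"
    return original, None, "suffix-only"


def scan_tree(root):
    """Walk `root` and classify every file carrying the .bentley suffix, sorted by relative path."""
    root = Path(root)
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SUFFIX):
                p = Path(dirpath) / name
                results.append((p.relative_to(root).as_posix(), *classify_file(p)))
    return sorted(results)


def build_sample_tree(root):
    """Create constructed sample files (not real victim data) under `root`."""
    root = Path(root)
    (root / "finance").mkdir()
    # a file the encryptor processed: magic, build byte 0x09, two unknown bytes, then ciphertext
    (root / "finance" / "Q3-Financial-2024.xlsx.bentley").write_bytes(
        MAGIC_PREFIX + b"\x09\x00\x00" + b"\xde\xad" * 16
    )
    # the double-extension case from section 1, from an 0x08 build
    (root / "report.pdf.exe.bentley").write_bytes(MAGIC_PREFIX + b"\x08\x00\x00" + b"\x00" * 32)
    # a benign file someone renamed by hand: suffix present, no magic
    (root / "test.bentley").write_bytes(b"hello world")
    # an untouched file that must not be reported
    (root / "notes.txt").write_bytes(b"nothing to see")


def demo():
    """Build the sample tree in a temporary directory and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, original, build, verdict in demo():
        build_txt = f"build 0x{build:02x}" if build is not None else "no magic"
        print(f"{rel}: {verdict} ({build_txt}) -> original name {original}")
```

Because the check reads only the first twelve bytes, it runs quickly over a large share and lets a responder separate files that genuinely need the decryptor from stray test renames before any recovery attempt.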

TL;DR Cheat-Sheet

| Topic | Key Point |
|---|---|
| Extension | .bentley appended to every file |
| First Seen | Nov 2023 |
| Spread Via | Phishing (.zip → .exe), RDP, Ivanti CVE |
| Decryptable | Only Nov 12-19 2023 victims – use Emsisoft |
| Remove | Delete registry + scheduled task, kill bent*exe, patch Ivanti, patch RDP |
| Backup Rule | 3-2-1 immutable! |

Stay patched, segment your networks, and keep those backups offline.

— CyberSec Community (updated daily at https://github.com/incident-response/Ransomware-Guides/blob/main/bentley.md)