besub

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .besub (always lower-case) is appended to every encrypted file.
  • Renaming Convention: The ransomware preserves the original file name and all intermediate extensions, then appends the single .besub suffix.
  • Example: 2024_Q1_Results.xlsx → 2024_Q1_Results.xlsx.besub
  • Example: picture.001.jpg.backup → picture.001.jpg.backup.besub
  • Ransom Note: inside each affected folder you will also find a ransom note file named _readme.txt (identical across the infection).
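The renaming convention above is mechanical enough to invert, which is what you want during triage: list every encrypted file, recover the name it had before the suffix was appended, and map which folders received the note. The following is an added example (not code from the original page) that does exactly that over a constructed sample tree; the exact lower-case ".besub" suffix and the _readme.txt name are taken from the page, everything else in the sample is made up.

```python
"""Inventory of files renamed with the .besub convention (added example, not
code from the original page). It walks a directory tree, keeps only names that
carry the exact lower-case ".besub" suffix, recovers the original name by
stripping that single suffix, and records which folders received the
_readme.txt note. The sample tree is constructed inline under a temp dir."""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Set

SUFFIX = ".besub"          # always lower-case, appended once (from the page)
NOTE_NAME = "_readme.txt"  # one note per affected folder (from the page)


def original_name(encrypted_name: str) -> Optional[str]:
    """Return the pre-encryption name, or None when the name does not follow
    the convention. Case-sensitive on purpose: 'FILE.BESUB' is not a match,
    and a bare '.besub' has no original name to recover."""
    if not encrypted_name.endswith(SUFFIX) or len(encrypted_name) == len(SUFFIX):
        return None
    return encrypted_name[: -len(SUFFIX)]


def inventory(root: Path) -> Dict[str, object]:
    """Map every encrypted file to its original name and collect folders
    holding the ransom note. Folders with a note but no encrypted file are
    reported separately: they still mark where the encryptor walked."""
    encrypted: Dict[Path, str] = {}
    noted_dirs: Set[Path] = set()
    for dirpath, _subdirs, files in os.walk(root):
        d = Path(dirpath)
        for fn in files:
            if fn == NOTE_NAME:
                noted_dirs.add(d)
            orig = original_name(fn)
            if orig is not None:
                encrypted[d / fn] = orig
    touched = {p.parent for p in encrypted}
    return {
        "encrypted": encrypted,
        "noted_dirs": noted_dirs,
        "note_only_dirs": noted_dirs - touched,
    }


def build_sample_tree() -> Path:
    """Constructed sample: the page's two rename examples plus decoys that
    must NOT be counted (upper-case suffix, unrelated file)."""
    root = Path(tempfile.mkdtemp(prefix="besub_demo_"))
    layout = {
        "Finance/2024_Q1_Results.xlsx.besub": b"",
        "Finance/_readme.txt": b"note",
        "Photos/picture.001.jpg.backup.besub": b"",
        "Photos/_readme.txt": b"note",
        "Photos/untouched.png": b"",
        "Tools/README.BESUB": b"",       # wrong case: not the convention
        "Tools/_readme.txt": b"note",    # note dropped, nothing encrypted here
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    result = inventory(build_sample_tree())
    for enc, orig in sorted(result["encrypted"].items()):
        print(f"{enc.name}  <-  {orig}")
    print("note-only folders:", [d.name for d in result["note_only_dirs"]])
```

Run it against a mounted evidence copy rather than the live volume; the "note-only" list is a cheap way to see folders the encryptor entered but left untouched (empty directories, files it skips by type), which helps scope the blast radius before restore.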

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First publicly documented campaigns using .besub began mid-March 2024, with peak distribution waves in May-June 2024.
  • It belongs to the Dharma / Crysis family tree (identical ransom note structure, identical encryption schema), sometimes referenced as Dharma-Besub.

3. Primary Attack Vectors

| Vector | Technical Details & Real-World Examples |
|--------|------------------------------------------|
| RDP brute-force / compromise | Attackers scan for TCP 3389 opened to the Internet, launch credential-stuffing / password-spray campaigns, obtain Admin or User access, then manually drop the payload. |
| Malicious email attachments | Delivered inside double-extension files such as Invoice_#211.js.besub.exe, or inside macro-enabled Office documents that spawn PowerShell loaders. |
| Pirated / trojanized software | Commonly bundled with game cracks, key generators, or “free” CAD utilities advertised on forums. The installer silently fetches the .besub binary from throw-away hosting sites. |
| Exploit kits (occasionally) | Limited but confirmed use of Fallout EK and Spelevo EK in Q2-2024 to drop the ransomware via browser exploits (outdated IE/Flash/Java). |
| Lateral movement after initial foothold | Once inside the network, attackers run credential harvesters (Mimikatz, LaZagne) and move via PsExec/WMI to push the same .besub executable to every reachable host. |


Remediation & Recovery Strategies:

1. Prevention

  1. Close RDP to the Internet. If remote access is mandatory, enforce VPN + MFA + rate-limiting (Account Lockout Policy).
  2. Patch software aggressively. Priority list:
     • Windows OS monthly cumulative patches
     • Adobe Acrobat/Reader, Foxit, 7-Zip, VLC, WinRAR (all common carriers for malicious documents and archives)
     • EternalBlue (MS17-010) / BlueKeep (CVE-2019-0708) – verify with vulnerability scanners (Qualys, Nessus).
  3. Segment the network; block direct SMB/RDP between user VLANs and servers.
  4. Application whitelisting via Windows Defender Application Control (WDAC) or AppLocker to block unsigned binaries.
  5. Email hygiene: enable "block executable macro attachments" in Exchange/Microsoft 365, route mail through sandboxing (e.g., Microsoft Defender for Office 365).
  6. Deploy EDR/NGAV with behavioral detection for mass file renaming combined with the extension heuristic (*.besub).
  7. Immutable or offline backups to repositories that deny deletion during a ransomware event (object-lock S3, immutable Veeam repositories, tape).
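Item 6 is where most of the false-positive tuning happens: a single user renaming one file to *.besub is not an incident, and neither is a slow legitimate process that happens to use the extension, but one process renaming many files to *.besub in a few seconds is. The block below is an added example (not the page's code) of that rename-burst logic, run over constructed telemetry in a made-up "ts,pid,image,op,path" text format; the pids, image paths and file names are invented, and the threshold and window are assumptions you would tune to your own EDR or Sysmon file-event feed.

```python
"""Rename-burst detector for the *.besub extension heuristic (added example,
not the page's code). Input is constructed file-event telemetry in a made-up
"ts,pid,image,op,path" format; map your EDR or Sysmon file-create/rename
events onto it. A process is flagged when it renames THRESHOLD or more files
to *.besub inside a WINDOW-second span; ransom-note drops seen from the same
process up to that moment are reported alongside as corroboration."""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

THRESHOLD = 5      # renames to *.besub ...            (assumed tuning value)
WINDOW = 10.0      # ... within this many seconds      (assumed tuning value)

# Constructed telemetry: pid 4120 is the encryptor (staged in C:\Users\Public
# under a random name), pid 900 is a user renaming one file by hand, pid 1200
# is a slow, legitimate archiver that happens to use the same extension.
SAMPLE_EVENTS = r"""
0.0,4120,C:\Users\Public\k7f2ab9xq.exe,RENAME,C:\Finance\2024_Q1_Results.xlsx.besub
0.3,4120,C:\Users\Public\k7f2ab9xq.exe,CREATE,C:\Finance\_readme.txt
0.4,4120,C:\Users\Public\k7f2ab9xq.exe,RENAME,C:\Finance\budget.docx.besub
0.9,4120,C:\Users\Public\k7f2ab9xq.exe,RENAME,C:\Finance\payroll.csv.besub
1.3,4120,C:\Users\Public\k7f2ab9xq.exe,RENAME,C:\Photos\picture.001.jpg.backup.besub
1.5,4120,C:\Users\Public\k7f2ab9xq.exe,CREATE,C:\Photos\_readme.txt
1.8,4120,C:\Users\Public\k7f2ab9xq.exe,RENAME,C:\Photos\holiday.png.besub
2.2,4120,C:\Users\Public\k7f2ab9xq.exe,RENAME,C:\Photos\scan.pdf.besub
3.0,900,C:\Windows\explorer.exe,RENAME,C:\Users\jdoe\Desktop\notes.txt.besub
5.0,1200,C:\Program Files\Archiver\arc.exe,RENAME,D:\out\a.bin.besub
20.0,1200,C:\Program Files\Archiver\arc.exe,RENAME,D:\out\b.bin.besub
35.0,1200,C:\Program Files\Archiver\arc.exe,RENAME,D:\out\c.bin.besub
50.0,1200,C:\Program Files\Archiver\arc.exe,RENAME,D:\out\d.bin.besub
65.0,1200,C:\Program Files\Archiver\arc.exe,RENAME,D:\out\e.bin.besub
"""

Event = Tuple[float, str, str, str, str]   # (ts, pid, image, op, path)


def parse_events(text: str) -> List[Event]:
    """Split the constructed feed; maxsplit keeps commas inside the path."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        ts, pid, image, op, path = line.split(",", 4)
        events.append((float(ts), pid, image, op, path))
    return events


def detect(events: List[Event]) -> Dict[str, dict]:
    """Sliding-window count of *.besub renames per pid; one alert per pid."""
    renames = defaultdict(deque)   # pid -> timestamps of recent *.besub renames
    notes = defaultdict(set)       # pid -> folders where _readme.txt was created
    alerts: Dict[str, dict] = {}
    for ts, pid, image, op, path in sorted(events):
        folder, _, leaf = path.rpartition("\\")
        if op == "CREATE" and leaf == "_readme.txt":
            notes[pid].add(folder)
        if op != "RENAME" or not leaf.endswith(".besub"):
            continue                 # exact lower-case suffix, as the page states
        q = renames[pid]
        q.append(ts)
        while ts - q[0] > WINDOW:    # drop renames older than the window
            q.popleft()
        if len(q) >= THRESHOLD and pid not in alerts:
            alerts[pid] = {"image": image, "first_ts": q[0], "trigger_ts": ts,
                           "count": len(q), "note_dirs": set(notes[pid])}
    return alerts


if __name__ == "__main__":
    for pid, a in detect(parse_events(SAMPLE_EVENTS)).items():
        print(f"pid {pid} {a['image']}: {a['count']} renames in "
              f"{a['trigger_ts'] - a['first_ts']:.1f}s, notes in {sorted(a['note_dirs'])}")
```

The alert fires on the fifth rename, roughly two seconds in, which is early enough for an EDR response action (kill the process, isolate the host) to save most of the share; the note-drop corroboration is what separates a real encryptor from a bulk-rename tool that happens to hit the threshold.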

2. Removal

  1. Isolate the host — disable all network adapters or pull the cable; unmount or power off shared/iSCSI volumes.
  2. Boot into Safe Mode (Minimal, not "with Networking", so the host stays isolated) or a Windows PE/WinRE stick.
  3. Kill malicious processes and services:
     taskkill /f /t /im {randomname.exe}
     sc stop {randomservice}
     (Typical dropped filename is a 7–10 character random alphanumeric string in C:\Users\Public\, %Temp%, or %AppData%\Roaming\.)
  4. Delete persistence artefacts:
     • Registry Run / RunOnce keys under
       HKLM\Software\Microsoft\Windows\CurrentVersion\Run
       HKCU\Software\Microsoft\Windows\CurrentVersion\Run
     • Scheduled tasks (schtasks /query /fo LIST /v → delete foreign entries with schtasks /delete /tn "<name>" /f).
     • Suspicious .exe files in %Temp% and in the Startup folders (%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup and the per-user %AppData%\Microsoft\Windows\Start Menu\Programs\Startup).
     • Do not empty C:\Windows\Prefetch: the .pf entries are execution evidence for the forensic timeline, not persistence. Copy them off the host before any cleanup.
  5. Run a full offline scan with updated Microsoft Defender, ESET, Kaspersky or Malwarebytes Anti-Ransomware to confirm removal.
  6. Change & rotate all admin & service credentials used in the environment—assume compromise.
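Steps 3 and 4 are usually done by eyeballing `schtasks /query /fo LIST /v` and `reg query` output, which is error-prone on a host with dozens of legitimate entries. The block below is an added example (not from the original page) that parses both outputs and applies the page's own staging heuristic, a 7–10 character alphanumeric executable name under C:\Users\Public, a Temp folder, or AppData\Roaming, tightened with the assumption that a random name contains both letters and digits. Both inputs are constructed samples; the cleanup commands are emitted for review, never executed, because the operator should confirm each hit against process and timeline evidence first.

```python
r"""Persistence triage for the removal steps above (added example, not from the
original page). Parses two text artefacts an operator collects on the isolated
host, `schtasks /query /fo LIST /v` and `reg query <Run key>` output, and
applies the page's staging heuristic: an executable with a 7-10 character
alphanumeric name under C:\Users\Public, AppData\Local\Temp, or AppData\Roaming.
The letters-and-digits requirement is an added assumption to cut false hits on
short legitimate names. Both inputs below are constructed samples."""
import re
from typing import Dict, List, Tuple

STAGING_DIR = re.compile(r"\\Users\\Public\\|\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\", re.I)
RANDOM_EXE = re.compile(r"^[A-Za-z0-9]{7,10}\.exe$", re.I)

SCHTASKS_SAMPLE = r"""
Folder: \
HostName:      WS01
TaskName:      \OneDrive Standalone Update Task-S-1-5-21-1
Status:        Ready
Task To Run:   %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Author:        Microsoft Corporation

HostName:      WS01
TaskName:      \Time Trigger Task
Status:        Ready
Task To Run:   C:\Users\jdoe\AppData\Roaming\a3f9kd2lq\a3f9kd2lq.exe --Task
Author:        WS01\jdoe

HostName:      WS01
TaskName:      \Microsoft\Windows\Defrag\ScheduledDefrag
Status:        Ready
Task To Run:   %windir%\system32\defrag.exe -c -h -o
Author:        Microsoft Corporation
"""

REG_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SysHelper    REG_SZ    "C:\Users\Public\k7f2ab9xq.exe" --AutoStart

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""


def parse_schtasks(text: str) -> List[Dict[str, str]]:
    """Each task is a blank-line separated block of 'Key:   value' lines."""
    tasks = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([A-Za-z][A-Za-z ]*?):\s+(.*)$", block, re.M))
        if "TaskName" in fields and "Task To Run" in fields:
            tasks.append(fields)
    return tasks


def parse_reg(text: str) -> List[Tuple[str, str, str, str]]:
    """reg query output: unindented key path, then indented 'name  TYPE  data'."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        m = re.match(r"^\s+(.+?)\s{2,}(REG_\w+)\s+(.*)$", line)
        if m and key:
            entries.append((key, m.group(1), m.group(2), m.group(3)))
    return entries


def exe_path(command: str) -> str:
    """First token of a command line, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_staged_random_exe(path: str) -> bool:
    name = path.rpartition("\\")[2]
    stem = name[:-4]
    return (bool(STAGING_DIR.search(path)) and bool(RANDOM_EXE.match(name))
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def triage(schtasks_text: str, reg_text: str) -> List[Dict[str, str]]:
    findings = []
    for task in parse_schtasks(schtasks_text):
        exe = exe_path(task["Task To Run"])
        if is_staged_random_exe(exe):
            findings.append({"source": "schtasks", "name": task["TaskName"], "exe": exe,
                             "cleanup": f'schtasks /delete /tn "{task["TaskName"]}" /f'})
    for key, name, _typ, data in parse_reg(reg_text):
        exe = exe_path(data)
        if is_staged_random_exe(exe):
            findings.append({"source": key, "name": name, "exe": exe,
                             "cleanup": f'reg delete "{key}" /v "{name}" /f'})
    return findings


if __name__ == "__main__":
    for f in triage(SCHTASKS_SAMPLE, REG_SAMPLE):
        print(f"{f['source']}: {f['name']} -> {f['exe']}\n    {f['cleanup']}")
```

Feed it the real outputs captured from the isolated host (redirect them to files on removable media first, so the evidence survives the cleanup). Anything it flags still deserves a look at the binary's hash and signing status before you run the printed command; anything it does not flag is not cleared, since the heuristic only covers the staging pattern the page describes.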

3. File Decryption & Recovery

  • Recovery Feasibility:
    • No public decryptor exists for .besub. Each file is encrypted with its own AES key, and that key is wrapped with the attacker's RSA-1024 public key; the matching private key never touches the victim, and no flaw or backdoor in the scheme had been discovered at the time of writing.
    • Short of paying the ransom, recovery is possible only if:
      • You have offline backups made before the infection.
      • Windows Volume Shadow Copies were enabled and the attacker neglected to delete them (vssadmin delete shadows /all) — check with vssadmin list shadows or ShadowExplorer.
      • Third-party backup caches (OneDrive, Dropbox with rewind, Google Drive versioning) allow previous-version rollback from their GUI or retention policies.
  • Essential Tools/Patches (Prevention)
    • Windows Defender Remote Credential Guard (Windows 10 1607+ / Server 2016+), so RDP logons do not leave reusable credentials on the target host.
    • MS17-010 (SMBv1 / EternalBlue), MS16-032 (Secondary Logon privilege escalation) and the CVE-2018-0886 CredSSP hardening updates (set "Encryption Oracle Remediation" to Force Updated Clients).
    • Windows Defender Firewall with Advanced Security: scope the inbound Remote Desktop (TCP 3389) rule to the VPN interface or subnet only, so the port never listens on the Internet-facing adapter.
    • Windows Sysinternals TCPView/ProcMon for manual hunting.
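The "no decryptor" verdict follows directly from the key flow described under Recovery Feasibility, and it is worth seeing that flow as code: the encryptor carries only the public half of the master key, generates a fresh key per file, wraps it with the public key into the file header, and discards it. The block below is an added model of that scheme, not the malware's code and not a recovery tool: textbook RSA without padding and a SHA-256 counter keystream stand in for the real RSA-1024 / AES pair so it runs with the standard library alone, and the 512-bit demo modulus, the 64-byte header width and the sample file body are assumptions.

```python
"""Model of the wrapped-key scheme from Recovery Feasibility (added example,
not the malware's code). Every file gets its own random 256-bit key; that key
is encapsulated with the attacker's RSA public key and stored as a header in
front of the ciphertext; the RSA private key never exists on the victim.
Textbook RSA (no padding) and a SHA-256 counter keystream stand in for the
real RSA-1024 / AES pair. Key size, header width and sample data are assumed."""
import hashlib
import secrets
from typing import Optional, Tuple

KEY_BYTES = 32        # per-file symmetric key
HEADER_BYTES = 64     # wrapped key, fixed-width big-endian (fits a 512-bit n)


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin, sufficient for a demo keypair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit and odd
        if _is_probable_prime(c):
            return c


def generate_keypair(bits: int = 512) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)). Only the public half ships with the encryptor."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR: SHA-256(key || block counter) XORed over data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_file(plaintext: bytes, public_key: Tuple[int, int]) -> bytes:
    """Victim side: fresh per-file key, wrapped under the public key and stored
    as the header. The plaintext key lives only in this function's scope."""
    n, e = public_key
    file_key = secrets.token_bytes(KEY_BYTES)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    return wrapped.to_bytes(HEADER_BYTES, "big") + _keystream_xor(file_key, plaintext)


def decrypt_file(blob: bytes, private_key: Tuple[int, int]) -> Optional[bytes]:
    """Holder-of-the-private-key side: unwrap the header, strip the keystream.
    Returns None when the private key does not match the header, which is all
    a victim can get without the attacker's master key."""
    n, d = private_key
    unwrapped = pow(int.from_bytes(blob[:HEADER_BYTES], "big"), d, n)
    if unwrapped.bit_length() > KEY_BYTES * 8:
        return None
    return _keystream_xor(unwrapped.to_bytes(KEY_BYTES, "big"), blob[HEADER_BYTES:])


if __name__ == "__main__":
    pub, priv = generate_keypair()
    blob = encrypt_file(b"constructed sample: 2024_Q1_Results.xlsx body", pub)
    print(decrypt_file(blob, priv))
    print(decrypt_file(blob, generate_keypair()[1]))   # wrong master key -> None
```

Two things the model makes concrete. First, the per-file key is never stored in the clear, so memory forensics on a host that has already finished encrypting recovers nothing usable. Second, every decryptor that has ever been released for a family like this came from a leaked or seized private key, or from a flaw in how the encryptor generated its per-file keys; absent one of those, the header is as strong as the RSA modulus behind it.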

4. Other Critical Information

  • Notable Differentiation from other Dharma strains
    • Uses the exact [email protected] and [email protected] addresses in the ransom note (prior variants would rotate).
    • Drops multiple log files (*.log) in %Temp% containing hostname, username and process token debugging info—useful for forensics.
    • A mutex object named Global\00{8x random hex} is always created; the malware checks for this mutex on restart to avoid encrypting the same host twice.
  • Wider Impact
    • Healthcare and NGOs top the victim list (due to exposed RDP); encrypted imaging records (DICOM) and EHR exports.
    • Second-stage deployment: before encrypting, threat actors exfiltrate data through rclone to Mega.nz; leak-data dumps for non-paying companies have been observed under the name Dharma-Besub Leaks on dark-web marketplaces.
    • Average ransom demand escalated from the Dharma "standard" 1 BTC to 3-8 BTC (roughly $170k-$450k at 2024 prices) for larger enterprises.

Rapid-Action Cheat Sheet

| Task | Command-line Snippets |
|------|-----------------------|
| Check if extension is besub | dir /s /b *.besub |
| Detach from network | Get-NetAdapter \| Disable-NetAdapter -Confirm:$false |
| Detect Shadow Copies | vssadmin list shadows /for=C: |
| Remove ransom notes | del /s _readme.txt on each share after preserving one copy as evidence (do not delete if under legal retention) |
| Immutably back up before remediation | wbadmin start backup -backupTarget:\\nas\lockedshare -include:C: |


Stay vigilant—generic Dharma signatures will NOT detect all .besub installer builds. Layered defense (network filtering, EDR, offline backups) remains the only reliable protection against this variant.