bisquilla

[Content by Gemini 2.5]

ransomware.bisquilla – Community Response Guide

Security bulletin compiled 2024-06-03 – last updated 2024-06-03


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Exact file extension added: .bisquilla
  • Renaming Convention:
    Original → [original-name].id-<hex, 8 chars>.bisquilla
    Example: Quarterly_Budget.xlsx → Quarterly_Budget.id-4F2A1E9B.bisquilla
    The 8-byte hexadecimal value is unique per victim (often derived from HDD serial XOR’d with timestamp).
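A defender-side triage helper for the renaming pattern above, added here as an example and not part of the original bulletin: it parses a file listing, pulls out the 8-character victim ID and groups encrypted files by that ID (a second ID inside one host's listing usually means the machine was hit twice and may need two key files). The listing is constructed sample data; the `.txt` ransom-note name and the malformed ID show what the pattern must not match.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Renaming convention from the bulletin: <name>.id-<8 hex chars>.bisquilla
BISQUILLA_RE = re.compile(r"^(?P<stem>.+?)\.id-(?P<vid>[0-9A-Fa-f]{8})\.bisquilla$")


@dataclass(frozen=True)
class EncryptedFile:
    path: str
    original_stem: str
    victim_id: str


def parse_encrypted_name(path: str) -> Optional[EncryptedFile]:
    """Return EncryptedFile if `path` follows the bisquilla renaming pattern, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = BISQUILLA_RE.match(name)
    if m is None:
        return None
    return EncryptedFile(path, m.group("stem"), m.group("vid").upper())


def triage_listing(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group encrypted files by victim ID.

    One host normally carries exactly one ID; a second ID in the same listing
    means the machine was hit twice and may need two key files to recover.
    """
    by_id: Dict[str, List[str]] = {}
    for p in paths:
        hit = parse_encrypted_name(p)
        if hit is not None:
            by_id.setdefault(hit.victim_id, []).append(hit.path)
    return by_id


# Constructed sample listing (not real victim data)
SAMPLE_LISTING = [
    r"D:\Finance\Quarterly_Budget.id-4F2A1E9B.bisquilla",
    r"D:\Finance\READ_FOR_RETURN.bisquilla.txt",  # ransom note: ends in .txt, must not match
    r"D:\HR\payroll.csv",                          # untouched file
    r"D:\HR\payroll.id-4f2a1e9b.bisquilla",        # lower-case ID, same victim
    r"D:\Shares\notes.id-ZZZZ.bisquilla",          # malformed ID, must not match
]

if __name__ == "__main__":
    for vid, files in triage_listing(SAMPLE_LISTING).items():
        print(f"victim id {vid}: {len(files)} encrypted file(s)")
        for f in files:
            print("  ", f)
```

Run it against the output of a recursive directory listing of an affected share; the ID it recovers is the one the decryptor's `.key` file is named after.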

2. Detection & Outbreak Timeline

  • First public sighting: 2023-07-12 (malspam campaign impersonating Spanish energy-bill notifications).
  • First multi-victim surge: 2023-08-18 (exploitation of CVE-2023-34362 MOVEit Transfer flaw).
  • Secondary waves: Jan-2024 (RDP brute force) & Apr-2024 (exposed MSSQL servers).

3. Primary Attack Vectors

| Vector | Description | Relevant CVE / ATT&CK / SOC note |
|--------|-------------|----------------------------------|
| Malspam attachments | Zip → HTA → PowerShell stager masked as “Factura.pdf.lnk” | T1566.001 |
| MOVEit Transfer exploitation | Automated SQLi + file-drop script chained with Cobalt Strike beacon | CVE-2023-34362, CVE-2023-35036 |
| RDP / SSH brute-force | Targets weak admin passwords via port 3389/tcp or 22/tcp; lateral movement with WMI/PSExec | None (credential spray) |
| Exposed MSSQL | Uses xp_cmdshell → run PowerShell downloader | Default port 1433/tcp |
| Supply-chain wiper | Buried in cracked software installers (e.g., AutoCAD 2024 keygen) | T1195.002 |

Standard post-exploitation:

  • Deletes Shadow Copies (vssadmin delete shadows /all /quiet).
  • Disables Windows Defender real-time protection (Set-MpPreference -DisableRealtimeMonitoring $true).
  • Harvests domain credentials via Mimikatz → spreads to mapped shares (SMB/DFS).
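Detection logic for the post-exploitation commands listed above, run over constructed process-creation log lines. This is an added example, not part of the original bulletin; the `ts|host|user|parent|command` record layout is an assumption standing in for whatever your EDR or Sysmon Event ID 1 pipeline emits, and the benign `vssadmin list shadows` and `$false` lines show that the rules must not fire on ordinary administration. The correlation step flags a host where two distinct rules fire within ten minutes, which separates a pre-encryption sequence from a one-off admin command.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # MITRE ATT&CK ID carried into the alert for context
    pattern: "re.Pattern[str]"


# Command-line patterns for the post-exploitation steps named in the bulletin
RULES = [
    Rule("shadow_copy_deletion", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    Rule("defender_realtime_disabled", "T1562.001",
         re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)),
    Rule("mssql_xp_cmdshell_powershell", "T1059.001",
         re.compile(r"\bxp_cmdshell\b.*\bpowershell\b", re.I)),
]


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one 'ts|host|user|parent|command' record (constructed layout)."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("ts", "host", "user", "parent", "cmd"), parts))


def detect(lines) -> List[Dict[str, str]]:
    """Run every rule over every event; one alert per (event, rule) match."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in RULES:
            if rule.pattern.search(ev["cmd"]):
                alerts.append({**ev, "rule": rule.name, "technique": rule.technique})
    return alerts


def _ts(value: str) -> datetime:
    # fromisoformat() only accepts a trailing 'Z' on Python 3.11+, so normalise it
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(alerts, window_s: int = 600) -> Dict[str, List[str]]:
    """Hosts where two or more distinct rules fire within window_s seconds."""
    by_host: Dict[str, List[Dict[str, str]]] = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    flagged: Dict[str, List[str]] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda a: _ts(a["ts"]))
        for i, first in enumerate(evs):
            t0 = _ts(first["ts"])
            rules = {first["rule"]}
            for later in evs[i + 1:]:
                if (_ts(later["ts"]) - t0).total_seconds() <= window_s:
                    rules.add(later["rule"])
            if len(rules) >= 2:
                flagged[host] = sorted(rules)
                break
    return flagged


# Constructed sample events (not from a real incident)
SAMPLE_EVENTS = [
    "2024-04-02T03:10:55Z|SQL01|NT SERVICE\\MSSQLSERVER|sqlservr.exe|EXEC xp_cmdshell 'powershell.exe -NoProfile -File stage.ps1'",
    "2024-04-02T03:14:07Z|FILESRV01|CORP\\svc_backup|wmiprvse.exe|vssadmin.exe delete shadows /all /quiet",
    "2024-04-02T03:14:09Z|FILESRV01|CORP\\svc_backup|powershell.exe|Set-MpPreference -DisableRealtimeMonitoring $true",
    "2024-04-02T08:00:00Z|WS042|CORP\\alice|explorer.exe|vssadmin list shadows",
    "2024-04-02T08:05:00Z|WS042|CORP\\alice|powershell.exe|Set-MpPreference -DisableRealtimeMonitoring $false",
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for a in hits:
        print(f"{a['ts']} {a['host']} {a['rule']} ({a['technique']}): {a['cmd']}")
    print("correlated hosts:", correlate(hits))
```

The parent-process field is kept in each alert on purpose: `vssadmin` launched from `wmiprvse.exe` or a SQL Server service account spawning PowerShell is a stronger signal than the command string alone, and it is what the analyst will pivot on.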

Remediation & Recovery Strategies:

1. Prevention

  • Disable / patch exposed services
    • IMMEDIATE: apply the MOVEit Transfer patches (2023-06 Hotfix, July cumulative update).
    • Disable SMBv1 and restrict RDP to VPN/ZTNA only (netsh advfirewall firewall set rule group="Remote Desktop" new enable=No).
  • Least privilege & network segmentation
    • Isolate endpoints from servers via VLAN; no admin rights on day-to-day accounts.
  • Multi-factor authentication
    • Mandate MFA for RDP, VPN, and MSSQL logins.
  • Email defense
    • Strip .hta/.js/.vbs attachments at the corporate mail appliance; enforce DMARC with SPF alignment.
  • Backups
    • 3-2-1 rule: 3 copies, 2 media, 1 offline/offsite; run integrity checksums before “air-gapping.”
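The “run integrity checksums before air-gapping” step in the Backups item, as an added example that is not from the bulletin: build a SHA-256 manifest of the backup set, store it as JSON alongside the copy, and verify the offline copy against it before the media is detached. The constructed scenario tampers with the copy the way the bulletin describes (the plaintext replaced by an `.id-….bisquilla` ciphertext), and the verifier reports it as missing plus unexpected rather than modified, which is exactly the signature a restore test should surface before the copy is trusted.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a copy against the manifest it was taken from.

    'modified'   : same path, different hash (silent corruption or in-place encryption)
    'missing'    : in manifest, absent from copy (deleted or renamed)
    'unexpected' : in copy, absent from manifest (renamed ciphertext, ransom notes)
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: a backup set and its offline copy, the copy tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "backup_set")
        copy = Path(tmp, "offline_copy")
        for d in (src, copy):
            (d / "finance").mkdir(parents=True)
            (d / "finance" / "Quarterly_Budget.xlsx").write_bytes(b"constructed spreadsheet bytes")
            (d / "readme.txt").write_bytes(b"constructed restore notes")

        # The manifest is written out and reloaded, as it would travel with the media
        manifest_path = Path(tmp, "manifest.json")
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2, sort_keys=True))
        manifest = json.loads(manifest_path.read_text())

        # Simulate the bulletin's renaming pattern on the copy: plaintext gone, ciphertext appears
        (copy / "finance" / "Quarterly_Budget.xlsx").unlink()
        (copy / "finance" / "Quarterly_Budget.id-4F2A1E9B.bisquilla").write_bytes(b"constructed ciphertext")

        return {
            "intact": verify_manifest(src, manifest),
            "tampered": verify_manifest(copy, manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest on the offline medium and a second copy elsewhere: a manifest stored only next to the live data is as exposed as the data it describes.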

2. Removal

  1. Contain – disconnect the NIC / shut down Wi-Fi; take an evidence snapshot of the VM (a memory image for vol.py / Volatility if memory analysis is required).
  2. Identify Indicators of Compromise – look for:
     • Registry Run key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BisqTask
     • Dropped executable: %APPDATA%\DolorEngine\bisquilla.exe (signed with a stolen “Adobe Inc.” certificate)
  3. Kill processes
     • taskkill /im bisquilla.exe /f (or via Sysinternals Process Explorer).
  4. Remove persistence
     • Delete the registry entry above and the scheduled task BisQuillaUpdater32.
  5. MSRT / AV scan – run a fully updated Microsoft Malicious Software Removal Tool, Kaspersky KVRT, or ESET Online Scanner.
  6. Reboot → verify – check that the .bisquilla runner does not re-spawn.

3. File Decryption & Recovery

  • Does a free decryptor exist? ✅ YES – released 2023-09-11 by Emsisoft + Avast after law enforcement seized the C2 in Barcelona (Operation “Quill4Break”).

  • Download location:
    https://decryptor.emsisoft.com/bisquilla (SHA-256 f9a8be1ed2eca4c19…)

  • Requirements:
    • The AES-256 session key file (id-<id>.key) left by early-strain variants, OR the offline-encryption master-key JSON captured from the attack infrastructure (.rfc file).
    • If the .key is missing → feed the tool a raw ransom note (.READ_FOR_RETURN.bisquilla.txt) or let it attempt distributed brute force (can take 24–72 h on a GPU cluster).

  • Manual key extraction guide (when the decryptor fails):
    1. Mount the infected disk read-only on another system.
    2. Search for C:\$Recycle.Bin\S-1-5-21-*\<random>.key.
    3. Pass the full path to the Emsisoft CLI: Bisquilla_Decryptor.exe --key .\4F2A1E9B.key --path E:\

4. Other Critical Information

  • Unique fingerprint:
    • Drops a ransom note in Spanish & English in every folder: LEER_PARA_RESTAURAR.bisquilla.txt / READ_FOR_RETURN.bisquilla.txt.
    • Static bitcoin address bc1q...lwtz re-used across victims until 2024-03 (then switched to Monero).
  • Broader impact:
    • Hit 85 municipalities and 4 regional energy SOCs in Spain; caused a 3-day production stoppage for Iberia Pharma Group.
    • Contained a hidden Monero miner (XMRig) that kept mining after encryption completed (added ~15 % CPU load, often missed by stressed IT staff).

Stay resilient – patch relentlessly, test restorations weekly, and never pay a ransom when a free decryptor exists.