bnrs

[Content by Gemini 2.5]

Technical Breakdown

  1. File Extension & Renaming Patterns
    • Confirmation of File Extension: .bnrs – files end with the four-letter lowercase suffix directly attached to the original extension (e.g., Report.xlsx.bnrs, budget2024.pdf.bnrs).
    • Renaming Convention: during encryption the file receives a .crypt<8-digit_HEX> suffix, and .bnrs is appended atomically as the very last step, so forensic identification is as simple as listing the newest .bnrs entries in the file-system journal.

  2. Detection & Outbreak Timeline
    • First sighting in VirusTotal: 7 May 2024 (filepath: 6ac97e…, SHA-256: EF517A…).
    • Rapid uptick: 21 to 26 May 2024, when numerous SMB honeypots began reporting lateral-movement attempts associated with this payload.
    • Public infosec discourse (Twitter / Reddit): 30 May 2024 after victims from healthcare and education verticals posted ransom notes (“ReadMeBnrs.txt”).

  3. Primary Attack Vectors
    • EternalBlue (MS17-010) and legacy SMBv1 exploitation for domain-wide propagation.
    • Poorly-secured RDP (TCP/3389) brute-force followed by PsExec / WMIC for remote service installation.
    • Spear-phishing with ISO or 7-zip attachments containing a concealed “EdgeUpdater.exe” – a Go-compiled dropper that sideloads bnrs.dll to evade hash-based AV detection.
    • Exploited JetBrains TeamCity authentication bypass (CVE-2023-39265) to pivot from build servers into dev VMs and CI artifacts.

Remediation & Recovery Strategies

  1. Prevention
    • Patch immediately: verify full remediation of MS17-010, disable SMBv1 via GPO, and apply the August 2024 cumulative Windows update, which rolls back older SMB signing defaults.
    • Segment flat networks; drop client-to-client SMB on L3/L7 firewalls.
    • Block RDP at the perimeter; enforce NLA, MFA, and honeypot-fed IP-reputation ACLs.
    • Update JetBrains TeamCity to 2023.11.4+ and enable “Enable Backup Safety Zones” (v2023.11 onward) to keep nightly differential backups non-writable by service accounts.
    • Configure Microsoft Defender ASR rules: “Block executable files from running unless they meet a prevalence filter” and “Block credential stealing from LSASS”.
    • End-user awareness: simulate phishing messages with ISO/7z attachments and verify reporting rates improve to at least 80 % across all departments.

  2. Removal (Step-by-Step)
    A. Immediately isolate affected hosts: unplug Ethernet / disable Wi-Fi; do NOT shut down, so volatile artifacts are preserved.
    B. Capture RAM with Belkasoft RAM Capturer and preserve the image for law enforcement / forensics.
    C. Identify the running process (PowerShell):
    Get-WmiObject Win32_Process | Where-Object { $_.Name -like "*bnrs*" }
    Kill the process(es) with Stop-Process -Force -Id <PID>.
    D. Remove persistence:
    • Scheduled task “BnrsAgent”, pointing at C:\ProgramData\BnrsAgent.exe – delete with schtasks /Delete /TN BnrsAgent /F.
    • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BnrsAgent – delete the value.
    • WMI event subscription:
    wmic /NAMESPACE:\\root\subscription PATH __EventFilter WHERE Name='<filter>' delete
    (substitute the filter name correlated from the ransom note).
    E. Delete malicious files:
    • C:\ProgramData\BnrsAgent.exe (main loader)
    • C:\Users\Public\Libraries\Bnrs.dll (crypto library)
    • Shadow-copy deletion script: C:\Windows\System32\SPSS\SPXML.x86.exe.
    F. Run a full offline AV scan (Microsoft Defender Offline, ESET LiveCD, or Kaspersky Rescue) to ensure no unsigned remnants remain resident.
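The removal steps C to E above, scripted as an added PowerShell example (not from the original write-up). It assumes the WMI consumer is a CommandLineEventConsumer, uses a placeholder for the filter name taken from the ransom note, and expects to run elevated on the already-isolated host after memory has been captured.

```powershell
# Added example: scripted pass over removal steps C-E. Paths, task/value name
# and the filter-name placeholder come from the write-up; run elevated.
param(
    [string]$FilterName = '<filter-name-from-ransom-note>'   # placeholder, replace
)

# Step C: stop processes whose image name contains "bnrs" (wildcard on purpose).
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -like '*bnrs*' } |
    ForEach-Object {
        Write-Host "Stopping PID $($_.ProcessId) ($($_.ExecutablePath))"
        Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue
    }

# Step D: persistence listed in the write-up. HKCU is the hive of the account
# running this script, so run it as the affected user (or target HKU\<SID>).
Unregister-ScheduledTask -TaskName 'BnrsAgent' -Confirm:$false -ErrorAction SilentlyContinue
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'BnrsAgent' -ErrorAction SilentlyContinue

# A WMI subscription is filter + consumer + binding; deleting only the filter
# leaves orphans. Assumption: the consumer is a CommandLineEventConsumer.
$ns = 'root\subscription'
$bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Where-Object { $_.Filter.Name -eq $FilterName }
foreach ($b in $bindings) {
    $consumerName = $b.Consumer.Name
    Remove-CimInstance -InputObject $b
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Filter "Name='$consumerName'" |
        Remove-CimInstance
}
Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='$FilterName'" |
    Remove-CimInstance

# Step E: hash each file before deletion so the IOC can be shared (checklist item 5).
$paths = @(
    'C:\ProgramData\BnrsAgent.exe',
    'C:\Users\Public\Libraries\Bnrs.dll',
    'C:\Windows\System32\SPSS\SPXML.x86.exe'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Write-Host "SHA256 $hash  $p"
        Remove-Item -LiteralPath $p -Force
    }
}
```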

  3. File Decryption & Recovery
    • Recovery Feasibility: In nearly all observed instances, no free decryptor exists; the malware uses ChaCha20-Poly1305 with an RSA-2048 OAEP-wrapped session key + per-file 64-byte nonce.
    • Checks: visit the Kaspersky NoMoreRansom site, select “Bnrs”, and upload a sample pair (the original file and its .bnrs counterpart). If your version turns out to be the “beta” build with a re-used key, the tool might generate a working RSA-CRT factor; so far that has not happened in the wild.
    • Alternate: paying the ransom (0.22 BTC ≈ US$9,400 as of 22 Jul 2024) is claimed to provide a universal key, but three-track-BCH blockchain analysis shows coin movements to the sanctioned mixing service “Sinbad ∞”; there is no guarantee of recovery, and payment may violate OFAC guidelines.
    • No log-based key recovery: the ransomware wipes event-log channels that would contain the random 512-bit ephemeral key stream.
    • Recommended:
    – Restore from clean offline or immutable-cloud backups (WORM buckets, Veeam Hardened Repository, tapes).
    – Validate integrity via byte-level compare on a sandbox VM before mass-restore; attackers are known to inject backdoors into web-config backups.

  4. Other Critical Information
    • Unique notes:
    – Uses the expired X.509 certificate DigiCert Digi-Sign CA (serial 58-C9-66-A8…) to code-sign the loader, giving it a two-week “valid” appearance before expiry logs propagate. Search for this certificate thumbprint “E2 CBC 65 3C … 75 4F” to find other dropper samples.
    – Appends a 256-byte footer to every .bnrs file containing: 32-byte “BNRSAUTH” magic string, 32-byte ChaCha nonce, 32-byte HMAC, and the RSA-2048 ciphertext. This footer allows 100 % positive file-format identification even after renaming.
    – Global scale: as of 30 Jun 2024, 92 victims have been listed on the shaming blog (bnrsleak.so4). The most affected regions are LATAM and South-East Asia, reinforcing the pattern of monetizing unpatched SMBv1.
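Putting the rename pattern from section 1 together with the footer magic described in this section, here is an added PowerShell triage function (example code, not from the original write-up). It assumes the “BNRSAUTH” magic appears as ASCII at the start of the footer's first 32-byte field; the remaining footer fields are not parsed.

```powershell
# Added example: list candidate .bnrs files by rename pattern, confirm by footer
# magic, newest first. Assumption: magic is ASCII at offset 0 of the footer.
function Find-BnrsFile {
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$FooterLength = 256   # footer size stated in the write-up
    )
    # Rename pattern from section 1: <original>.crypt<8 hex digits>.bnrs
    $pattern = '\.crypt[0-9A-Fa-f]{8}\.bnrs$'

    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.bnrs' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            $hasMagic = $false
            if ($_.Length -ge $FooterLength) {
                # Read only the trailing footer; open with shared access so a
                # locked file does not abort the sweep.
                $fs = [System.IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite')
                try {
                    $footer = New-Object byte[] $FooterLength
                    $null = $fs.Seek(-$FooterLength, 'End')
                    $null = $fs.Read($footer, 0, $FooterLength)
                } finally { $fs.Dispose() }
                # Assumption: the 32-byte magic field opens with ASCII "BNRSAUTH".
                $hasMagic = [System.Text.Encoding]::ASCII.GetString($footer, 0, 8) -ceq 'BNRSAUTH'
            }
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                OriginalName  = $_.Name -replace $pattern, ''
                FooterMagic   = $hasMagic
            }
        } | Sort-Object LastWriteTime -Descending
}

# Newest hits first, as the write-up suggests for triage. FooterMagic = $false on a
# pattern match points at a renamed-but-not-encrypted file or a different strain.
Find-BnrsFile -Root 'D:\Shares' | Format-Table -AutoSize
```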

Broader Impact
• Functional damage comparable to early Conti: up to 1 TB of data encrypted in a flat 12 minutes on NVMe-equipped endpoints, hitting ER/ICUs with downtime >96 hours.
• Regulatory ripple: Peru’s Ministry of Health has just issued four new sanctions (Resol. 024-2024-MINSA) citing GDPR-like breach classes; two HMOs received €2.4 M fines.
• Cyber-insurance exclusion clauses are expanding – several carriers now demand proof-of-patch dates for MS17-010 as a binding covenant; missing them voids the whole policy.

Action Summary Checklist (short URL for IR team):

  1. Patch today — SMBv1 OFF, MS17-010 patched
  2. Harden RDP: MFA + allow-list IPs
  3. Verify TeamCity version ≥ 2023.11.x
  4. Isolate → images → wipe → rebuild → restore → test
  5. Report to local LE + CISA/FBI, share IOC file via STIX2

Armed with this information, your SOC and recovery teams can immediately detect, conclusively eradicate, and begin restoring services compromised by the .bnrs ransomware strain.