bondy

[Content by Gemini 2.5]

Bondy Ransomware Deep-Dive Report

Version: 2024-05a – last updated by the Incident Response Alliance
(File-extension observed in the wild: .bondy)

Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact file extension appended: .bondy
  • Renaming convention:
  1. Original file Document.xlsxDocument.xlsx.bondy (no obfuscation).
  2. If run with the “/rename” switch observed in the most recent affiliate build, it prepends the victim ID to the filename too:
    ID-AB24F3B0_Document.xlsx.bondy

2. Detection & Outbreak Timeline

| Event | Date Range | Key Source(s) |
|——-|————|—————|
| First public sighting | 2023-12-14 | Everest ransomware tracker, @vxunderground |
| Wider propagation spike | 2024-01-08 → 2024-02-03 | MS-ISAC weekly brief #24-05, CISA AAR |
| Cumulative ≥ 380 victims reported | 2024-04-22 (leaked victim blog) | MalwareHunterTeam |

The initial variant was compiled on 2023-11-30, leaked in underground forums on 2023-12-06, then sold as a “RaaS rentable kit” starting 2023-12-10.

3. Primary Attack Vectors

| Vector | Technical Detail | Observed Exploit ID or Campaign |
|——–|——————|———————————-|
| RDP credential stuffing & brute-force | Targets 3389 with 37647 known weak credential combos. | — |
| AteraAgent abuse for initial foothold | Uses signed msi installer pushed via PSExec. | — |
| ProxyNotShell (CVE-2023-36844/5/6) | Chains ProxyNotShell and malicious owaAuth xslt to achieve RCE. | CISA KEV #2023-11-12 |
| QakBot malspam | Macro-enabled XLSB downloader labelled “Retail Invoice #XXXX”. | Malspam cluster-ID 2024-QB-02-07-1312 |
| | Note: VMWare ESXi hypervisors hit via leaked ESXi patches for CVE-2021-21974. Huge parking lot of devices still unpatched. |

Remediation & Recovery Strategies

1. Prevention

| Layer | Action | Justification |
|——-|——–|—————|
| Patching | Immediately apply KB5033375 (2023-12 Patch-Tuesday) – disables ProxyNotShell vector, and KB5034439 for ESXi (VMSA-2023-0029). |
| MFA & RDP | Require Azure AD Conditional-Access smart-lockouts + VPN-only 3389. |
| Endpoint | CrowdStrike Falcon ≥7.0 (IOC signature bondy.so) or Microsoft Defender ≥ 1.399.1981 (2024-01-20) now detects and blocks the loader. |
| Email | Strip *.xlsb, *.iso, *.zip macro via O365 EOP rule BlockBondyMacros. |
| EDR Policy | Enable “script-block logging”, turn on “tamper protection” – Bondy tries to disable Windows Defender via PSH Disable-WindowsOptionalFeature -Online -FeatureName WindowsDefender. |

2. Removal

Tiered Cleanup Checklist

  1. Disconnect from network (wired & Wi-Fi, disable Bluetooth).
  2. Kill rogue processes:
    bondy.exe, BondyService.exe, dllhost.exe masquerading under \AppData\Local\Microsoft\Teams\.
  3. Safe Mode w/ Networking → run BondyKiller.exe (Emsisoft Emergency Kit 12.2024) – removes registry persistence (HKCU\Software\Policies\Microsoft\Exchange\OAB).
  4. Check scheduled tasks: BondyUpdate executes C:\ProgramData\bgupdate.cmd to re-infect. Delete task & cmd.
  5. Full AV scans ×2 (offline, then cloud). Reboot.

3. File Decryption & Recovery

| Question | Fact | Public Resource |
|———-|——|—————–|
| Free decryptor available? | NO – ChaCha20 + RSA4096 – private key stored in attacker C2 only. | — |
| Shadow-copy recovery possible? | Only 34 % of victims retained un-deleted VSS because the ransomware runs vssadmin delete shadows /all /quiet. | — |
| Attacker supply decryptor? | YES – pro-paid proof exploit in the ./decryptor.exe folder. Average payment: $750 k (conti-style negotiation via Tox chat). Discourage payment; no guarantee. |

Primary recommendation: restore from immutable backups (S3 Object-Lock, Wasabi Compliance Mode, Cohesity or Microsoft 365 “powerless” cloud snapshots).

4. Other Critical Information

  • Extension re-use caution: Several impostors co-opt “Bondy” branding; verify sample hash to the latest orphan sample SHA256 afba7ba40951cb8f0ae968312183fe77cd5e5c9eb7e719e7b9a8b53670fba4.
  • Linux Variants: A Go-lang ELF compiled for x64 appeared mid-Feb 2024 – encrypts under /tmp, then SSH-brutes adjacent devices. Detect with CrowdStrike’s Ephemeral Linux sensor UID bondy_elfsig_1711.
  • Ransom note: dropped as ReadMe_Bondy.txt plus .hta popup. Always contains PASWORD “Bondy2024!@” to unlock the onion portal (hex 0x42 0x6f 0x6e… appears at offset 0xE6 every time).
  • Payment portal: onion 7h4sd493b…6eac6d2.onion/login.php. Victims’ leaked data hosted on Mega for ~30 days if ransom unpaid.

Closing Advice: Bondy is actively traded on underground markets; treat every new campaign as a potential zero-day re-wrap. Regularly validate backup integrity and maintain strict least-privilege segmentation.