bonsoir

[Content by Gemini 2.5]

Ransomware Resource Sheet
Variant: .bonsoir


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Always .bonsoir (note: the token appears after the original file extension, not in place of it).
    Example: Annual Report 2024.xlsx.bonsoir
  • Renaming Convention: concatenative. No filename scrambling; only the suffix is appended. Directory names remain untouched, so encrypted files are easy to enumerate: find / -xdev -type f -name '*.bonsoir' on Linux/macOS (run against the mount point of an affected share), or dir /s /b C:\*.bonsoir on Windows.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Active clusters observed since mid-September 2023 and ramped up sharply during October 2023 “back-to-office” phishing lures.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • Malicious Excel/Word attachments (MIME types application/vnd.openxmlformats-officedocument.spreadsheetml.sheet and application/vnd.openxmlformats-officedocument.wordprocessingml.document) carrying a VBA macro → .LNK downloader → PowerShell → Cobalt Strike beacon → .bonsoir dropper.
    • Google Ads malvertising for fake open-source/freeware download sites (e.g., WinSCP, SourceTree, 7-Zip) pushing a signed but Trojanized MSI installer that runs the same chain.
    • Known-vulnerability footholds: CVE-2022-30190 (Follina: an Office document loads a remote template whose HTML invokes the ms-msdt: protocol handler, so no macro is needed) and CVE-2021-40444 (MSHTML: a malicious ActiveX control loaded from an Office document) on unpatched Windows hosts.
    • Credential harvesting via compromised or spoofed SaaS portals (SharePoint, OneDrive), followed by RDP lateral movement and Scheduled Task persistence.
    • Log4j 2.x scanning (CVE-2021-44228) against public-facing Java applications: less common, but documented in early October 2023 telemetry.
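The chain above (Office → .LNK/cmd → PowerShell → beacon, plus the Follina ms-msdt: pattern and WMI-spawned processes used for lateral movement) can be hunted in Sysmon process-creation telemetry. The script below is an added example, not part of the original sheet and not published .bonsoir indicators: the parent/child pairs, command-line patterns and the constructed sample records are this example's own assumptions, and it assumes Sysmon Event ID 1 with its default field names.

```powershell
# Added example (not from the original sheet): hunting the delivery chain in Sysmon process-creation
# events (Event ID 1). Parent/child pairs and command-line patterns are this example's own choices.

$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
$StageChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                   'mshta.exe', 'msdt.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe')

function Test-SuspiciousProcess {
    # $Record needs UtcTime, User, Image, ParentImage, CommandLine (Sysmon EID 1 field names).
    param([Parameter(Mandatory)] $Record)
    $child   = [System.IO.Path]::GetFileName([string]$Record.Image).ToLowerInvariant()
    $parent  = [System.IO.Path]::GetFileName([string]$Record.ParentImage).ToLowerInvariant()
    $cmd     = [string]$Record.CommandLine
    $reasons = @()

    if ($OfficeParents -contains $parent -and $StageChildren -contains $child) {
        $reasons += "Office process spawned $child (macro, .LNK or MSDT stage)"
    }
    if ($child -eq 'msdt.exe' -and $cmd -match 'ms-msdt:') {
        $reasons += 'msdt.exe launched through an ms-msdt: URI (Follina, CVE-2022-30190)'
    }
    if ($child -in @('powershell.exe', 'pwsh.exe')) {
        if ($cmd -match '(?i)\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}') {
            $reasons += 'PowerShell with a long Base64 -EncodedCommand'
        }
        if ($cmd -match '(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|frombase64string|-nop\b|bypass') {
            $reasons += 'PowerShell download cradle / policy bypass'
        }
    }
    if ($parent -eq 'wmiprvse.exe' -and $StageChildren -contains $child) {
        $reasons += 'process created through WMI (wmic process call create style lateral movement)'
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            UtcTime = $Record.UtcTime; User = $Record.User; Parent = $parent; Child = $child
            CommandLine = $cmd; Reasons = ($reasons -join '; ')
        }
    }
}

function Get-SysmonProcessCreate {
    # Live hunt: read Sysmon EID 1 from the local log and flatten EventData into the fields above.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ UtcTime = $d['UtcTime']; User = $d['User']; Image = $d['Image']
                               ParentImage = $d['ParentImage']; CommandLine = $d['CommandLine'] }
        }
}

# Constructed sample records (not real telemetry) so the logic can be exercised offline.
$sample = @(
    [pscustomobject]@{ UtcTime = '2023-10-03 08:14:02.101'; User = 'CORP\alice'
        Image = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
        CommandLine = 'cmd.exe /c start "" "%TEMP%\invoice_2024.lnk"' }
    [pscustomobject]@{ UtcTime = '2023-10-03 08:14:03.420'; User = 'CORP\alice'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA' }
    [pscustomobject]@{ UtcTime = '2023-10-03 08:20:11.007'; User = 'CORP\bob'
        Image = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'C:\Windows\system32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_BrowseForFile=C:\payload.txt"' }
    [pscustomobject]@{ UtcTime = '2023-10-03 09:02:45.550'; User = 'NT AUTHORITY\SYSTEM'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        CommandLine = 'powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\run.ps1' }
    [pscustomobject]@{ UtcTime = '2023-10-03 09:05:00.000'; User = 'CORP\alice'
        Image = 'C:\Windows\System32\notepad.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'notepad.exe C:\Users\alice\notes.txt' }    # benign; must not be flagged
)
$sample | ForEach-Object { Test-SuspiciousProcess $_ } | Format-Table UtcTime, User, Parent, Child, Reasons -AutoSize -Wrap

# Live hunt on a host with Sysmon:
#   Get-SysmonProcessCreate | ForEach-Object { Test-SuspiciousProcess $_ } | Export-Csv hunt.csv -NoTypeInformation
```

Of the five constructed records, the first four are flagged (Office → cmd, encoded PowerShell cradle, ms-msdt: URI, WMI-spawned PowerShell with policy bypass) and the Explorer → Notepad record is not. Tune the parent/child lists to your own fleet: the WMI rule in particular will also fire on legitimate SCCM and remote-administration activity.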

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Patch the two document-borne footholds: CVE-2021-40444 (MSHTML, fixed September 2021) and CVE-2022-30190 (MSDT/Follina, fixed June 2022). Where a host cannot be patched yet, apply Microsoft's interim workarounds (unregister the ms-msdt: protocol handler; disable ActiveX installation through the Internet zone settings). Retiring Internet Explorer is sound hygiene but does not remove mshtml.dll, so it is not a substitute for the patch.
    • Office macro blocking via Group Policy: "Block macros from running in Office files from the Internet" (files carrying the Mark of the Web).
    • Entra ID / Azure AD conditional access requiring MFA and a compliant device on remote-access paths. Separately, enable Restricted Admin mode on RDP destination hosts (an LSA / Group Policy setting, not a conditional-access control) so that the administrator's credentials are not left on the target.
    • Application allow-listing (AppLocker or Windows Defender Application Control), Defender Attack Surface Reduction rules for the Office → script → LSASS stages of the chain, and endpoint privilege management (e.g., CyberArk Endpoint Privilege Manager) so users are not local administrators.
    • Disable SMBv1 and require SMB signing (Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true).
    • User awareness training with controlled phishing simulations; specifically warn against "urgent invoice" attachments and fake software-download ads.
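The host-side equivalents of the prevention items above, as an added example rather than configuration from the original sheet. It assumes Windows 10/11 or Server 2016+, Microsoft 365 Apps (policy registry version 16.0), Microsoft Defender as the active antivirus (ASR rules need it) and an elevated session; which ASR rules to enable is this example's own selection, while the rule GUIDs are Microsoft's published identifiers.

```powershell
# Added example (not from the original sheet): single-host hardening for the prevention items above.
# In a fleet, deploy the same settings through GPO or Intune instead of running this script.
#Requires -RunAsAdministrator

# 1. SMB: disable SMBv1 and require signing on both server and client side.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
if (Get-Command Remove-WindowsFeature -ErrorAction SilentlyContinue) {
    Remove-WindowsFeature -Name FS-SMB1 | Out-Null                                          # Windows Server
} else {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null  # client SKUs
}

# 2. Office: policy-registry equivalent of the GPO "Block macros from running in Office files from
#    the Internet" (blocks VBA in files that carry the Mark of the Web).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
}

# 3. Defender ASR rules covering the stages of the delivery chain. Start in AuditMode, review the
#    audit events (Defender Operational log, event 1122), then change the action to Enabled.
$asr = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript/VBScript from launching downloaded executable content'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
}
foreach ($id in $asr.Keys) {
    # The PSExec/WMI rule can break SCCM and remote-administration tooling; audit before enforcing.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# 4. RDP Restricted Admin mode on the destination host (clients connect with mstsc /restrictedAdmin).
#    Caveat: Restricted Admin also makes RDP usable with only an NT hash, so pair it with tiered admin accounts.
New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name 'DisableRestrictedAdmin' -PropertyType DWord -Value 0 -Force | Out-Null

# 5. Verify what was applied.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, RequireSecuritySignature
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    [pscustomobject]@{ Rule = $asr[$id]; Id = $id; Action = $pref.AttackSurfaceReductionRules_Actions[$i] }   # 2 = AuditMode, 1 = Block
}
```

The Office policy keys written here live under HKCU, so they apply to the user running the script; for other users on the host use the HKLM Policies hive via GPO. The SMB signing change breaks connections from clients that cannot sign (old NAS appliances, multifunction printers), which is why it is worth inventorying those before rolling it out.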

2. Removal

  • Infection Cleanup:
  1. Immediately isolate the machine: pull wired/wireless network, remove external drives, or apply EDR network containment. If the host must stay up, set the Windows firewall to block both directions on all profiles (netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound); merely turning the firewall on does not stop outbound C2. Before rebooting or cleaning anything, preserve evidence: a memory image, the ransom note, one encrypted sample (with its pre-encryption original if a backup copy exists) and the hash of any dropper found.
  2. Boot into Safe Mode without networking (Shift + Restart → Troubleshoot → Advanced options → Startup Settings; F8 only works if the legacy boot menu policy is enabled).
  3. Download and run a bootable environment: Windows Defender Offline or ESET SysRescue Live USB.
  4. Delete malicious artifacts:
    • Scheduled task: schtasks /delete /tn "UnInstallOneDrive" /f (export it first with schtasks /query /tn "UnInstallOneDrive" /xml for the case file).
    • Launch-point persistence: %APPDATA%\05ca116b\task.exe (the folder name rotates; hash and quarantine the binary before deleting it).
  5. Remove Run-key persistence:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "RegeditClean" → delete (reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v RegeditClean /f, run in the affected user's context, since HKCU is per user).
  6. Re-run a full Microsoft Defender or EDR scan (e.g., CrowdStrike Falcon) and confirm zero detections.
  7. RESTORE NETWORK only after the machine is confirmed clean.
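Steps 1, 4 and 5 of the cleanup above, as an added example script that preserves evidence before it deletes anything. The task name, the %APPDATA% launch-point layout and the Run value are the indicators listed on this sheet; the quarantine location, the "8 hex characters" folder pattern generalised from 05ca116b, and the log format are this example's own assumptions. It is not the original sheet's code.

```powershell
# Added example (not from the original sheet): evidence-preserving removal of the persistence listed above.
# Run elevated on the already-isolated host. HKCU and %APPDATA% resolve to the *running* user, so run
# this as the affected user (or load that user's NTUSER.DAT) rather than from a separate admin profile.
#Requires -RunAsAdministrator
param(
    [string]$Quarantine = 'C:\IR\quarantine',
    [string]$TaskName   = 'UnInstallOneDrive',
    [string]$RunValue   = 'RegeditClean',
    [string]$RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
$log = Join-Path $Quarantine 'cleanup.log'
function Note([string]$Message) { "$(Get-Date -Format o) $Message" | Tee-Object -FilePath $log -Append }

# Step 1: network containment. Keep the firewall on and drop everything in both directions.
# If an EDR agent must keep reporting, add its allow rule before this line.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
Note 'Firewall: all profiles on, inbound and outbound blocked'

# Step 4a: scheduled-task persistence. Export the definition (it records payload path and trigger), then remove it.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    Export-ScheduledTask -TaskName $TaskName -TaskPath $task.TaskPath |
        Set-Content -LiteralPath (Join-Path $Quarantine "$TaskName.xml")
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | '
    Note "Task $TaskName actions: $actions"
    Unregister-ScheduledTask -TaskName $TaskName -TaskPath $task.TaskPath -Confirm:$false
    Note "Removed scheduled task $TaskName"
} else {
    Note "Scheduled task $TaskName not present"
}

# Step 4b: launch-point binary %APPDATA%\<8 hex chars>\task.exe. Hash it, keep a copy with a
# non-executable extension, then delete the folder.
Get-ChildItem -LiteralPath $env:APPDATA -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[0-9a-f]{8}$' } |
    ForEach-Object {
        $exe = Join-Path $_.FullName 'task.exe'
        if (Test-Path -LiteralPath $exe) {
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            Copy-Item -LiteralPath $exe -Destination (Join-Path $Quarantine "$hash.bin")
            Note "Quarantined $exe sha256=$hash"
            Remove-Item -LiteralPath $_.FullName -Recurse -Force
            Note "Deleted $($_.FullName)"
        }
    }

# Step 5: Run-key persistence. Record the command it pointed at, then delete the value.
$val = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($val) {
    Note "Run value $RunValue = $($val.$RunValue)"
    Remove-ItemProperty -Path $RunKey -Name $RunValue
    Note "Removed Run value $RunValue"
} else {
    Note "Run value $RunValue not present"
}
```

The quarantined copy carries its SHA-256 as the file name so the hash can be submitted to the EDR vendor and matched against other hosts. Check every user profile on a shared machine: each user has their own HKCU hive and %APPDATA%, and a task dropped by one user's session will not be visible from another user's registry.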

3. File Decryption & Recovery

  • Recovery Feasibility: currently NOT decryptable without the attacker's private key.
    • Confirmed to use ChaCha20-Poly1305 for file content, with the per-session keys protected by a Curve25519 key agreement against the attacker's public key. No implementation flaw has been disclosed, and because only the attacker's side holds the private key, nothing on the victim host is sufficient to recover the file keys.
    • Backdoor or master key? None. No law-enforcement seizure has yielded master keys to date.

  • Essential Tools/Patches:
    | Purpose | Tool / Patch | Link / Notes |
    |---|---|---|
    | prevent reinfection | Microsoft KB5026610 (Patch Tuesday, May 2023) | Any cumulative update from June 2022 onward already includes the MSHTML (September 2021) and Follina (June 2022) fixes; verify the KB number against your Windows build before deploying |
    | file examination | ChaCha-Checker (open-source, CISA) | confirms the ChaCha20 footprint |
    | backup verification | Vssadmin-assessment.ps1 script | checks that VSS shadow copies are intact before rollback |

  • Recovery Workaround:
    • Shadow copies (VSS): if the malware did not wipe them (vssadmin delete shadows /all /quiet and wmic shadowcopy delete are the usual commands to look for in process logs), previous versions can still be copied out:
      vssadmin list shadows → note the Shadow Copy Volume device path → copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Users\bob\Documents\Report.docx C:\recovery\ (or mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\ to browse the whole snapshot; the trailing backslash is required). Copy to a different volume, and check that the shadow's creation time predates the encryption.
    • Hyper-V checkpoints / VMware snapshots and enterprise backups of virtual machines: roll back the whole guest if the backup schedule is daily and the snapshot predates the infection.
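The shadow-copy workaround above, together with the file enumeration from section 1, as one added example script: it lists the .bonsoir files, derives the encryption window from their write times, picks the newest shadow copy created before that window, mounts it through a directory symlink and copies the pre-encryption originals into a recovery folder. This is not the original sheet's code; the default paths, the mount point and the "newest shadow before the first encrypted write" selection rule are this example's assumptions.

```powershell
# Added example (not from the original sheet): triage of encrypted files and restore from a VSS shadow copy.
# Run elevated, after imaging the disk; the recovery target should be on a different volume.
#Requires -RunAsAdministrator
param(
    [string]$Volume   = 'C:\',               # volume whose shadow copies are used
    [string]$Scope    = 'C:\Users',          # subtree to triage and recover (must lie on $Volume)
    [string]$Recovery = 'D:\recovery',       # where restored originals are written
    [string]$Mount    = 'C:\shadow_mount',   # symlink used to browse the shadow (no spaces in the path)
    [string]$Suffix   = '.bonsoir'
)

# 1. Triage: enumerate encrypted files and derive the encryption window from their write times.
$encrypted = @(Get-ChildItem -LiteralPath $Scope -Recurse -File -Filter "*$Suffix" -ErrorAction SilentlyContinue)
if ($encrypted.Count -eq 0) { Write-Host "No $Suffix files under $Scope"; return }
$byTime     = @($encrypted | Sort-Object LastWriteTime)
$firstWrite = $byTime[0].LastWriteTime
$lastWrite  = $byTime[-1].LastWriteTime
Write-Host ("{0} encrypted files; writes between {1:u} and {2:u}" -f $encrypted.Count, $firstWrite, $lastWrite)
$encrypted |
    Group-Object { [System.IO.Path]::GetExtension($_.Name.Substring(0, $_.Name.Length - $Suffix.Length)).ToLower() } |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10 | Format-Table -AutoSize

# 2. Shadow copies: the same data "vssadmin list shadows" prints, read from the Win32_ShadowCopy class.
$volId   = (Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume.TrimEnd('\') }).DeviceID
$shadows = @(Get-CimInstance Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $volId } | Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0) { Write-Warning "No shadow copies for $Volume (vssadmin delete shadows /all is the usual cause)"; return }
$shadow = $shadows | Where-Object { $_.InstallDate -lt $firstWrite } | Select-Object -First 1
if (-not $shadow) { Write-Warning 'Every shadow copy post-dates the encryption; nothing safe to restore from'; return }
Write-Host ("Using shadow {0} created {1:u}" -f $shadow.ID, $shadow.InstallDate)

# 3. Mount the snapshot. mklink needs the trailing backslash after the device path.
if (Test-Path -LiteralPath $Mount) { cmd /c rmdir $Mount | Out-Null }
cmd /c mklink /d $Mount "$($shadow.DeviceObject)\" | Out-Null

# 4. Copy each original (un-suffixed) file out of the shadow, preserving its relative path.
$restored = 0; $missing = 0
foreach ($f in $encrypted) {
    if (-not $f.FullName.StartsWith($Volume, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
    $rel     = $f.FullName.Substring($Volume.Length)                 # path below the volume root
    $origRel = $rel.Substring(0, $rel.Length - $Suffix.Length)       # strip the appended suffix
    $src     = Join-Path $Mount $origRel
    $dst     = Join-Path $Recovery $origRel
    if (Test-Path -LiteralPath $src) {
        New-Item -ItemType Directory -Path (Split-Path $dst -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $src -Destination $dst
        $restored++
    } else {
        $missing++                                                   # created after the shadow, or excluded from VSS
    }
}
cmd /c rmdir $Mount | Out-Null                                       # removes the link only, not the shadow copy
Write-Host "Restored $restored files to $Recovery; $missing had no copy in the shadow"
```

The selection rule (newest shadow older than the first encrypted write) gives the most recent clean state, but files changed between that shadow and the attack are lost, so compare the count of restored files against the triage total before declaring recovery complete. Never write the recovered files back over the encrypted ones on the original volume until the host has been rebuilt or cleaned: the encryptor, if still resident, will simply run again.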

4. Other Critical Information

  • Unique Characteristics:
    • Bundles a double-extortion leak site (“topsoload.top/bonsoir/”) that posts sample chat logs even for very small ransom demands (< 1 BTC).
    • Encryption throughput reaches ≥ 25 GB/min in laboratory tests; typical laptops hit 12–16 GB/min. Note that ChaCha20 (section 3) is a software-oriented cipher that does not use AES-NI, so the speed comes from the cipher's efficiency rather than from AES hardware acceleration.
    • Local-only propagation: pushes to discovered Windows hosts via WMI (wmic process call create); no wormable SMB-level spreading (unlike WannaCry).
  • Broader Impact:
    • Running tally through Q2 2024: ≈ 680 victims worldwide (50 % U.S., 20 % DACH, 15 % East Asia).
    • Target profile skews towards managed-service providers (MSPs), with downstream customer infections delivered through the MSPs' LastPass Enterprise deployments (LPUtil.dll).
    • Explicit demands range from 0.75 BTC – 6.5 BTC; average payment negotiated down to 0.48 BTC (as of Oct-2024), yet actors still publish data for non-paying MSP clusters, highlighting the need for robust offline backups + immutable cloud storage with Retention Lock (S3 Object Lock, Azure WORM).

Prepared by: Cybersecurity Community Threat-Intel Working Group (CTWG)
Last revision: 2024-11-02