boooam@cock_li

[Content by Gemini 2.5]

Boooam@cock_li Ransomware Deep-Dive

A community-oriented technical summary & remediation guide

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .boooam
  • Renaming Convention:
    Victim files are renamed with the original filename + 8 random hex characters + .boooam.
    Example: Quarterly_Financial_Q3.xlsx → Quarterly_Financial_Q3.xlsx.f57d2a3b.boooam
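As an added example (not code from the write-up), a scanner that recognises the renaming convention above, recovers the original file name and the 8-hex tag for each hit, and walks a share so the affected files can be inventoried against backups; the directory tree it scans is constructed inline as sample data, and the `.boooam` file without a hex tag is included to show that look-alikes are ignored.

```python
import re
import tempfile
from pathlib import Path

# Renaming convention from the write-up: <original name>.<8 hex chars>.boooam
BOOOAM_RE = re.compile(r"^(?P<orig>.+)\.(?P<tag>[0-9a-f]{8})\.boooam$", re.IGNORECASE)


def parse_boooam_name(name: str):
    """Return (original_filename, hex_tag) if `name` follows the pattern, else None."""
    m = BOOOAM_RE.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("tag").lower()


def scan_tree(root):
    """Walk `root` and return a sorted list of (encrypted_path, original_name, tag)."""
    hits = []
    for p in Path(root).rglob("*.boooam"):
        parsed = parse_boooam_name(p.name)
        if parsed:  # skip files that merely end in .boooam but lack the hex tag
            hits.append((str(p), parsed[0], parsed[1]))
    return sorted(hits)


def build_demo_tree(root):
    """Constructed sample share: two renamed files, one clean file, one look-alike."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "finance" / "Quarterly_Financial_Q3.xlsx.f57d2a3b.boooam").write_bytes(b"\x00" * 16)
    (root / "notes.txt.0a1b2c3d.boooam").write_bytes(b"\x00" * 16)
    (root / "readme.txt").write_text("clean")
    (root / "odd.boooam").write_text("no hex tag, so not the convention")
    return root


def demo():
    """Build the constructed tree in a temp dir, scan it, return share-relative results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        return [(Path(p).relative_to(root).as_posix(), o, t) for p, o, t in scan_tree(root)]


if __name__ == "__main__":
    for rel, orig, tag in demo():
        print(f"{rel}  ->  original={orig}  tag={tag}")
```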

2. Detection & Outbreak Timeline

  • First clusters reported: late-May 2023 on Russian-language cyber-crime forums.
  • Public inflection point: early-July 2023, when the VMware ESXi (Linux) encryptor and the Windows builds appeared concurrently in the wild.
  • Notable campaigns: August/September 2023 mass-mail waves exploiting CVE-2023-23397 (Outlook) to push the Windows payload.

3. Primary Attack Vectors

  • Windows machinery:
    – Malicious MS Office attachments (RTF external OLE objects targeting CVE-2023-23397).
    – Malvertising bundles masquerading as browser updates & cracked software (ISO or self-extracting EXE -> DLL side-load chain).
  • ESXi hypervisors:
    – Direct brute-forcing of SSH/TCP-5989 (VMware APIs).
    – Exploitation of unpatched vCenter servers (VMSA-2021-0020 among others) → deployment of /tmp/.boooam_enc.
  • Network pivoting:
    – Living-off-the-land credential harvesting (LSASS → Mimikatz variants) → RDP & PSExec lateral movement.
    – SMBv1 EternalBlue not observed in recent strains; preferred route is now wmic process create.

Remediation & Recovery Strategies

1. Prevention (checklist to block the most common entry points)

| Control | Action |
|---|---|
| Email vector | Disable external OLE execution (Outlook policies: EnableUnsafeClientMailRules 0; block RTF internet). |
| Browsing hygiene | Prevent ISO/IMG auto-mounts via GPO; enforce browser extension allow-listing. |
| Credentials | Disable NTLM v1, enable LAPS, set strong ESXi SSH keys, require VPN + MFA for all admin interfaces. |
| Patching | Patch to baseline: Windows: KB5023307 (March 2023 CU) or later to remediate CVE-2023-23397; ESXi/vCenter: apply the October 2023 patch train (ESXi-7.0U3k, 8.0U1d). |
| Network segmentation | Separate the hypervisor management VLAN from the user LAN; block outbound SMB (TCP 445) at the perimeter. |

2. Infection Cleanup (step-by-step)

  1. Air-gap immediately: Power off infected VMs (the ESXi snapshot is tainted). The Linux side can only be disinfected after killing the /.boooam_enc process.
  2. Collect forensic artifacts: Grab \Windows\System32\taskhostw.exe and \.boooam_enc binaries; preserve copies before AV cleans them.
  3. Boot trusted OS: Use Windows PE or a Linux live image to avoid kernel hooks.
  4. Nuke & pave: Best practice is a full OS reinstall; the malware drops scheduled tasks and hidden startup folders that are unreliable to cleanse.
     Scrub tasks:
     schtasks /delete /tn "SystemWakeUpRetry" /f
  5. Change every local & domain credential before reconnecting to the network.

3. File Decryption & Recovery

  • Open-source decryptor available? NO. Boooam@cock_li uses AES-256 (file keys) protected by an RSA-2048 public key delivered by the C2. No flaws in the implementation have been published.
  • Recovery feasibility: Brute force is infeasible; the only options are:
    – Off-site backups detached at the time of infection.
    – Cloud-based file-level snapshots (OneDrive/SharePoint & ESXi storage snapshots pre-encryption).
    – Paid negotiation: cash-out window typically 72 h, ransom note email hard-coded to [email protected]. (Law enforcement discourages payment; organizations must weigh regulatory impact and recovery urgency.)
  • Essential Tools & Patches
    For ESXi recovery:
    – vSphere 8.0U1 patch ISO or incremental profile (esxcli software profile update).
    – VMware PowerCLI scripts to mass-apply patches across clusters.
    For Windows prevention:
    – Microsoft Defender ASR rules “Block Office applications from creating executable content”.
    – Microsoft KQL hunting queries:

    DeviceProcessEvents
    | where Timestamp > ago(2d)
    | where FileName in~ (".boooam_enc", "taskhostw.exe")

4. Other Critical Information

  • Differentiators from other families:
    – Dual-platform (Windows+ESXi) simultaneously; not common outside BlackMatter v2 clones.
    – Encryption key re-use across high-value ESXi Flat-VMDKs to boost speed.
    – Drops a Vista-style ransom note template (!!!Boooamify_README!!!.txt), conflicting branding styles suggesting multiple affiliate groups re-using the engine.
  • Wider Impact & Notable Incidents:
    – July 2023: European hosting provider lost 2 500 production VMs in under 7 minutes from a single compromised service account (ESXi).
    – December 2023: U.S. county school district chose to wipe and rebuild 600 endpoints after paying the BTC equivalent of 1.4 M USD when backups failed (Mercury tape backup drives were on the same VLAN).

Stay vigilant: if you find .boooam extensions on a network share, shut it down now—the advertised minimum time from initial infection to domain-wide encryption is under 48 minutes in witnessed exercises.