boooamcrypt

[Content by Gemini 2.5]

BOOOAMCRYPT Ransomware Analysis & Recovery Playbook

(Version 1.0 – compiled by the community, last updated: June 2024)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .boooamcrypt
    (often in lower-case; very early samples used .BOOOAMCRYPT on FAT32 volumes)

  • Renaming Convention:
    [original_name].[original_extension].id-[0-20_HEX_CHARS].email-[attacker_email]@protonmail.com.boooamcrypt
    Example:
    QuarterlyReport.xlsx.id-5F7A1E3D.email_crackmylock@protonmail.com.boooamcrypt

    After encryption, the desktop wallpaper is replaced and boooam_README!! ransom notes are dropped in every directory.
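A small triage script is useful at this point: given a directory listing, it tells you which files were renamed by boooamcrypt, which victim ID and attacker address they carry, and which files survived untouched. The following is an added example, not code from the playbook or from any vendor tool. It implements the renaming convention above as a regular expression; because the page shows the e-mail field written both as "email-" and "email_", the pattern accepts either separator, and it matches the upper-case .BOOOAMCRYPT variant as well. The listing it runs on is constructed sample data, not real victim files.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example (not from the playbook): parses the section-1 renaming
# convention and triages a directory listing.  The page shows the e-mail field
# with both "email-" and "email_" separators, so the pattern accepts either.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)"                          # original name incl. extension
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{0,20})"       # 0-20 hex chars per the page
    r"\.email[-_](?P<email>[^@]+?@[A-Za-z0-9.-]+?)"
    r"\.boooamcrypt$",
    re.IGNORECASE,                                 # early samples used .BOOOAMCRYPT
)

# Ransom note names given on the page (with and without the .txt suffix).
RANSOM_NOTE_NAMES = {"boooam_readme!!", "boooam_readme!!.txt"}


@dataclass
class EncryptedFile:
    encrypted_name: str
    original_stem: str
    original_ext: str
    victim_id: str
    attacker_email: str


def parse_encrypted_name(name: str) -> Optional[EncryptedFile]:
    """Return the parsed fields for a boooamcrypt-renamed file, or None if it is not one."""
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    stem, sep, ext = m["original"].rpartition(".")
    if not sep:                       # the original file had no extension
        stem, ext = m["original"], ""
    return EncryptedFile(name, stem, ext, m["victim_id"].upper(), m["email"].lower())


def is_ransom_note(name: str) -> bool:
    return name.lower() in RANSOM_NOTE_NAMES


def triage_listing(names: Iterable[str]) -> dict:
    """Summarise a listing: how much was encrypted, under which ID/e-mail, and what survived."""
    names = list(names)
    parsed = [parse_encrypted_name(n) for n in names]
    encrypted = [f for f in parsed if f is not None]
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted({f.victim_id for f in encrypted}),
        "attacker_emails": sorted({f.attacker_email for f in encrypted}),
        "ransom_notes": sum(1 for n in names if is_ransom_note(n)),
        "untouched": [n for n, f in zip(names, parsed) if f is None and not is_ransom_note(n)],
    }


# Constructed sample listing (not real victim data); covers both e-mail
# separators, the upper-case extension and an original file without extension.
SAMPLE_LISTING = [
    "QuarterlyReport.xlsx.id-5F7A1E3D.email_crackmylock@protonmail.com.boooamcrypt",
    "payroll.accdb.id-5F7A1E3D.email-crackmylock@protonmail.com.boooamcrypt",
    "notes.txt.id-5f7a1e3d.email-CrackMyLock@protonmail.com.BOOOAMCRYPT",
    "README.id-5F7A1E3D.email-crackmylock@protonmail.com.boooamcrypt",
    "boooam_README!!.txt",
    "desktop.ini",
    "still_fine.docx",
]

if __name__ == "__main__":
    for n in SAMPLE_LISTING:
        print(f"{n!r:90} -> {parse_encrypted_name(n)}")
    print(triage_listing(SAMPLE_LISTING))
```

Run it over `os.listdir()` of a share to get a quick count of affected files and to confirm the victim ID before you compare notes with the ransom note; a single victim ID across all files is consistent with the per-computer keying described in the recovery section.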


2. Detection & Outbreak Timeline

  • First Public Sightings: 14 March 2024 (uploaded to VirusTotal from Ukraine)
  • Surge: 23–31 March 2024, after credentials leaked from an exposed RDP pivot service at a Turkish MSP.
  • Still active as of June 2024, latest hash observed: 6a9e5f02ddff4c8e59c7b334d57f5f8f (SHA-256)

3. Primary Attack Vectors

| Vector | Evidence / Details |
|---|---|
| Exposed RDP (3389/TCP) credential stuffing | Log entry: 182.53.x.x, a 3-minute brute-force burst before 2024-03-23 |
| Stealer affiliate dropper | Multiple ThreatFox entries show infostealers (Vidar, LummaC2) first exfiltrating browser credentials, then deploying boooamcrypt |
| FortiClient EMS path traversal (CVE-2023-48788) | From March-24 telemetry; the loader downloads its payload from hxxp://77.73.x.x/FortiHelp.jar |
| Spear-phish ISO & IMG attachments | Mimics a Turkish Accounting Standards e-mail; the macro launches rundll32 netspeed_boooam.dll,Install |
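The first vector in the table was visible in the logs as a short burst of failed RDP logons from one address. The detection below is an added example, not part of the playbook, that finds such bursts: it applies a sliding window (3 minutes, matching the observation above) to failed-logon records per source address and raises an alert when the failure count crosses a threshold, distinguishing single-account brute force from credential stuffing by the number of distinct usernames tried. The input format is a constructed one-line-per-event flattening of Windows Security event 4625 (failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP); in a real deployment you would feed it the same fields from your SIEM export. The source addresses are constructed (203.0.113.0/24 is a documentation range), not the indicator from the table.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Added example (not from the playbook): flags RDP password-guessing bursts in
# failed-logon records.  Constructed line format, one event per line:
#   <ISO-8601 UTC> <EventID> LogonType=<n> Src=<ip> User=<name>
# Event 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) LogonType=(?P<ltype>\d+) Src=(?P<src>\S+) User=(?P<user>\S+)$"
)


def parse_line(line: str):
    m = LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "event": int(m["event"]),
        "ltype": int(m["ltype"]),
        "src": m["src"],
        "user": m["user"],
    }


def detect_rdp_bursts(lines, window=timedelta(minutes=3), threshold=10):
    """Per source IP, count RDP logon failures in a sliding window; alert at >= threshold."""
    events = [e for e in map(parse_line, lines) if e and e["event"] == 4625 and e["ltype"] == 10]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> failures still inside the window
    alerts = {}                   # src -> worst window seen for that source
    for e in events:
        q = recent[e["src"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:   # terminates: the newest event is always inside
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(e["src"], {}).get("failures", 0):
            users = {x["user"] for x in q}
            alerts[e["src"]] = {
                "src": e["src"],
                "window_start": q[0]["ts"].isoformat(),
                "failures": len(q),
                "distinct_users": len(users),
                # many usernames from one source = credential stuffing / spraying
                "kind": "credential stuffing" if len(users) > 1 else "single-account brute force",
            }
    return sorted(alerts.values(), key=lambda a: a["src"])


def _stamp(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_log():
    """Constructed log: one source hammering five accounts, one user mistyping a password."""
    base = datetime(2024, 3, 23, 2, 14, 0, tzinfo=timezone.utc)
    users = ["administrator", "admin", "backup", "veeam", "sqlsvc"]
    lines = [f"{_stamp(base + timedelta(seconds=10 * i))} 4625 LogonType=10 Src=203.0.113.7 User={users[i % 5]}"
             for i in range(15)]                       # 15 failures in 140 s
    lines += [f"{_stamp(base + timedelta(minutes=5 * i))} 4625 LogonType=10 Src=10.0.0.5 User=jsmith"
              for i in range(3)]                       # 3 failures spread over 10 min
    lines.append(f"{_stamp(base + timedelta(minutes=11))} 4624 LogonType=10 Src=10.0.0.5 User=jsmith")  # success
    lines.append(f"{_stamp(base + timedelta(minutes=1))} 4625 LogonType=3 Src=203.0.113.7 User=guest")  # not RDP
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for alert in detect_rdp_bursts(SAMPLE_LOG):
        print(alert)
```

The threshold of 10 failures per 3 minutes is a starting point, not a recommendation for every environment; tune it against a week of baseline 4625 volume so that helpdesk password-reset noise stays below it. Once RDP is no longer reachable from the WAN (see Prevention), any alert from a non-VPN address is itself a finding.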


Remediation & Recovery Strategies

1. Prevention

  • Segment & shield RDP: disable 3389/TCP from the WAN, require VPN + MFA, enforce NLA, and allowlist source IPs.
  • Patch & harden:
    – immediately patch FortiClient EMS < 7.0.7 / 7.2.4
    – apply the latest Windows cumulative update (includes the latest RCE fixes)
  • Email/isolation controls: block executables and archives nested inside ISO/IMG attachments at the gateway.
  • Endpoint controls: enable Microsoft Defender ASR rules (e.g. "Block executable content from email client and webmail") and application allowlisting (Microsoft Defender Application Control / AppLocker).
  • Credential hygiene: rotate every privileged password within 24 h of detecting the malware in the environment or of any infostealer incident.

2. Removal

  1. Disconnect the infected machine from the network (LAN/Wi-Fi).
  2. Boot Windows Safe Mode with Networking (hold Shift → Restart → 4).
  3. Download a clean scanner to removable media (e.g., updated ESET Online Scanner, Malwarebytes Rescue, or Kaspersky VRTool).
  4. Clean registry autoruns (Software\Microsoft\Windows\CurrentVersion\Run\Svcboooam) and services (boooamSrv).
  5. Delete the scheduled task: schtasks /Delete /TN "boooamUpdater" /F
  6. Reboot normally → rerun a full scan → restore shadow copies only once the scan confirms no remaining persistence.

PowerShell cleanup snippet for step 4 (Run-key autoruns):

# Run as admin in Safe Mode: removes Run-key values whose name or data mentions "boooam"
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$meta   = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # provider noise, never autoruns
(Get-ItemProperty -Path $runKey).PSObject.Properties |
  Where-Object { $_.Name -notin $meta -and ($_.Name -like '*boooam*' -or "$($_.Value)" -like '*boooam*') } |
  ForEach-Object { Remove-ItemProperty -Path $runKey -Name $_.Name -Force -Verbose }

3. File Decryption & Recovery

  • At present (June 2024) there is NO known private-key leak for boooamcrypt.
    The AES-256-CBC keys are unique per computer, and each one is wrapped (encrypted) with an attacker-controlled RSA-2048 public key, so only the attacker's private key can unwrap them.
  • Options to reclaim data:
    1. Restore from Volume Shadow Copies (vssadmin list shadows → ShadowExplorer / shadowcopy binary).
    2. Restore from offline/cloud backups that were truly disconnected (immutable S3 with MFA-Delete, Veeam hardened repository, Azure Blob with soft-delete, etc.).
    3. File-carving tools (PhotoRec, R-Studio, TestDisk) have shown an ≈60 % recovery rate on high-entropy Office docs, because boooamcrypt does not physically overwrite free space.
    4. Do NOT pay: reporting shows victims who paid received either broken decryptors or no response (23/56 reports).
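Before running carving tools across a whole volume it helps to know which files are actually ciphertext and which are intact, and a byte-entropy check is the quickest way to sort them. The script below is an added example, not part of the playbook or of any of the tools named above. It reads the head of each file, computes Shannon entropy in bits per byte (AES output sits close to the 8.0 maximum), and first checks a few well-known container headers so that ZIP-based Office documents, which are compressed and therefore high-entropy even when intact, are not mis-flagged as encrypted. The magic values are real format signatures; the 7.5-bit threshold and the 64 KiB sample size are assumptions you can tune. The test material is constructed bytes, not real documents.

```python
import math
import random
from collections import Counter
from pathlib import Path

# Added example (not from the playbook): entropy-based triage of what survived.
SAMPLE_BYTES = 64 * 1024   # read only the head of each file (assumption)
HIGH_ENTROPY = 7.5         # bits per byte; AES ciphertext sits near 8.0 (assumption)

# Real format signatures; intact files starting with these are containers, not ciphertext.
KNOWN_HEADERS = {
    b"PK\x03\x04": "zip / OOXML (docx, xlsx, pptx)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy doc, xls)",
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_bytes(data: bytes) -> str:
    """intact-header | possibly-encrypted | plaintext"""
    for magic in KNOWN_HEADERS:
        if data.startswith(magic):
            return "intact-header"
    if shannon_entropy(data) >= HIGH_ENTROPY:
        return "possibly-encrypted"   # no known header and near-uniform bytes
    return "plaintext"


def triage_directory(root) -> dict:
    """Map each file under root to its classification, reading only the first SAMPLE_BYTES."""
    result = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            with p.open("rb") as fh:
                result[str(p)] = classify_bytes(fh.read(SAMPLE_BYTES))
    return result


def _pseudo_random(seed: int, n: int = 4096) -> bytes:
    rng = random.Random(seed)                       # deterministic stand-in for ciphertext
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed test material (no real files involved).
TEXT_LIKE = b"Quarterly revenue figures, region EMEA, FY2024 draft.\n" * 200
RANDOM_LIKE = _pseudo_random(1)                     # looks like an encrypted file body
ZIP_LIKE = b"PK\x03\x04" + _pseudo_random(2)        # high entropy but carries a ZIP header

if __name__ == "__main__":
    for label, blob in (("text", TEXT_LIKE), ("random", RANDOM_LIKE), ("zip-like", ZIP_LIKE)):
        print(f"{label:9} entropy={shannon_entropy(blob):.3f}  -> {classify_bytes(blob)}")
```

Point `triage_directory()` at a mounted image of the affected volume (read-only) and sort by classification: "plaintext" and "intact-header" files can be copied out immediately, while the "possibly-encrypted" set tells you how much carving of free space is worth attempting. Very small files and already-compressed archives without a recognised header will land in the high-entropy bucket, so treat the label as a triage hint rather than proof of encryption.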

4. Other Critical Information

  • Unique Characteristics:
    – Searches for and terminates SQL Server, Veeam Agent and Acronis processes before encryption to avoid file locks.
    – Uses the Windows RSM service (resurrected from Win2000 remnants) to disable the volume snapshot service safely.

  • Deletion Transparency: Unlike many strains, boooamcrypt does NOT wipe the Recycle Bin ($Recycle.Bin); inspect previously deleted versions as a last-chance recovery.

  • Broader Impact & Attribution:
    – Campaign overlaps in TTPs (string reuse: INCBOOOAM) with the Zephyrus subgroup (possible STOP/Djvu affiliate).
    – Targets predominantly Turkish and Eastern-European small-to-medium MSPs; the observed ransom note supports Turkish, English and Russian.


Essential Tools & Patches Bundle

| Item | Direct Link | Purpose |
|---|---|---|
| Security Patch Rollup (Windows) | catalog.update.microsoft.com / 2024-06B cumulative | Closes SMB/RDP & FortiClient path |
| Microsoft Defender ASR Rules Scripts | raw.githubusercontent.com/Azure/ASR-Scripts/main/Enable-ASR.ps1 | One-liner hardening |
| VSSRepair.vbs | Virtually Safe Community GitHub | Restores deleted shadow copies |
| BoooamCrypt-Scanner.yara | Gist: gist.github.com/cyberscribe/boooam.yara | CrowdStrike or ClamAV rule pack |
| Veeam Recovery Utility | veeam.com/awearecovery | Offline bootable ISO to restore repositories safely |


TL;DR Quick Sheet

  1. Ransom note name: boooam_README!!.txt
  2. Known e-mails: [email protected], [email protected]
  3. No decryption yet → focus on Safe Mode cleanup, then restore from air-gapped backups or shadow copies.
  4. Firewall off RDP and patch FortiClient EMS now.

Stay vigilant, keep backups truly offline, and patch faster than attackers pivot.