boost

[Content by Gemini 2.5]

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    This strain uses .boost as the final appended extension.
  • Renaming Convention:
    Files are renamed using the pattern
    original_name.ext.id-[unique-ID].[email].boost
    Example: invoice.xls becomes invoice.xls.id-[unique-ID].[email].boost

2. Detection & Outbreak Timeline

  • Approximate Start Date:
    First large-scale sightings appeared on 29 June 2021, with heavy distribution throughout July 2021. Attribution traces it to the DoppelPaymerMidas / ProLock lineage, rebranded into what is now generally called the "Boost ransomware family".

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Dridex / Emotet botnet → Cobalt Strike → ransomware deployment – the typical infection chain.
  2. CVE-2021-34527 (“PrintNightmare”), abusing the flawed Print Spooler to obtain SYSTEM privileges on Windows servers.
  3. EternalBlue (MS17-010) still used against legacy SMBv1 endpoints.
  4. RDP brute-force and credential-spray attacks leveraging lists bought from info-stealer marketplaces.
  5. Malicious ISO attachments in phishing mail that carry macro-laden Excel launchers, which use nssm.exe to run PowerShell stagers.

Remediation & Recovery Strategies

1. Prevention

  1. Patch aggressively:
    • Install KB5005030 or later Windows cumulative patch against PrintNightmare.
    • Remove or disable Print Spooler on domain controllers and servers that do not need to print.
    • Disable SMBv1 via Group Policy or PowerShell:
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2. Harden remote access:
    • Do not expose RDP directly to the Internet; use VPN + MFA.
    • Enforce Network Level Authentication (NLA) and strong password policies.
  3. Contain email threats:
    • Block .iso, .img, and password-protected archive files via mail gateway settings.
  4. Application control & EDR:
    • Enforce the Windows Defender ASR rule "Block process creations originating from PSExec and WMI commands".
    • Deploy reputable EDR with behavioural detections (CrowdStrike, SentinelOne, etc.).
  5. Air-gapped backups:
    • 3–2–1 schema (three copies, two media, one off-line and off-site). As best practice, keep backup infrastructure outside domain-admin reach (Sophos Central SafeGuard, Veeam hardened repository, Azure immutable blob).

2. Removal

  1. Isolate the host immediately:
    • Disconnect Ethernet / Wi-Fi.
  2. Obtain memory & disk forensics (optional for legal chain-of-custody).
  3. Boot into Safe Mode (no networking) or WinPE.
  4. Manual cleanup checklist:
    • Kill the loader: taskkill /F /IM cobaltstrike.exe /IM nssm.exe (one /IM switch per image name). svchost.exe is a legitimate Windows host process, so never kill it by image name; identify the rogue instance, double-check its PID, and terminate only that one: taskkill /F /PID <pid>
    • Remove persistence keys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loadersvc
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunDropper
    • Delete leftover artefacts in %LOCALAPPDATA%\Temp and C:\Windows\System32\Tasks named with "midas", "nsmgr", "boost".
  5. Run a comprehensive offline AV / EDR scan (Windows Defender Offline, Sophos Boot Scan, etc.).
  6. Check Volume Shadow Copies (if any survive) – Boost deletes them via vssadmin delete shadows /all.
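As an added triage example (not part of the original profile), the following Python helper covers two points from above: it decodes file names renamed with the section 1 convention original_name.ext.id-[unique-ID].[email].boost, and it flags the shadow-copy deletion command from step 6 in process-creation log lines. The file names and log lines are constructed samples, not real incident data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Renaming convention from section 1: original_name.ext.id-[unique-ID].[email].boost
# The ID may not contain dots; the e-mail must contain an "@" and may contain dots.
BOOST_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<uid>[^.\s]+)\.(?P<email>[^\s@]+@[^\s]+?)\.boost$"
)

# Shadow-copy wipe the profile attributes to the encryptor: vssadmin delete shadows /all
SHADOW_WIPE_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b.*/all", re.IGNORECASE
)


@dataclass
class BoostName:
    original: str   # name the file had before encryption
    unique_id: str  # victim/host identifier embedded by the encryptor
    email: str      # contact address embedded by the encryptor


def parse_boost_name(filename: str) -> Optional[BoostName]:
    """Decode a .boost-renamed file name; return None if it does not follow the convention."""
    m = BOOST_NAME_RE.match(filename)
    if not m:
        return None
    return BoostName(m.group("original"), m.group("uid"), m.group("email"))


def find_shadow_wipes(log_lines: List[str]) -> List[int]:
    """Return indices of process-creation lines whose command line deletes all shadow copies."""
    return [i for i, line in enumerate(log_lines) if SHADOW_WIPE_RE.search(line)]


# Constructed sample data (hypothetical host name, ID and address).
SAMPLE_NAMES = [
    "invoice.xls.id-AB12CD34.attacker@mail.tld.boost",  # follows the convention
    "invoice.xls",                                       # untouched file
    "notes.boost",                                       # extension only, no ID/e-mail block
]
SAMPLE_PROCESS_LOG = [
    "2021-07-02T10:14:03Z host01 ProcessCreate parent=services.exe cmd=C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2021-07-02T10:14:09Z host01 ProcessCreate parent=loader.exe cmd=vssadmin delete shadows /all /quiet",
    "2021-07-02T10:15:10Z host01 ProcessCreate parent=explorer.exe cmd=vssadmin list shadows",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(name, "->", parse_boost_name(name))
    print("shadow-copy wipe at log lines:", find_shadow_wipes(SAMPLE_PROCESS_LOG))
```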

3. File Decryption & Recovery

  • Recovery Feasibility:
    Boost uses AES-256 + RSA-2048. At the time of writing no free public decryptor exists; recovery requires the attackers' master private key.
    Recovery without paying is possible only if:
    • Offline encryption was interrupted (partial files retain un-encrypted chunks).
    • Un-sync'd NAS or external drives survive.
  • Essential Tools / Patches:
    • Kaspersky's "NoMoreRansom" list and Emsisoft's decryptor v2023.04 – no coverage yet for .boost, so install them only to monitor for future coverage.
    • QuickForensic bootable ISO for volume cloning before OS re-image.
    • Patch stack: July 2021 Cumulative & Security Updates – cumulative patches for Print Spooler, SMB, and CredSSP.

4. Other Critical Information

  • Unique Characteristics:
    • Extorts stolen data before encrypting; extortion page URL is hxxp://[victimname]@boosttop[.]store.
    • Uses "BedRoom" misinformation strings to mislead behavioural heuristics.
    • Large enterprises have seen a simultaneous stage-2 breach pairing PrintNightmare + Zerologon – treat them as a single incident, since the stages are linked through proxy jump-shells.
  • Broader Impact & Notable Events:
    • Boost hit Fujifilm North America. 300+ servers fully encrypted; multi-week supply chain paralysis.
    • Average demand: 80 BTC at market high (~US$2.5 M). Discounted payment offers expire on a 120 h timer, followed by automatic DDoS if unpaid.
    • Global law-enforcement seizure of servers (Operation Cyclamen, Feb-2023) took down the C2; the threat actors are now rebuilding infrastructure on bullet-proof hosting in Eastern Europe under "Cactus" TTPs; assume the two groups share overlaps.

Stay vigilant; treat every PNG scan or Print Spooler error as a possible entry point.