boot

[Content by Gemini 2.5]

Technical Breakdown
──────────────────

  1. File Extension & Renaming Patterns
    • Confirmation of File Extension: “.boot” – appended after the original extension.
    Example: Report.xlsx ➜ Report.xlsx.boot
    • Renaming Convention:
    – File names remain unchanged except the new “.boot” suffix (no email addresses, random IDs, or hexadecimal tags).
    – All directories receive four readme.txt–style files named:

       README!.txt       (brief English notice)
       Leeme.txt         (Spanish version)
       ВАЖНО.txt         (Russian version)
       Unlock-Files.html (web portal redirect)
    
  2. Detection & Outbreak Timeline
    • First Observed: late October 2021 (MalwareHunterTeam tweet, ID-Ransomware submissions).
    • First Peak Activity: 21–25 October 2021 (submissions jumped four-fold).
    • Still circulating (March–April 2023 via cracked-game torrents).

  3. Primary Attack Vectors
    a) Avail – malicious Amazon S3 presigned URLs delivered in e-mail with spoofed vendors/invoice themes.
    b) Remote Desktop Services
    – Brute-force against systems exposing RDP on the default TCP/3389.
    c) Software Vulnerabilities
    – Exploits for unpatched Fortinet (CVE-2018-13379) & Microsoft Exchange (ProxyLogon CVE-2021-26855).
    d) Cracked Programs
    – Malicious installers for Office, Adobe Premiere, game cracks masquerading as KMS activators.
    e) Network Propagation
    – Once inside, lateral movement via SMBv1 (double-redirection to admin shares \Admin$) and WMIC to drop the same locker.exe.

Remediation & Recovery Strategies
─────────────────────────────────

  1. Prevention
    • Patch Fortinet, Exchange, Windows OS, disable SMBv1.
    • MFA + strong passwords for any exposed RDP/NLA.
    • E-mail filtering: quarantine Amazon S3 unsigned attachments.
    • Whitelist-only application execution (AppLocker/GPO).
    • Offline & immutable backups with 3-2-1-1 rule.

  2. Removal (High-Level Workflow)
    ❑ Isolate: Pull network cable / disable vNIC → confirm with netstat -ab.
    ❑ Boot from WinPE / ESET SysRescue USB; do not log in normally → prevents the locker from running again and re-encrypting files.
    ❑ Delete persistence keys:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce → svcBoot32.exe
    HKCU…\Run → randomly named .cmd pointing to %TEMP%\locker.exe
    ❑ Terminate suspicious services (BootLocker, TeamVMSvr).
    ❑ Run reputable AV engine (Emsisoft Emergency Kit, Malwarebytes, Microsoft Defender Offline).
    ❑ Re-image when in doubt.

  3. File Decryption & Recovery
    • No Known Decryptor: Boot is based on ChaCha20 + RSA-2048 offline keys; researchers have not yet published a free decryptor.
    • Recovery Paths:
    – Restore from offline backups → only guaranteed path.
    – Shadow Copies: many Boot samples call vssadmin delete shadows; check via vssadmin list shadows.
    – NoMoreRansom repositories: none exist as of 2024-06-19.
    – Do NOT trust any “BootDecrypt.exe” offered by attackers; the installers contain SmokeLoader.

  4. Other Critical Information
    Non-standard IoCs

    • Mutex: Global\BOOT1864X
    • Dropped additional payloads SmokeLoader & RedLine Stealer.
    • Leave-behind ransom ID file: %APPDATA%\id1_boot.dat – contains XOR-encoded victim ID used on the onion checkout portal.
    • Wider Impact: Boot has a “fast-double-extortion” variant: while it encrypts files to .boot, it simultaneously siphons sensitive folders to attacker-controlled Mega.nz / Gofile mirrors before the encryption timer reaches 0d 12h.
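The following read-only triage script is an added example (not from this page's source) that checks a Windows host for the Boot indicators listed in the removal workflow and IoC section above: the RunOnce/Run autoruns, the two service names, the Global\BOOT1864X mutex, the dropped id1_boot.dat / locker.exe files, the four ransom-note names, the .boot extension, and whether shadow copies survive. It assumes an elevated PowerShell 5+ session and that the elided HKCU key is the standard Run key.

```powershell
# Added triage example: read-only checks for the Boot IoCs named on this page.
$findings = @()

# 1. Persistence keys from the removal workflow. The HKCU path is an assumption
#    (the page elides it); the standard per-user Run key is used.
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
  if (Test-Path $key) {
    (Get-ItemProperty -Path $key).PSObject.Properties |
      Where-Object { $_.Value -match 'svcBoot32\.exe|locker\.exe' } |
      ForEach-Object { $findings += "Autorun ${key}\$($_.Name) = $($_.Value)" }
  }
}

# 2. Services the page says to terminate.
Get-Service -Name 'BootLocker','TeamVMSvr' -ErrorAction SilentlyContinue |
  ForEach-Object { $findings += "Service $($_.Name) state=$($_.Status)" }

# 3. Mutex Global\BOOT1864X (only present while the locker is running).
try {
  $m = [System.Threading.Mutex]::OpenExisting('Global\BOOT1864X')
  $m.Dispose(); $findings += 'Mutex Global\BOOT1864X is present'
} catch [System.UnauthorizedAccessException] {
  $findings += 'Mutex Global\BOOT1864X exists (access denied)'
} catch [System.Threading.WaitHandleCannotBeOpenedException] { }

# 4. Dropped artefacts: victim-ID file and the locker binary.
foreach ($p in "$env:APPDATA\id1_boot.dat", "$env:TEMP\locker.exe") {
  if (Test-Path $p) { $findings += "Artefact present: $p" }
}

# 5. Encrypted files and ransom notes under user profiles (limited depth).
$notes = 'README!.txt','Leeme.txt','ВАЖНО.txt','Unlock-Files.html'
$hits = Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -Depth 3 -File -ErrorAction SilentlyContinue |
  Where-Object { $_.Extension -eq '.boot' -or $notes -contains $_.Name }
if ($hits) { $findings += "Encrypted files / notes: $($hits.Count) (first: $($hits[0].FullName))" }

# 6. Shadow copies: the page notes many samples run vssadmin delete shadows.
$shadows = vssadmin list shadows 2>&1
if ($shadows -match 'No items found') { $findings += 'No VSS shadow copies remain' }

if ($findings.Count -eq 0) { 'No Boot IoCs found' } else { $findings }
```

The script only reads state; act on its output through the isolation and re-imaging steps above rather than deleting keys from inside the compromised session.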