boris

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: boris appends the literal suffix “.boris” to each encrypted file.
    For example:
    Workbook.xlsx → Workbook.xlsx.boris
    Annual_Report.pdf → Annual_Report.pdf.boris

  • Renaming Convention:
    – Preserves the original filename and second-to-last extension (important when the file already has a multi-dot extension).
    – Adds only one extra extension; no complex numbering, email addresses, or victim IDs inside the filename itself.
    – No change to folder names—unlike some families that append ransom notes to the directory tree—making purely filename-based triage harder.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First publicly documented samples were reported mid-January 2024. A sustained spike in submissions to malware repositories occurred during late January through February 2024, suggesting a rapid “big-game hunting” style campaign.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. LiveDrop phishing – ZIP or ISO attachments that unpack a “OneNote Click2Run” macro document (*.one). The document then spawns rundll32.exe to fetch boris.dll.
    2. RDP compromise – Evidence shows scans targeting exposed RDP (TCP/3389) with reused or weak credentials; the actors then deploy boris.exe via copy \\tsclient\c\boris.exe c:\windows\... or winrs.
    3. Trusted-software mimicry – Drive-by downloads masquerading as legitimate VPN clients (especially the “WindOWN VPN” campaign), first propagated on Telegram and later shifted to social-media ads.
    4. Software vulnerabilities – Observed exploitation of ScreenConnect AVC/WS for on-prem appliances (CVE-2024-1709, CVE-2024-1708) in February 2024 campaigns.
    5. Living-off-the-Land – Uses WMI (wmic shadowcopy delete), native BitLocker commands to turn off system-hives’ restore points, and Windows Defender exclusion rules (powershell -c "Add-MpPreference -ExclusionPath C:\") right before encryption.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    – Patch or disable ScreenConnect/ConnectWise Control installations (check your endpoint telemetry for the vulnerable JAR versions).
    – Enforce MFA on all remote-management interfaces (RDP, ScreenConnect, AnyDesk, etc.).
    – Segment networks; isolate jump boxes and backup vaults using VLANs that disallow ports 445/135 between desktops.
    – Disable the primary infection vectors:
      · Disable OneNote SUBE (HKCU\Software\Microsoft\Office\16.0\OneNote\Options\RunOneNoteSetupTaskBackground) to stop malicious macro launch.
      · Restrict AutoRun for ISO images via Group Policy: Administrative Templates\Windows Components\Any Removable Storage: Deny write access, set to Enabled.
    – Backups must be immutable (WORM) and offline. Validate restores weekly.

2. Removal

  • Infection Cleanup:
    1. Immediately disconnect the host from all network interfaces (Wi-Fi, LAN).
    2. Boot from an offline antivirus suite or Windows Defender Offline.
    3. Run a side-loaded EDR scan (CrowdStrike, SentinelOne) looking for IoCs:
       – filenames boris.exe, boris.dll, help.exe, helpdecrypt.log
       – persistence mechanism via the scheduled task BRS_Updater in \Task Scheduler\Microsoft\Windows\UpdateOrchestrator\.
    4. Remove scheduled tasks and registry run keys (check both 32-bit and 64-bit hives).
    5. Post-cleanup: reboot into safe mode and stage a full filesystem AV scan from WinRE to catch components hidden deep in %ProgramData%.
    6. Inspect for secondary payloads (stealer or backdoor) that the operators loaded via the same beachhead.
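The Living-off-the-Land command lines listed under Primary Attack Vectors and the IoC filenames and scheduled-task name listed in the cleanup steps above can be turned into a small detection pass over process-creation telemetry. The following is an added example, not code from the original page: the log records are constructed for illustration, and the "host|parent image|command line" layout is an assumption about how such records might be exported.

```python
import re
from typing import List, Tuple

# Constructed process-creation records (not real telemetry): "host|parent image|command line".
SAMPLE_LOGS = [
    "WS01|winword.exe|rundll32.exe C:\\Users\\Public\\boris.dll,Start",
    "WS01|cmd.exe|wmic shadowcopy delete",
    "WS02|explorer.exe|powershell -c \"Add-MpPreference -ExclusionPath C:\\\"",
    "WS03|cmd.exe|copy \\\\tsclient\\c\\boris.exe c:\\windows\\temp\\boris.exe",
    "WS04|svchost.exe|schtasks /create /tn BRS_Updater /tr C:\\ProgramData\\help.exe",
    "WS05|explorer.exe|notepad.exe C:\\Users\\alice\\notes.txt",
]

# Each rule pairs a label with a case-insensitive regex over the command line.
# Patterns come from the behaviours and IoC names listed on this page.
RULES: List[Tuple[str, re.Pattern]] = [
    ("shadow-copy deletion", re.compile(r"wmic\s+shadowcopy\s+delete", re.I)),
    ("Defender exclusion added", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("rundll32 loading boris.dll", re.compile(r"rundll32(\.exe)?\s.*boris\.dll", re.I)),
    ("copy over RDP drive redirection", re.compile(r"copy\s+\\\\tsclient\\", re.I)),
    ("known IoC filename", re.compile(r"(boris\.exe|boris\.dll|help\.exe|helpdecrypt\.log)\b", re.I)),
    ("BRS_Updater scheduled task", re.compile(r"\bBRS_Updater\b", re.I)),
]

def detect(lines):
    """Return (host, parent, [matched labels]) for every record that trips a rule."""
    hits = []
    for line in lines:
        host, parent, cmdline = line.split("|", 2)
        matched = [label for label, rx in RULES if rx.search(cmdline)]
        if matched:
            hits.append((host, parent, matched))
    return hits

def summarize(hits):
    """Count flagged records per host; a host with several hits is isolated first."""
    counts = {}
    for host, _, _ in hits:
        counts[host] = counts.get(host, 0) + 1
    return counts
```

Shadow-copy deletion and the Defender exclusion are the two highest-confidence signals here, because they precede encryption; the filename rules are weaker on their own and mainly help scope which hosts to image.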

3. File Decryption & Recovery

  • Recovery Feasibility:
    No public decryptor exists at this time. Encryption uses ChaCha20 followed by RSA-2048 asymmetric key wrapping (.priv and .pub keys are auto-stored in %APPDATA%\keys\ and then exfiltrated).
    – Victims must rely on:
      a. Deterministic backups made prior to infection.
      b. Existing automatic Azure or AWS snapshots. Test before rolling back: check manifest modification timestamps to confirm the snapshots themselves were not encrypted.
    – If an offline directory-to-directory unencrypted clone exists, exhaustive SHA-256 comparisons (fciv /bp) ensure file integrity before overwriting.
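The clone-verification step above, together with the single-suffix renaming convention from section 1, as an added example that is not part of the original page: it maps each encrypted name back to its original, locates that original in the clone, and compares its SHA-256 against a pre-incident hash manifest before anything is overwritten. The manifest format and the clone layout are assumptions; the sample files are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

SUFFIX = ".boris"          # the single appended extension described on this page

def original_name(encrypted_name: str) -> str:
    """Strip the appended '.boris'; the rest of the name, including any
    multi-dot extension such as .tar.gz, is left exactly as it was."""
    if not encrypted_name.endswith(SUFFIX):
        raise ValueError(f"not a {SUFFIX} file: {encrypted_name}")
    return encrypted_name[: -len(SUFFIX)]

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_clone(encrypted_names, clone_dir: Path, manifest: dict) -> dict:
    """For each encrypted filename, check that the clone holds the original and
    that its SHA-256 matches the pre-incident manifest. Returns {original: status}."""
    results = {}
    for enc in encrypted_names:
        orig = original_name(enc)
        candidate = clone_dir / orig
        if not candidate.is_file():
            results[orig] = "missing-in-clone"
        elif orig not in manifest:
            results[orig] = "no-manifest-entry"
        elif sha256_file(candidate) != manifest[orig]:
            results[orig] = "hash-mismatch"
        else:
            results[orig] = "ok"
    return results

def demo() -> dict:
    """Constructed scenario: one intact clone file, one tampered, one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        clone = Path(tmp)
        (clone / "Workbook.xlsx").write_bytes(b"good workbook bytes")
        (clone / "Annual_Report.pdf").write_bytes(b"TAMPERED")
        manifest = {
            "Workbook.xlsx": hashlib.sha256(b"good workbook bytes").hexdigest(),
            "Annual_Report.pdf": hashlib.sha256(b"original report bytes").hexdigest(),
            "notes.txt": hashlib.sha256(b"notes").hexdigest(),
        }
        encrypted = ["Workbook.xlsx.boris", "Annual_Report.pdf.boris", "notes.txt.boris"]
        return verify_clone(encrypted, clone, manifest)
```

Only entries reported as "ok" should be copied back; a "hash-mismatch" on a clone file means the clone itself was altered after the manifest was taken and must be investigated rather than restored.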

  • Essential Tools/Patches:
    – ScreenConnect 23.9.8 or later addresses the critical CVEs.
    – Windows SMBv1 disable script (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
    – Microsoft Defender ASR rule to block embedded executable content in Office (GUID 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84).

4. Other Critical Information

  • Additional Precautions:
    – boris creates the ransom note Boris-How-To-Recover.txt in every enumerated directory; the note filename capitalization always matches the extension rather than variant branding. Inside: Tor URL boris4oxxxxxxxxxxx.onion protected by Cloudflare-Captcha.
    – Operators impose a double-extortion model: victims are threatened with publication on the leak site “borisleaks[.]cc” if no payment is rendered within 72 hours.
    – Unique anti-analysis: internally marked by the Cyrillic string "сделайте это за 24 часа" inside resources; C2 domains switch to a new DGA algorithm every 1000 samples to avoid signature blocks (centos-update.org, winfix.pl, etc.).
    – Incident response forensics indicate the malware alternates between two mutex names, BorisLockMutex1 and MasterBoris, depending on the OS language pack, which helps teams differentiate sample counts.

  • Broader Impact:
    – First ransomware family to systematically target Solaris and FreeBSD archives mounted over NFS on enterprise storage layers in addition to Windows endpoints.
    – Initial campaigns hit a U.S. state university + nine midsize hospitals—exposure of PHI (Protected Health Information) led to Department of Health threat advisories in Feb 2024.