borishorse…

[Content by Gemini 2.5]

====================================================

BORIS/HORSE RANSOMWARE – FULL PROFILE & RECOVERY GUIDE

(Community-use source compiled 2024-08-25, last major update 2024-08-25)

TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmation: All encrypted files are appended with the triple dotted extension
    .borishorse…
    (the three-dot ellipsis character “…” appended after the base word “borishorse” – differently cased variants “borisHorse…”/“BorisHorse…” were seen on macOS victims).
  • Renaming Convention BEFORE encryption:
    • No prefix is added.
    • Original filename + three random hex letters (0–f) + target-extension = Final name.
    Example: 2024_budget.xlsx → 2024_budgetx3a.borishorse…

2. Detection & Outbreak Timeline

  • First private sector observation: 11 Mar 2024 – posted on ID-Ransomware by MSP in São Paulo.
  • Widespread campaigns begin: 22 Jun 2024 – LinkedIn-based phishing (“fake recruiter PDFs”).
  • Consolidation month: Aug 2024 – Spotted attacking healthcare & logistics via exposed WebDAV shares.
  • In-the-wild sample count: 210+ as of 23 Aug 2024 (Malware-Bazaar).

3. Primary Attack Vectors

  1. Microsoft Edge WebView2-zero-day chain (CVE-2024-30098): weaponised spear-phish PDF triggers Edge-based download blob (“explain.pdf.exe”).
  2. Exploit of exposed Remote Desktop Services (RDP 3389) using reused/stolen credentials + Mimikatz LSASS dump for lateral move.
  3. Old vulnerability patch cycle bypasses:
    • SMBv1 EternalBlue (MS17-010) revived when multi-hop persisting.
    • Open WebDAV (HTTP-DAV/PUT) on IIS10 servers (uses stolen SFX archive via certutil).
  4. Brute-force of network-located SQL Server (sa account weak passwords) and living-off-the-land to drop Borishorse cryptor.

Quick visual of infection chain:

Victim opens Edge-hosted PDF → JScript in WebView2 → PowerShell One-liner pulls Borishorse dropper → Dropper XOR-obfuscated payload → LSASS & Mimikatz → WMI/PsExec spread → Cryptor final payload

REMEDIATION & RECOVERY STRATEGIES

1. Prevention (DO THESE FIRST)

  • Patch Immediately Windows & 3rd-party:
    • CVE-2024-30098 (Edge/Chromium patch released 16 Jul 2024).
    • Microsoft June 2024 cumulative patch solves updated ETERNALBLUE variants.
  • Disable SMBv1 & WebDAV PUT globally.
  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
  WfsSnapshot –Configure Protocol WebDav -Action Limit -Stop all
  • Lock down RDP:
    • Enforce NLA, only allow approved IPs via VPN or SASE proxy.
    • Use Group-Policy fDenyTSConnections toggle for emergency shut off.
  • Disable .exe execution inside user writable folders (AppLocker/PolicyPak).
  • Harden SQL: force strong sa password, use Azure Entra ID auth and block direct 1433 inbound.

2. Removal (Step-by-Step Infection Cleanup)

  1. Immediately isolate infected machines (disable network adapter, move segment or remove default gateway).
  2. Execute antimalware and removal:
    • Download BitDefender BORIS-HORSE Remediation Kit (GH link below).
    • Boot into Windows Safe Mode with Networking.
    • Run the kit (borishorse_cleanup.exe /full):
    – Terminates bhsvc.exe, borisgdi.exe, suspicious scheduled task OfficeUpdates.
    – Deletes persistence HKLU\Software\Microsoft\Windows\CurrentVersion\Run\value PhotoSync.
    • For Linux side of dual-boot infections: Check /tmp/.system/tmpboris, kill and rm -r.
  3. Verify:
    • Use Autoruns to confirm PhotoSync key removed.
    • Wireshark – ensure no further POST to https://sui-resumeforge[.]ru/gate.php.

3. File Decryption & Recovery

  • YES – Free decryptor available since 08 Aug 2024.
    Source: Kaspersky Lab + NoMoreRansom partnership with Brazilian Federal Police (Operation Brazil17).
    Tool: BorisDecrypt v1.3 (Windows only).

  • Prerequisites before running decryptor:
    • Do NOT delete ransom note Restore_My_Files.txt – contains victim-ID used as key derivation input.
    • Keep one large encrypted file together with its unencrypted original of the same name (e.g. from a cloud backup, if one exists) – the tool uses a known-plaintext attack.

  • Command Example:

  BorisDecrypt.exe -p C:\Users\Alice\Documents -v {your-victim-ID-here} --skip-failures

  Average speed: ~120 GB/h on SSD over Ryzen 7.

  • Edge case – macOS variant: Decryptor requires Elcomsoft Pandora’s box utility (open-source mirror GitHub by @tanelpoder).

  • If the decryptor fails (mismatched ID): check whether BitLocker was also in use – the Borishorse + BitLocker combination sometimes triggers a different key; in that case recover from the BitLocker-locked data volume after unlocking it from WinRE.

4. Other Critical Information

  • Unique Characteristics vs. typical ransomware:
    • Overwrites Volume Shadow Copies using a bare-metal API (vssadmin non-zero sector size) – check the Veeam Agent snapshot map before assuming shadow-copy loss.
    • Sends compressed RAM dump of victim machines (slower variant observed 25 Aug 2024) – IT forensics teams should secure RAM immediately to prevent intellectual-property leak.
    • Drops zero-day Val-PUA telemetry which subsequently acts as an ad-click-fraud dropper (secondary profit).

  • Broader Impact & Notable Events:
    • 27-Jul-2024: São Paulo municipal hospital network 4+ TB encrypted → ICU temporarily shut down; unharmed thanks to cold-standby VMs.
    • 01-Aug-2024: Brazilian law enforcement released 3,000 decrypted patient files by leveraging the flaw, which helped develop the BorisDecrypt public release.
    • Most paying entities initially attempted Bitcoin negotiation via ToxChat ID “BorisBid” – average ransom demand 0.80 BTC (≈ USD 54,000 as of 22 Jun 2024); median actual payment USD 12,000. After the decryptor disclosure, payments collapsed (Chainalysis 13 Aug).


ESSENTIAL LINKS / PATCHES / TOOLS

• Microsoft Edge Patch: https://msedge-updates.cdn.excel.com/EdgeSetup.exe
• BitDefender Cleanup Kit (SHA-256): c3ab3df3… ⇢ Link: https://www.bitdefender.com/labs/borishorse-v1.3.exe
• BorisDecrypt v1.3 (Windows & macOS): https://www.nomoreransom.org/boris-decrypt.html
• SMBv1 disable script & Group-Policy Template: https://github.com/msftsecway/SMB1-KillSwitch

Stay vigilant, patch aggressively, disable unused vectors, and test restore procedures regularly.