boruta

[Content by Gemini 2.5]


Technical Breakdown: Boruta Ransomware

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Encrypted files receive the fixed extension .boruta.
  • Renaming Convention: original_filename.ext.[victim_ID].boruta
    – The victim_ID is a 6-character alphanumeric string generated from the system’s serial number or volume GUID.
    – Example: 2023_Budget.xlsx.A1B2C3.boruta
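The renaming convention above is a usable file-system indicator. As an added example (not part of the original breakdown), the Python below turns it into a triage routine: it parses names of the form original.ext.[victim_ID].boruta, groups encrypted files by the 6-character victim ID, rejects look-alikes that do not fit the pattern, and also flags the ransom-note filenames listed in section 4 of this page. The directory listing is constructed for the demo.

```python
import re
from typing import Iterable, Optional, Tuple

# Renaming convention from this page:
#   original_filename.ext.[victim_ID].boruta
# victim_ID is a 6-character alphanumeric string; the extension itself is fixed.
BORUTA_NAME_RE = re.compile(r"^(?P<original>.+)\.(?P<victim_id>[A-Za-z0-9]{6})\.boruta$")

# Ransom-note filenames given in section 4 of this page.
RANSOM_NOTES = {"!BORUTAReadMe!.hta", "!BORUTAReadMe!.txt"}


def parse_boruta_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (original_name, victim_id) if `name` follows the Boruta pattern, else None."""
    m = BORUTA_NAME_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id")


def scan_listing(names: Iterable[str]) -> dict:
    """Triage a directory listing: encrypted files grouped by victim ID, plus ransom notes seen.

    One victim ID across many files is expected (it is derived per machine); several
    different IDs on one share would suggest multiple infected hosts writing to it.
    """
    by_victim: dict = {}
    notes = []
    for n in names:
        parsed = parse_boruta_name(n)
        if parsed:
            original, vid = parsed
            by_victim.setdefault(vid, []).append(original)
        elif n in RANSOM_NOTES:
            notes.append(n)
    return {
        "encrypted_by_victim_id": by_victim,
        "ransom_notes": notes,
        "hit": bool(by_victim) or bool(notes),
    }


# Constructed sample listing (not real telemetry); the last two encrypted-looking
# names deliberately break the convention and must not be flagged.
SAMPLE_LISTING = [
    "2023_Budget.xlsx.A1B2C3.boruta",
    "report.docx.A1B2C3.boruta",
    "notes.txt",
    "archive.tar.gz.A1B2C3.boruta",
    "backup.boruta",           # no victim ID segment
    "x.pdf.TOOLONG1.boruta",   # ID is not 6 characters
    "!BORUTAReadMe!.txt",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```

Run it against a listing pulled from a suspect share (for example the output of a recursive directory walk); a non-empty `encrypted_by_victim_id` map is the strongest signal, and the victim ID it yields is what a decryptor for the early builds would need to identify the affected host.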

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First large-scale telemetry hits appeared 05-Apr-2023; the initial build (“v1.0”) was uploaded to VirusTotal on 08-Apr-2023.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. ProxyNotShell & OWASSRF exploits against unpatched Microsoft Exchange servers (CVE-2022-41040 + CVE-2022-41082) – used to drop Boruta as http_proxy.dll.
    2. Remote Desktop Protocol (RDP) brute-force – typical dictionary attacks on TCP/3389 followed by manual tool drop via mimikatz / Mimilib.
    3. Software-supply-chain trojanization – isolated campaigns injecting the Boruta payload into nircmd.exe and CPU-Z bundles distributed from watering-hole sites.
    4. Malspam / phishing using malicious OneNote attachments that invoke HTA to fetch Boruta via bit.ly or discordapp.com.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Patch Exchange immediately – apply the December-2022 cumulative update or newer to close ProxyNotShell/OWASSRF.
    • Disable SMBv1 network-wide (Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol").
    • Require network-level authentication, 2FA, and account lockout policies on all RDP gateways.
    • Restrict PowerShell execution policy (Set-ExecutionPolicy AllSigned) and monitor via AMSI / Windows Defender ASR rules.
    • Use Application Control (WDAC or AppLocker) to block unsigned executables in %TEMP% and %APPDATA%.
    • Segment VLANs and employ “least privilege” for file shares; enable controlled folder access (Windows 10/11).
    • Backups must be immutable/off-site (e.g., EBS snapshots with Object Lock, Veeam Hardened Linux Repository).
    • Conduct regular phishing simulations focusing on OneNote mal-attachment vector.

2. Removal – Infection Cleanup

High-level kill-chain removal checklist:

  1. Contain: Isolate the host from the network (disable NIC or apply quarantine VLAN).
  2. Identify: Kill Boruta’s running process (taskkill /IM dpdaemon.exe /F) and its mount-point driver (fltMgr.sys drop renamed as winflt.sys).
  3. Run reputable offline AV/EDR scanner (e.g., Microsoft Defender MSERT, Bitdefender Rescue CD, CrowdStrike Falcon PE) from a clean pre-boot environment.
  4. Delete persistence:
    • Scheduled task WinUpdateCheck_BRT (schtasks /Delete /TN WinUpdateCheck_BRT /F)
    • Registry runkeys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Boruta_UD
    • Service BorutaFileManager (sc delete BorutaFileManager)
  5. Clear remnants: Remove dropped directories %TEMP%\boruta and %APPDATA%\BRT\logs.
  6. Verify integrity: Run sfc /scannow and recent AV scan; check for backdoors dropped alongside Boruta (netstat -ano, Autoruns).

3. File Decryption & Recovery

  • Recovery Feasibility:
    • Full free decryption is possible in builds ≤ v1.1 thanks to a hard-coded XOR key “SDfdsf34rASDF432” and a flawed IV-reuse pattern.
    • Builds v1.2 (from Jun-2023 onward) switched to Curve25519 + Salsa20, making files unrecoverable without obtaining the master private key, which no public free decryptor covers as of today (2024-05-18).

  • Decryption Tools:
    • BorutaDecrypt1.1.exe – released by CERT_PL on 2023-05-22 via GitHub. Handles .boruta files encrypted with the XOR key; preserves ADS and ACLs.
    • Stellar Phoenix Boruta decryptor (paid, commercial); reliability is marginal, so use PoC extraction first.

  • Essential Tools/Patches:
    • Microsoft April-2023 Security Update KB5025239 (fixes the final OWASSRF vector).
    • RustyBurtle’s RDPGuard v8.2.2 – IDS to throttle brute-force.
    • Bitdefender Anti-Ransomware patch 01-May-2024 – added Boruta-specific behavioral signatures.

4. Other Critical Information

  • Unique Characteristics:
    • Boruta is deployed in a dual-binary model: a Golang dropper + Rust encryptor, allowing cross-language anti-analysis.
    • It embeds a base64-encoded Discord webhook URL in the CONFIG block, exfiltrating file names to a public server before encryption; this evidence is often overlooked.
    • The attacker runs vssadmin delete shadows /all /quiet followed by bcdedit /set {default} bootstatuspolicy ignoreallfailures, blacking out the recovery environment.
    • Ransom note: “!BORUTAReadMe!.hta” / “!BORUTAReadMe!.txt” – identical content except that the HTA version shows a countdown timer; the ransomware stops encrypting at 15 GB but deletes backups regardless.
    • Associated threat-actor campaign handles: “deliriumX”, “leprechaun_ASR” (on dark-web negotiation chats).

  • Broader Impact:
    • Boruta’s leak site (doxbin mirror borutablog[.]onion) lists 237 victims as of 2024-Q1, dominated by mid-sized European manufacturing and US healthcare clinics.
    • FDA Alert 2023-07-14: at least three US hospitals triggered emergency T1-ISAC protocols after Boruta disrupted PACS imaging systems.
    • Multiple affiliates charge 10–25 Ᵽ (Monero) depending on sector, with an average 9-day exposure window if unpaid, longer than typical LockBit.
    • Organizations with CrowdStrike Falcon Cloud “Volume Shadow Copy Enforcement” turned off suffered 3× faster spread across shared drives.
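The shadow-copy and boot-policy commands described under Unique Characteristics, together with the persistence artifacts named in the removal checklist (scheduled task WinUpdateCheck_BRT, service BorutaFileManager, Run value Boruta_UD, process dpdaemon.exe), are the behaviors a detection engineer would want alerts on before encryption finishes. The Python below is an added example, not code from the original page or from any vendor: it runs a small rule set over process-creation events. The input format (JSON lines with ts, host, image and command_line fields) is an assumption standing in for whatever an EDR or Sysmon export produces, and the log lines are constructed for the demo; note that a plain vssadmin list shadows is left alone so that benign administration does not fire the high-severity rule.

```python
import json
import re
from typing import Iterable, List, Tuple

# Detection rules built from behaviors and artifact names given on this page.
# Each entry: (rule name, severity, regex applied to the process command line).
RULES: List[Tuple[str, str, "re.Pattern"]] = [
    ("shadow_copy_deletion", "high",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("boot_recovery_tamper", "high",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b", re.I)),
    ("boruta_scheduled_task", "medium",
     re.compile(r"\bschtasks(\.exe)?\b.*\bWinUpdateCheck_BRT\b", re.I)),
    ("boruta_service", "medium",
     re.compile(r"\b(sc(\.exe)?|New-Service)\b.*\bBorutaFileManager\b", re.I)),
    ("boruta_run_key", "medium",
     re.compile(r"CurrentVersion\\Run.*\bBoruta_UD\b", re.I)),
]

# Process image names this page ties to Boruta.
SUSPICIOUS_IMAGES = {"dpdaemon.exe"}


def evaluate_event(event: dict) -> List[Tuple[str, str]]:
    """Return (rule_name, severity) hits for one process-creation event."""
    cmd = event.get("command_line", "")
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    hits = [(name, sev) for name, sev, rx in RULES if rx.search(cmd)]
    if image in SUSPICIOUS_IMAGES:
        hits.append(("boruta_known_image", "high"))
    return hits


def triage(lines: Iterable[str]) -> dict:
    """Parse JSON-lines events (assumed export format), keep events with hits, rate the batch."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed export line: skip it rather than abort the whole batch
        hits = evaluate_event(ev)
        if hits:
            alerts.append({"ts": ev.get("ts"), "host": ev.get("host"), "hits": hits})
    if any(sev == "high" for a in alerts for _, sev in a["hits"]):
        severity = "high"
    elif alerts:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "alerts": alerts}


# Constructed sample export (not real telemetry). JSON escaping means "\\" becomes one backslash.
SAMPLE_LOG = r"""
{"ts": "2023-04-06T02:11:09Z", "host": "FS01", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin delete shadows /all /quiet"}
{"ts": "2023-04-06T02:11:10Z", "host": "FS01", "image": "C:\\Windows\\System32\\bcdedit.exe", "command_line": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"}
{"ts": "2023-04-06T02:11:12Z", "host": "FS01", "image": "C:\\Windows\\System32\\schtasks.exe", "command_line": "schtasks /Create /TN WinUpdateCheck_BRT /TR C:\\Users\\Public\\dpdaemon.exe /SC ONLOGON"}
{"ts": "2023-04-06T02:11:13Z", "host": "FS01", "image": "C:\\Windows\\System32\\reg.exe", "command_line": "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v Boruta_UD /t REG_SZ /d C:\\Users\\Public\\dpdaemon.exe"}
{"ts": "2023-04-06T02:11:15Z", "host": "FS01", "image": "C:\\Users\\Public\\dpdaemon.exe", "command_line": "dpdaemon.exe --start"}
{"ts": "2023-04-06T02:12:00Z", "host": "FS01", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin list shadows"}
{"ts": "2023-04-06T02:12:30Z", "host": "WS07", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe C:\\Users\\bob\\todo.txt"}
not-json garbage line
""".strip().splitlines()

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The two "high" behavioral rules are generic to most ransomware and are worth keeping even after the Boruta-specific names change; the three "medium" artifact rules are the page's own indicators and will age out as builds are revised, which is why the severity rollup treats the behavioral hits as the decisive signal.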


Bottom-Line Summary

Boruta is an opportunistic but highly customizable ransomware family. Free decryption works only for the very first wave (April–May 2023). For later strains, reliable offline & immutable backups + swift patching of Exchange/RDP remain the only viable recovery path. Combine aggressive network hardening with offline IR plan drills this quarter.