boza - NTAPINSIGHT

Technical Break-down: Boza Ransomware

Confirmation of File Extension: The malware appends the “.boza” extension to every encrypted file.
Renaming Convention:
<original_name>.<original_extension>.id-<8-to-10-digit-VICTIM-ID>.[<attacker_email>].boza
Example:
Annual_Budget.xlsx.id-92417835.[[email protected]].boza

Approximate Start Date/Period:
Public campaigns observed from July 2021 onward, with peak activity in August – September 2021. Older samples trace back to compilation timestamps in June 2021 (UTC).

Propagation Mechanisms:
RDP brute-force attacks – the most prevalent initial foothold.
Phishing emails containing password-protected ZIP, ISO, or IMG attachments (“invoice.iso”).
Exploitation of unpatched ProxyShell (CVE-2021-34473/34523/31207) against exposed Microsoft Exchange servers.
Credential-stuffing and mimikatz once inside to move laterally via SMB/PSExec & WMI.
Post-infection disables Volume Shadow-copy Service (VSS) and deletes the Windows backup catalog (vssadmin delete shadows /all /quiet).

Proactive Measures:
Segment networks and close TCP/3389 (RDP) to the internet or restrict via VPN + MFA.
Disable SMBv1 and patch against ProxyShell/EternalBlue.
Maintain offline, versioned backups (3-2-1 rule).
Deploy EDR with strict PowerShell & WMI command-line monitoring, and Application-Whitelisting (e.g., Microsoft Defender ASR rule “Block credential stealing from LSASS”).
Harden email gateways to drop ISO/IMG/CAB file-types and sandbox macros.

Isolate: Disconnect the host from the LAN/Wi-Fi before touching files.
Collect Evidence: If legal/forensic action is likely, take a full-disk forensic image with tools like FTK Imager before cleaning.
Power-off or Reboot to Safe Mode with Networking (SMB disabled).
Scan & Remove:
- Bootable AV: Kaspersky Rescue Disk, Bitdefender BDCD or Emsisoft Emergency Kit.
- Delete persistence artifacts:
- Registry Run keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random].exe or %AppData%\syshelper.exe.
- Scheduled Tasks update_ctl or WorkstationHelper.
Check for Lateral Movement: Use BloodHound/PingCastle to enumerate compromised service accounts & second-stage tools.
Patch & Rebuild: Apply Windows cumulative update ≥ July 2021 and rotate ALL domain passwords.

Recovery Feasibility:
Boza is a strain of STOP / Djvu (version 263). Transparent decryption is only possible when WHOLE offline key has leaked ( ~15 % worldwide samples share the same offline key 6se9RaIxXS92bZQ_OCL-XXXXXXXXXC).
Tools:
- Emsisoft STOP-Djvu Decrypter (https://emsisoft.com/decrypt) – requires the same exfiltrated offline key; run with -a to list usable keys.
- If the decrypter cannot read key info (unable to get master key) ⇒ files encrypted with the online (unique per victim) key, which has not been leaked; no public decryption currently available.
Fallback options:
- Restore from offline backups or Windows VSS snapshots that survived the VSS purge (check vshadowadmin list).
- Use Volume Shadow-copy-based file-carving tools (ShadowExplorer, PhotoRec) to recover partial copies.

Additional Precautions:
Boza drops readme.txt ransom notes in every affected folder; emails listed ([email protected], [email protected]) are black-listed – do not pay as decryption is not guaranteed.
The ransomware carries a low-level wiping routine: deletes shadow-copies via WMI “Win32_ShadowCopy ID=*” as well as clearing System Restore points.
Unique SHA-256 IOC (x32 sample): 22ad2a9dbe306c52e3b5d9a56bec8f06833cc78e0a4e0e1dfc6f1bfbdc403e51.
Broader Impact:
Indo-Asian MSP sector bore brunt of July–Aug campaigns: ~225 disclosed cases.
Since Jan-2022, malware morphs into STOP-Djvu v262, v263-decryptable, shifting to supply-chain seeding via pirated software cracks – a clear consumer and SMB threat spreading outside traditional enterprise perimeters.