bozon

[Content by Gemini 2.5]

Ransomware Resource: BOZON
File-extension observed: .bozon


Section 1 – Technical Breakdown

1. File Extension & Renaming Patterns

• Extension: after encryption every file carries the static suffix .bozon; the original name and extension are preserved in front of it.
• Renaming convention: original_name.ext → original_name.ext.bozon
– Directory traversal is breadth-first; hidden and system files are skipped.
– Sample encrypted file: Annual_Report.xlsx.bozon

2. Detection & Outbreak Timeline

• First documented sample: uploaded to VirusTotal on 2023-05-08 (SHA-256 5e55…ceef).
• Rapid propagation observed in mid-May 2023 through Windows servers still exposing unpatched SMBv1 (MS17-010).
• Sporadic campaigns continued through Q2 2024; the latest notable wave (Q1 2024) targeted MSPs over exposed RDP.

3. Primary Attack Vectors

• EternalBlue (MS17-010, CVE-2017-0144): unpatched SMBv1 servers remain the most common entry point.
• Compromised RDP sessions (brute-forced or previously dumped credentials), followed by lateral movement with PsExec.exe or WMI.
• Phishing attachments (Product-Invoice-2024.xlsm) that drop the BOZON loader through malicious VBA macros or Excel 4.0 (XLM) macros.
• Adversary-in-the-middle via rogue Wi-Fi hotspots, delivering Metasploit web_delivery stagers that fetch the BOZON payload.
• Cloud-adjacent variants: attackers pivot from compromised Azure AD (Entra ID) join tokens and push BOZON through Just Enough Administration (JEA) PowerShell sessions.


Section 2 – Remediation & Recovery Strategies

1. Prevention (Proactive Measures)

  1. Applying MS17-010 is non-negotiable: it closes CVE-2017-0144, the SMBv1 flaw EternalBlue exploits and BOZON still relies on. KB4013389 is the bulletin article; the installable package differs per OS version (for example KB4012212 or KB4012215 for Windows 7 / Server 2008 R2), and builds released after March 2017 (Windows 10 1703 and later, Server 2019 and later) carry the fix in-box.
  2. Disable SMBv1 via GPO (Computer Configuration → Preferences → Windows Settings → Registry): set the REG_DWORD value SMB1 = 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, or remove the component with the PowerShell command in the quick-reference below.
  3. Patch the OS, browsers, Office and edge appliances; keep Office Protected View on and enforce the "Block macros from running in Office files from the Internet" policy together with the policy that disables Excel 4.0 (XLM) macros.
  4. Enforce network segmentation: never expose RDP directly to the Internet; require VPN plus MFA for remote access.
  5. 3-2-1 backups with at least one immutable or offline copy (Veeam hardened repository, AWS S3 Object Lock, air-gapped media).
  6. EDR baseline: CrowdStrike Falcon, Microsoft Defender for Endpoint or SentinelOne with script-based execution heuristics enabled.
  7. Email gateway filters that strip or quarantine Excel 4.0 macro content and unsigned VBA macros.
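The two host-side controls above (MS17-010 patch state and SMBv1) are the ones worth scripting across a fleet. The following is an added example written for this page, not code from the original resource or from Microsoft: it reports whether the MS17-010 package is present, reports the SMBv1 state, and removes SMBv1. The function names are chosen here; the package IDs are the per-OS MS17-010 packages from the bulletin and should be confirmed for your build.

```powershell
# Added example, not code from the original page: audit a host for the two
# controls above that BOZON's EternalBlue vector depends on, then remove SMBv1.
# Run from an elevated PowerShell 5.1 (or later) session.
# $Ms17010Packages lists the per-OS MS17-010 package IDs from the bulletin;
# KB4013389 is the bulletin article itself and never appears in Get-HotFix.
# Confirm the IDs against the bulletin for your build.
$Ms17010Packages = @(
    'KB4012598'                            # XP / Server 2003 / Vista / Server 2008 / 8 RT
    'KB4012212', 'KB4012215'               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216'               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010 {
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    # Windows 10 1703 (build 15063) and every later build shipped with the fix
    # in-box, so the absence of a package there is not a finding.
    if ($build -ge 15063) {
        return [pscustomobject]@{ Patched = $true; Evidence = "build $build ships with the fix" }
    }
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Packages -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)
    # srv.sys is the SMB1 server driver the update replaced; its version is
    # the fallback evidence when hotfix history is incomplete (compare it with
    # the per-OS minimum in the bulletin).
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    if ($installed.Count -gt 0) {
        $evidence = 'hotfix ' + ($installed -join ', ')
    } else {
        $evidence = 'no MS17-010 package in hotfix history; srv.sys ' + $srv.VersionInfo.FileVersion
    }
    [pscustomobject]@{ Patched = ($installed.Count -gt 0); Evidence = $evidence }
}

function Get-Smb1State {
    # Both cmdlets exist on Windows 8 / Server 2012 and later.
    $cfg     = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($cfg)     { $server = $cfg.EnableSMB1Protocol } else { $server = 'unknown (cmdlet unavailable)' }
    if ($feature) { $state  = $feature.State }           else { $state  = 'component not present' }
    [pscustomobject]@{ ServerAcceptsSmb1 = $server; Smb1FeatureState = $state }
}

function Disable-Smb1 {
    # Two steps on purpose: the first stops the server accepting SMB1 right
    # now (it writes the same LanmanServer\Parameters\SMB1 value the GPO item
    # above sets), the second removes the component so nothing can quietly
    # switch it back on. A reboot completes the removal.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

Test-Ms17010
$smb = Get-Smb1State
$smb
if ($smb.ServerAcceptsSmb1 -eq $true) { Disable-Smb1; Get-Smb1State }
```

On Windows Server SKUs the SMB1 component is a server feature rather than an optional feature, so replace the Disable-WindowsOptionalFeature call with Remove-WindowsFeature FS-SMB1 there; the Set-SmbServerConfiguration step is the same on both.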

2. Removal checklist

  1. Immediate isolation: disconnect the host from the network (pull the cable, disable the NICs or use EDR network containment) rather than powering it off, so volatile memory and the running process can still be captured; power off only if encryption is actively progressing and no other containment is available.
  2. Identify the running BOZON PID (wmic process where name='bozon.exe' get processid) and terminate it; wmic is deprecated on current Windows builds, so prefer the Get-Process / Stop-Process cmdlets where available.
  3. Delete persistence (export each artefact first for the incident record):
    • Registry Run value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BOZON (MITRE T1547.001).
    • Scheduled task \Microsoft\Windows\Maintenance\BozMaintenance (MITRE T1053.005).
  4. Network indicators: block traffic to the C2 45.142.28[.]27:443 and sinkhole the domains bozon1769.onion.reserve and cdn-bnc-04[.]top at the firewall and DNS layer.
  5. Full AV scan with updated signatures (definitions dated 2024-03-30 or later) to remove the residual dropper.
  6. Reset local and domain credentials that may have been brute-forced or dumped; re-image any host that still shows residual evidence rather than trusting cleanup.
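The checklist above, as one elevated PowerShell runbook. This is an added example written for this page, not a script from the original resource or from any vendor. The identifiers are the ones the page lists (bozon.exe, the BOZON Run value, the BozMaintenance task, the C2 address); $EvidenceDir is an assumed location on a clean volume. It preserves each artefact before removing it, which the checklist's wording glosses over.

```powershell
# Added example, not code from the original page: the removal checklist as a
# single runbook. Run elevated on the affected host. $EvidenceDir is assumed;
# point it at a clean volume or removable media, never at the infected volume.
$C2Address   = '45.142.28.27'
$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$TaskPath    = '\Microsoft\Windows\Maintenance\'
$TaskName    = 'BozMaintenance'
$EvidenceDir = 'D:\IR-Evidence'

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. Contain at the network layer but keep the host running: memory and the
#    live process are evidence, and powering off destroys both.
New-NetFirewallRule -DisplayName 'IR-Block-BOZON-C2' -Direction Outbound -Profile Any `
    -RemoteAddress $C2Address -Action Block | Out-Null
if (-not $PSSenderInfo) {   # only on the console; a remote session would cut itself off
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}

# 2. Record the process (PID, parent, image, command line) and preserve the
#    binary before terminating it.
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'bozon.exe'")
$procs | Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine, CreationDate |
    Export-Csv (Join-Path $EvidenceDir 'bozon-process.csv') -NoTypeInformation
foreach ($p in $procs) {
    if ($p.ExecutablePath) {
        Copy-Item -LiteralPath $p.ExecutablePath -Destination $EvidenceDir -ErrorAction SilentlyContinue
    }
    Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
}

# 3. Persistence: export each artefact, then remove it
#    (T1547.001 Run value, T1053.005 scheduled task).
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['BOZON']) {
    "$RunKey\BOZON = $($run.BOZON)" | Out-File (Join-Path $EvidenceDir 'persistence.txt') -Append
    Remove-ItemProperty -Path $RunKey -Name 'BOZON'
}
if (Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue) {
    Export-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName |
        Out-File (Join-Path $EvidenceDir "$TaskName.xml")
    Unregister-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -Confirm:$false
}

# 4. Scope the damage for the recovery and reporting steps: every encrypted
#    file and ransom note, plus the timestamps that bound the encryption window.
$hits = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.bozon' -or $_.Name -eq 'Readme-Bozon.txt' }
$hits | Select-Object FullName, Length, LastWriteTime |
    Export-Csv (Join-Path $EvidenceDir 'bozon-files.csv') -NoTypeInformation
$enc = @($hits | Where-Object Extension -eq '.bozon' | Sort-Object LastWriteTime)
"{0} encrypted files; first write {1}; last write {2}" -f $enc.Count, $enc[0].LastWriteTime, $enc[-1].LastWriteTime
```

The HKCU Run value belongs to whichever user the dropper ran as; if that is not the account running the runbook, load that user's NTUSER.DAT hive (or check HKU\<SID>) before declaring persistence gone. The file inventory from step 4 is also the input for the shadow-copy and backup restores later in this section.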

3. File Decryption & Recovery

Availability of free decryptor: No. BOZON uses a properly implemented hybrid scheme (RSA-2048 wrapping ChaCha20-Poly1305 file keys). The RSA private key stays on attacker infrastructure, so offline decryption is not practical.
Recovery pathways:
– Restore from immutable or off-site backups (rclone copies to Wasabi with bucket versioning, Veeam Hardened Repository, ZFS snapshots).
– Check Volume Shadow Copies (vssadmin list shadows): later BOZON samples delete them, but early ones may not.
– Forensic carving: if the attack was interrupted, image the raw disk and run PhotoRec or R-Studio to recover partial files that were not overwritten.
– Negotiating and paying is NOT recommended: there is no guarantee the delivered key works, and the group routes payments through coin mixers to defeat tracing, which increases the legal and sanctions exposure of anyone who pays.
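The shadow-copy pathway is the one worth automating, because the renaming convention in Section 1 (original_name.ext → original_name.ext.bozon) lets each encrypted file be mapped straight back to the path a snapshot would hold it under. The following is an added example written for this page, not code from the original resource: it lists surviving shadow copies, mounts the newest one for the affected volume through a directory symlink, and copies the pre-encryption version of every .bozon file into a separate recovery tree. It assumes a forensic image was taken first and that the sample has not deleted the shadows; the function names and the paths in the usage lines are examples.

```powershell
# Added example, not code from the original page: recover pre-encryption
# versions of .bozon files from the newest surviving Volume Shadow Copy.
# Run elevated in PowerShell 5.1 or later, after imaging the disk.
function Get-ShadowCopies {
    # PowerShell equivalent of 'vssadmin list shadows', newest first.
    Get-CimInstance Win32_ShadowCopy |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

function Restore-FromShadow {
    param(
        [Parameter(Mandatory)][string]$EncryptedRoot,   # e.g. C:\Shares\Finance
        [Parameter(Mandatory)][string]$RecoveryRoot,    # a clean volume; never restore in place
        [string]$Mount = 'C:\ShadowMount'               # assumed mount point for the symlink
    )
    # Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName both use the
    # \\?\Volume{GUID}\ form, which is how a drive letter maps to its shadows.
    $drive  = $EncryptedRoot.Substring(0, 2)                                  # 'C:'
    $volume = (Get-CimInstance Win32_Volume -Filter "DriveLetter = '$drive'").DeviceID
    $shadow = Get-ShadowCopies | Where-Object VolumeName -eq $volume | Select-Object -First 1
    if (-not $shadow) { throw "No shadow copy survives for $drive; fall back to backups." }

    # A directory symlink to the shadow device exposes it as a normal path;
    # the trailing backslash on the target is required.
    New-Item -ItemType SymbolicLink -Path $Mount -Target "$($shadow.DeviceObject)\" | Out-Null
    $stats = @{ Recovered = 0; Missing = 0 }
    try {
        Get-ChildItem -LiteralPath $EncryptedRoot -Recurse -File -Filter '*.bozon' | ForEach-Object {
            # original_name.ext.bozon -> original_name.ext at the same relative path
            $relative = $_.FullName.Substring(3)                              # drop 'C:\'
            $relative = $relative.Substring(0, $relative.Length - 6)          # drop '.bozon'
            $source   = Join-Path $Mount $relative
            if (Test-Path -LiteralPath $source -PathType Leaf) {
                $dest = Join-Path $RecoveryRoot $relative
                New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
                Copy-Item -LiteralPath $source -Destination $dest
                $stats.Recovered++
            } else {
                $stats.Missing++   # created or renamed after the snapshot was taken
            }
        }
    } finally {
        (Get-Item -LiteralPath $Mount).Delete()   # removes only the link, never shadow contents
    }
    [pscustomobject]$stats
}

Get-ShadowCopies
Restore-FromShadow -EncryptedRoot 'C:\Shares\Finance' -RecoveryRoot 'E:\Recovered'
```

Files reported as Missing are newer than the snapshot or live on another volume; for those, the backup and carving pathways above are the only options. Recovered files should still be treated as untrusted input (the snapshot may predate the intrusion but not the phishing attachment), so scan the recovery tree before reintroducing it.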

4. Other Critical Information

• Unique characteristics:
– BOZON relies on living-off-the-land commands to hinder recovery: wevtutil cl system clears the System event log (anti-forensics), and bcdedit /set recoveryenabled no disables the Windows Recovery Environment at boot.
– After encryption it drops the ransom note Readme-Bozon.txt in every affected folder and sets the desktop wallpaper to a low-resolution skull; the note's "no cloud push" line is an explicit warning against syncing files to SaaS storage.
– It checks the Windows version: on hosts older than Windows 7 (XP and the like) it skips the payment portal entirely, behaviour that suggests those hosts are sold on for a secondary payload.
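Both living-off-the-land commands above are noisy in process-creation telemetry, so they make a good detection anchor alongside the shadow-copy deletion seen in later samples. The following is an added example written for this page, not a rule from the original resource or from the Sigma/YARA files it references: a small correlation over process-creation records that flags a host when two or more distinct recovery-inhibition techniques fire inside a short window. The records it runs on are constructed sample data, not real telemetry; Get-ProcessCreationEvents shows how to feed it live Sysmon Event ID 1 data instead (Security 4688 works the same way once "Include command line in process creation events" is enabled). Function names and the sample host names are chosen here.

```powershell
# Added example, not code from the original page: detection logic for the
# recovery-inhibition commands BOZON runs, with constructed sample records.
$RecoveryInhibitionPatterns = @(
    @{ Technique = 'ClearEventLog';      Regex = '\bwevtutil(\.exe)?\s+cl\b' }                       # T1070.001
    @{ Technique = 'DisableRecoveryEnv'; Regex = '\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b' }   # T1490
    @{ Technique = 'IgnoreBootFailures'; Regex = '\bbcdedit(\.exe)?\b.*\bignoreallfailures\b' }      # T1490
    @{ Technique = 'DeleteShadowCopies'; Regex = '\bvssadmin(\.exe)?\s+delete\s+shadows\b|shadowcopy\s+delete\b' }  # T1490
)

function Find-RecoveryInhibition {
    # Records need Time, Computer, ParentImage and CommandLine properties.
    param([object[]]$Records, [int]$WindowMinutes = 5)
    $hits = foreach ($r in $Records) {
        foreach ($p in $RecoveryInhibitionPatterns) {
            if ($r.CommandLine -match $p.Regex) {       # -match is case-insensitive by default
                [pscustomobject]@{
                    Time = [datetime]$r.Time; Computer = $r.Computer; Technique = $p.Technique
                    ParentImage = $r.ParentImage; CommandLine = $r.CommandLine
                }
            }
        }
    }
    # Any one of these alone can be legitimate admin work. Two or more distinct
    # techniques on the same host inside the window is the ransomware pattern.
    foreach ($g in ($hits | Group-Object Computer)) {
        $sorted     = @($g.Group | Sort-Object Time)
        $techniques = @($sorted.Technique | Select-Object -Unique)
        $spanMin    = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        if ($techniques.Count -ge 2 -and $spanMin -le $WindowMinutes) { $severity = 'High' } else { $severity = 'Low' }
        [pscustomobject]@{
            Computer   = $g.Name
            FirstSeen  = $sorted[0].Time
            Techniques = $techniques -join ','
            Parents    = (@($sorted.ParentImage | Select-Object -Unique)) -join ','
            Severity   = $severity
        }
    }
}

function Get-ProcessCreationEvents {
    # Live feed: Sysmon Event ID 1. Reading the XML by field name avoids
    # depending on the ordinal position of properties, which changes between
    # Sysmon schema versions.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Computer    = $_.MachineName
            ParentImage = ($data | Where-Object Name -eq 'ParentImage').'#text'
            CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
        }
    }
}

# Constructed sample records (not real telemetry) in the shape the function expects.
$Sample = @(
    [pscustomobject]@{ Time = '2024-03-29 02:14:07'; Computer = 'FS01'; ParentImage = 'C:\Users\svc_backup\AppData\Local\Temp\bozon.exe'; CommandLine = 'wevtutil.exe cl system' }
    [pscustomobject]@{ Time = '2024-03-29 02:14:08'; Computer = 'FS01'; ParentImage = 'C:\Users\svc_backup\AppData\Local\Temp\bozon.exe'; CommandLine = 'bcdedit /set recoveryenabled no' }
    [pscustomobject]@{ Time = '2024-03-29 02:14:09'; Computer = 'FS01'; ParentImage = 'C:\Users\svc_backup\AppData\Local\Temp\bozon.exe'; CommandLine = 'vssadmin delete shadows /all /quiet' }
    [pscustomobject]@{ Time = '2024-03-29 09:30:41'; Computer = 'WS07'; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'wevtutil qe Application /c:5 /f:text' }   # benign query, no hit
    [pscustomobject]@{ Time = '2024-03-29 11:02:15'; Computer = 'WS12'; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'bcdedit /set {default} recoveryenabled No' }  # lone admin change, Low
)

Find-RecoveryInhibition -Records $Sample | Format-Table -AutoSize
# Live: Find-RecoveryInhibition -Records (Get-ProcessCreationEvents -Hours 24)
```

On the sample data FS01 comes back High (three techniques within two seconds, parent bozon.exe) and WS12 Low (a single bcdedit change from cmd.exe), while WS07 produces no hit at all. The parent image is reported but not scored, because ransomware frequently launches these commands through cmd /c and the parent then looks exactly like an administrator's shell; the technique count within the window is the more robust signal.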

• Broader impact / notability:
– BOZON has been used to extort record-keeping health clinics in Central Europe and small Latin American municipalities, typically demanding 2–6 BTC (≈ $100k–250k) per incident.
– The campaign overlaps with the "Snatch-Meow" intrusion set (reused TTPs and code in the PowerShell stager), pointing to a ransomware-as-a-service (RaaS) affiliate model.
– Post-incident telemetry shows the attackers attempting to sell exfiltrated POS data on darknet markets, extending the damage beyond the ransom demand itself.


Tool & Patch Quick-Reference
• Microsoft KB4013389: the MS17-010 bulletin article (CVE-2017-0143 through CVE-2017-0148, including the EternalBlue bug CVE-2017-0144); install the package listed there for your OS version.
• Microsoft “Disable SMB1 PowerShell script” (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol)
• EDR rules: Sigma rule bozon_encrypt.yml and YARA rule ransomware_bozon.yar (updated 2024-05-22)
• Recovery utilities: Veeam Agent for Windows, ShadowExplorer, TestDisk/PhotoRec.