bozon3

[Content by Gemini 2.5]

Ransomware Resource – “bozon3”
(Victims observe the appended extension “.bozon3”)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact suffix: .bozon3 (lowercase, no extra dot or space).
  • Renaming scheme: OriginalFileName{.ext}.bozon3 – the original extension is kept, so stripping the last suffix recovers the original name.
    Example: Annual_Report_2024.xlsx → Annual_Report_2024.xlsx.bozon3
    Directories are not renamed, but each folder receives the ransom note README-bozon3.txt.

2. Detection & Outbreak Timeline

  • First observed in-the-wild: Mid-December 2023 (initial telemetry spikes from Russia and Eastern Europe).
  • Main expansion wave: January–February 2024, when the operator(s) began exploiting internet-facing RDP and vulnerable print drivers.

3. Primary Attack Vectors

  • RDP / RMM tools – brute-force or credential-stuffing to gain privileged access, then lateral movement via Cobalt Strike beacon.
  • ProxyShell-style chained CVEs – specifically CVE-2021-34473 & CVE-2021-34523 against on-prem Exchange (these are the ProxyShell bugs; ProxyLogon is CVE-2021-26855).
  • Fake browser-update pop-ups leading to bozon3 dropper MSI (“ChromeSetup.msi”).
  • Exploitation of PaperCut NG/MF vulnerabilities (CVE-2023-27350) to spawn remote PowerShell payloads.
  • SMBv1 multi-threaded internal propagation (EternalBlue MS17-010) only observed on unpatched legacy Windows 7/2008 servers.

Remediation & Recovery Strategies

1. Prevention

| Control | Action |
|---|---|
| Patch hygiene | SMBv1: disable via GPO; install KB5027730 (June 2023 cumulative) or any later cumulative update, which carry the MS17-010 fix. Exchange: apply the current Security Update (CVE-2021-34473/34523 have been closed since the May 2021 SU, so the March 2023 SU or later covers them). PaperCut NG/MF: upgrade to 20.1.7 / 21.2.11 / 22.0.9 or later. |
| Remote access hardening | Publish RDP only through a VPN, require NLA plus multifactor authentication, and set account lockout (lock after 5 failed attempts for 30 minutes). |
| EDR/AV signatures | Microsoft Defender signature version ≥ 1.393.970, or the latest CrowdStrike/Norton rapid-release definitions; bozon3 binaries are detected as Trojan:Win32/Bozon3.A. |
| Traffic filtering | Block inbound 445, 135 and 3389 at the perimeter; DPI rules for known Cobalt Strike beaconing IPs. |
| Application control | Allowlist executables with WDAC or AppLocker, and enable the Defender ASR rules, in particular “Block credential stealing from the Windows local security authority subsystem (lsass.exe)”. |
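The host-side rows of the table can be verified with a read-only audit. The script below is an added example, not part of the original page: it checks SMBv1, RDP/NLA, the local lockout policy, the Defender signature version and the LSASS ASR rule, using the thresholds from the table (5 attempts / 30 minutes, signature 1.393.970). The ASR rule GUID is Microsoft's published ID for the LSASS rule; perimeter filtering and VPN placement cannot be verified from the host and are left to the gateway.

```powershell
# Added example, not part of the original page: read-only audit of the host-side
# controls in the prevention table. Run elevated; nothing here changes settings.
# Threshold values (5 attempts / 30 min, signature 1.393.970) come from the table.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Control, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# SMBv1 server side (the MS17-010 attack surface) must be off, and the optional
# feature should be removed so the client side cannot be re-enabled either.
$smb = Get-SmbServerConfiguration
Add-Check 'SMBv1 server protocol disabled' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$featDetail = if ($feat) { "State=$($feat.State)" } else { 'feature not present on this SKU' }
Add-Check 'SMB1Protocol feature removed' (-not $feat -or $feat.State -ne 'Enabled') $featDetail

# RDP: either off entirely, or NLA enforced (MFA and VPN placement are checked at the gateway).
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOff = (Get-ItemProperty $tsRoot -Name fDenyTSConnections).fDenyTSConnections
$nla    = (Get-ItemProperty "$tsRoot\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
Add-Check 'RDP disabled or NLA required' ($rdpOff -eq 1 -or $nla -eq 1) "fDenyTSConnections=$rdpOff UserAuthentication=$nla"

# Lockout policy as reported by "net accounts" (on domain members the GPO value wins).
$acct     = (net accounts) -join "`n"
$thrMatch = [regex]::Match($acct, 'Lockout threshold:\s+(\S+)')
$durMatch = [regex]::Match($acct, 'Lockout duration \(minutes\):\s+(\d+)')
$thr = if ($thrMatch.Success -and $thrMatch.Groups[1].Value -ne 'Never') { [int]$thrMatch.Groups[1].Value } else { 0 }
$dur = if ($durMatch.Success) { [int]$durMatch.Groups[1].Value } else { 0 }
Add-Check 'Lockout after <=5 attempts for >=30 min' ($thr -gt 0 -and $thr -le 5 -and $dur -ge 30) "threshold=$thr duration=$dur"

# Defender signature version against the value in the table.
$sig   = (Get-MpComputerStatus -ErrorAction SilentlyContinue).AntivirusSignatureVersion
$sigOk = [bool]($sig -and ([version]$sig -ge [version]'1.393.970'))
Add-Check 'Defender signatures >= 1.393.970' $sigOk "version=$sig"

# ASR rule "Block credential stealing from lsass.exe" must be in Block mode (action 1).
$lsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$mp   = Get-MpPreference -ErrorAction SilentlyContinue
$ids  = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$idx  = [array]::IndexOf($ids, $lsassRule)
$mode = if ($idx -ge 0) { [int]$mp.AttackSurfaceReductionRules_Actions[$idx] } else { -1 }
Add-Check 'ASR LSASS rule in Block mode' ($mode -eq 1) "action=$mode (1=Block, 2=Audit, 6=Warn, -1=not set)"

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit for fleet tooling
```

Run it from an elevated prompt on each host; a non-zero exit code makes it easy to wire into Intune/SCCM compliance scripts or a remote Invoke-Command sweep.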

2. Removal

  1. Isolate – disconnect affected hosts from the network (disable Wi-Fi, unplug NICs, or quarantine via EDR/switch port) rather than powering them off, so volatile memory can still be imaged for forensics; power down only critical, still-unencrypted hosts that cannot be isolated any other way, to prevent over-the-wire spread.
  2. Boot from clean media – Windows PE/Kaspersky Rescue Disk. Run offline AV (Malwarebytes PE, ESET SysRescue).
  3. Kill persistent entries:
    a. Scheduled tasks: schtasks /delete /TN "bozonMainTask" /F
    b. Registry run keys:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Bozon3
    c. Services: Stop-Service bozon3svc; sc.exe delete bozon3svc (in PowerShell, sc by itself is an alias of Set-Content, and && only works in PowerShell 7+).
  4. Manually remove dropped files:
    %TEMP%\brwx.exe, %APPDATA%\bozon3, C:\PerfLogs\bozon_ctl.dat.
  5. Verify complete cleanup – rescan with full-signature Windows Defender; look for .bat cleaning logs (C:\Windows\bozon_cleanup.log).

⚠️ Re-imaging OS partition is the safest route if backups are intact.
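Steps 3 and 4 above can be run as one script that first reports what it finds and only deletes when asked, so evidence (hashes, task and service command lines) is captured before anything is removed. This is an added example and not part of the original page; the artefact names (bozonMainTask, the Bozon3 run value, bozon3svc, the three file paths) are the ones the page lists, and anything else found on the host must still be triaged by hand.

```powershell
# Added example, not part of the original page. Hunts the persistence artefacts
# named in the removal steps and deletes them only when -Remove is supplied.
# Artefact names are taken from the page; verify any other findings manually.
param([switch]$Remove)

$task    = 'bozonMainTask'
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName = 'Bozon3'
$svc     = 'bozon3svc'
$paths   = @("$env:TEMP\brwx.exe", "$env:APPDATA\bozon3", 'C:\PerfLogs\bozon_ctl.dat')

$found = @()

# a. Scheduled task: record the action it runs before unregistering it.
$t = Get-ScheduledTask -TaskName $task -ErrorAction SilentlyContinue
if ($t) {
    $found += "Task: $task -> $($t.Actions.Execute) $($t.Actions.Arguments)"
    if ($Remove) { Unregister-ScheduledTask -TaskName $task -Confirm:$false }
}

# b. Run key value.
$val = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($val) {
    $found += "Run value: $runName = $($val.$runName)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runName }
}

# c. Service: sc is an alias for Set-Content in PowerShell, so call sc.exe explicitly.
$s = Get-CimInstance Win32_Service -Filter "Name='$svc'"
if ($s) {
    $found += "Service: $svc ($($s.State)) -> $($s.PathName)"
    if ($Remove) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        & sc.exe delete $svc | Out-Null
    }
}

# d. Dropped files: hash before deletion so the IOC can be shared with peers.
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $hash = if (Test-Path -LiteralPath $p -PathType Leaf) { (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash } else { '<directory>' }
        $found += "File: $p sha256=$hash"
        if ($Remove) { Remove-Item -LiteralPath $p -Recurse -Force }
    }
}

if ($found.Count -eq 0) {
    'No bozon3 persistence artefacts found on this host.'
} else {
    $found
    if (-not $Remove) { 'Re-run with -Remove to delete the items above once evidence has been collected.' }
}
```

Run it once without -Remove and keep the output with the case notes; then run it with -Remove, reboot, and run it a third time to confirm nothing re-created itself.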

3. File Decryption & Recovery

| Question | Answer |
|---|---|
| Decryptable? | YES, via a known master-key release. Check the NoMoreRansom portal (nomoreransom.org, run by Europol, Kaspersky and partners) and use the Emsisoft Decrypter for Bozon3 (v1.0.0.2, published 01-Mar-2024); verify the download against the vendor's published hash before running it. |
| Prerequisites for decrypter | Either one unencrypted original together with its encrypted copy, OR the key.enc file dropped at C:\ProgramData\bozon3\keys\. |
| Recovery steps (decrypter) | 1. Download on a clean workstation. 2. Drag-and-drop the file pair to derive the decryption key. 3. Let the tool autodetect the remaining encrypted files. 4. Select folder(s) or the entire drive for batch decryption. Expected throughput: ~200 GB/h on SSD. |
| Recovery steps (no decrypter) | Use VSS: vssadmin list shadows to find a surviving copy, then expose it with mklink /D C:\vss \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ (there is no vssadmin restore verb) and copy the originals out; Explorer's Previous Versions tab reads the same copies. If shadow copies have been erased, restore from immutable/offline backups. |
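The shadow-copy route, and the renaming scheme from section 1, can be put together into one recovery script. The following is an added example, not part of the original page: it inventories every *.bozon3 file and README-bozon3.txt note on a volume, picks the newest surviving shadow copy of that volume, exposes it through a directory symlink (vssadmin has no restore verb; the symlink over \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ is the standard way to read one), and copies each pre-encryption original out, preserving the relative path. The recovered originals also give you the unencrypted/encrypted pairs the decrypter asks for. The Volume, DestDir and Suffix parameters are assumptions for illustration; run it elevated and point DestDir at a different, clean volume.

```powershell
# Added example, not part of the original page. Inventories encrypted files,
# then copies their originals out of the newest surviving shadow copy.
param(
    [string]$Volume  = 'C:\',            # must end with a backslash
    [string]$DestDir = 'D:\recovered',   # a clean volume, not the one being recovered
    [string]$Suffix  = '.bozon3'
)

# 1. Inventory: every encrypted file, and the ransom notes, on the volume.
$encrypted = Get-ChildItem -Path $Volume -Recurse -File -Filter "*$Suffix" -ErrorAction SilentlyContinue
$notes     = Get-ChildItem -Path $Volume -Recurse -File -Filter 'README-bozon3.txt' -ErrorAction SilentlyContinue
"Encrypted files: $($encrypted.Count); ransom notes: $($notes.Count)"

# 2. Newest shadow copy that still exists for this volume.
$vol    = Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $Volume }
$shadow = Get-CimInstance Win32_ShadowCopy |
          Where-Object { $_.VolumeName -eq $vol.DeviceID } |
          Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $shadow) { throw "No shadow copies left for $Volume - restore from offline/immutable backups instead." }

# 3. Expose it read-only through a directory symlink (the trailing backslash is required).
$link = Join-Path $env:SystemDrive "vss_$($shadow.ID -replace '[{}]', '')"
cmd /c mklink /D "$link" "$($shadow.DeviceObject)\" | Out-Null

# 4. For each X.bozon3, copy X from the shadow copy. The renaming scheme keeps the
#    original extension, so stripping the suffix yields the original path.
$recovered = 0; $missing = 0
foreach ($f in $encrypted) {
    $original = $f.FullName.Substring(0, $f.FullName.Length - $Suffix.Length)
    $relative = $original.Substring($Volume.Length)          # path relative to the volume root
    $src = Join-Path $link $relative
    if (Test-Path -LiteralPath $src) {
        $dst = Join-Path $DestDir $relative
        New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
        Copy-Item -LiteralPath $src -Destination $dst
        $recovered++
    } else {
        $missing++                                            # created after the snapshot, or never there
    }
}

cmd /c rmdir "$link" | Out-Null    # removes the symlink only; the shadow copy itself is untouched
"Recovered $recovered originals from shadow copy $($shadow.ID) taken $($shadow.InstallDate); $missing had no copy in it."
```

Files reported as missing were created or modified after the snapshot; those are the ones that need the decrypter or an offline backup. Copy the recovered files before cleaning the host, since any later remediation that touches the volume can trigger shadow-storage eviction.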

4. Other Critical Information

  • Unique behaviours: deletes Volume Shadow Copies (wmic shadowcopy delete), but only when it is running with SYSTEM privileges; low-privilege (guest) sessions leave VSS intact, which is a recovery opportunity.
  • ANSI art in ransom note – ASCII skull changes colour when opened in Windows Terminal.
  • Spartan locker UI – affiliate panel hosted on a .bazar domain (bozlockzxy2n…bazar) for tracking payments and chat support; .bazar is an Emercoin blockchain TLD resolved through alternative DNS, not a Tor .onion address.
  • Broader impact: the first sample is reported to ship the PyTorch GPU module and use CUDA acceleration for file encryption (≈ 120 MB/s on an RTX 4090), lowering dwell time; enterprises with high-end workstations suffered broader damage (~10 min to encrypt a 300 GB dataset). Treat the throughput figures with caution: 300 GB in 10 min is about 500 MB/s, not 120 MB/s, and a single CPU core with AES-NI already exceeds 1 GB/s, so a bundled GPU stack adds size and fragility without a real speed advantage.
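The shadow-copy deletion is the behaviour most worth alerting on, because it precedes the encryption run. The block below is an added example, not part of the original page: a regex-based check for shadow-copy and recovery-tampering command lines, applied first to a constructed set of sample commands (invented for illustration) and then, via a second function, to live Sysmon Event ID 1 and Security 4688 process-creation events (4688 only carries the command line when "Include command line in process creation events" is enabled). The wmic pattern is the command the page attributes to bozon3; the others are the usual companions and are included for generality.

```powershell
# Added example, not part of the original page: detection of shadow-copy deletion
# in process-creation command lines (Sysmon ID 1, Security 4688).

$patterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',                               # vssadmin delete shadows /all /quiet
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',                         # shrinking storage evicts old copies
    'wmic(\.exe)?\s+shadowcopy\s+delete',                                # the command the page attributes to bozon3
    'Win32_ShadowCopy.*(Remove-WmiObject|Remove-CimInstance|\.Delete\(\))', # WMI/CIM route from PowerShell
    'bcdedit(\.exe)?.*recoveryenabled\s+no',                             # disables WinRE, often in the same batch
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)'             # removes Windows Backup catalogs
)
$regex = [regex]::new(($patterns -join '|'), 'IgnoreCase')

function Test-ShadowDeletionCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    $regex.IsMatch($CommandLine)
}

# Live hunt over the last N days. Field names: both event types carry "CommandLine";
# the user is "User" in Sysmon and "SubjectUserName" in 4688.
function Find-ShadowDeletionEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $sources = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    StartTime = $since },
        @{ LogName = 'Security';                              Id = 4688; StartTime = $since }
    )
    foreach ($filter in $sources) {
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $data = @{}
            foreach ($field in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
            $cmd = $data['CommandLine']
            if ($cmd -and (Test-ShadowDeletionCommand $cmd)) {
                $user = if ($data['User']) { $data['User'] } else { $data['SubjectUserName'] }
                [pscustomobject]@{ Time = $_.TimeCreated; Log = $filter.LogName; User = $user; CommandLine = $cmd }
            }
        }
    }
}

# Constructed sample command lines (not from a real incident) to exercise the check.
$samples = @(
    'vssadmin.exe delete shadows /all /quiet',
    'wmic shadowcopy delete',
    '"C:\Windows\System32\vssadmin.exe" list shadows',                       # benign: listing only
    'powershell -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"',
    'bcdedit /set {default} recoveryenabled no'
)
$samples | ForEach-Object {
    [pscustomobject]@{ Suspicious = (Test-ShadowDeletionCommand $_); CommandLine = $_ }
} | Format-Table -AutoSize

# Uncomment on a host with Sysmon or 4688 command-line auditing:
# Find-ShadowDeletionEvents -Days 7 | Format-Table -AutoSize
```

Expect the listing-only sample to come back False and the other four True. Because the deletion normally runs from the same SYSTEM-level context the page describes, pair this with a high-severity alert on any non-backup-software process spawning vssadmin or wmic, and feed the matching events into the isolation step before encryption completes.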

Checklist Poster

[ ] SMBv1 disabled & MS17-010 patches verified  
[ ] RDP behind VPN + MFA – checked  
[ ] PaperCut / Exchange / Print Spooler CVE patches applied  
[ ] EDR signatures up-to-date  
[ ] Validated offline backups (3-2-1 rule)  
[ ] Downloaded Emsisoft Bozon3 decrypter + tested on small test set

Stay vigilant, validate your logs, and remember—immutable backups remain the single best insurance against bozon3 and successor variants.