bozq

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: bozq
    The ransomware appends “.bozq” as an extension—e.g.,
    Document.docx → Document.docx.bozq.

  • Renaming Convention:
    No wildcard renaming. Each file receives the literal suffix .bozq immediately after the original extension.
    Original filename stays intact—useful for recovery because the unencrypted filename remains readable in shadow copies or backups.

2. Detection & Outbreak Timeline

  • First telemetry sightings: Mid-June 2023; escalating large-scale campaigns peaked in North America & Europe July-August 2023.
  • Updated strains circulate via Djvu/STOP “affiliate pack” (RIG/GrandSoft exploit kits) as of Q1-2024.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Malicious e-mail attachments – Lures disguised as pending-invoice PDFs or scanned fax archives dropping NSIS/Nullsoft installer “setup.exe”.
  2. Cracked-software & game cheat downloads from ad-driven torrent indexes & Discord links.
  3. Exploit kits (GrandSoft, Fallout) silently executing the payload when victims visit compromised legitimate sites (often hijacked WordPress).
  4. Legacy RDP – brute-forced or purchased access, followed by PSExec lateral movement.
  5. Ransomware-as-a-service (RaaS) – affiliates get pre-built “bozq” encryptor; optional Mimikatz & Cobalt Strike Beacon deployment after infiltration.

Remediation & Recovery Strategies:

1. Prevention

  • Disable SMBv1 (command: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol).
  • Patch CVE-2017-0144 (EternalBlue) & CVE-2017-0199 (Office RTF).
  • Enforce strong RDP policies: MFA, firewall allow-listing (TCP-3389 closed by default), automatic lockout after 5 failed logins.
  • Block email macro execution via GPO; whitelist macro signing certificates.
  • Enable Controlled Folder Access (Windows Defender ATP) or equivalent EDR “ransomware protection” module.
  • Mandatory 3-2-1 backup rule: 3 copies, 2 different media, 1 stored offline & disconnected.

2. Removal

  1. Isolate the host—disable NICs or power off to halt encryption.
  2. Boot from a clean USB → run full AV scan with Emsisoft Emergency Kit, Malwarebytes, or Sophos HitmanPro.
  3. Remove residual persistence artifacts:
    • Registry Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run (syshelper, helper.exe entries).
    • Scheduled tasks (schtasks /query /fo LIST) named “Time Trigger Task” or similar.
  4. Check %APPDATA%\{RandomChars}\ and %LOCALAPPDATA%\{RandomChars}\ directories to delete the main executable (“x1.exe”, “xs1.exe”, etc.).
  5. After scrubbing, run SFC /scannow to repair Windows binaries.

3. File Decryption & Recovery

  • Recovery feasibility: bozq is a Djvu/STOP variant using online RSA keys.
    • Online key – NOT decryptable via free tool unless that exact key is seized by law enforcement.
    • Local/offline key (rare) – Emsisoft’s STOP Djvu Decryptor will brute-force if C:\SystemID\PersonalID.txt ends in “t1”.
  • If no offline key:
    • Restore from clean offline backup.
    • Leverage Windows Shadow Copies (vssadmin list shadows) or file-recovery utilities (Recuva, PhotoRec) on encrypted drives—many Djvu variants leave some original data blocks unerased.
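
An added triage helper (not part of the original writeup) that applies the points above: it recovers original filenames from the literal .bozq suffix, locates _readme.txt notes, and reads PersonalID.txt to separate the offline-key “t1” case from online-key victims. The directory tree it builds is constructed demo data, not a real infection.

```python
# Added triage helper (not from the page) for a suspected ".bozq" STOP/Djvu
# infection: inventories encrypted files (recovering the original name by
# stripping the literal .bozq suffix), locates _readme.txt notes, and reads
# PersonalID.txt to tell offline-key ("t1") victims from online-key ones.
import tempfile
from pathlib import Path

EXT = ".bozq"
NOTE = "_readme.txt"

def original_name(name):
    """Return the pre-encryption filename, or None if not a .bozq file."""
    if name.endswith(EXT) and len(name) > len(EXT):
        return name[:-len(EXT)]
    return None

def classify_id(personal_id):
    """Djvu marks offline-key victims with a PersonalID ending in 't1'."""
    return "offline" if personal_id.strip().endswith("t1") else "online"

def triage(root):
    """Walk root; map each encrypted path to its original path, list notes."""
    root = Path(root)
    encrypted, notes = {}, []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        orig = original_name(path.name)
        if orig:
            encrypted[str(path)] = str(path.with_name(orig))
        elif path.name == NOTE:
            notes.append(str(path))
    key_file = root / "SystemID" / "PersonalID.txt"
    key_type = classify_id(key_file.read_text()) if key_file.exists() else "unknown"
    return {"encrypted": encrypted, "notes": notes, "key_type": key_type}

def build_demo_tree():
    """Constructed sample layout imitating an infected volume (demo data only)."""
    root = Path(tempfile.mkdtemp())
    docs = root / "Users" / "bob" / "Documents"
    docs.mkdir(parents=True)
    (docs / "Budget.xlsx.bozq").write_bytes(b"\x00" * 16)
    (docs / NOTE).write_text("constructed ransom-note placeholder")
    (root / "Users" / "bob" / "notes.txt").write_text("untouched")
    (root / "SystemID").mkdir()
    (root / "SystemID" / "PersonalID.txt").write_text("0123456789ABCDEFGHIJt1\n")
    return root

if __name__ == "__main__":
    print(triage(build_demo_tree()))
```

Run it against the root of a mounted, write-blocked image of the affected volume rather than the live host; the resulting map of encrypted-to-original paths doubles as a restore checklist against offline backups.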

4. Other Critical Information

  • Unique characteristics:
    • Drops _readme.txt ransom note containing new email pair (e.g., [email protected], [email protected]).
    • Deletes local backups via vssadmin delete shadows /all /quiet & disables Windows Recovery Environment (bcdedit /set {current} recoveryenabled no).
    • Reuses older Djvu codebase but updated packers (VMProtect, Themida) evading static signatures through dynamic API hashing.

  • Broader impact:
    • Primarily targets home users & SMBs; downtime grows with the time since the last offline backup was taken.
    • Frequently “double-barreled” – delivers password-stealers (RedLine, Vidar) in parallel, leading to follow-on BEC & data-extortion threats.
    • Efficacy of file decryptor drops as newer revisions moved to fully-online-key distribution (RSA-2048), reinforcing that prevention and immutable backups remain the sole reliable defense.


Keep your backups disconnected, patch aggressively, and treat every .bozq email with deep suspicion.