brt92

[Content by Gemini 2.5]


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: All encrypted files receive the appended extension .brt92 – e.g., Report.xlsx.brt92, Invoice.pdf.brt92.
  • Renaming Convention:
    – Original filename + “.brt92”; the file is NOT moved to a sub-folder and remains in its original location.
    – The ransom note Readme_BRT92.txt is written to each directory at the same time.
    – NTFS streams and ADS are left intact; no additional suffix or UUID is prepended.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First telemetry hits are tracked to early April 2023 (clusters registered 03 – 07 Apr). A surge in submissions appeared in the second week of April, coinciding with the mass exploitation covered by the Fortinet FG-IR-22-398 advisory.

3. Primary Attack Vectors

  • Primary Entry Point:
    – Mass exploitation of CVE-2022-42475 (Fortinet SSL-VPN unauthenticated RCE), patched in January 2023 but still present on appliances running outdated firmware.
  • Secondary Spread Mechanisms:
  1. Lateral movement via WMI and PsExec after the initial breach.
  2. SMBv1 broadcasting, using a tweaked Samba crypter to enumerate shares.
  3. Dropper e-mails targeting Office 365 tenants: ZIP → malicious MSI, packaged with device-code phishing.
  4. Terminal-services abuse (RDP brute-forcing over TCP 3389 / RDP Wrapper), particularly targeting default admin accounts.

Remediation & Recovery Strategies

1. Prevention

  • VPN & Gateway Hygiene
    – Immediately patch FortiOS to 6.0.16 or later (6.x) / 7.0.10 or later (7.x) (FG-IR-22-398, FG-IR-23-097).
    – Disable external SSL-VPN access if not essential; enforce MFA on all remote-access gateways.
  • Internal Hardening
    – Block SMBv1 via GPO or PowerShell (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
    – Disable or restrict WMI lateral movement (deny remote-client access in DCOMCNFG).
    – Enforce the most restrictive Office macro policy; disable MSI autoplay for users whose devices are not enterprise-managed.
  • Endpoint Controls
    – Deploy EDR/NGAV capable of detecting the .brt92 file-creation pattern and providing Ransomware Volume Shadow protection (ESENT / VSS kill syntax).
    – Ensure offline, cloud-backed, or immutable backups (Veeam SOBR with capacity tier + S3 Object Lock, Azure Blob retention policy).
    – Run weekly restore-test drills to verify that restore time stays under 12 hours.
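The file-creation pattern from section 1 (many files gaining .brt92 plus a Readme_BRT92.txt per directory) is what the EDR item above asks for; the following heuristic is an added example, not code from the original page, and runs over constructed file-creation events. The event format, process names, the 5-file threshold and the 60-second window are assumptions for illustration, not published indicators.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EXT = ".brt92"                   # appended extension (from the page)
NOTE = "readme_brt92.txt"        # per-directory ransom note (from the page), lower-cased
MIN_FILES = 5                    # assumed alert threshold, not a published indicator
WINDOW = timedelta(seconds=60)   # assumed sliding window

def parse_event(line):
    """Parse a constructed 'ISO-timestamp|host|process|path' event line."""
    ts, host, proc, path = line.strip().split("|", 3)
    return datetime.fromisoformat(ts), host, proc, path.lower()

def detect(lines, min_files=MIN_FILES, window=WINDOW):
    """One alert per (host, process) creating >= min_files .brt92 files within `window`."""
    by_proc = defaultdict(list)
    for line in lines:
        ts, host, proc, path = parse_event(line)
        by_proc[(host, proc)].append((ts, path))
    alerts = []
    for (host, proc), events in by_proc.items():
        events.sort()
        enc = [ts for ts, p in events if p.endswith(EXT)]
        notes = {p.rsplit("\\", 1)[0] for _, p in events if p.rsplit("\\", 1)[-1] == NOTE}
        burst, lo = 0, 0                     # largest burst of .brt92 creates inside the window
        for hi in range(len(enc)):
            while enc[hi] - enc[lo] > window:
                lo += 1
            burst = max(burst, hi - lo + 1)
        if burst >= min_files:
            alerts.append({"host": host, "process": proc, "burst": burst, "note_dirs": sorted(notes)})
    return alerts

# Constructed sample telemetry: one locker-like burst with notes in two directories,
# one single user rename, and one slow writer whose five files never share a 60 s window.
SAMPLE_EVENTS = [
    r"2023-04-05T09:00:01|HOST1|locker_sample.exe|C:\Users\a\Docs\Report.xlsx.brt92",
    r"2023-04-05T09:00:02|HOST1|locker_sample.exe|C:\Users\a\Docs\Invoice.pdf.brt92",
    r"2023-04-05T09:00:02|HOST1|locker_sample.exe|C:\Users\a\Docs\Readme_BRT92.txt",
    r"2023-04-05T09:00:05|HOST1|locker_sample.exe|C:\Users\a\Docs\Budget.docx.brt92",
    r"2023-04-05T09:00:07|HOST1|locker_sample.exe|C:\Share\Q1\plan.pptx.brt92",
    r"2023-04-05T09:00:08|HOST1|locker_sample.exe|C:\Share\Q1\notes.txt.brt92",
    r"2023-04-05T09:00:08|HOST1|locker_sample.exe|C:\Share\Q1\Readme_BRT92.txt",
    r"2023-04-05T09:02:00|HOST2|explorer.exe|C:\Users\b\old.bak.brt92",
    r"2023-04-05T09:00:00|HOST3|slowproc.exe|C:\Data\one.txt.brt92",
    r"2023-04-05T09:03:00|HOST3|slowproc.exe|C:\Data\two.txt.brt92",
    r"2023-04-05T09:06:00|HOST3|slowproc.exe|C:\Data\three.txt.brt92",
    r"2023-04-05T09:09:00|HOST3|slowproc.exe|C:\Data\four.txt.brt92",
    r"2023-04-05T09:12:00|HOST3|slowproc.exe|C:\Data\five.txt.brt92",
]
```

With the defaults only HOST1 alerts; widening the window to 15 minutes also catches the slow writer on HOST3, which shows why the window is the tuning knob for this rule.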

2. Removal (Step-by-Step)

  1. Physically isolate affected machines from the network – unplug cables / disable Wi-Fi via hardware switch; stop VPN paths.
  2. Check for persistence:
    – Scheduled Tasks: schtasks /query /fo list /v | findstr /i brt92
    – Registry Run keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\…\Run for values like brtp.exe, SVHOSTUPDBRT.exe.
    – WMI Event Consumers named UpdateCheck created under root\subscription.
  3. Kill malicious processes:
    – taskkill /f /im brt92.exe /im brtupdater.exe /im .brtinfo.exe (service metastage).
    – Remove malicious services: sc stop BrtUpdService & sc delete BrtUpdService.
  4. Delete dropper artifacts: %Temp%\brt92\xx93.exe, %APPDATA%\LocalLow\brtconfig.json, %ProgramData%\bassist.dll.
  5. Run a full AV scan with signatures from the April 2023 indicator set or later (BRT92.A, BRT92.E).
  6. Patch the CVE and reboot into the updated OS layer to avoid re-infection through the same vector.

3. File Decryption & Recovery

  • Decryption Status: At the time of writing, NO publicly working decryptor exists for .brt92. Encryption uses ChaCha20 with an RSA-4096 offline public key; private keys remain locked.
  • Work-arounds:
    – Restoring from backups is the only dependable method.
    – Check for Volume Shadow Copies (vssadmin list shadows): the attacker script misses disks that were not mounted at the time of attack.
    – File-recovery utilities (PhotoRec, R-Studio) may retrieve deleted originals, depending on whether the locker overwrote files in place.
  • Essential Tools/Patches:
    – FortiOS Security Bulletin FG-IR-22-398 patch files and signature pkg v7.0.12.
    – Kaspersky Bootable Rescue Disc (latest definitions) or Bitdefender Rescue CD for offline scan.
    – Microsoft Hotfix KB5004442 – removes the Print Spooler MS-RPRN vector leveraged by internal droppers.

4. Other Critical Information

  • Unique Observations:
    – .brt92 clears Event Log IDs 7034/7035 to remove service-stop/start evidence before the encryption phase starts.
    – Searches for QNAP and Synology NAS shares; deliberately skips .db files under MSSQL/PostgreSQL, possibly to remain covert in DB-heavy environments.
    – C2 communications go via the Telegram bot API (https://api.telegram.org/bot<*-token*>), making traditional DNS monitoring less effective.
  • Broader Impact / Notable Cases:
    – Healthcare provider in Western Europe lost ~650 virtual machines, an estimated 18 TB, after an initial breach through an unpatched FortiGate (running v6.4.9).
    – Community utilities authority in South America taken offline for four days after SCADA nodes were staged as RaaS-affiliate collateral; this highlighted the urgent need for dual-homed OT segmentation.

THERE IS NO PAID DECRYPTOR – IF YOU ENCOUNTER .brt92, POWER OFF IMMEDIATELY AND PROCEED WITH BACKUP RESTORE.

Please share feedback and updated IOC hashes across security lists to disrupt affiliate operations.