[Content by Gemini 2.5]

Smaug Ransomware (.BUDAK) Threat Advisory

Comprehensive Guide for Defenders & Victims


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .budak is appended to every encrypted file (lower-case, never uppercase).
  • Pattern:
    <original_name>.id-<8-char_hex_user_id>.[<attacker_email1>.<attacker_email2>].budak
    Example → spreadsheet.xlsx.id-A7B3E8D1.[[email protected]@tutanota.com].budak
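An added example, not from the advisory: a small Python triage helper that recognises the renaming pattern above, extracts the 8-character victim ID, and summarises a directory listing or a mounted share. The filenames and e-mail addresses in it are constructed placeholders.

```python
import os
import re
from collections import Counter
from typing import Optional

# Renaming pattern from the advisory:
#   <original_name>.id-<8-char hex user id>.[<email1>.<email2>].budak
# Lower-case extension only (the advisory says it is never upper-cased); the
# e-mails contain dots themselves, so the whole bracketed field is one group.
BUDAK_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<uid>[0-9A-Fa-f]{8})"
    r"\.\[(?P<emails>[^\]]+)\]\.budak$"
)
RANSOM_NOTE = "!README_BUDAK!.txt"


def parse_budak_name(name: str) -> Optional[dict]:
    """Return the parts of a Smaug-renamed file, or None if the name does not match."""
    m = BUDAK_RE.match(name)
    if not m:
        return None
    return {"original": m.group("original"),
            "uid": m.group("uid").upper(),
            "emails": m.group("emails")}


def triage_listing(names) -> dict:
    """Summarise filenames: encrypted files, victim IDs and ransom notes seen."""
    encrypted, uids, notes = [], Counter(), 0
    for n in names:
        if n == RANSOM_NOTE:
            notes += 1
            continue
        parsed = parse_budak_name(n)
        if parsed:
            encrypted.append(parsed)
            uids[parsed["uid"]] += 1
    return {"encrypted": encrypted, "victim_ids": dict(uids), "ransom_notes": notes}


def triage_tree(root: str) -> dict:
    """Walk a directory tree (e.g. a mounted share) and triage every filename in it."""
    return triage_listing(f for _, _, files in os.walk(root) for f in files)


# Constructed sample listing (placeholder e-mail addresses, not real indicators).
SAMPLE_LISTING = [
    "spreadsheet.xlsx.id-A7B3E8D1.[help@example.invalid.help2@example.invalid].budak",
    "photo.jpg.id-a7b3e8d1.[help@example.invalid.help2@example.invalid].budak",
    "archive.zip.id-0BADCAFE.[help@example.invalid.help2@example.invalid].budak",
    "report.docx",
    "!README_BUDAK!.txt",
    "notes.txt.id-A7B3E8D1.[help@example.invalid].BUDAK",  # upper-case: not matched
]
```

Two distinct victim IDs in one share usually means two infected hosts wrote to it, which is worth knowing before you start restoring.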

2. Detection & Outbreak Timeline

  • First public sighting: 07 March 2024 (submitted to ID-Ransomware by an IT-admin in Turkey).
  • Widespread campaigns noticed: Mid-April 2024 — coincided with mal-spam exploiting the Microsoft SmartScreen bypass (CVE-2024-21412).
  • Latest observed samples: Through 28 May 2024 (continuous minor binary changes to evade static AV signatures).

3. Primary Attack Vectors

  • Phishing Email with Malicious MSIX / ISO Lures
    – Mails themed “Pending invoice” / “Tax refund documents” delivering ISO files (2-4 MB) → DOCUMENT.iso → setup.exe (NSIS installer that calls PowerShell to fetch the next-stage .NET loader from a Discord CDN URL).

  • Compromised Public-Facing Servers
    – Wholesale use of CVE-2023-42793 (typically found in retail/ERP web portals) to drop wmiget.exe (remote access tool) followed by Smaug dropper.

  • RDP Brute-force & Credential Stuffing
    – Botnets sourced from 2022 credential dumps (RockYou2021 tables). Once an administrative RDP session is breached, PsExec.exe is used to push Smaug to all reachable hosts.

  • Malvertising & Search-engine poisoning
    – Google/Bing ads for cracked versions of software (AutoCAD, Adobe Illustrator) linking to sites serving WinRing0.sys-signed kernel driver + Smaug installer.


Remediation & Recovery Strategies

1. Prevention (Today, before any infection)

  1. Patch urgently:
    – Microsoft SmartScreen bypass → KB5034441 (Windows) or latest Edge/Chromium.
    – Web apps → confirm fix for CVE-2023-42793.
    – SMB stack → disable SMBv1; require SMB encryption + modern dialect (3.1.1).

  2. E-mail & Browser hardening:
    – Block ISO, IMG, VHD email attachments at the gateway.
    – Restrict Office macros to signed macros originating from trusted locations.
    – Enable Microsoft Defender ASR rule “Block executable content from email client and webmail”.

  3. Remote-access posture:
    – Require MFA on every RDP endpoint (Azure AD + NPS extension or Duo/RSA).
    – Restrict RDP to VPN interface only; enforce lockout after 3 failed attempts; rename built-in Administrator account.

  4. Backups & Network segmentation:
    – 3-2-1 backups (3 copies, 2 media, 1 off-site/off-network). Perform daily incremental / weekly full – test restores quarterly.
    – Segment file servers via VLANs; block ransomware lateral movement using Windows Firewall or NGFW rules that deny workstation-to-workstation SMB.

2. Removal (after infection is confirmed)

  1. Isolate:
    – Disconnect affected machine(s) from network (both Ethernet & Wi-Fi).
    – Disable any mapped shares or backups visible to the infected host.

  2. Forensic preservation:
    – Image disks with FTK Imager → store the hash.
    – Capture volatile memory (Belkasoft RAM Capturer) if the machine is still on.

  3. Triage & wipe:
    – Boot from trusted offline Windows PE and run:
        – Microsoft Safety Scanner (MSERT.exe) with /f:y /q
        – ESET Online Scanner in “/clean-mode”
        – HitmanPro (offline definitions)

    – After AV logs show 0 threats (cross-reference multiple engines), format primary disk and re-image with fresh OS build; do NOT reuse existing system partitions.

  4. Network-wide hunt:
    – Search SIEM / EDR for:
        – version.dll loaded by smartscreen.exe (DLL side-loading)
        – Outbound DNS TXT queries to domains ending in .top or .ink (DGA)
        – Recovery-note filename !README_BUDAK!.txt on shares
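An added example, not part of the advisory, that applies the three hunt indicators above to constructed SIEM/EDR events in an assumed simplified schema (host, type, process, image, qtype, query, path). It narrows the first indicator to version.dll loads from outside System32, which is the side-loading case, to cut false positives from the legitimate DLL.

```python
import re

RANSOM_NOTE = "!README_BUDAK!.txt"
DGA_TLDS = (".top", ".ink")
# A version.dll that the real smartscreen.exe resolves from System32 is normal;
# a copy loaded from anywhere else is the side-loading case (assumption: the
# EDR records the full DLL path in the image_load event).
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def hunt(event: dict):
    """Return a finding for one normalised SIEM/EDR event, or None if it is clean."""
    kind = event.get("type")
    if kind == "image_load":
        proc = event.get("process", "").lower()
        dll = event.get("image", "")
        if (proc.endswith("\\smartscreen.exe") and dll.lower().endswith("\\version.dll")
                and not SYSTEM32.match(dll)):
            return f"version.dll side-loaded by smartscreen.exe from {dll}"
    elif kind == "dns":
        query = event.get("query", "").lower().rstrip(".")
        if event.get("qtype") == "TXT" and query.endswith(DGA_TLDS):
            return f"outbound DNS TXT query to DGA-style domain {query}"
    elif kind == "file_create":
        if event.get("path", "").replace("/", "\\").rsplit("\\", 1)[-1] == RANSOM_NOTE:
            return f"ransom note written to {event['path']}"
    return None


def run_hunt(events) -> list:
    """Return (host, finding) pairs for every event that matches an indicator."""
    findings = []
    for e in events:
        f = hunt(e)
        if f:
            findings.append((e["host"], f))
    return findings


# Constructed sample events in a simplified normalised schema (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "image_load", "process": r"C:\Users\bob\AppData\Local\Temp\smartscreen.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\version.dll"},
    {"host": "WS02", "type": "image_load", "process": r"C:\Windows\System32\smartscreen.exe",
     "image": r"C:\Windows\System32\version.dll"},
    {"host": "WS01", "type": "dns", "qtype": "TXT", "query": "k3jd8s.top."},
    {"host": "WS03", "type": "dns", "qtype": "A", "query": "update.example.com"},
    {"host": "FS01", "type": "file_create", "path": r"\\FileServer01\Share\!README_BUDAK!.txt"},
    {"host": "WS03", "type": "file_create", "path": r"C:\Users\amy\readme.txt"},
]
```

Hosts that appear in more than one finding (WS01 here) are the first candidates for isolation and imaging under the Removal steps above.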

3. File Decryption & Recovery

  • Decryption Feasibility: No – each file is encrypted with a Salsa20 symmetric key, which is in turn wrapped with an RSA-2048 public key; the matching private key is stored only on the attacker's server.
  • Known decrypter: None at time of writing (31 May 2024).
  • Best recovery path: Restore from offline, immutable backups (e.g., Veeam Repository with “Backup Jobs Can’t Be Deleted” flag, or AWS S3 bucket versioning + Object Lock).
  • Free alternatives to try:
    – ShadowExplorer / Windows’ “Previous Versions” (only works if VSS snapshots weren’t wiped).
    – Windows File History, OneDrive/SharePoint recursion; Google Drive “manage versions”.
    – Hunt for unencrypted left-overs (.tmp, .bak, .old) – rare but occasionally complete.

4. Other Critical Information

  • Kill-switch / Vaccine: None discovered.
  • Ransom note: !README_BUDAK!.txt dropped on Desktop & each drive root. It provides two e-mail addresses ([email protected], [email protected]) and a unique Tor chat link for victims.
  • Encryption order:
    – Network shares alphabetically first (\\FileServer01, \\FileServer02, …).
    – Skips %windir%\*, %programfiles%, and executables < 7 MB (maximizing fast damage).
  • Data exfiltration before encryption: “SmaugEx” component (darknet leak-site smaug3xr2j7nimfd.onion) – the operators threaten to leak 30% of the stolen data if the ransom is not paid within 72 h.
  • Notable targets: Healthcare clinics in Central Europe (leak site shows 3 victims), an Asian logistics company (230 GB exfiltrated).

Conclusive Actions

  1. Patch & protect now before the Monday morning mal-spam wave.
  2. Print & store this guide OFFLINE – attackers often delete recovery knowledge bases from infected systems.
  3. Report incidents to national CERTs (e.g., US-CERT, EU ENISA) even if you plan to recover from backup; it helps correlate trends and deliver decryption keys should they surface later.

Stay resilient, patch fast, back up daily, and never pay – #SmaugPaysNone.