Search Results
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .bush (e.g., Document.docx.bush) Renaming Convention: – Appends a static .bush extension after the original file name and its original extension. – Moves the file to a new, randomly-named folder inside the original directory so path\to\file.ext becomes path\to\\file.ext.bush. – Drops a marker file named…
Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .busavelock53 Renaming Convention: Files are renamed in the format <original_name>.<encrypted>[-<random_8_hex>].busavelock53. Example: QuarterlyReport.docx becomes QuarterlyReport.docx.encrypted-fc9a1b2e.busavelock53 The optional “-fc9a1b2e” suffix is appended only when the encryption routine detects name collisions (i.e., more than one file shares the same original filename in the same directory), making…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The ransomware appends .busavelock* (* is a wildcard that usually resolves to a random hex digit or 6–11 character hash, e.g. .busavelock2, .busavelock5). Renaming Convention: Original filename → <original_name>.busavelock<id> Example: invoice_2024-03.pdf becomes invoice_2024-03.pdf.busavelock3 2. Detection & Outbreak Timeline Approximate Start Date/Period: First seen…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The ransomware appends the exact extension .burn to every encrypted file. Renaming Convention: Original name → <original_filename>.<original_extension>.burn Example: Report_2023.xlsx becomes Report_2023.xlsx.burn 2. Detection & Outbreak Timeline Approximate Start Date/Period: The first wide-scale infections tagged as “.burn ransomware” were observed late-December 2022. The spike…
Ransomware Deep-Dive – File Extension .bunny Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: bunny (exact string, no leading dot). Renaming Convention: Victim files are renamed in the form: [original_stem] ID-[8-hex-char VICTIM-ID].bunny Examples: • Budget Q3.xlsx → Budget Q3 ID-3FA9C71B.bunny • CustomerDB.sql → CustomerDB ID-3FA9C71B.bunny 2. Detection & Outbreak Timeline First…
BumCoder Ransomware Deep-Dive Last updated: 2024-06-XX Technical Breakdown: 1. File Extension & Renaming Patterns | Attribute | Detail | |———–|——–| | Confirmation of File Extension | Encrypted files are re-suffixed with .bumcoder (case-insensitive on Windows, case-sensitive on Linux builds). | | Renaming Convention | [original-name][10-byte_hex_hash].bumcoder Example: Invoice_2024.xlsx → Invoice_2024.f3a1c6e2b4.bumcoder | 2. Detection & Outbreak Timeline |…
Ransomware Profile – .bulwark7 Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .bulwark7 (e.g., report.xlsx.bulwark7, backup.zip.bulwark7). Renaming Convention: After encryption the Trojan keeps the original name and simply appends the literal string .bulwark7. No additional fields (random IDs, attacker e-mail, etc.) are inserted. NTFS alternate data streams are not modified; only…
Below is a single-source guide you can keep on-hand when “bulock*” (the typographical wildcard matches the actual on-disk extension “.bulock”) strikes. Everything is presented from a defender’s point of view and reflects the latest open-source intelligence and law-enforcement data up to 2024-06. Technical Breakdown 1. File Extension & Renaming Patterns • Confirmation of File Extension:…
Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: Every file encrypted by the ransomware adds the literal suffix .bulanyk (lowercase). Renaming Convention: Original → Annual-Report.xlsx._bulanyk_[24-hex-ID]_<PASSWORD>_<DATE>@protonmail.com.bulanyk 24-hex-ID = victim-specific identifier written under C:\ProgramData\.bulanyk PASSWORD = tiny, 4–8-character string attackers later demand as “proof-of-purchase” E-mail = contact address embedded in the filename itself,…
Technical Breakdown – “Bukyak” Ransomware (File-Extension-Based Family) 1. File-Extension & Renaming Patterns Confirmation of File Extension: .bukyak Renaming Convention: Bukyak performs a single-pass file renaming after encryption: original_name[32-char_lowercase_HEX_ID].bukyak The inserted 32-character hex string is the lower-case victim-ID that the malware embeds in the ransom note and POSTs to its C2 server. Example: Monthly_Report.xlsx → Monthly_Report.xlsx[1a9f571e02a4bcd4e003cd21876543f2].bukyak…