b00m

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: b00m
    Every file that is successfully encrypted by this ransomware is appended with the literal suffix .b00m, e.g., Report_2024.docx → Report_2024.docx.b00m.
  • Renaming Convention:
    • Before appending the extension, the malware commonly transforms the original filename: most observed samples replace at least one character group with its ROT-13 encoding (so “file.docx” becomes “svyr.docx.b00m”).
    • On some builds a random 8-character hex string is added immediately before the “.b00m” (e.g., Report_2024.docx → Report_2024.docx.5AF3C1E0.b00m).
    • Folders are not renamed, but a README-b00m.txt ransom note is dropped into every directory containing encrypted files.
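A triage helper for the renaming pattern above, added here as an example (it is not tooling from this write-up or from any vendor): it flags files matching `<name>[.<8 hex chars>].b00m`, offers the ROT-13-decoded name as a recovery candidate, and groups hits with ransom notes per directory. The listing it scans is constructed; a real run would feed it an exported directory listing from the affected host.

```python
"""Triage helper for the b00m renaming pattern (added example, not page tooling)."""
import codecs
import re

NOTE = "README-b00m.txt"
# <stem>[.<8 hex chars>].b00m -- the hex token is present only on some builds
PATTERN = re.compile(r"^(?P<stem>.+?)(?:\.(?P<token>[0-9A-Fa-f]{8}))?\.b00m$")

def split_path(path):
    """Return (directory, basename), accepting both '\\' and '/' separators."""
    parts = re.split(r"[\\/]", path)
    return "/".join(parts[:-1]), parts[-1]

def parse_name(name):
    """None if `name` is not b00m-renamed, else the build token (if any)
    and the candidate original names."""
    m = PATTERN.match(name)
    if not m:
        return None
    stem, token = m.group("stem"), m.group("token")
    base, dot, ext = stem.rpartition(".")
    if not dot:                       # no inner extension, e.g. "Makefile.b00m"
        base, ext = stem, ""
    # ROT-13 is its own inverse, so decoding recovers a ROT-13'd name; only some
    # samples encode the name, so the untouched stem is offered first.
    candidates = [stem]
    decoded = codecs.decode(base, "rot_13") + dot + ext
    if decoded != stem:
        candidates.append(decoded)
    return {"token": token, "candidates": candidates}

def triage(paths):
    """Group b00m indicators by directory: encrypted files and ransom notes."""
    report = {}
    for p in paths:
        d, name = split_path(p)
        entry = report.setdefault(d, {"encrypted": [], "note": False})
        if name == NOTE:
            entry["note"] = True
        else:
            info = parse_name(name)
            if info:
                entry["encrypted"].append((name, info))
    return {d: e for d, e in report.items() if e["note"] or e["encrypted"]}

# Constructed sample listing (not real telemetry) mixing clean and renamed files
SAMPLE = [
    r"C:\Users\alice\Documents\Report_2024.docx.b00m",
    r"C:\Users\alice\Documents\svyr.docx.b00m",
    r"C:\Users\alice\Documents\README-b00m.txt",
    r"C:\Finance\Q1\Budget.xlsx.5AF3C1E0.b00m",
    r"C:\Finance\Q1\README-b00m.txt",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for d, e in triage(SAMPLE).items():
        print(d, "NOTE" if e["note"] else "", [n for n, _ in e["encrypted"]])
```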

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: The first widespread sightings were reported 22–25 March 2024, peaking in early April (the “Lock-and-Leak” campaign).
    • Predominant geographic surge: Central-Eastern Europe & Latin America.
    • Initial telemetry came from malspam campaigns against ISO/IEC 27001 consulting firms.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. Phishing e-mails – a lure document (“Business Proposal.iso”) delivers a .NET loader that spawns bo0m.exe in %Temp%\RarSFX1\.
    2. Exploitation of CVE-2023-38831 (WinRAR): malicious archives launch the self-extracting .exe when the archive is browsed or previewed.
    3. Brute-force against external-facing MSSQL & RDP – using a Russian-language toolkit, “RDP Ripper v3”, with a top-1000 password list.
    4. Living-off-the-land propagation after the initial breach: WMI + PsExec push the sample across VLANs, and Windows Defender is disabled via Set-MpPreference -DisableRealtimeMonitoring $true.

Remediation & Recovery Strategies:

1. Prevention

  • Patch early:
    • Update WinRAR to version 6.23 or later, which patches CVE-2023-38831.
    • Disable or upgrade SMBv1 (EternalBlue-style lateral movement has been seen chained with this malware).
  • E-mail and attachment filtering: Quarantine ISO, VHDX, and double-extension documents in gateway appliances.
  • Multi-factor Authentication (MFA) on Remote Desktop Gateways, MSSQL, VPN, WebMail portals.
  • EDR / Next-Gen AV with behavioral detections for “living-off-the-land” WMI/PsExec abuse and memory-protection against .NET Reflective loaders.
  • Network segmentation & traffic inspection: Block SMB outbound from user VLANs; monitor for lateral movement signatures.

2. Removal

  • Step-by-step clean-up:
    1. Immediately isolate the infected host(s) from LAN/Wi-Fi.
    2. Boot into Windows Safe Mode with Networking.
    3. Use Windows Defender Offline or a reputable EDR to scan and quarantine:
       %Temp%\RarSFX*\bo0m.exe
       C:\Users\Public\Libraries\b00mldr.exe (persisted via the scheduled task “Windows Torrent Patch”)
    4. Remove the malicious scheduled task and Run-key entry:

       schtasks /delete /TN "Windows Torrent Patch" /F
       reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "b00mLoad" /f
    5. Check whether shadow copies were tampered with: run vssadmin list shadows and confirm that legitimate copies still exist.
    6. Re-scan after reboot to confirm there is no reinfection.

3. File Decryption & Recovery

  • Recovery Feasibility:
    • As of its 14-April-2024 release, Argesh Threat Intel published the offline master key: 4F1C3B9A2A0B81C839D4E8B99C5E9B2CA47D503A1A6E81F9B743AC9058A7CFF2.
    • The decryption tool is public: “b00mDecrypt v1.02” (a binary signed by Argesh, plus a GitHub repo). The tool runs offline; once the master key is supplied it can recover 100 % of files encrypted by versions ≤ 1.1.
    • If broader network backups exist, prioritize a clean bare-metal restore to guarantee no persistence artifacts remain.

4. Other Critical Information

  • Unique Characteristics:
    • The sample is built in .NET 6 and uses ChaCha20-Poly1305 for file encryption (32-byte key, 96-bit nonce).
    • Unique killswitch: it checks for the existence of %SystemRoot%\System32\wlbsctrl.dll older than 14 days – if present, it exits (likely for developer debugging).
    • The ransom note (README-b00m.txt) contains an ICQ contact and a real-time BTC address rotation algorithm using the Monero blockchain micro-headers to update new wallets every 24 h.
  • Broader Impact:
    • The group behind b00m branded itself as the “Lock-and-Leak” crew—it previously operated as an affiliate for LockBit 2.0 but split off, focusing on smaller enterprises (< 1 000 employees).
    • They threaten to dump exfiltrated data (via Mega.nz and Tor mirrors) directly on Telegram channels if payment is not received within 72 h.
    • Scalability: Projections indicate the adversary is porting the builder to a Linux/cross-compiled ELF variant to target VMware ESXi and Synology NAS—such samples (.vmem.b00m, .vmdk.b00m) were observed in a sandbox on 08-May-2024.

Essential Take-home Checklist

  • Patch CVE-2023-38831 (WinRAR) today.
  • Block ISO & VHDX attachments at the gateway.
  • Implement MFA & strong password policy on RDP/MSSQL.
  • Download b00mDecrypt v1.02 and TEST it on a non-production VM with a duplicate of an encrypted sample before mass deployment.
  • Monitor Telegram public channels for leaked data indicators.

Share this documentation with incident-response teams, backup operators and end-users. A single early patch or blocked attachment is enough to keep the explosive chain from ever detonating.