[Content by Gemini 2.5]

Ransomware Resource: B29

Comprehensive defensive reference for victims and defenders.


Technical Breakdown

1. File Extension & Renaming Patterns

  • Extension seen in the wild: .b29 is appended without removing the original extension

    | Before encryption | After encryption |
    |---|---|
    | AnnualReport.xlsx | AnnualReport.xlsx.b29 |

  • Dropped ransom note filename: README_TO_DECRYPT.b29.txt (the name contains both the .txt and .b29 strings, which helps confirm the family)

2. Detection & Outbreak Timeline

  • First samples: 15 March 2023 (major distribution wave observed in Eastern Europe)
  • Global uptick: end of May 2023, coinciding with the publication on exploit-db of details of the CVE-2023-23397 Microsoft Outlook patch.
  • Last confirmed active sample: 12 Oct 2023 (distribution volume has since dropped).

3. Primary Attack Vectors in Order of Precedence

  1. Outlook (CVE-2023-23397) – zero-click; a calendar/task reminder callback triggers outbound SMB authentication, followed by a PowerShell download cradle.
  2. Exploitable SMBv1/NBT (ETERNALBLUE) – still a factor in poorly patched networks.
  3. RDP brute-force / credential stuffing – default or weak VPN-to-domain passwords, following compromise of OpenVPN or Microsoft RDP infrastructure.

Remediation & Recovery Strategies

1. Prevention (Deploy Before Infection)

| Control | What to do |
|---|---|
| Windows & Office patches | Install KB5023307 (or later) to close CVE-2023-23397. |
| ActiveX hardening | Disable “Automatically process Outlook external content” via GPO. |
| SMBv1 kill-switch | Run Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol. |
| MFA on all RDP / VPN endpoints | Use FIDO2 or TOTP (phone app), not SMS. |
| Deny-by-default firewall | Block OUTBOUND 445/139 from client VLANs to the Internet. |
| 3-2-1 backups | Daily immutable (write-once) backups, with a copy on an offline medium or in immutability-enabled cloud storage. |
| Remote monitoring | Failsafes: restore-point auto-script plus a SOC alert on volume shadow-copy deletion (Event ID 46 in VSS). |
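The following read-only audit is an added example, not part of the original page: it checks, on one host, the controls from the table above that can be verified locally (the KB number and the SMB1Protocol feature name are taken from the table; the outbound 445/139 check is a host-firewall stand-in for the VLAN egress rule, and the Outlook GPO and backup controls are not checked here). The function name Test-B29Prevention and its parameters are assumptions for this example.

```powershell
# Added example (not from the original page): read-only audit of the host-side prevention controls.
# Run in an elevated PowerShell session on a Windows client or server.
function Test-B29Prevention {
    [CmdletBinding()]
    param(
        [string]$OutlookPatchKb = 'KB5023307',   # from the prevention table; confirm the KB for your build
        [string[]]$BlockedRemotePorts = @('445', '139')
    )

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string]$Control, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
    }

    # 1. Outlook patch: Get-HotFix only sees installed update packages; a later cumulative update
    #    may supersede this KB, so a "fail" here means "verify manually", not "unpatched"
    $kb = Get-HotFix -Id $OutlookPatchKb -ErrorAction SilentlyContinue
    Add-Result 'Win & Office patches' ($null -ne $kb) ("{0} installed: {1}" -f $OutlookPatchKb, [bool]$kb)

    # 2. SMBv1: check both the optional feature and the live server configuration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smbCfg  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $smb1Off = ($feature.State -ne 'Enabled') -and (-not $smbCfg.EnableSMB1Protocol)
    Add-Result 'SMBv1 kill-switch' $smb1Off ("Feature={0}; EnableSMB1Protocol={1}" -f $feature.State, $smbCfg.EnableSMB1Protocol)

    # 3. Outbound 445/139 block: an enabled, outbound, Block rule whose TCP port filter covers the ports
    $blockRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.RemotePort | Where-Object { $BlockedRemotePorts -contains $_ }) } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }
    Add-Result 'Deny-by-default firewall' ([bool]$blockRules) ("Matching outbound block rules: {0}" -f @($blockRules).Count)

    # 4. Shadow copies still present: a cheap proxy for "restore points exist"; the SOC alert on
    #    shadow-copy deletion has to be verified in the SIEM, not on the host
    $shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
    Add-Result 'Remote monitoring (VSS)' (@($shadows).Count -gt 0) ("Shadow copies on host: {0}" -f @($shadows).Count)

    return $results
}

# Usage
Test-B29Prevention | Format-Table -AutoSize
```

Each row is a Pass/Fail plus the raw evidence, so the output can be pasted into a ticket; a failed patch check should be followed by a look at the installed cumulative updates before concluding the host is exposed.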

2. Infection Cleanup (When It Happens)

  1. ISOLATE. Immediately cut the affected machine(s) from the network (both wired and Wi-Fi).
  2. Snapshot. Capture a byte-level forensic image before any “cleanup” if legal/insurance requirements mandate it.
  3. Boot to Safe Mode with networking OFF. Run a current Microsoft Defender Offline scan (Defender Offline or a boot USB).
  4. Persistence purge.
     • Look for the scheduled task B29Tasks under \Microsoft\Windows\UpdateOrchestrator\
     • Registry autorun at HKCU\Software\Microsoft\Windows\CurrentVersion\Run → value B29Updater.
     • Delete both; also remove C:\ProgramData\B29\config.ini.
  5. Update the local Microsoft Defender AV signatures: run MpCmdRun.exe -SignatureUpdate, then run a full scan.
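The triage function below is an added example, not part of the original page: it implements step 4 (the persistence purge) as a report-first script, adding an impact count of .b29 files and ransom notes (names from section 1) and an inventory of surviving shadow copies. Nothing is removed unless -Remove is passed, and every removed item is copied to an evidence folder first, so the cleanup does not destroy what step 2 is meant to preserve. The task, registry value and config path come from the list above; the function name, the default scan root and the evidence folder location are assumptions.

```powershell
# Added example (not part of the original page): report-first triage and cleanup of the B29 persistence
# items listed in step 4. Run elevated on the isolated host. Default is report-only; -Remove deletes,
# and -WhatIf previews. $ScanRoot and $EvidenceRoot defaults are assumptions for this example.
function Invoke-B29Triage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ScanRoot     = 'C:\Users',
        [string]$EvidenceRoot = "C:\IR\B29-$(Get-Date -Format yyyyMMdd-HHmmss)",
        [switch]$Remove
    )

    $taskPath  = '\Microsoft\Windows\UpdateOrchestrator\'
    $taskName  = 'B29Tasks'
    $runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runValue  = 'B29Updater'
    $configIni = 'C:\ProgramData\B29\config.ini'
    $noteName  = 'README_TO_DECRYPT.b29.txt'

    New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null
    $report = [ordered]@{}

    # Impact estimate: encrypted files keep their original extension with .b29 appended
    $encrypted = Get-ChildItem -Path $ScanRoot -Recurse -Force -File -Filter '*.b29' -ErrorAction SilentlyContinue
    $notes     = Get-ChildItem -Path $ScanRoot -Recurse -Force -File -Filter $noteName -ErrorAction SilentlyContinue
    $report['EncryptedFiles'] = @($encrypted).Count
    $report['RansomNotes']    = @($notes).Count
    if ($notes) { Copy-Item -Path $notes[0].FullName -Destination $EvidenceRoot }   # the decrypter needs the note

    # Persistence 1: scheduled task (export the XML before unregistering)
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
    $report['ScheduledTask'] = if ($task) { "PRESENT: $($task.Actions.Execute) $($task.Actions.Arguments)" } else { 'absent' }
    if ($task -and $Remove -and $PSCmdlet.ShouldProcess("$taskPath$taskName", 'Unregister-ScheduledTask')) {
        Export-ScheduledTask -TaskPath $taskPath -TaskName $taskName | Set-Content (Join-Path $EvidenceRoot 'B29Tasks.xml')
        Unregister-ScheduledTask -TaskPath $taskPath -TaskName $taskName -Confirm:$false
    }

    # Persistence 2: HKCU Run value (record the command line before deleting)
    $runEntry = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    $report['RunKey'] = if ($runEntry) { "PRESENT: $($runEntry.$runValue)" } else { 'absent' }
    if ($runEntry -and $Remove -and $PSCmdlet.ShouldProcess("$runKey\$runValue", 'Remove-ItemProperty')) {
        "$runValue=$($runEntry.$runValue)" | Add-Content (Join-Path $EvidenceRoot 'run-key.txt')
        Remove-ItemProperty -Path $runKey -Name $runValue
    }

    # Persistence 3: config file (copy to evidence, then delete)
    $report['ConfigIni'] = if (Test-Path $configIni) { 'PRESENT' } else { 'absent' }
    if ((Test-Path $configIni) -and $Remove -and $PSCmdlet.ShouldProcess($configIni, 'Remove-Item')) {
        Copy-Item -Path $configIni -Destination $EvidenceRoot
        Remove-Item -Path $configIni -Force
    }

    # Recovery option: shadow copies that survived are the fastest rollback (see the decryption section)
    $shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
    $report['ShadowCopies'] = @($shadows).Count

    [pscustomobject]$report
}

# Usage: report only first; remove once the forensic image from step 2 has been taken
Invoke-B29Triage
# Invoke-B29Triage -Remove -WhatIf
```

The HKCU key is checked for the user running the script; on a shared machine, run the triage under each profile that was logged on, or walk HKEY_USERS, since the autorun lives in the infected user's hive.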

3. File Decryption & Recovery

  • Is a decrypter available? Yes – B29Decrypter.exe was released by ESET on 14 Aug 2023 after the master RSA private key was seized and published by the Ukrainian CERT.
  • URL: https://www.eset.com/int/support/b29-decrypt-tool/
  • Prerequisites: the ransom note and at least one pair of original + encrypted file.
  • Offline usage: run the decrypter as Administrator → select “Scan & decrypt entire volumes.”
  • Contraindications: if volume shadow copies were not deleted (check with vssadmin list shadows), rolling back to them is faster; use ShadowExplorer.

4. Other Critical Information

  • Encryption algorithms: AES-256-CBC for files, RSA-2048 to wrap the AES key; however, the public/private keypair reused across the 2023 campaign was recovered.
  • Geographic footprint: 92 % of victims are in non-CIS countries (Western Europe, North America), based on default language-pack telemetry.
  • TTPs that stand out:
     • No wiper component – it marks but does not delete VSS.
     • Self-timing – begins encryption only if the system locale is NOT Russian, Belarusian or Kazakh (GetSystemDefaultLocaleName).
  • Post-infection checker script: the PowerShell remoting (Invoke-Command) script below bulk-lists machines still running SMBv1 across AD forests (community favourite):

```powershell
# Requires PowerShell remoting (WinRM) on the targets and a credential with local admin rights
$Cred = Get-Credential
Get-ADComputer -Filter * | ForEach-Object {
    Invoke-Command -ComputerName $_.Name -Credential $Cred -ErrorAction SilentlyContinue -ScriptBlock {
        # EnableSMB1Protocol is the server-side switch that Disable-WindowsOptionalFeature turns off;
        # the Dialect strings reported by Get-SmbConnection (e.g. "3.1.1") cannot be compared numerically
        Get-SmbServerConfiguration | Select-Object -Property EnableSMB1Protocol
    }
} | Where-Object { $_.EnableSMB1Protocol } | Select-Object PSComputerName, EnableSMB1Protocol
```

Stay vigilant. Share this guide internally and ensure your MTD (Maximum Tolerable Downtime) is tested once the foregoing measures are in place.