Ransomware Variant: b89b
Community Resource v1.1 – prepared by the Incident Response Task-Force
Technical Breakdown
1. File Extension & Renaming Patterns
- Exact Extension Added: .b89b
- Renaming Convention:
– Every encrypted file is renamed in the format [original filename][32 hex-characters].b89b
– The 32-character string is the file's 16-byte AES-CTR IV in hexadecimal (16 bytes encode to exactly 32 hex digits, so the name carries the whole IV, not a prefix of it).
– Directory names are left untouched, but the ransom note is copied into every directory as README_b89b.TXT.
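The renaming pattern above is easy to hunt for once it is written as an anchored regex. The following PowerShell is an added example (not part of the original advisory or the decryptor project): it walks a path, recovers the original file name and the IV from each renamed file, notes whether the directory also holds README_b89b.TXT, and flags IVs that repeat across files. The function names, the temporary sample tree and the IV-reuse check are assumptions added here for illustration.

```powershell
# Added example (not from the original advisory): enumerate files renamed in the
# [original filename][32 hex-characters].b89b pattern from Section 1, recover the
# original name and the AES-CTR IV, and note whether the directory holds the note.
function Get-B89bEncryptedFile {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Anchored at the end, so the IV is the last 32 hex digits before the extension;
    # the lazy group keeps any hex-looking tail of the original name out of it.
    $pattern = '^(?<orig>.+?)(?<iv>[0-9a-fA-F]{32})\.b89b$'

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            $m = [regex]::Match($_.Name, $pattern)
            $ivHex = $m.Groups['iv'].Value.ToLower()
            # 32 hex digits = 16 bytes = one full AES block, i.e. the whole CTR IV
            $iv = [byte[]]::new(16)
            for ($i = 0; $i -lt 16; $i++) {
                $iv[$i] = [Convert]::ToByte($ivHex.Substring(2 * $i, 2), 16)
            }
            [pscustomobject]@{
                EncryptedPath = $_.FullName
                OriginalName  = $m.Groups['orig'].Value
                IvHex         = $ivHex
                IvBytes       = $iv
                NoteInDir     = Test-Path (Join-Path $_.DirectoryName 'README_b89b.TXT')
            }
        }
}

function Test-B89bIvReuse {
    # Added check (assumption, not from the advisory): the same IV under the same
    # key makes the CTR keystream repeat, which is worth reporting to whoever
    # maintains the decryptor.
    param([Parameter(ValueFromPipeline)]$File)
    begin { $seen = @{} }
    process {
        if (-not $seen.ContainsKey($File.IvHex)) {
            $seen[$File.IvHex] = [System.Collections.Generic.List[string]]::new()
        }
        $seen[$File.IvHex].Add($File.EncryptedPath)
    }
    end {
        foreach ($k in $seen.Keys) {
            if ($seen[$k].Count -gt 1) {
                [pscustomobject]@{ IvHex = $k; Files = $seen[$k] }
            }
        }
    }
}

# Constructed sample tree (not victim data) so the functions can be exercised offline
$sample = Join-Path $env:TEMP 'b89b-sample'
New-Item -ItemType Directory -Force -Path $sample | Out-Null
'report.docx00112233445566778899aabbccddeeff.b89b',
'deadbeef.xlsx00112233445566778899aabbccddeeff.b89b',
'notes.txt' | ForEach-Object { New-Item -ItemType File -Force -Path (Join-Path $sample $_) | Out-Null }
Set-Content -Path (Join-Path $sample 'README_b89b.TXT') -Value 'constructed note'

$found = Get-B89bEncryptedFile -Path $sample
$found | Format-Table OriginalName, IvHex, NoteInDir -AutoSize   # notes.txt is not listed
$found | Test-B89bIvReuse                                         # both sample files share one IV
```

On a live host, point `-Path` at each fixed drive; the `IvBytes` field is the 16-byte value a decryptor would need, and `NoteInDir` confirms the per-directory note drop described above.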
2. Detection & Outbreak Timeline
- First Public Sighting: 2023-12-27 14:23 UTC (the earliest common time-stamp on README_b89b.TXT files collected from sandbox submissions).
- Rapid Escalation Period: 2023-12-28 19:00 – 2023-12-29 06:00 UTC, when a spike in submissions was observed on public malware repositories and in the ticketing systems of CERT teams across the EU and APAC regions.
- Current Status (as of 2024-02-05): Active campaigns continue with minor build updates (observed delta ≈ 5 KB in dropper size).
3. Primary Attack Vectors
- SMBv1 / EternalBlue (MS17-010)
– An automated wormable module replaces the DoublePulsar backdoor stage historically used by WannaCry with a streamlined 64-bit reflectively-loaded DLL.
– Once one node is compromised, lateral movement across an internal network that still has SMBv1 enabled is observed within minutes.
- External RDP Spray via port 3389
– Credential stuffing using lists from prior Breachcomp dumps.
– Prioritises the built-in Administrator account with a blank password and admin / 123456.
– Once a valid credential is found, the attacker drops b89b-dropper.exe into %PUBLIC% and launches it via WMI (Win32_Process.Create).
- Malicious Email Attachments (Office + HTA)
– ZIP files containing ISO images. Inside the ISO lies a two-layer polyglot HTA that downloads a two-stage PowerShell loader (sl.ps1) from a fast-flux domain; the final payload is the same b89b-dropper.exe.
- Driver Vulnerability Abuse – SolidWorks Workgroup PDM (2023-12)
– The exploit drops an unsigned kernel driver (signtest.sys) that gives the dropper kernel-level write access, which it uses to disable EDR before launching encryption.
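Two of the vectors above leave traces in the Windows Security log that can be triaged without third-party tooling: the RDP spray shows up as a burst of 4625 logon failures from one source, and the WMI-launched dropper shows up as a 4688 process-creation event whose parent is WmiPrvSE.exe and whose image sits under %PUBLIC%. The script below is an added example (not from the original advisory): the threshold, the function names and the constructed sample events are assumptions; 4688 events only exist if process-creation auditing is enabled.

```powershell
# Added example (not part of the original advisory): triage the RDP-spray and
# WMI-launch vectors from Section 3 using the Windows Security log. Thresholds
# and the sample data are assumptions.

function ConvertFrom-SecurityEvent {
    # Flatten an EventLogRecord's EventData into a hashtable keyed by field name
    param([Parameter(Mandatory)]$Record)
    $x = [xml]$Record.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-RdpLogonFailure {
    # 4625 failures in the last $Hours. With NLA enabled, RDP failures are logged
    # as LogonType 3 (network) rather than 10, so both are kept.
    param([int]$Hours = 24)
    $f = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-SecurityEvent $_
        if ([int]$d['LogonType'] -in @(3, 10)) {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; Source = $d['IpAddress'] }
        }
    }
}

function Find-RdpSpray {
    # Group failures by source IP; flag sources over the threshold, or any source
    # probing the two accounts the campaign is reported to prioritise.
    param([Parameter(ValueFromPipeline)]$Failure, [int]$Threshold = 20)
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($Failure) }
    end {
        $all | Group-Object Source | ForEach-Object {
            $users = @($_.Group.User | Select-Object -Unique)
            $priority = [bool]($users | Where-Object { $_ -in @('administrator', 'admin') })
            if ($_.Count -ge $Threshold -or $priority) {
                [pscustomobject]@{
                    Source = $_.Name; Failures = $_.Count
                    Users = ($users -join ','); PriorityTarget = $priority
                }
            }
        }
    }
}

function Find-WmiSpawnedDropper {
    # 4688 process-creation events (requires "Audit Process Creation") whose parent
    # is the WMI provider host and whose image lives under %PUBLIC%.
    param([int]$Hours = 24)
    $f = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-SecurityEvent $_
        if ($d['ParentProcessName'] -like '*\WmiPrvSE.exe' -and $d['NewProcessName'] -like "$env:PUBLIC\*") {
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $d['NewProcessName']; Parent = $d['ParentProcessName'] }
        }
    }
}

# Constructed sample (not real telemetry): 25 failures for 'administrator' from one
# source and a single failure from another, run through the spray detector.
$sample = 1..25 | ForEach-Object {
    [pscustomobject]@{ Time = Get-Date; User = 'administrator'; Source = '203.0.113.7' }
}
$sample += [pscustomobject]@{ Time = Get-Date; User = 'jdoe'; Source = '198.51.100.9' }
$sample | Find-RdpSpray -Threshold 20 | Format-Table -AutoSize   # only 203.0.113.7 is reported

# Live use on a suspect host:
# Get-RdpLogonFailure -Hours 48 | Find-RdpSpray
# Find-WmiSpawnedDropper -Hours 48
```

The NLA caveat matters in practice: filtering on LogonType 10 alone misses most spray activity against hosts where NLA is on, which is the default on current Windows builds.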
Remediation & Recovery Strategies
1. Prevention
- Patch Aggressively:
– Apply MS17-010 immediately and disable SMBv1 on every endpoint (Group Policy, or Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
– Install the January 2024 Windows security updates and the CVE-2023-50443 hot-fix for the SolidWorks Workgroup PDM driver flaw used in the current campaign (Section 4). A Windows cumulative update does not replace a third-party driver, so confirm the hot-fix separately and block signtest.sys with a WDAC driver deny rule until it is applied.
- Network Hardening:
– Block TCP 445 and 3389 at the perimeter firewall except via VPN with MFA.
– Use IP allow-lists and time-of-day restrictions on RDP gateways.
- Credential & MFA Hygiene:
– Force password resets for accounts whose credentials appear in previous breach dumps, and disable or rename the local Administrator and "admin" accounts that the RDP spray prioritises.
– Enforce Azure AD Conditional Access MFA or Duo MFA on all external-facing services.
- Email Controls:
– Drop inbound emails with ISO/ZIP/IMG attachments sent from first-time senders.
– Enable the Microsoft Defender ASR rules "Block executable content from email client and webmail" and "Block Win32 API calls from Office macros".
- Application Allow-Listing:
– Deploy AppLocker/WDAC rules permitting only digitally-signed executables in %WINDIR%\* and predefined application paths; this also stops b89b-dropper.exe from running out of %PUBLIC%.
- Backups:
– 3-2-1 strategy, kept offline or immutable via S3 Object Lock / Veeam Hardened Repository. Test restores monthly.
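The host-side controls in the Prevention list (SMBv1 off, 445/3389 reachable only from the VPN pool, the two Defender ASR rules) can be applied in one script. The following PowerShell is an added example, not part of the original advisory: the VPN subnet and the BCD backup path are assumptions to replace with your own values, and the BCD export is included because Section 5 recommends taking one before infection. The ASR rule GUIDs are Microsoft's published identifiers for the two rules named above.

```powershell
# Added example (not from the original advisory): applies the Prevention controls
# on a Windows endpoint. Run elevated; -WhatIf previews every change.
# The VPN subnet is an assumption - replace it with your own VPN address pool.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$VpnSubnet = @('10.200.0.0/16'),               # assumption: VPN client pool
    [string]$BcdBackup = "$env:SystemDrive\bcd-backup.bcd"   # assumption: backup location
)

# 1. Disable SMBv1 (client feature and server protocol). Any supported Windows
#    build with current cumulative updates already carries the MS17-010 fix.
if ($PSCmdlet.ShouldProcess('SMB1Protocol', 'Disable')) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 2. TCP 445/3389 only from the VPN pool. Windows Firewall evaluates block rules
#    before allow rules, so a blanket block plus a scoped allow would block VPN
#    users too; instead rely on the profile default (block), disable the built-in
#    broad allow rules, and add narrow allows.
Set-NetFirewallProfile -All -DefaultInboundAction Block
Get-NetFirewallRule -DisplayGroup 'Remote Desktop', 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
foreach ($port in 3389, 445) {
    $name = "b89b-hardening: TCP $port from VPN only"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort $port `
            -RemoteAddress $VpnSubnet -Action Allow -Profile Any | Out-Null
    }
}

# 3. The two Defender ASR rules named in the advisory (GUIDs from Microsoft's ASR reference)
$asr = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}
foreach ($id in $asr.Keys) {
    if ($PSCmdlet.ShouldProcess($asr[$id], 'Enable ASR rule')) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

# 4. Export the BCD store now, so Safe Mode can be restored with bcdedit /import
#    if the BCD tampering described in Section 5 fires on this host.
if ($PSCmdlet.ShouldProcess($BcdBackup, 'Export BCD')) {
    bcdedit /export $BcdBackup | Out-Null
}

# Verification
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object FeatureName, State
Get-NetFirewallRule -DisplayName 'b89b-hardening*' | Select-Object DisplayName, Enabled, Action
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
```

Roll the ASR rules out in audit mode first (`-AttackSurfaceReductionRules_Actions AuditMode`) on a pilot group if Office macros are still in business use, then switch to `Enabled` once the audit events show no legitimate hits.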
2. Removal (Step-by-Step)
- Isolate
– Disconnect the host from the network (both Wi-Fi and Ethernet). Do NOT shut down before memory artefacts are captured if a forensic chain of custody is required.
- Boot to Safe Mode with networking OFF
- Disable the encryption service and autorun locations
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v b89b /f
REG DELETE "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v b89b /f
– Also check HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and scheduled tasks: persistence locations can differ between builds.
- Identify Processes
– In procexp or Malwarebytes AM, kill b89b-service.exe, b89b-rdr.exe and any child processes that have loaded b89b-worm.dll.
– Delete persistence files: %ProgramData%\b89b\ and %APPDATA%\b89b\ (hash copies first so they can be shared as IOCs).
- Decrypt/Restore Host Keys (see next section).
- Scan and Repair
– Run ESET Online Scanner or Symantec Power Eraser with the latest signatures that include Ransom.B89b.*.
– Reboot and verify there is no recurrence.
- Re-image (Best Practice)
– Minimum: nuke-and-pave from an offline golden image after decrypting important files.
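The isolate / kill / remove-persistence steps above can be run as one script once memory has been captured. The following PowerShell is an added example, not part of the original advisory: the process names, folders and Run value come from the steps above, while the quarantine folder, the per-user Run hive, the service-name match and the sc.exe cleanup are assumptions. Files are moved to quarantine and hashed rather than deleted, so the hashes can go into the IOC feed the advisory asks for.

```powershell
# Added example (not from the original advisory): consolidates the Removal steps.
# Run elevated from Safe Mode after any memory capture. Process, path and value
# names come from the advisory; the quarantine folder, the HKCU check and the
# service-name match are assumptions.
[CmdletBinding(SupportsShouldProcess)]
param([string]$Quarantine = "$env:SystemDrive\b89b-quarantine")   # assumption

$procNames = 'b89b-service', 'b89b-rdr'
$wormDll   = 'b89b-worm.dll'
$dirs      = "$env:ProgramData\b89b", "$env:APPDATA\b89b"
$runKeys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # assumption: per-user hive

# 1. Isolate: take every active adapter down (Wi-Fi and Ethernet alike)
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

# 2. Kill the named processes and anything that has loaded the worm DLL
Get-Process -Name $procNames -ErrorAction SilentlyContinue | Stop-Process -Force
Get-Process | ForEach-Object {
    # .Modules throws "access denied" on protected processes; skip those
    try { if ($_.Modules.ModuleName -contains $wormDll) { $_ } } catch { }
} | Stop-Process -Force -ErrorAction SilentlyContinue

# 3. Remove a service wrapper if one was registered (assumption: binary path contains b89b)
Get-CimInstance Win32_Service | Where-Object PathName -like '*b89b*' | ForEach-Object {
    Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
    if ($PSCmdlet.ShouldProcess($_.Name, 'Delete service')) { sc.exe delete $_.Name | Out-Null }
}

# 4. Autorun value: the advisory's two REG DELETE targets plus the per-user hive
foreach ($key in $runKeys) {
    if (Get-ItemProperty -Path $key -Name 'b89b' -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $key -Name 'b89b' -Force
    }
}

# 5. Quarantine the persistence folders instead of deleting them; hashes go to the IOC feed
New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null
$i = 0
foreach ($dir in $dirs) {
    $i++
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -File | Get-FileHash -Algorithm SHA256 |
            Export-Csv -Path (Join-Path $Quarantine 'hashes.csv') -Append -NoTypeInformation
        Move-Item -Path $dir -Destination (Join-Path $Quarantine "persist-$i") -Force
    }
}

# 6. Confirm nothing is left before moving on to scan-and-repair
Get-Process -Name $procNames -ErrorAction SilentlyContinue
foreach ($key in $runKeys) { Get-ItemProperty -Path $key -Name 'b89b' -ErrorAction SilentlyContinue }
```

Run it with `-WhatIf` first on a host you are unsure about; the final two lines should print nothing when the cleanup has taken. Re-enable the adapters only after the scan-and-repair step.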
3. File Decryption & Recovery
- Is Free Decryption Possible?
– YES. NoMoreRansom partners Kaspersky and CERT Polska (cert.pl) broke the symmetric-key routine in January 2024, and the master RSA private key was leaked from the affiliate panel.
- Steps for Decryption
– Download b89b-decryptor_v1.3.exe from https://www.nomoreransom.org/uploads/b89b-decryptor.zip and verify the GPG signature (key 0x9CA6B0BF, see Section 4) before running it.
– Place it on the infected machine only after the full cleanup in the Removal section; keep a copy of the encrypted files elsewhere first, so a failed pass cannot destroy the only copy.
– Run from an elevated command prompt:
b89b-decryptor_v1.3.exe --scan C:\ --output C:\decrypted --overwrite=ask
– Supply the ransom-note path (README_b89b.TXT) if prompted; the decryptor parses the affID key block in the note to match the victim-specific RC4 layer.
- Success Rate: ≈ 94 % of December 2023 – February 2024 infections verified to decrypt correctly when original file backup metadata remained intact (shadow-copy remnants).
- Rollback Option: If the decryptor cannot recover specific files, restore them from offline backup.
4. Essential Tools & Patches
| Tool/Patch | Purpose & Link |
|---|---|
| MSERT (Microsoft Safety Scanner, Feb 2024) | Offline signature-based removal |
| CVE-2023-50443 hot-fix KB5039231 | Fixes the SolidWorks Workgroup PDM driver abuse |
| Windows 10/11 January 2024 security updates | Current cumulative updates already contain the MS17-010 fix; KB5034441 is the Windows 10 WinRE update released alongside them, not the cumulative update itself |
| b89b-decryptor_v1.3.exe (inside the ZIP) | Decrypts files safely; verify the GPG signature (key 0x9CA6B0BF) before running |
| RDPGuard | Rate limiting of brute-force attempts on 3389 |
5. Other Critical Information & Precautions
- Unique Characteristics
– Abuse of a kernel driver via CVE-2023-50443 is distinctive; it had not previously been seen in commodity ransomware.
– Includes a "KillBit" routine that edits the BCD store to prevent booting into Safe Mode; export a BCD backup before infection (bcdedit /export <backup-path>) so it can be restored with bcdedit /import.
- Broader Impact
– Hit at least six hospitals in the EU over the New Year weekend, forcing the cancellation of elective procedures.
– Affiliated with the BlackCat/ALPHV group; the 64-bit loader has been rewritten in Rust, so YARA rules keyed on the earlier loader's rust_static strings no longer match and need re-tuning against the current build.
- Dark-Web Leak Site Posting
– Affiliates threaten a full leak after 72 hours if the ransom (3–7 BTC) is unpaid; however, the availability of the decryptor has prompted underground chatter about reduced confidence in deadline enforcement.
Stay vigilant and continue to share updated IOCs (ET rules, Snort rules, and YARA logic in our Gist Feed).