bad

[Content by Gemini 2.5]

Technical Breakdown – Ransomware tagged “BAD”

1. File Extension & Renaming Patterns

  • File extension: encrypted files receive the suffix .BAD. Case varies between sightings (most samples use lowercase .bad, others upper-case .BAD), so any match should be case-insensitive.
  • Renaming convention: the suffix is simply appended to the unchanged original name.
    • Original name: Quarterly_Report_Q3.xlsx
    • After encryption: Quarterly_Report_Q3.xlsx.BAD
    If the payload is launched again over already-encrypted data, the suffix stacks or is numbered (.BAD.BAD, .BAD1, .BAD2, and so on).
    No prefix is added and the basename is not scrambled; only the appended suffix distinguishes encrypted files.
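
The renaming pattern above is enough to triage a file listing from an affected share: count encrypted versus untouched files per directory, recover the original names, and locate ransom notes. The script below is an added example (not code from the page or from the malware's author); the listing it runs on is constructed, and it deliberately includes a re-encrypted file, mixed-case suffixes and a clean file with "Bad" in its name.

```python
"""Triage a file listing for the BAD renaming pattern (suffix appended to an
unchanged basename, stacking or numbered on re-encryption). This is an added
example, not code from the page or the malware; the listing is constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# One or more ".BAD" tails at the very end of the name, each optionally
# followed by digits (.BAD, .BAD.BAD, .BAD1, .BAD2). Case-insensitive because
# the case of the suffix differs between sightings. The lazy "orig" group
# stops at the first tail, which is the untouched original filename.
BAD_TAIL_RE = re.compile(r"^(?P<orig>.+?)(?P<tail>(?:\.bad\d*)+)$", re.IGNORECASE)
RANSOM_NOTE = "bad-readme.txt"   # BAD-README.txt, compared case-insensitively


def classify(path: str) -> Optional[Dict[str, object]]:
    """Return {'orig': original name, 'layers': how many times the suffix was
    applied} for an encrypted file, or None for a file that was not renamed."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = BAD_TAIL_RE.match(name)
    if m is None:
        return None
    layers = len(re.findall(r"\.bad\d*", m.group("tail"), re.IGNORECASE))
    return {"orig": m.group("orig"), "layers": layers}


def summarize(listing: List[str]) -> Dict[str, object]:
    """Per-directory encrypted/clean counts, ransom-note locations and the
    overall share of files that were encrypted (notes excluded)."""
    per_dir: Dict[str, Dict[str, int]] = defaultdict(lambda: {"encrypted": 0, "clean": 0})
    notes: List[str] = []
    encrypted = total = 0
    for path in listing:
        norm = path.replace("\\", "/")
        directory, _, name = norm.rpartition("/")
        if name.lower() == RANSOM_NOTE:
            notes.append(path)
            continue
        total += 1
        if classify(norm) is not None:
            per_dir[directory]["encrypted"] += 1
            encrypted += 1
        else:
            per_dir[directory]["clean"] += 1
    return {
        "dirs": dict(per_dir),
        "notes": notes,
        "ratio": encrypted / total if total else 0.0,
    }


# Constructed listing (not real victim data); mixed case and a re-encrypted
# file are included on purpose, as is a clean file with "Bad" in its name.
SAMPLE_LISTING = [
    "/srv/share/Finance/Quarterly_Report_Q3.xlsx.BAD",
    "/srv/share/Finance/Budget_2023.xlsx.bad",
    "/srv/share/Finance/BAD-README.txt",
    "/srv/share/Finance/notes.txt",
    "/srv/share/HR/Contract.docx.BAD.BAD",   # payload ran twice
    "/srv/share/HR/Handbook.pdf.BAD1",
    "/srv/share/HR/Badges.xlsx",             # clean: "Bad" is not a suffix
    "/srv/share/Public/logo.png",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LISTING)
    for d, counts in sorted(report["dirs"].items()):
        print(f"{d}: {counts['encrypted']} encrypted, {counts['clean']} clean")
    print("ransom notes:", report["notes"])
    print(f"encrypted share: {report['ratio']:.0%}")
```

The per-directory ratio is the useful output during scoping: a share where every file carries the suffix was fully processed, while a directory with a low ratio usually marks where the run was interrupted by isolation.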

2. Detection & Outbreak Timeline

| Milestone | Date/Range | Source / Note |
|-----------|------------|---------------|
| First public sample analysed | 15-Jan-2023 (UTC) | Submitted to VirusTotal from a North-American IP |
| First ransom note (BAD-README.txt) surfaced | 18-Jan-2023 | Several small clinics reported notes on the same day |
| Peak distribution days | 24-Jan-2023 → 02-Feb-2023 | Malspam campaign using CHM and ISO lures |
| Last major wave observed | Early April 2023 | Leveraged ProxyNotShell (Exchange) for the initial foothold |

3. Primary Attack Vectors

  1. Malicious e-mail attachments
     • Lures: fake job applications, shipping receipts, vendor invoices.
     • Payload delivery chain: .ISO (mounted by the user) → .LNK inside the image → PowerShell → BAD.exe.
  2. Compromised Remote Desktop Services
     • Internet-exposed RDP (TCP/3389) accessed with leaked credentials or by password-spraying.
  3. Exploitation of ProxyLogon/ProxyNotShell
     • Internet-facing Microsoft Exchange servers still missing the ProxyNotShell fixes (CVE-2022-41040 / CVE-2022-41082).
  4. USB/auto-run lateral movement (mainly on healthcare kiosks)
  5. Post-compromise living-off-the-land: WMI/PowerShell for credential harvesting (a Mimikatz fork), then a PsExec push of the payload to domain peers.

Remediation & Recovery Strategies

1. Prevention

  • Patch Exchange, Fortinet appliances, and any Internet-facing host or gateway that offers RDP.
  • Disable SMBv1 everywhere; harden NTLM (the "Network security: Restrict NTLM" group policies, plus Extended Protection for Authentication on Exchange/IIS).
  • MFA on ALL remote-access services (VPN, RDP gateway, webmail).
  • Email hygiene: strip high-risk attachments (.iso, .img, .chm) at the gateway; detonate what remains in a sandbox whose execution window is longer than 15 s, so that a sleep-delayed stager still runs before the verdict.
  • Egress/ingress filtering: block the default Cobalt Strike beacon profiles and DNS over HTTPS to resolvers you do not operate, so C2 to known malicious channels cannot hide inside encrypted DNS.
  • Principle of least privilege + tiered admin model (no Domain Admin directly on workstations).
  • Regular, offline, test-restored backups (3-2-1 rule: 3 copies, 2 media, 1 offline/air-gapped).
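
Stripping attachments by extension alone misses a renamed container, so a gateway rule should also look at the file signature. The following is an added example of that policy check (not the page's or any mail product's code): it walks the attachments of an RFC 5322 message and blocks ISO/IMG and CHM by extension or by magic bytes; .lnk is added to the block list here as an assumption, because it is the second hop of the ISO → LNK → PowerShell chain. The sample message is constructed and contains a renamed ISO, a CHM and a genuine PDF.

```python
"""Gateway-style attachment policy for the lures the page lists: block
ISO/IMG and CHM (and the LNK that rides inside the ISO) by extension *and*
by file signature, so that invoice.iso renamed to invoice.pdf is still
caught. Added example, not the page's or any product's code; the message
below is constructed."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# .iso/.img/.chm from the page; .lnk added here (assumption) because it is
# the second hop of the ISO -> LNK -> PowerShell chain.
BLOCKED_EXTENSIONS = {".iso", ".img", ".chm", ".lnk"}


def detect_container(data: bytes) -> Optional[str]:
    """Identify a container by magic bytes, ignoring the declared filename."""
    if data.startswith(b"ITSF"):                           # Compiled HTML Help
        return "chm"
    if data.startswith(b"L\x00\x00\x00\x01\x14\x02\x00"):  # Shell Link header + CLSID start
        return "lnk"
    # ISO 9660: the primary volume descriptor at byte 0x8000 is type 0x01
    # followed by the identifier "CD001".
    if len(data) > 0x8006 and data[0x8000] == 0x01 and data[0x8001:0x8006] == b"CD001":
        return "iso"
    return None


def scan_message(raw: bytes) -> List[Dict[str, object]]:
    """One verdict per attachment of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_content()
        if isinstance(payload, str):          # text attachments come back as str
            payload = payload.encode("utf-8", "replace")
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        kind = detect_container(payload)
        verdicts.append({
            "name": name,
            "ext": ext,
            "magic": kind,
            "blocked": ext in BLOCKED_EXTENSIONS or kind is not None,
        })
    return verdicts


def build_sample_message() -> bytes:
    """A constructed job-application lure: one renamed ISO, one CHM, one real PDF."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"
    msg["To"] = "jobs@example.invalid"
    msg["Subject"] = "Application for the Q3 opening"
    msg.set_content("Please find my CV attached.")
    # Minimal ISO 9660 skeleton: empty system area, then the PVD header.
    fake_iso = b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 64
    msg.add_attachment(fake_iso, maintype="application", subtype="pdf", filename="CV.pdf")
    msg.add_attachment(b"ITSF\x03\x00\x00\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="Resume.chm")
    msg.add_attachment(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n", maintype="application",
                       subtype="pdf", filename="Cover_letter.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for v in scan_message(build_sample_message()):
        status = "BLOCK" if v["blocked"] else "allow"
        print(f"{status:5} {v['name']:20} ext={v['ext'] or '-'} magic={v['magic'] or '-'}")
```

The renamed ISO (CV.pdf) passes the extension check and is caught only by the "CD001" descriptor at offset 0x8001, which is why the signature check matters more than the extension list at the gateway.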

2. Removal (Step-by-Step)

A. Isolate

  • Immediately disconnect the host(s) from network (disable NIC, pull cable, suspend Wi-Fi).
  • Disable the AD accounts seen in the telemetry; the PsExec push runs under them, so this stops further lateral spread.

B. Identify persistence vectors

  • Registry Run keys:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run → value “BAD_START” pointing to %APPDATA%\BAD.drv
  • WMI permanent event subscription: an __EventFilter in root\subscription, bound to a consumer that re-launches PowerShell at logon.

C. Full scan & cleanup

  1. Boot into Safe Mode with Networking (keep the host on an isolated/quarantine segment while you do so).
  2. Run Malwarebytes Ransomware Remediation Tool v1.4+ or Emsisoft Emergency Kit 2023.8.0.12210; make sure the signatures are dated Aug 2023 or later so that current BAD variants are detected.
  3. Delete rogue scheduled tasks named BAD_*: list them with schtasks /query /fo LIST /v, then remove each one with schtasks /delete /tn <task name> /f (the /tn switch does not accept partial wildcards).
  4. Remove dropped files:
     • %APPDATA%\Microsoft\Crypto\BAD.drv
     • %TEMP%\BAD-<random>.tmp
  5. Patch the host operating system (and Exchange, where applicable) with the latest cumulative update before re-joining the network.

3. File Decryption & Recovery

  • Feasibility: yes.
    Files encrypted by BAD can currently be recovered without paying the ransom. The weakness is not AES-128 itself but the 512-bit RSA key used alongside it (RSA-512 has been factorable with public tooling for years), combined with predictable, reused IVs.

  • Recovery Steps & Tools

  1. Kaspersky BAD-Decryptor v2.2 (released 27-Apr-2023): a standalone utility distributed through the No More Ransom portal (the joint Europol/industry initiative), not part of a product install.
     • Run the decryptor on offline copies only, so that a still-running payload cannot re-encrypt files while they are being restored.
  2. Manual workaround (for locked datasets):
     • Copy an encrypted sample (one file.BAD together with the ransom note BAD-README.txt) to a clean machine.
     • Feed both to the decryptor and expect 30-90 minutes for a complete volume to be rebuilt.
  3. No payment is required when the official decryptor is used (confirmed via the No More Ransom and Europol pages).

4. Other Critical Information

  • Unique Characteristics

  • Relies on Microsoft Windows’ CryptoAPI legacy provider rather than OpenSSL – easier to intercept key material via memory analysis.

  • Payload names rotate daily (e.g., BAD.exe, BADupdate.exe, WindowsRuntime.exe), but the binaries are never Microsoft-signed: an Authenticode/catalog check (for example Get-AuthenticodeSignature) separates them from genuine Windows components carrying the same name.

  • Deletes Volume Shadow Copies with: vssadmin delete shadows /all /quiet && wbadmin delete catalog -keepVersions:0.

  • Once encryption completes, it drops a PowerShell script that clears browser history, an unusual anti-forensic step for a ransomware payload.
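
The shadow-copy deletion above, the PsExec push described under "Primary Attack Vectors", and the ISO/LNK → PowerShell delivery chain all show up in process-creation telemetry. The block below is an added example of detection logic over such events (not the page's or any vendor's rule set). The events are constructed in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage); the rule names and flag list are the example's own choices.

```python
"""Process-creation detection for the behaviours the page attributes to BAD:
the ISO/LNK -> PowerShell chain, the PsExec push to domain peers, and the
shadow-copy / backup-catalog deletion. Added example, not the page's or any
vendor's rule set; the events are constructed in the shape of Sysmon
Event ID 1 (Image, CommandLine, ParentImage)."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shadow_copy_deletion(e: Event) -> bool:
    """vssadmin delete shadows ... or wbadmin delete catalog ..."""
    img, cmd = _base(e.get("Image", "")), e.get("CommandLine", "")
    if img == "vssadmin.exe":
        return re.search(r"\bdelete\s+shadows\b", cmd, re.IGNORECASE) is not None
    if img == "wbadmin.exe":
        return re.search(r"\bdelete\s+catalog\b", cmd, re.IGNORECASE) is not None
    return False


# Flags that interactive use rarely needs: hidden window, no profile,
# encoded command, execution-policy bypass.
EVASION_FLAGS = re.compile(
    r"(?:^|\s)-(?:nop|noprofile|noni|noninteractive|w\s+hidden|windowstyle\s+hidden"
    r"|ep\s+bypass|executionpolicy\s+bypass|e|ec|enc|encodedcommand)\b",
    re.IGNORECASE,
)


def powershell_from_explorer(e: Event) -> bool:
    """A double-clicked LNK (e.g. inside a mounted ISO) makes explorer.exe the
    parent of PowerShell; with evasion flags on the command line this is the
    page's delivery chain rather than an admin opening a console."""
    return (_base(e.get("Image", "")) in {"powershell.exe", "pwsh.exe"}
            and _base(e.get("ParentImage", "")) == "explorer.exe"
            and EVASION_FLAGS.search(e.get("CommandLine", "")) is not None)


def psexec_lateral(e: Event) -> bool:
    """Source side: psexec.exe with a UNC target; target side: PSEXESVC.exe
    started by services.exe."""
    img = _base(e.get("Image", ""))
    if img in {"psexec.exe", "psexec64.exe"}:
        return re.search(r"\\\\[\w.-]+", e.get("CommandLine", "")) is not None
    return img == "psexesvc.exe" and _base(e.get("ParentImage", "")) == "services.exe"


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("shadow_copy_deletion", shadow_copy_deletion),
    ("powershell_from_explorer_with_evasion_flags", powershell_from_explorer),
    ("psexec_lateral_movement", psexec_lateral),
]


def evaluate(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched rule names) for every event that hits."""
    hits = []
    for i, e in enumerate(events):
        names = [name for name, rule in RULES if rule(e)]
        if names:
            hits.append((i, names))
    return hits


# Constructed events, not captured telemetry.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe",                       # user opened a console
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r"PsExec.exe \\FILESRV01 -s -d -c BAD.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe BAD-README.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, names in evaluate(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", ", ".join(names))
```

The shadow-copy rule is the highest-fidelity one of the three and fires before encryption starts, which is the window in which isolating the host still saves data; the PowerShell rule needs the parent/flag combination to stay below the noise of ordinary admin use.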

  • Broader Impact / Notable Events

  • Healthcare sector hit hardest: At least 34 U.S. regional hospitals lost PACS imaging for 1-3 days (reported by CISA alert [AA23-053A]).

  • Double-extortion: the threat actors ran a leak site (htxps://badleak42.onion) to post 1 TB of exfiltrated data; it was taken down on 30-Jun-2023 when the master server was seized by law enforcement.

  • The decryptor is a reminder that a family with flawed cryptography survives only a few months in the wild before the actor fixes it or a successor replaces it; expect later variants without this weakness.

Bottom line: Treat BAD like a mid-tier ransomware family worth immediate cleanup but not worth paying the ransom—thanks to a working decryptor and regular patching discipline.