badboy

[Content by Gemini 2.5]


badboy Ransomware – Community Resource Guide

Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact file-extension used:
.badboy (lower-case, no space), appended after the complete original file name, including its existing extension.
  • Renaming convention:
    Pure appendage only—document.pdf becomes document.pdf.badboy.
  • No obfuscation strings, GUIDs, email addresses, or timestamps are added.
  • The original name is never re-cased; mixed-case file names stay exactly as they were and only gain the final .badboy suffix.
  • Every folder containing encrypted files also receives a marker file named ⚠️ HowToDecrypt.txt (the leading warning-sign character, U+26A0, renders as a box or question mark on hosts whose console or shell font lacks emoji glyphs).
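The following PowerShell function is an added example, not part of the original guide: it applies only the naming rules listed above to scope an infection from a rescue environment. It walks a mounted drive read-only, lists every file carrying the lower-case .badboy suffix, recovers the original name by stripping that suffix, and flags directories that hold encrypted files but no HowToDecrypt.txt marker. The root path (D:\ in the usage lines) is an assumption; the marker name is matched on its stable tail because the emoji prefix may or may not carry the U+FE0F variation selector.

```powershell
# Added example, not from the original guide. Read-only inventory of badboy artefacts
# under $Root (assumed to be a victim disk or share mounted from a rescue environment).
function Get-BadboyInventory {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Root)

    $files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue

    # The suffix is always lower-case, so compare case-sensitively (-clike).
    $encrypted = $files | Where-Object { $_.Name -clike '*.badboy' }

    # Marker file: U+26A0 (optionally followed by U+FE0F) + ' HowToDecrypt.txt'.
    $noteDirs = @{}
    foreach ($n in ($files | Where-Object { $_.Name -like '*HowToDecrypt.txt' })) {
        $noteDirs[$n.DirectoryName] = $n.FullName
    }

    foreach ($g in ($encrypted | Group-Object -Property DirectoryName)) {
        foreach ($f in $g.Group) {
            # Pure appendage: document.pdf.badboy -> document.pdf
            $original = $f.Name.Substring(0, $f.Name.Length - '.badboy'.Length)
            [pscustomobject]@{
                Directory         = $g.Name
                EncryptedFile     = $f.Name
                OriginalName      = $original
                OriginalExtension = [System.IO.Path]::GetExtension($original)
                SizeBytes         = $f.Length
                LastWriteUtc      = $f.LastWriteTimeUtc
                NotePath          = $noteDirs[$g.Name]   # $null = marker missing in this folder
            }
        }
    }
}

# Usage from a rescue environment with the victim disk mounted as D: (assumed path).
$inv = Get-BadboyInventory -Root 'D:\'
$inv | Export-Csv -NoTypeInformation -Path "$env:TEMP\badboy-inventory.csv"

# Timeline bounds: earliest and latest write time bracket the encryption run.
$sorted = $inv | Sort-Object -Property LastWriteUtc
"{0} files, {1:N0} bytes, written between {2:u} and {3:u}" -f $inv.Count,
    ($inv | Measure-Object -Property SizeBytes -Sum).Sum,
    $sorted[0].LastWriteUtc, $sorted[-1].LastWriteUtc

# Folders with encrypted files but no marker deserve a second look (interrupted run, or unrelated renames).
$inv | Where-Object { -not $_.NotePath } | Select-Object -ExpandProperty Directory -Unique
```

Everything here is read-only against the mounted volume; keep the CSV with the incident record, since the original-name and extension columns are what the decryptor pairing step later needs.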

2. Detection & Outbreak Timeline

  • First public sample: January 2023 in a VirusTotal upload from a SOHO (small-office/home-office) environment in Eastern Europe.
  • Wide-scale surge: mid-February 2023, when phishing waves using COVID-relief tax-change lures were spammed worldwide (Russian-language laundering, German and U.S. targeting).
  • Activity peaks: March–April 2023, tapering off through mid-2023 as security vendors developed signatures.

3. Primary Attack Vectors

  • Phishing e-mails (primary):
    – Subject line: “Kündigung anlagen – 2023” (German, roughly “termination attachments – 2023”, i.e. layoff paperwork) or “W2 reissue request”.
    – Malicious .zip attachment (.iso inside → .lnk → PowerShell loader).

  • Exploitation of vulnerable public-facing services:
    – RDP brute-forcing on TCP 3389 for initial access, followed by CVE-2021-34527 (“PrintNightmare”) in the Windows Print Spooler to escalate from the brute-forced account to SYSTEM (PrintNightmare is a privilege-escalation / authenticated RCE bug, not a remote entry point on its own).
    – The older Fortinet SSL-VPN path-traversal CVE-2018-13379 was sometimes used; it leaks VPN session credentials, and the resulting VPN access was then used to stage the initial EXE.

  • Cracked software installers & key generators:
    – Adobe Photoshop 2023 “patch.exe” seen on torrent sites wrapped with the dropper.


Remediation & Recovery Strategies

1. Prevention

  • Disable SMBv1 everywhere and never expose SMB (TCP 445) or RDP (TCP 3389) on a public address; alert on brute-force attempts against both ports.
  • Patch the Windows Print Spooler: any cumulative update from August 2021 onward carries the PrintNightmare (CVE-2021-34527) fixes. Additionally disable the Spooler service on servers that never print, and restrict printer-driver installation to administrators.
  • Block Office macros in files that carry the Internet Mark-of-the-Web; allow macros only from allow-listed trusted locations.
  • E-mail filtering: reject .iso, .img, .lnk, .bat, .hta, .cmd and .wsf attachments (including inside archives) from external senders. ISO/IMG containers matter because, on unpatched builds, files inside a mounted image did not inherit the Mark-of-the-Web, which is exactly what the .zip → .iso → .lnk chain above relies on.
  • Credential hygiene: enforce unique passwords of 14+ characters, enable Network Level Authentication (NLA) on RDP even behind a VPN, and put MFA in front of VPN and RDP logins.
  • Endpoint hardening: enable Microsoft Defender attack surface reduction (ASR) rules such as “Block all Office applications from creating child processes”, or the equivalent policy in CrowdStrike, SentinelOne or another EDR.
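As an added example (not from the original guide), the script below applies the host-level prevention items above to a single Windows 10/11 or Server host from an elevated PowerShell session. Mail-gateway filtering and domain password policy live elsewhere and are not covered. The $HostPrints switch is an assumption for hosts that must keep the Spooler; the two ASR GUIDs are Microsoft's published rule IDs for “Block all Office applications from creating child processes” and “Block executable content from email client and webmail” and should be checked against current documentation before deployment.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original guide: host-level prevention for the badboy vectors above.
# Set $HostPrints = $true on hosts that genuinely need the Print Spooler.
$HostPrints = $false

function Set-RegValue {
    # Policy keys are often absent on a fresh host; create the key before writing the value.
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -Type $Type
}

# 1. SMBv1 off, and SMB/RDP blocked on the Public (Internet-facing) firewall profile.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
New-NetFirewallRule -DisplayName 'badboy: block inbound RDP/SMB on Public profile' `
    -Direction Inbound -Protocol TCP -LocalPort 3389, 445 -Profile Public -Action Block | Out-Null

# 2. PrintNightmare (CVE-2021-34527) hardening on top of patching: only administrators may
#    install printer drivers, and the Spooler is disabled where the host never prints.
Set-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' `
    'RestrictDriverInstallationToAdministrators' 1
if (-not $HostPrints) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

# 3. Block macros in Office files that carry the Internet Mark-of-the-Web (Office 2016+/365).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    Set-RegValue "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" `
        'BlockContentExecutionFromInternet' 1
}

# 4. Require Network Level Authentication for RDP.
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    'UserAuthentication' 1

# 5. Defender ASR: block Office child processes, and executables launched from mail clients.
#    GUIDs are Microsoft's published rule IDs; verify them against current documentation.
Add-MpPreference -AttackSurfaceReductionRules_Ids `
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A', 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' `
    -AttackSurfaceReductionRules_Actions Enabled, Enabled

# 6. Local password policy for standalone hosts (domain members: set the same via GPO).
net accounts /minpwlen:14 /uniquepw:24 | Out-Null

# Verify the result.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-Service -Name Spooler | Select-Object Status, StartType
(Get-MpPreference).AttackSurfaceReductionRules_Ids
```

Run the ASR rules in audit mode first (replace Enabled with AuditMode) on a pilot group if line-of-business Office add-ins spawn child processes, and reboot after the SMB1 feature removal for it to take full effect.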

2. Removal (Step-by-step)

  1. Isolate infected machines: pull them off the network and do not attach removable media.
  2. Boot from an offline rescue medium (Windows PE, a Linux live image) and image the encrypted data before touching it. Keep the raw drives or full images: decryption tools sometimes need the original ciphertext, and a failed cleanup must be reversible.
  3. Boot each Windows host into Safe Mode without networking, so it stays isolated (bring scanner definition updates over on read-only media if needed).
  4. Run Malwarebytes 4.x or a Microsoft Defender Offline full scan; quarantine or delete anything flagged as “Ransom.Badboy!g1”.
  5. Persistence checks:
    a. Registry Run and RunOnce keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce, plus the HKLM equivalents): clear any entry pointing to %AppData%\devhelper.exe (%AppData% already expands to ...\AppData\Roaming, so the on-disk path is C:\Users\<user>\AppData\Roaming\devhelper.exe).
    b. Scheduled tasks: delete tasks named “SyncUpdate” or “WScriptAutoLaunch” (export the task XML first as evidence).
    c. Services: stop and remove the rogue service “InstallUtilUpdate”.
  6. Reboot normally and re-run the scanner to confirm no detections, then move the host to an isolated monitoring VLAN before returning it to production.
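The script below is an added example, not from the original guide. It turns removal step 5 (a–c) into a repeatable check-then-remove procedure, and also audits Windows Defender exclusion paths, the evasion mechanism described later under “Unique characteristics”. The indicator names (devhelper.exe, SyncUpdate, WScriptAutoLaunch, InstallUtilUpdate) are the ones this guide lists; the evidence directory under $env:TEMP is an assumption. Findings are collected first and removal supports -WhatIf, so nothing is deleted until you have reviewed the list.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original guide: persistence triage for the badboy indicators
# named in removal step 5, plus a Defender exclusion audit. Review output before removing.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$TaskNames   = 'SyncUpdate', 'WScriptAutoLaunch'
$ServiceName = 'InstallUtilUpdate'

function Get-BadboyPersistence {
    # 5a. Run/RunOnce values whose command references devhelper.exe (HKLM checked as well).
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }           # PSPath/PSParentPath/... metadata
            if ("$($p.Value)" -match 'devhelper\.exe') {
                [pscustomobject]@{ Type = 'RunKey'; Name = $p.Name; Location = $key; Detail = $p.Value }
            }
        }
    }
    # 5b. Scheduled tasks by name, with the command they launch.
    foreach ($t in (Get-ScheduledTask | Where-Object { $TaskNames -contains $_.TaskName })) {
        $cmd = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        [pscustomobject]@{ Type = 'Task'; Name = $t.TaskName; Location = $t.TaskPath; Detail = $cmd }
    }
    # 5c. Rogue service and the binary it runs.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if ($svc) {
        [pscustomobject]@{ Type = 'Service'; Name = $svc.Name; Location = "state=$($svc.State)"; Detail = $svc.PathName }
    }
    # Defender exclusions added by the evasion stage (Add-MpPreference -ExclusionPath).
    foreach ($e in (Get-MpPreference).ExclusionPath) {
        [pscustomobject]@{ Type = 'DefenderExclusion'; Name = $e; Location = 'Get-MpPreference'; Detail = 'remove unless sanctioned' }
    }
}

function Remove-BadboyPersistence {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(ValueFromPipeline)] $Finding,
        [string] $EvidenceDir = "$env:TEMP\badboy-evidence"   # assumed location
    )
    begin { New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null }
    process {
        switch ($Finding.Type) {
            'RunKey' {
                if ($PSCmdlet.ShouldProcess("$($Finding.Location)\$($Finding.Name)", 'Remove value')) {
                    Remove-ItemProperty -LiteralPath $Finding.Location -Name $Finding.Name
                }
            }
            'Task' {
                # Keep the task XML as evidence before deleting it.
                Export-ScheduledTask -TaskName $Finding.Name -TaskPath $Finding.Location |
                    Set-Content -Path (Join-Path $EvidenceDir "$($Finding.Name).xml")
                if ($PSCmdlet.ShouldProcess($Finding.Name, 'Unregister task')) {
                    Unregister-ScheduledTask -TaskName $Finding.Name -TaskPath $Finding.Location -Confirm:$false
                }
            }
            'Service' {
                if ($PSCmdlet.ShouldProcess($Finding.Name, 'Stop and delete service')) {
                    Stop-Service -Name $Finding.Name -Force -ErrorAction SilentlyContinue
                    sc.exe delete $Finding.Name | Out-Null   # Remove-Service only exists in PowerShell 6+
                }
            }
            'DefenderExclusion' {
                if ($PSCmdlet.ShouldProcess($Finding.Name, 'Remove Defender exclusion')) {
                    Remove-MpPreference -ExclusionPath $Finding.Name
                }
            }
        }
    }
}

# Usage: collect, review, dry-run, then remove. Keep the findings with the incident record.
$findings = Get-BadboyPersistence
$findings | Format-Table -AutoSize
$findings | Remove-BadboyPersistence -WhatIf     # shows what would change
# $findings | Remove-BadboyPersistence           # real removal, then reboot and rescan (step 6)
```

Sanctioned Defender exclusions (for example a backup agent's paths) will also show up in the findings; drop those objects from $findings before piping to the removal function rather than letting them be removed wholesale.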

3. File Decryption & Recovery

  • Free decryption possible: YES. A community decryptor was released by Emsisoft on 25 April 2023.
  • Tool: Emsisoft Decryptor for badboy v1.0 (CC-BY-NC license).
  • Requires an intact ⚠️ HowToDecrypt.txt file, because the hostname and key material the tool needs are embedded in it.
  • Run it on a clean system after removal and point it at the mounted drive or network share. Supply one uncorrupted file pair, an encrypted file plus its backup or original (50 KB or larger), so the tool can brute-force the per-file tweak values.
  • When no decryptor applies (rare), fall back to Volume Shadow Copies if they were not deleted (this attack often leaves them alone): list them from an elevated prompt with vssadmin list shadows (or Get-CimInstance Win32_ShadowCopy in PowerShell) and browse them with ShadowCopy-Explorer.

4. Other Critical Information & Wider Impact

  • Unique characteristics:
    – badboy uses a hybrid scheme: file contents are encrypted with the ChaCha20 stream cipher, and the per-victim key material is wrapped with an RSA-2048 public key hard-coded in the binary (the note carries no contact details, so there is no e-mail interaction with the operators).
    – It skips any path containing the strings bitcoin, tor, or opera, which keeps wallet software and the Tor and Opera browsers usable for following the ransom instructions.
    – It drops a defence-evasion PowerShell stage that blinds Windows Defender by adding its working paths to the scan exclusions with Add-MpPreference -ExclusionPath. This does not stop real-time protection, it only exempts the excluded paths, so audit Get-MpPreference output during cleanup.

  • Notable impacts:
    – A European municipality saw 120 VMs encrypted within 4 hours, including all critical GIS maps. Rollback was completed within 18 hours using the Emsisoft decryptor and offline backups, because the Veeam immutable repository was not mounted at the time of the attack.
    – The case is a poster child in incident-response training for why off-site immutable backups matter more than real-time syncing, which faithfully replicates the encrypted files.

  • Community Contributions Required:
    – If you have new samples (.badboy-tagged files > 20 KB) please upload hashes to VirusTotal or share with the NoMoreRansom initiative—new variants may introduce key rotation and need fresh decryptors.

Stay vigilant, patch early, backup often, and never pay ransoms. The decryptor works, so patience beats panic.