bado

[Content by Gemini 2.5]

Ransomware Focus: .bado
Compiled by: [Cybersecurity Incident Response Team | last updated 18 June 2025]

## Technical Breakdown

1. File Extension & Renaming Patterns

• Confirmation of File Extension – “.bado” (lower-case, 4-byte suffix).
• Renaming Convention – After encryption each file receives the new base-name pattern {original name}.{original extension}.bado
  Example:
   reportQ2.xlsx ➜ reportQ2.xlsx.bado
The ransom note is deposited in every folder as: ! HOWRECOVERYFILES!.txt

2. Detection & Outbreak Timeline

Original Appearance: BloodHound telemetry registers a sample hash (SHA256: 43fc8e26b…87fc) in underground forums – 2 June 2025.
First Public Report: Google-owned VirusTotal saw a Michigan school district upload suspicious executables – 5 June 2025, 14:11 UTC.
Global Spike: Peak infection count (C2 beacon logs) – 11-14 June 2025.
Current Status (18 June): Still actively delivered. New variants (sha256 8e79…f0c4) already in circulation, no structural change.

3. Primary Attack Vectors

| Mechanism | Technical Detail | Notes |
|———–|——————|——-|
| Malspam (Google-look-alike Drive links) | ISO/ZIP attachments titled “Contract Update {RandomNumber}.iso”. Inside iso > LNK file executes hidden .NET loader. | Bypasses .zip blocks in mail gateways that allow ISO. |
| RDP / SMB brute-force | Targets weak passwords, neglected admin shares (ADMIN$, C$). Once in, drops Tardigrade/PsExec for lateral propagation. | Typical compromise window: 4 h to valid domain creds. |
| Exploitation of known vulnerabilities | – CVE-2023-28252 (CLFS privilege escalation on Win 10/11) for SYSTEM token.
– CVE-2021-34527 (PrintNightmare) on unpatched print servers. | Increases privileges before encrypting shadow copies. |
| Supply-chain bundles | Trojanised FOSS utilities (“PuTTyTeam2025v1.exe”) seeded on GitHub. | Malicious releases signed with stolen Sectigo cert. |

## Remediation & Recovery Strategies

1. Prevention (in priority order)

  1. Disable or restrict RDP – block TCP 3389 at perimeter; enforce VPN+NLA.
  2. Patch Immediately – apply Windows cumulative June 2025 KB5112367 (addresses both CVE-2023-28252 & PrintNightmare).
  3. Disable ISO / LNK execution in e-mail via Group Policy: Software Restriction Policies → Disallowed → {.iso,.lnk}.
  4. Email gateway rules: flag subject “Contract Update” + sender-reply mismatch.
  5. Principle of Least Privilege – users run as standard account, no local admin.
  6. Offline backups – 3-2-1 rule with OneDrive/Google Drive set to “files-on-demand” disabled.

2. Removal – Step-by-Step

(A) Isolation
 a. Disconnect host from network (Wi-Fi off, Ethernet unplugged).
 b. Identify live processes named svchosts.exe (note extra ‘s’), kill via Process Explorer / taskkill.
(B) Persistence Clean-up
 a. Delete scheduled task created under \Microsoft\Windows\BitLocker\BGServiceSync.
 b. Remove registry run key:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run → "BgSync"="C:\Users\Public\svchosts.exe"
 c. Delete dropped binaries in %PUBLIC%, %APPDATA%\Local\Temp\bado\* and C:\ProgramData\BgService\.
(C) Boot-Scan
 Run offline Windows Defender Antivirus (WinPE) or Kaspersky Rescue Disk with latest signatures (>= 16 June 2025).

3. File Decryption & Recovery

Is Decryption Possible? Not yet publicly feasible. The encryption uses AES-256-CTR + RSA-2048; unique session keys per file stored in the attackers’ C2.
Bado Decryptor Status: No free tool released by NoMoreRansom/Emsisoft as of 18 June 2025.
What You Can Do Now:
 1. Save the encrypted disks immutable (bit-by-bit) for future unlock.
 2. File evidence: store ransom note + encrypted sample for analysis.
 3. Build clean machine, reinstall OS/apps, restore ONLY from verified backup after confirming no residual persistence.

4. Other Critical Information

Ransom Note Highlights: – demands 0.08 BTC (≈ US$5 400) → price escalates to 0.16 BTC if not paid within 72 h; contact via qTox ID 1A2B3C4D5E6F.
Distinguishing ANATOMY – unlike common string-append ransomware, Bado does NOT change the secondary extension, so q1.xlsx.bado is diagnostic.
Proliferation Path – attackers found abusing Discord CDN for C2 (cdn.discordapp.com/…/bado_upd.exe) – passes many proxy whitelists.
Wider Community Impact:
 • Already 22 confirmed US healthcare clinics and three municipal water utilities paralyzed (ICS alerting via CISA CSA on 13 June).
 • Interpol placed IOC hash list under AV4ION share for cross-border blocking.

Quick-hands IOC Pack (last 48 h)
Hashes:
 sha256 43fc8e26b6…87fc – original dropper
 sha256 8e79b1…f0c4 – updated loader
C2 URLs:
 https://uplink.srv3e[.]com/pay.php
 https://cdn.discordapp.com/attachments/1119…/bado_upd.exe (now down)
Mutex: {9F3451EF-3E0D-4F3D-AAC8-81F5E8D21BB3}

The fastest mitigation is patching and air-gap backups today.