better_call_saul

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends .better_call_saul (note the leading dot and the underscores) to every file it encrypts.
  • Renaming Convention: The original filename, including its own extension, is left intact; the new extension is simply appended. Stripping the suffix therefore recovers the original name (not the contents).
    Example: Annual_Budget_Q1.xlsx → Annual_Budget_Q1.xlsx.better_call_saul
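Because only the suffix is appended, an impact triage can recover every original name by string-stripping. The following PowerShell script is an added example (not part of the original write-up): it enumerates files carrying the suffix under a root, recovers the original names, summarises what was hit and when, and lists the directories containing the ransom note. It is read-only; `$Root` is an assumption and should point at the affected share or volume.

```powershell
# Added example, not from the original write-up: read-only triage of a share or volume.
# Finds every file carrying the appended suffix, recovers the original name by stripping it,
# and summarises impact and timing. $Root is an assumption; point it at the affected tree.
param(
    [string]$Root     = 'D:\Shares',
    [string]$Suffix   = '.better_call_saul',
    [string]$NoteName = 'Decryption_Instructions.html',
    [string]$Report   = (Join-Path $env:TEMP 'bcs_triage.csv')
)

$encrypted = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name.EndsWith($Suffix, [System.StringComparison]::OrdinalIgnoreCase) } |
    ForEach-Object {
        # Only the suffix was appended, so the original name is the prefix before it
        $original = $_.Name.Substring(0, $_.Name.Length - $Suffix.Length)
        [pscustomobject]@{
            EncryptedPath = $_.FullName
            OriginalName  = $original
            OriginalExt   = [System.IO.Path]::GetExtension($original).ToLowerInvariant()
            SizeBytes     = $_.Length
            LastWriteUtc  = $_.LastWriteTimeUtc   # the locker's write, not the user's; brackets the attack window
        }
    }
$encrypted = @($encrypted)

$encrypted | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
"{0} encrypted files found under {1}; list written to {2}" -f $encrypted.Count, $Root, $Report

if ($encrypted.Count -gt 0) {
    "Impact by original file type:"
    $encrypted | Group-Object OriginalExt | Sort-Object Count -Descending |
        Select-Object @{ n = 'OriginalExt'; e = { $_.Name } }, Count,
                      @{ n = 'MB'; e = { [math]::Round(($_.Group.SizeBytes | Measure-Object -Sum).Sum / 1MB, 1) } } |
        Format-Table -AutoSize

    $ordered = @($encrypted | Sort-Object LastWriteUtc)
    "Encryption window (UTC): {0:u} -> {1:u}" -f $ordered[0].LastWriteUtc, $ordered[-1].LastWriteUtc
}

# Ransom notes mark every directory the locker walked, including ones with nothing left to encrypt
$noteDirs = Get-ChildItem -Path $Root -Recurse -File -Force -Filter $NoteName -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty DirectoryName | Sort-Object -Unique
"{0} directories contain {1}" -f @($noteDirs).Count, $NoteName
```

Run it from a clean analysis host against the share (`.\bcs_triage.ps1 -Root '\\fileserver\finance'`), not from the infected machine; the CSV feeds the restore list, and the LastWrite window lines up with the logon and process telemetry when building the timeline.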

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First submissions to public malware repositories appeared around 15 March 2023.
    A sharp spike in telemetry followed in the week of 20–27 March 2023, consistent with the start of a coordinated affiliate campaign.

3. Primary Attack Vectors

| Vector | Modus Operandi |
|---|---|
| Phishing e-mails | Malicious ISO/IMG attachments posing as software quotations (Quote_Req.iso). When the user opens the mounted image and launches setup.exe, a signed .NET loader runs. Disk-image containers were favoured because, before the November 2022 Windows updates, files inside them did not carry the Mark-of-the-Web. |
| SMBv1 and EternalBlue (MS17-010) | Once inside, lateral movement uses EternalBlue against unpatched SMBv1 hosts, or PetitPotam-style NTLM coercion and relay, to compromise further domain machines without needing harvested credentials. |
| Exposed RDP | Password guessing against 3389/TCP, launched through rented "redirector" VPSs that forward the connections over SSH SOCKS proxies to hide the true origin. |
| Ivanti / ConnectWise exploits (CVE-2023-46805 & CVE-2023-46786) | Initial foothold on perimeter appliances, followed by a PowerShell download cradle that drops the Go-compiled locker. Note that CVE-2023-46805 (Ivanti Connect Secure authentication bypass) was disclosed in January 2024, so this vector can only belong to campaign waves after the March 2023 outbreak dated above. |
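The RDP vector leaves a clear trail in the Security log: a run of 4625 failures from one source, and, if the guessing worked, a 4624 from that same source. The PowerShell below is an added detection example (not from the original write-up) that groups failures per source IP over a window and then looks for the success that follows a burst. With NLA enabled, a failed RDP logon is recorded as LogonType 3 rather than 10, so both types are included. The threshold and window are assumptions to tune.

```powershell
# Added example, not from the original write-up: find RDP password guessing against this host
# in the Security log and, more importantly, any success that follows a burst from the same source.
# Read-only. Run elevated (or as a member of Event Log Readers).
param(
    [int]$Hours = 24,
    [int]$Threshold = 20     # failures per source IP inside the window; tune to your estate
)
$since = (Get-Date).AddHours(-$Hours)

# Pull the EventData fields we need out of an event's XML
function Get-LogonFields {
    param($Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Id        = $Event.Id
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = $d['LogonType']   # 10 = RemoteInteractive; with NLA the failure is logged as type 3
        Source    = $d['IpAddress']
        Status    = $d['Status']      # 0xC0000234 = account locked out
        SubStatus = $d['SubStatus']   # 0xC000006A = bad password, 0xC0000064 = no such user
    }
}

$remoteTypes = '3', '10'
$local = '-', '::1', '127.0.0.1'

$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-LogonFields $_ } |
    Where-Object { $_.LogonType -in $remoteTypes -and $_.Source -notin $local }

# A burst = many failures from one IP; many distinct accounts from one IP = password spraying
$bursts = $failed | Group-Object Source | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
    $ordered = @($_.Group | Sort-Object Time)
    [pscustomobject]@{
        Source   = $_.Name
        Failures = $_.Count
        Accounts = @($_.Group.User | Sort-Object -Unique).Count
        First    = $ordered[0].Time
        Last     = $ordered[-1].Time
    }
}

# The alert that matters: a 4624 from a bursting source inside the same window
$successes = @()
if ($bursts) {
    $sources = @($bursts.Source)
    $successes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-LogonFields $_ } |
        Where-Object { $_.Source -in $sources -and $_.LogonType -in $remoteTypes }
}

"Brute-force sources (>= $Threshold failures in the last $Hours h):"
$bursts | Sort-Object Failures -Descending | Format-Table -AutoSize
if ($successes) {
    "SUCCESSFUL LOGONS FROM BRUTE-FORCE SOURCES - treat these accounts and this host as compromised:"
    $successes | Sort-Object Time | Format-Table Time, User, Source, LogonType -AutoSize
}
```

On a host that is correctly reachable only through a VPN, the source addresses will be the VPN pool; a burst there means a VPN account, not just an RDP password, needs attention. The same grouping works centrally if the 4625/4624 events are forwarded to a SIEM.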


Remediation & Recovery Strategies:

1. Prevention

  • Patch immediately:
    • Microsoft: MS17-010 (the EternalBlue fix) on every remaining unpatched host.
    • Ivanti / ConnectWise: the vendor patches for CVE-2023-46805 and CVE-2023-46786. Ivanti's fix for CVE-2023-46805 shipped in early 2024, so no March 2023 bundle covers it; run the current release.
  • Disable SMBv1 and configure the "Network security: Restrict NTLM" policies (audit outbound NTLM first, then deny) to blunt coercion-and-relay attacks such as PetitPotam.
  • Block file types: E-mail gateways should block ISO, IMG, VHD and 7Z attachments, and quarantine any archive that contains executables or scripts (.exe, .js, .vbs, .lnk).
  • Enforce RDP hardening:
    • NLA enabled,
    • lockout after 5 failed logins,
    • port 3389 never exposed to the Internet (use VPN + MFA).
  • Use application allow-listing (Microsoft Defender ASR rules, AppLocker or WDAC), in particular blocking execution from user-writable paths such as %TEMP%\*.exe.
  • E-mail banners: Tag external mail with a banner so that unexpected quotations or job applications draw scrutiny.
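The host-side items in the list above can be applied and verified in one pass. The PowerShell below is an added example (not from the original write-up) for a Windows 10/11 or Server 2016+ host: it disables SMBv1, puts outbound NTLM into audit mode, requires NLA for RDP, sets the lockout threshold, restricts 3389 to an admin subnet on the host firewall, and turns on the Defender ASR rules that break the ISO -> setup.exe -> %TEMP% chain. The admin subnet is an assumption; the ASR GUIDs are Microsoft's published rule IDs.

```powershell
# Added example, not from the original write-up: applies the host-side controls above on a
# Windows 10/11 or Server 2016+ machine. Run elevated; pilot it before broad rollout. The
# admin subnet is an assumption. In a domain, push the same settings through GPO/Intune.
#Requires -RunAsAdministrator
param([string]$AdminSubnet = '10.10.0.0/24')

# 1. SMBv1 off: the optional feature and the server switch. Server SKUs: Remove-WindowsFeature FS-SMB1.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 2. Restrict NTLM. 1 = audit outbound NTLM; move to 2 (deny all) once the Microsoft-Windows-NTLM
#    Operational log shows nothing legitimate still depends on it.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
New-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -PropertyType DWord -Value 1 -Force | Out-Null

# 3. RDP: require NLA so credentials are checked before a session is created
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord

# 4. Lock out after 5 failures (local policy; on domain members the domain lockout policy wins)
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 5. Host firewall: RDP only from the admin subnet. Defence in depth behind the VPN, not a substitute
#    for never publishing 3389. Do not run this over the RDP session you are trying to keep.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from admin subnet only' -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Domain, Private | Out-Null

# 6. Defender ASR rules that break the ISO -> setup.exe -> %TEMP% chain (Microsoft's published rule IDs)
$asr = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript/VBScript from launching downloaded executable content'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}
foreach ($id in $asr.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    "ASR enabled: $($asr[$id])"
}

# 7. Verify the result
[pscustomobject]@{
    SMB1Enabled  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    RDP_NLA      = (Get-ItemProperty -Path $rdp -Name UserAuthentication).UserAuthentication
    NTLMRestrict = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic).RestrictSendingNTLMTraffic
    ASRRuleCount = @((Get-MpPreference).AttackSurfaceReductionRules_Ids).Count
} | Format-List
```

Start the ASR rules in audit mode (`-AttackSurfaceReductionRules_Actions AuditMode`) on a pilot group if line-of-business installers live in %TEMP%; the prevalence/age rule in particular will block freshly built internal tools until they are allow-listed.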

2. Removal

  1. Isolate: Disconnect the infected host(s) from the network (pull the cable, quarantine the switch port or use EDR isolation) but do not power them off; a memory image must be captured first.
  2. Boot into Safe Mode with Networking or from a WinPE/clean boot USB so that the locker's persistence does not start.
  3. Identify persistence:
    • Scheduled Task \Microsoft\Windows\Spool\Drivers\Color\Main.cs
    • Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\csdrv
  4. Delete binaries and configs: Look in %APPDATA%\cs\ and for %TEMP%\cs_saul_setup.exe; hash and preserve copies before deleting.
  5. Hunt lateral artefacts: Enumerate WMI event subscriptions (__EventFilter, the event consumers and __FilterToConsumerBinding in root\subscription) for suspicious entries.
  6. Re-image, or do a full OS plus firmware reinstall, if the host held a domain-controller or hypervisor role.
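Steps 3 to 5 are one hunt across four persistence surfaces. The PowerShell below is an added example (not from the original write-up) that checks the scheduled task, the Run value, the drop locations and the WMI subscription namespace for the indicators named above, hashes any file it finds, and removes only the exactly named items when `-Remediate` is passed; pattern matches are reported for review, never deleted. It must run while the Task Scheduler and WMI services are up, so run it in the isolated live session (locally or via remoting) before rebooting into Safe Mode or WinPE.

```powershell
# Added example, not from the original write-up: hunts for the persistence and drop artefacts
# listed in steps 3-5 on the isolated host, hashes what it finds, and removes only the exactly
# named items when -Remediate is given. Run elevated. Pattern hits are reported, never deleted.
param([switch]$Remediate)

$ioc = @{
    TaskPath = '\Microsoft\Windows\Spool\Drivers\Color\'
    TaskName = 'Main.cs'
    RunValue = 'csdrv'
    DropDir  = Join-Path $env:APPDATA 'cs'              # resolves for the account running the script
    Dropper  = Join-Path $env:TEMP 'cs_saul_setup.exe'  # substitute the victim profile's paths if different
    Patterns = @('csdrv', 'cs_saul', 'better_call_saul') # substrings worth flagging anywhere
}
$rx = ($ioc.Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Where, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. Scheduled tasks: the named task, plus any task whose action mentions an IOC string
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $action = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    $named  = ($t.TaskPath -eq $ioc.TaskPath -and $t.TaskName -eq $ioc.TaskName)
    if ($named -or $action -match $rx) {
        Add-Finding 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" $action
        if ($Remediate -and $named) { Unregister-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -Confirm:$false }
    }
}

# 2. Run keys: HKLM plus every loaded user hive (HKCU is only the current user's alias)
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') +
           @(Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
             ForEach-Object { "$($_.PSPath)\Software\Microsoft\Windows\CurrentVersion\Run" })
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notin $meta }) {
        $named = ($p.Name -eq $ioc.RunValue)
        if ($named -or "$($p.Value)" -match $rx) {
            Add-Finding 'RunKey' "$key\$($p.Name)" "$($p.Value)"
            if ($Remediate -and $named) { Remove-ItemProperty -Path $key -Name $p.Name -Force }
        }
    }
}

# 3. Dropped files: hash before touching so the hashes can be shared and blocklisted
$files = @($ioc.Dropper) + @(Get-ChildItem -Path $ioc.DropDir -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object FullName)
foreach ($f in $files | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
    $sha = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    Add-Finding 'File' $f "SHA256=$sha"
    if ($Remediate) { Remove-Item -LiteralPath $f -Force }
}

# 4. WMI event subscriptions: list everything in root\subscription and flag IOC matches. An analyst
#    should still eyeball the rest; only the built-in SCM Event Log filter/consumer is expected there.
foreach ($cls in '__EventFilter', 'CommandLineEventConsumer', 'ActiveScriptEventConsumer', '__FilterToConsumerBinding') {
    foreach ($o in Get-CimInstance -Namespace root\subscription -ClassName $cls -ErrorAction SilentlyContinue) {
        $text = ($o.CimInstanceProperties | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ; '
        $type = if ($text -match $rx) { "WMI:${cls}:IOC" } else { "WMI:$cls" }
        Add-Finding $type $cls $text
    }
}

$findings | Sort-Object Type, Where -Unique | Format-Table -AutoSize -Wrap
$out = Join-Path $env:TEMP "bcs_hunt_$env:COMPUTERNAME.csv"
$findings | Export-Csv -Path $out -NoTypeInformation
"Findings saved to $out"
```

Run it once without `-Remediate`, copy the CSV and the hashed files off the host as evidence, and only then run it again with the switch; the image in step 6 still follows for any host that held a privileged role, because a clean hunt does not prove a clean machine.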

3. File Decryption & Recovery

  • Recovery Feasibility (current): No public decryptor is available. Each file is encrypted with its own AES-256 key, which is in turn encrypted with an RSA-2048 public key obtained from the C2 (the variant falls back to a Telegram bot for C2 if its domains are sink-holed), so recovery without the operators' private key is infeasible.
  • Essential Tools:
    • Emsisoft Emergency Kit 2023.9.0.1 – detect and remove residual artefacts.
    • SentinelOne – blocklisting of known better_call_saul sample hashes in the agent policy.
    • The vendor patches listed under Prevention.
  • Backups: Air-gapped or offline copies, or immutable cloud object storage (object/vault lock) with at least 30-day retention, are currently the only guaranteed recovery path; test a restore before you need one.

4. Other Critical Information

  • Unique Characteristics:

    • The ransom note Decryption_Instructions.html embeds a GIF of "Saul Goodman", hence the campaign name.

    • Double extortion: Runs StealerPA.exe to exfiltrate SharePoint sites and OneDrive content with rclone to Mega.io before encryption begins; an unexpected rclone binary or Mega.io traffic is therefore an early-warning indicator.

    • Geo-fence: Will not drop the locker if the system locale is Ukraine, the Russian Federation or another CIS country, an OPSEC habit carried over from the Conti playbook.

  • Broader Impact:

    • Heavily targets the MSP channel, abusing RMM agents to pivot to dozens of downstream clients within hours.

    • Estimated 480 organisations affected by July 2023 (insurance-sector tracker).

    • Breach notifications triggered under multiple US state laws and, for covered financial entities, the amended NYDFS cybersecurity regulation (23 NYCRR Part 500).


Checklist Cheat-Sheet (post-it ready):

□ SMBv1 disabled + MS17-010 patch current  
□ Ivanti / ConnectWise perimeter patches applied  
□ RDP closed to Internet, NLA on, MFA enforced  
□ Mail gateway blocks ISO, IMG, VHD, 7Z, JS, VBS  
□ Local admin passwords unique (LAPS)  
□ Segregated backups, 3-2-1 rule, offline copy weekly  
□ Run the HuntIR script (or an equivalent hunt) for csdrv, cs_saul_setup.exe and better_call_saul in scheduled tasks, Run keys and WMI subscriptions

Stay vigilant: the operators of better_call_saul refresh their affiliate kit quarterly, so patch hygiene and user training remain your first and last line of defense.