BK (a.k.a. RansomWare 2.0) has been circulating in underground forums since late 2023.
Below you will find everything we presently know about its TTPs (tactics, techniques, and procedures) and, more importantly, the concrete steps you can take to keep it out of your environment – or to recover if it has already planted itself.
Technical Breakdown
1. File Extension & Renaming Patterns
Extension confirmed: .bk (all lowercase, no separator).
Renaming convention after encryption:
original_name.txt ⇒ original_name.txt.id-[8_HEX].email-[attacker mailbox].bk
Example: Budget2024.xlsx ⇒ Budget2024.xlsx.id-XXXXXXXX.email-<attacker mailbox>.bk (XXXXXXXX is the 8-hex victim ID; the original file name and its real extension are preserved in front of the BK suffix).
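To make the rename convention actionable during triage, here is an added Python example (written for this page, not taken from the BK tooling or from any vendor) that parses BK-renamed file names, groups them by victim ID and attacker mailbox, and separates legitimate .bk files and ransom notes from encrypted ones. The directory listing, the mailbox (example.invalid) and the victim IDs are constructed; only the name pattern and the Read_Data.txt note name come from this page.

```python
import os
import re
from collections import defaultdict

# Rename convention described above: <original>.id-<8 hex>.email-<attacker mailbox>.bk
# The extension is lowercase ".bk" with no separator, so the match is case-sensitive on purpose.
BK_NAME_RE = re.compile(
    r"^(?P<original>.+?)"                     # original name, including its real extension
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"     # 8-hex victim ID
    r"\.email-(?P<mailbox>[^@\\/\s]+@[^\\/\s]+?)"
    r"\.bk$"
)

RANSOM_NOTE = "Read_Data.txt"   # note file name given later on this page


def parse_bk_name(name: str):
    """Return (original_name, victim_id, mailbox) for a BK-renamed file, else None."""
    m = BK_NAME_RE.match(name)
    if m is None:
        return None
    return m.group("original"), m.group("victim_id").upper(), m.group("mailbox")


def triage(listing):
    """Group encrypted files by (victim_id, mailbox); count notes; keep odd .bk files aside.

    Two different (victim_id, mailbox) pairs on one host usually mean two runs or
    two affiliates, i.e. potentially two different keys to negotiate or recover.
    """
    groups = defaultdict(list)
    notes = 0
    unparsed = []
    for name in listing:
        if name == RANSOM_NOTE:
            notes += 1
            continue
        parsed = parse_bk_name(name)
        if parsed is None:
            if name.lower().endswith(".bk"):      # .bk but not BK's pattern: probably legitimate
                unparsed.append(name)
            continue
        original, victim_id, mailbox = parsed
        groups[(victim_id, mailbox)].append(original)
    return {"groups": dict(groups), "ransom_notes": notes, "unparsed_bk": unparsed}


def scan_tree(root):
    """Walk a (read-only mounted) volume and triage every file name under it."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return triage(names)


# Constructed directory listing (not real victim data); the mailbox is a placeholder.
SAMPLE_LISTING = [
    "Budget2024.xlsx.id-1A2B3C4D.email-victim-helpdesk@example.invalid.bk",
    "Read_Data.txt",
    "Q1-report.docx.id-1A2B3C4D.email-victim-helpdesk@example.invalid.bk",
    "archive.tar.gz.id-1a2b3c4d.email-victim-helpdesk@example.invalid.bk",  # lowercase ID, same victim
    "old-backup.bk",                                                          # legitimate .bk file
    "wall_warn.jpg",
    "contract.pdf.id-DEADBEEF.email-second-box@example.invalid.bk",           # second ID/mailbox pair
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Run scan_tree against the mounted, read-only infected volume (not the live system) to get the per-key file inventory before deciding on restores.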
2. Detection & Outbreak Timeline
- First VT submissions: 30 November 2023 (Ukraine).
- Ramp-up observed: January – February 2024, particularly against healthcare and MSP environments in EU/US.
- No major new spin-offs were noted; we treat “BK” as a single strain with incremental builds rather than clear-cut versions.
3. Primary Attack Vectors
- Weaponized e-mail attachments / phishing – ISO/NRG archives or password-protected ZIPs leading to a .NET dropper that side-loads BKCore.dll.
- RDP brute-force & credential-stuffing – Once an exposed RDP service is cracked, the operators manually deploy the BK packer (bk_unpack.exe, signed with a revoked but valid-looking certificate; a signature check that does not consult revocation will pass it).
- Exploitation of exposed appliances – PaperCut NG/MF CVE-2023-27350 (authentication bypass leading to remote code execution) and CVE-2023-20198 (the Cisco IOS XE web UI privilege-escalation flaw; it is not an MFA bypass in SonicWall or ConnectSecure). BK actively scans for exposed SonicWall, ConnectSecure and PaperCut appliances.
- DLL side-loading via AnyDesk & 7-Zip nightly builds – A supply-chain twist seen during the April-2024 campaign.
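An added detection example for the RDP brute-force vector, written for this page rather than taken from any product: it keeps a sliding window of failed logons (Event ID 4625, LogonType 10) per source address and flags a source that subsequently logs on successfully (4624), which is the moment this page says the operators move to deploying the packer by hand. The one-line text event format, its field names, the threshold and the IP addresses (documentation/TEST-NET ranges) are assumptions; real telemetry would come from EVTX or a SIEM export.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified one-line rendering of a Windows Security event (our own format, not EVTX).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+EventID=(?P<eid>\d+)\s+"
    r"LogonType=(?P<lt>\d+)\s+Src=(?P<src>[\d.]+)\s+User=(?P<user>\S+)$"
)


def parse_event(line):
    """Parse one event line into a dict, or None if it is not in the expected form."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "eid": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "src": m["src"],
        "user": m["user"],
    }


def detect_rdp_bruteforce(lines, window=timedelta(minutes=5), threshold=10,
                          rdp_logon_types=(10,)):
    """Sliding-window count of failed logons (4625) per source IP.

    A source is alerted once it accumulates `threshold` failures inside `window`;
    the alert keeps the set of user names tried (spraying shows as many users, a
    single-account brute force as one) and is marked success_after if a 4624
    from that source follows. Lines must be fed in chronological order.
    """
    failures = defaultdict(deque)   # src -> deque of (timestamp, user)
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] not in rdp_logon_types:
            continue
        src = ev["src"]
        if ev["eid"] == 4625:
            q = failures[src]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:   # expire failures outside the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"first_seen": q[0][0], "count": 0,
                                            "users": [], "success_after": False})
                a["count"] = len(q)
                a["users"] = sorted({u for _, u in q})
        elif ev["eid"] == 4624 and src in alerts:
            alerts[src]["success_after"] = True
    return alerts


# Constructed sample: 12 failures in 44 s from one source cycling four accounts, then a
# success from it; a second source with two failures that should stay below threshold.
SAMPLE_EVENTS = [
    f"2024-02-03T01:12:{s:02d}Z EventID=4625 LogonType=10 Src=203.0.113.7 User={u}"
    for s, u in zip(range(0, 48, 4), ["administrator", "admin", "backup", "svc_rdp"] * 3)
] + [
    "2024-02-03T01:13:10Z EventID=4624 LogonType=10 Src=203.0.113.7 User=backup",
    "2024-02-03T01:15:00Z EventID=4625 LogonType=10 Src=198.51.100.5 User=jdoe",
    "2024-02-03T01:15:30Z EventID=4625 LogonType=10 Src=198.51.100.5 User=jdoe",
]

if __name__ == "__main__":
    for src, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, a)
```

Caveat when NLA is enforced (as the prevention section recommends): failures rejected before a session exists are logged as 4625 with LogonType 3 rather than 10, so on NLA hosts pass rdp_logon_types=(3, 10) and accept that SMB and other network logons then fall into the same window.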
Remediation & Recovery Strategies
1. Prevention
- Disable SMBv1 & tighten RDP (NLA + rate-limiting + geo-blocking).
- Harden VPN concentrators & EDR policies – patch SonicWall SMA, ConnectSecure, Ivanti, PaperCut and proxy/update endpoints immediately.
- Mailbox hardening – SPF+DKIM+DMARC “p=reject” combined with a strict attachment filter (.iso/.img/.vhd).
- Application allow-listing – Use Microsoft Defender Smart App Control or similar. BK's main component (BKCore.dll) is signed with certificates that the allow-list now blocks via block-IDs 77b2ad52-e5b1-45d1-95a8-f0e4c92ab7c2 & 8fa797d3-6bbf-44aa-8353-3df8e2743ad4; confirm those blocks are actually present in your policy rather than assuming a default policy covers them.
- Offline credential vault + MFA everywhere stops lateral movement before encryption starts.
2. Removal (step-by-step)
- Isolate – Pull the network cable and disable Wi-Fi (and any tethering) on laptops.
- Boot to Safe Mode (plain, not "with Networking": the host is supposed to stay isolated) or – safer – boot a clean WinRE USB so the infected OS never runs at all.
- Clean-disk inspection – Delete the persistence registry keys:
  HKLM\SOFTWARE\readdata\
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ReadDataSvc
  (From WinRE the infected hives are not loaded: reg load the offline SOFTWARE hive and each user's NTUSER.DAT, delete the keys, then reg unload.)
- Kill remnants – From a second OS instance with the infected volume mounted, remove the dropped directory (substitute the mounted drive letter for %SystemDrive% when not booted from that volume):
  rmdir /s /q %SystemDrive%\Users\Public\Libraries\bk_svc\
- Run a trusted AV/EDR full scan (with the latest BK-updated signatures).
- Change ALL AD & local passwords from a clean management workstation.
- Restore from immutable or append-only (write-once) backups, or rebuild from a golden image via PXE.
3. File Decryption & Recovery
- No free decryptor exists as of June 2024.
- Law-enforcement announced (8 May 2024) a seizure of the threat actor’s Linux panel; seizure drives may eventually yield keys but nothing is publicly available yet.
- Feasible path forward: Treat data as irrecoverable unless a later takedown releases keys or you negotiate (not recommended; fuels the ecosystem).
- Best recovery leverage: Recent (25-hour max age), offline, air-gapped backup plus restore tooling that verifies what it restores (e.g. Veeam SureBackup for automated restore verification, Azure immutable blob storage for write-once retention).
Post-restore verification (interactive cmd; inside a .bat file write %%f instead of %f):
for %f in (*.bk) do "BKVerifier_diy.exe" %f
A small open-source Python tool (GitHub: bk-verify) can check whether a file's embedded key matches any takedown keys, if and when those surface.
4. Other Critical Information
- Unique attributes
  – BK embeds a per-file 256-bit secp256k1 key directly in each file's header rather than in separate metadata, so the classic "header swap" trick (grafting a clean header from a known-good file of the same type) fails.
  – Once idle for ≥6 h it wipes Volume Shadow Copies AND deletes the NTFS Change Journal (fsutil usn deletejournal /D C:), so VSS recovery is impossible and USN-based forensic timelining is lost as well.
  – The ransom note Read_Data.txt is placed beside each encrypted file, plus a prominent desktop wallpaper (C:\Users\Public\Pictures\wall_warn.jpg).
- Wider impact
  – Average ransom demand: USD 680-980 k, consistent with a lower mid-tier actor aiming for a quick settlement.
  – 2 hospitals in Poland and a Dutch MSP disclosed temporary downtime; regulatory breach notifications are pending.
  – Re-use of a ransom wallet address ("UQCx3…") recovered from the 2023 ArcaneLocker campaign suggests the same cell is behind BK, implying skill overlap and rapid toolkit evolution.
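Because the shadow-copy and USN-journal wipe is the most detectable thing BK does before encryption, here is an added example (ours, not the page's or any vendor's) of command-line detection logic over process-creation telemetry such as Sysmon Event 1 or Security 4688: it normalises the command line, matches the two commands described on this page plus their usual companions (wmic shadowcopy delete, wbadmin delete catalog, bcdedit recoveryenabled no), and raises the severity when the parent process runs from under \Users\, which is where this page says BK drops its files. The sample events, host names and the parent binary name loader.exe are constructed; the bk_svc directory is the one named in the removal steps above.

```python
import re

# Rules keyed by name; each regex runs on the whitespace-normalised, lower-cased command line
# so that extra spaces, .exe suffixes and mixed case do not evade the match.
DESTRUCTIVE_RULES = {
    "vss_delete":             re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    "vss_resize":             re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b"),
    "wmic_shadow_delete":     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    "usn_journal_delete":     re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b"),
    "wbadmin_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    "bcdedit_recovery_off":   re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
}


def normalise(cmd):
    """Collapse runs of whitespace and lower-case the command line before matching."""
    return " ".join(cmd.split()).lower()


def classify(cmd):
    """Names of the destructive-command rules the command line matches (possibly none)."""
    n = normalise(cmd)
    return [name for name, rx in DESTRUCTIVE_RULES.items() if rx.search(n)]


def scan(events):
    """events: iterable of (host, parent_image, command_line) from process-creation telemetry."""
    alerts = []
    for host, parent, cmd in events:
        hits = classify(cmd)
        if not hits:
            continue
        # A shadow-copy wipe launched from under \Users\ (BK lives in
        # \Users\Public\Libraries\bk_svc\) is far more suspicious than one from an admin console.
        severity = "high" if "\\users\\" in parent.lower() else "medium"
        alerts.append({"host": host, "parent": parent, "cmd": cmd,
                       "rules": hits, "severity": severity})
    return alerts


# Constructed process-creation records: (host, parent image, command line).
SAMPLE_EVENTS = [
    ("ws-017",  r"C:\Users\Public\Libraries\bk_svc\loader.exe", "vssadmin.exe  Delete Shadows /All /Quiet"),
    ("ws-017",  r"C:\Users\Public\Libraries\bk_svc\loader.exe", "fsutil usn deletejournal /D C:"),
    ("srv-bak", r"C:\Windows\System32\cmd.exe",                  "fsutil usn queryjournal C:"),
    ("srv-bak", r"C:\Windows\System32\cmd.exe",                  "wbadmin delete catalog -quiet"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["rules"], a["cmd"])
```

Backup agents and administrators run some of these commands legitimately, so tune on the parent image and on the /all /quiet pattern rather than suppressing the rules; a medium-severity hit from cmd.exe on a backup server is still worth a ticket, and any hit from a path under \Users\ should page someone before the ≥6 h idle timer elapses.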
Key takeaway: Backup architecture has to be immutable and replicated off-premise; everything else can be rebuilt but data cannot be.