bonum

[Content by Gemini 2.5]

Technical Breakdown

  1. File Extension & Renaming Patterns
    • Confirmation of File Extension
      The strain self-identifies as “.bonum”; every encrypted file ends in “.bonum”.
    • Renaming Convention
      original-file-name.ext.[unique-ID].bonum
      unique-ID = 8 hexadecimal characters (e.g., “A3F9B2E8”) generated at runtime.
      Example: QuarterlyReport.xlsx.A3F9B2E8.bonum

  2. Detection & Outbreak Timeline
    • First public submissions to malware-sharing repositories occurred around mid-October 2022.
    • Rapid surge in telemetry began the week of 24 Oct 2022 when several MSPs in Latin America and Eastern Europe reported simultaneous attacks.
    • Confirmed victims in at least 26 countries as of Q2 2023.

  3. Primary Attack Vectors
    • Exploitation of Public-Facing Applications – known to abuse:
      – Log4Shell (CVE-2021-44228) targeting unpatched Java web portals.
      – Remote Desktop Protocol (RDP) – brute force on RDP 3389/TCP followed by lateral movement via PowerShell remoting.
    • Malicious Email Campaign – macro-laden “Invoice.docm” files; the macro downloads update.exe (the initial dropper) from GitHub repositories that auto-expire after 12 hours.
    • Supply-Chain Compromises – at least one incident involved a trojanised npm package that side-loads libbonum.dll during npm install.

Remediation & Recovery Strategies

  1. Prevention
    • Patch immediately: fix all Log4j 2.x ≤ 2.14.1 and enable protect-mode in vulnerable loggers.
    • Disable or restrict RDP to VPN or jump-box access; enforce strong passwords (≥ 16 characters, pass-phrases) and phishing-resistant MFA on every administrative account.
    • Use least-privilege: no user should be a local administrator by default.
    • Keep offline, network-detached backups (follow the 3-2-1-1 rule – 3 copies, 2 different media, 1 off-site, 1 offline immutable).
    • Harden PowerShell execution-policy (allow signed only), apply AppLocker or Windows Defender Application Control policies.
    • Deploy Endpoint Detection & Response (EDR) with behavioral analytics tuned for abnormal cmd.exe or PowerShell activity, vssadmin delete shadows, or bcdedit safeboot minimal commands.
    • Email filters: strip macro-enabled Office documents from external mail; sandbox attachments.
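The EDR tuning point above can be checked with a small rule set. The following is an added example, not part of the original write-up: it runs three rules (shadow-copy deletion, safeboot reconfiguration, and the loader path from the removal steps) over constructed process events and reports which hosts fired which rule. Field names (host, image, cmdline) and the sample events are assumptions.

```python
import json
import re

# Detection rules for the behaviours named in the text: shadow-copy deletion,
# boot reconfiguration to safe mode, and the loader path under AppData\Roaming.
# Each rule is (name, regex over "image cmdline"); regexes are case-insensitive.
RULES = [
    ("shadow_copy_deletion",
     r"vssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b"),
    ("safeboot_minimal",
     r"bcdedit(\.exe)?\b.*\bsafeboot\b.*\bminimal\b"),
    ("suspicious_loader_path",
     r"\\appdata\\roaming\\microsoft\\(hkcmd|bonumupdate)\.exe"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# Constructed sample EDR process events (JSON lines), not real telemetry.
SAMPLE_EVENTS = r"""
{"host": "WS-01", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"}
{"host": "WS-01", "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /set {default} safeboot minimal"}
{"host": "WS-02", "image": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\hkcmd.exe", "cmdline": "hkcmd.exe"}
{"host": "WS-03", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"}
{"host": "WS-04", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c dir"}
"""


def scan_events(jsonl: str):
    """Return a list of (host, rule_name, cmdline) alerts for matching events."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        haystack = f"{event['image']} {event['cmdline']}"
        for name, rx in COMPILED:
            if rx.search(haystack):
                alerts.append((event["host"], name, event["cmdline"]))
    return alerts


def hosts_by_rule(alerts):
    """Group alerting hosts per rule; useful for scoping an outbreak."""
    grouped = {}
    for host, name, _ in alerts:
        grouped.setdefault(name, set()).add(host)
    return grouped


if __name__ == "__main__":
    for host, name, cmd in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {name} <- {cmd}")
```

Note that "vssadmin list shadows" on WS-03 does not fire: the rule requires the delete verb and /all, which keeps routine administration out of the alert stream.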

  2. Removal
    Step-by-step cleanup after confirmed infection:

  3. Containment

    • Disconnect the host from the network (pull cable/disable Wi-Fi).
    • Forensic isolation: check nearby hosts for lateral movement indicators (same 8-char hex ID in filenames).
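The renaming convention from section 1 and the cross-host check above can be automated. This is an added example, not the original write-up's code: it parses the name.ext.[8-hex].bonum pattern, recovers the original name and unique ID, and reports IDs seen on more than one host. The host names and directory listing are constructed sample data.

```python
import re
from collections import defaultdict

# Convention from section 1: <original-name>.<ext>.<8 hex chars>.bonum
# The ID is captured so that hosts can be correlated on it.
BONUM_NAME = re.compile(r"^(?P<original>.+?)\.(?P<uid>[0-9A-Fa-f]{8})\.bonum$")


def parse_bonum_name(path: str):
    """Return (original_name, unique_id) if the file name matches, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = BONUM_NAME.match(name)
    if not m:
        return None
    return m.group("original"), m.group("uid").upper()


def correlate_hosts(listing):
    """Map each unique ID to the sorted list of hosts where it was seen.

    `listing` is an iterable of (host, path) pairs. An ID present on more
    than one host is the lateral-movement indicator the containment step
    tells responders to look for.
    """
    seen = defaultdict(set)
    for host, path in listing:
        parsed = parse_bonum_name(path)
        if parsed:
            seen[parsed[1]].add(host)
    return {uid: sorted(hosts) for uid, hosts in seen.items()}


def shared_ids(listing):
    """Unique IDs that appear on two or more hosts."""
    return sorted(uid for uid, hosts in correlate_hosts(listing).items()
                  if len(hosts) > 1)


# Constructed sample directory listings from three hosts (not real data).
SAMPLE_LISTING = [
    ("FS-01", r"D:\Shares\Finance\QuarterlyReport.xlsx.A3F9B2E8.bonum"),
    ("FS-01", r"D:\Shares\Finance\Budget.docx.A3F9B2E8.bonum"),
    ("WS-07", r"C:\Users\jdoe\Documents\notes.txt.A3F9B2E8.bonum"),
    ("WS-09", r"C:\Users\asmith\Desktop\photo.jpg.7C01D4AB.bonum"),
    ("WS-09", r"C:\Users\asmith\Desktop\readme.bonum.txt"),  # not encrypted
]

if __name__ == "__main__":
    print("IDs seen on multiple hosts:", shared_ids(SAMPLE_LISTING))
```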
  4. Process Termination

    • Boot from a clean rescue OS (WinPE, Hiren’s BCD).
    • Find the loader process: usually <user>\AppData\Roaming\Microsoft\hkcmd.exe, bonumupdate.exe, or a scheduled task.
    • Kill it, then delete the associated binaries and the Run keys from the registry (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce).
  5. Persistence Cleaning

    • Delete rogue scheduled tasks (list with schtasks /query, remove with schtasks /delete).
    • Remove WMI permanent event subscriptions if present (Get-WmiObject -Namespace root\subscription -Class __EventConsumer; inspect the matching __EventFilter entries, which typically trigger on __InstanceModificationEvent).
  6. Forensic Capture & Imaging

    • Image the disk for incident response before rewriting data.
  7. Patch & Restore

    • Install latest cumulative Windows update and CVE fixes (Log4j, MS Exchange, Citrix).
    • Change ALL domain and local passwords – the ransomware harvests cached credentials with Mimikatz.
  8. File Decryption & Recovery
    • Recovery Feasibility
      At the time of writing, no decryption key for “.bonum” has been publicly leaked. Files are AES-CTR encrypted with a 256-bit key randomly generated on each machine, then wrapped by an RSA-2048 key belonging to the attacker.
      Consequently, OFFLINE backups remain the only assured path to recovery.
    • Essential Tools / Patches (non-decryptive but crucial)
      – Microsoft Security Response Center’s KB5010342 (March 2022 CU) – patches the privilege-escalation chain used for SYSTEM-level execution.
      – Emsisoft Emergency Kit build 2023.3 – detects and quarantines “bonumupdater.exe” and “libbonum.dll” heuristically.

  9. Other Critical Information
    • Unique Characteristics
    – Deletes volume shadow copies via vssadmin delete shadows /all /quiet within 10 seconds of launch.
    – Creates a desktop wallpaper referencing “Bonum Group” with a single onion link.
    – Botnet component suppresses its own IPv4 broadcasts to avoid sandbox traffic inspection (drops DoH queries to 1.1.1.1).
    • Broader Impact & Long-Term Note
    – Primarily targets SMB verticals (manufacturing, law, pharmaceuticals).
    – Follow-on extortion includes threatening to leak 4 GB every 24 hours via the public “bonumleaks” Telegram channel until the ransom is paid.
    – Attribution is suspected to be a new operator spun off from the Conti-tempest exit in May 2022 (code overlap in the launcher’s RSA wrapper).

Maintain vigilance: monitor SOC feeds for the emerging “bonum2” sample, which has already re-branded its extension to “.bonum2” while retaining the same packer. New decryptor keys may surface if the authors misconfigure again, as happened with other Conti forks.