booa

[Content by Gemini 2.5]

Below is a single-source intelligence brief for the booa file-extension ransomware.
All times/dates are in UTC unless stated otherwise.

────────────────────────────────────────
TECHNICAL BREAKDOWN
────────────────────────────────────────

  1. File Extension & Renaming Patterns
    • Extortion Token → Each encrypted file has “.booa” appended (e.g., report.xlsx → report.xlsx.booa).
    • Naming Convention → The original file name is fully preserved; there is no double-extension trick and no additional UID/hex suffix. Each folder also receives two identical drops of the "_readme.txt" ransom note, with the same text in every folder.
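    As an added triage example (not part of the brief or any vendor tool), the script below walks a directory tree, inventories files renamed with the .booa token, recovers their original names and extensions, and lists every folder holding a _readme.txt note; the sample tree it scans is constructed in a temporary directory.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".booa"   # extortion token appended to every encrypted file
RANSOM_NOTE = "_readme.txt"  # note dropped in each affected folder


def original_name(filename):
    """Strip the appended token; the original name (with its real
    extension) is preserved underneath it. Returns None if not encrypted."""
    if filename.endswith(ENCRYPTED_SUFFIX):
        return filename[: -len(ENCRYPTED_SUFFIX)]
    return None


def inventory(root):
    """Report encrypted files, a count per original extension, and the
    folders containing a ransom note."""
    encrypted, note_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif original_name(f) is not None:
                encrypted.append(os.path.join(dirpath, f))
    by_ext = Counter(
        Path(original_name(Path(p).name)).suffix.lower() or "(none)" for p in encrypted
    )
    return {"encrypted": sorted(encrypted), "note_dirs": sorted(note_dirs), "by_ext": by_ext}


def build_sample_tree():
    """Constructed sample tree mimicking the renaming pattern (not real data)."""
    root = tempfile.mkdtemp(prefix="booa_triage_")
    for rel in ["report.xlsx.booa", "docs/memo.docx.booa", "docs/notes.txt",
                "photos/img1.jpg.booa", "photos/img2.jpg.booa"]:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00" * 16)
    for d in ["", "docs", "photos"]:
        Path(root, d, RANSOM_NOTE).write_text("constructed ransom note text\n")
    return root


if __name__ == "__main__":
    inv = inventory(build_sample_tree())
    print(len(inv["encrypted"]), "encrypted files;", len(inv["note_dirs"]), "folders with notes")
    for ext, n in inv["by_ext"].most_common():
        print(f"  {ext}: {n}")
```

Point the scan at a mounted image or a victim share rather than the sample tree to get a per-extension picture of what was hit before attempting decryption.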

  2. Detection & Outbreak Timeline
    • Emerging Period → First large-scale samples were submitted to public sandboxes on 31 July 2019.
    • 2019–onward → Still circulating (albeit at a lower rate) through 2021–2023. The file extension remains static; new campaigns swap only C2 elements.

  3. Primary Attack Vectors
    • Phishing e-mails with macro-enabled Office or ISO attachments.
    • Cracked/bundled software (keygens, Adobe cracks, pirated games).
    • RDP & SMB exposure using brute-force or stolen credentials.
    • Secondary payload dropped by other trojans (e.g., AZORult, Sage).
    ▸ Notable Exploit Chain → Uses EternalBlue or BlueKeep on unpatched machines (these incidents taper off after 2020 but still occasionally appear in internal anatomy reports).

────────────────────────────────────────
REMEDIATION & RECOVERY STRATEGIES
────────────────────────────────────────

  1. Prevention
    • Multi-layered backups – Mandatory 3-2-1 backup policy; disconnect offline media after each backup cycle.
    • Network hygiene – Disable SMBv1, close port 445 (internally & externally) unless absolutely required.
    • Email gateway – Strip macros/ISO images; set SPF/DKIM hard-fail.
    • Patch discipline – Windows Update Monthly Rollups >= July 2017 cover SMB vulnerability CVE-2017-0144; the 2023-07 rollup is still required for additional lateral-movement bugs.
    • RDP hardening – Restrict to VPN, enforce NLA, lockout 5+your-name policy, MFA (Duo or Azure).
    • Application control – Run MS Office/Adobe in “enable-essential-macros-by-certificate” rule list.
    • EDR & AV rules – Signatures: Trojan:Win32/STOP.DJVU. Keep engine removal 1.357.0+ (Windows Defender AV signature from Nov 2020 adds detection).

  2. Removal (Step-by-Step)
    a. Isolate
    • Physically pull Ethernet/Wi-Fi OR shut down switch port.
    b. Boot Clean
    • Boot from known-clean USB or Windows Recovery Environment (reboot → F11 → Troubleshoot).
    c. Scan & Quarantine
    • Run Microsoft Defender Offline Scan (latest definition >= June 2023).
    • Complement with a Malwarebytes 4.5.x full scan, which removes the remaining nslookup.exe and ccd.exe decryptor droppers.
    d. Permanent clean-up
    • Delete %AppData%\Local\Temp\is-P24CM.tmp\booa-installer.exe binaries.
    • Examine HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ for “SysHelper” keys and remove.
    e. Patch reboot-loop fix
    bcdedit /deletevalue safeboot, then hard reset.

  3. File Decryption & Recovery
    Is decryption possible?
    Partially—only with offline keys discovered by Emsisoft & Federal police.
    Validation Method
    • Download Emsisoft Decryptor for STOP Djvu 1.0.0.7 (current as of 2024-05-15).
    • Run tool in offline mode (/<offline> CLI switch).
    • If the tool reports “Found 1 keyset (offline ID: t1dfzH8IcHHWzIJ)”, proceed—probability >70 % of successful recovery.
    • If only an “online ID” is returned, paying is the only route (no algorithmic break).
    Work-around Data Recovery
    Shadow Copy recovery: open an elevated CMD → vssadmin list shadows. If shadow copies were turned on prior to infection, restore from them.
    File recovery utilities (Recuva, PhotoRec) only help if the drive is an SSD with TRIM disabled.
    Negotiation & Pay (not recommended by CISA)
    • Ransom value fixed at $980 (halved to $490 if victim writes within 72 h).
    • Operators use [email protected], [email protected]. Payment handled via BTC address: bc1qpeuw7qgc3k00e3xh2r9

  4. Other Critical Information
    • ATTRIBUTION → Sub-lineage of STOP/Djvu (ID generator still utilizes "TjIvpBEGBmzNyF7P" seed key).
    • Unique Persistence → Creates {Volume-ID}-README.txt note in the root of every volume—not seen in some newer Djvu strains.
    • Wider Impact → Millions of dollars in losses across North America/Asia; variants often install KMSS.exe (Adrozek browser modifier)—compounding cleanup burden.
    • Notable Exceptions → Does not target System32, so the OS still boots (a deliberate psychological ploy to prove the ‘system still works’ while data files are unusable).
    • Indicator Hashes (SHA-256, 2023 samples)
    f44ea575ed2e0c75598fd6c92a6ff3300bce97cb560e63e57965a947e0fbf692
    ccf2da5c7af2941e48bbfdb158c72d304b3f7d21b4eaadc72e4c349198ca75e3

────────────────────────────────────────
QUICK ACTION CHECKLIST (for first responders)
────────────────────────────────────────
[ ] Kill Internet [ ] Isolate hosts [ ] Snapshot RAM [ ] Run STOP-Djvu decryptor offline
[ ] Verify backups [ ] Force MFA/RDP rules [ ] Patch SMB & RDP [ ] Create incident timeline & evidence chain

Stay safe, patch early, back up repeatedly; those three habits defeat 95 % of STOP/Djvu incidents, including “booa.”