boom
Technical Breakdown
1. File Extension & Renaming Patterns
- Confirmation of File Extension: The ransomware appends ".boom" in lower-case to every encrypted file. If "report.xlsx" were targeted, it becomes "report.xlsx.boom".
- Renaming Convention: Neither the original file name nor the internal folder structure changes; only the final ".boom" tail is added. This append-once behavior makes quick triage scripts (e.g., *.boom discovery in PowerShell or Bash) trivial.
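The triage script the item above alludes to, as an added example that is not part of the original profile. It is read-only: it enumerates files carrying the ".boom" tail under the given roots, groups them by directory to show the blast radius, reports the write-time window of the encryption run, strips the appended tail to reconstruct the original names, and lists the directories that hold the ransom note (note_readme.txt, as named later in the profile). The default roots are an assumption about where user data lives.

```powershell
# Added example (not from the original profile): read-only triage sweep for the
# append-once ".boom" suffix. Assumes the suffix and note file name stated in the
# profile; the default roots are an assumption, adjust them to your file layout.
param(
    [string[]]$Roots    = @("$env:SystemDrive\Users", "$env:SystemDrive\Shares"),
    [string]  $Suffix   = '.boom',
    [string]  $NoteName = 'note_readme.txt'
)

# Collect every file whose name ends in the suffix (ordinal compare: no culture surprises).
$hits = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.EndsWith($Suffix, [StringComparison]::Ordinal) }
}
$encrypted = @($hits)
if ($encrypted.Count -eq 0) {
    "No $Suffix files found under $($Roots -join ', ')"
    return
}

# Encrypted files per directory: the blast radius at a glance.
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Time window of the encryption run, taken from the renamed files' LastWriteTime.
$sorted = $encrypted | Sort-Object LastWriteTime
"Earliest write: $($sorted[0].LastWriteTime)   Latest write: $($sorted[-1].LastWriteTime)   Total: $($encrypted.Count)"

# Original name = full path minus the appended tail ("report.xlsx.boom" -> "report.xlsx").
$manifest = $encrypted | ForEach-Object {
    [pscustomobject]@{
        Encrypted = $_.FullName
        Original  = $_.FullName.Substring(0, $_.FullName.Length - $Suffix.Length)
        SizeBytes = $_.Length
        Written   = $_.LastWriteTime
    }
}
$manifestPath = Join-Path $env:TEMP 'boom_manifest.csv'
$manifest | Export-Csv -NoTypeInformation -Path $manifestPath
"Manifest written to $manifestPath (feed this to the decryptor/restore workflow)"

# Ransom notes mark the directories the locker actually visited.
"Directories containing ${NoteName}:"
Get-ChildItem -LiteralPath $Roots -Recurse -File -Filter $NoteName -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty DirectoryName -Unique
```

Run it from an elevated prompt on the affected host (or against a mounted forensic image by pointing -Roots at the mount); the CSV manifest doubles as the scope record for the incident report.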
2. Detection & Outbreak Timeline
- Approximate Start Date/Period: First public sightings were logged 24 Feb 2024 on ID-Ransomware uploads and in a BitcoinAbuse wallet that mapped to the ransom notes. Widespread spikes in telemetry were observed 27 Feb–02 Mar 2024, when four separate malspam waves (each ≈150 k e-mails) propagated the initial payload.
3. Primary Attack Vectors
- Malicious e-mail (≈74 % of incidents): Themes such as "urgent invoice", "PO# update", or "DLVOST packing-list". Attachments are one of:
  - A ZIP containing a heavily obfuscated .JS loader called crypter.js.
  - A password-protected ISO containing a PE32 named Document123.exe.
- Cracked-software downloads: Torrent-tracked installers for Adobe Photoshop 2024, AutoCAD 2024 and KMSPico drop payload.boom.exe via rundll32.
- CVE-2023-34362 (MOVEit Transfer): the wormable web-shell code chained into a Cobalt Strike beacon that ultimately dropped Boom.
- Less commonly observed: drive-bys via RIG-EK on IE11/Edge, and brute-forced RDP with weak passwords.
1. Prevention
- E-mail Gateways: Implement SPF, DKIM and DMARC hardening; block, or at least detonate, password-protected archives and .js, .hta and .iso attachments.
- Software Procurement: Enforce a "no-crack" policy; block users from running .exe files out of %Temp%\7z* or %USERPROFILE%\Downloads\ISO.
- Patching: Priority list:
  - Microsoft MS17-010 (disable SMBv1 / EternalBlue fix).
  - MOVEit vendor patch (2023-06-15 hotfix for CVE-2023-34362).
- Credential Hygiene: 14-character random service-account passwords; disable RDP at the port level / firewall-block tcp/3389; enable NLA and 2FA for any remaining RDP use.
- 3-2-1 Backups: 3 copies, 2 media types, 1 offline; test restores monthly; ensure VSS snapshots are not stored on the same volume.
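The credential-hygiene item above, worked as an added PowerShell example that is not part of the original profile. It generates a 14-character service-account password from the OS cryptographic RNG with rejection sampling (so no character is favoured by modulo bias), then either turns RDP off entirely or, where RDP must stay, scopes the built-in Remote Desktop firewall rules to an admin jump host and enforces NLA through the Terminal Server registry value. The jump-host address and the -KeepRdp choice are assumptions for the example.

```powershell
# Added example (not from the original profile). Run elevated on the host being hardened.
# Assumptions: the jump-host address below is a placeholder; 2FA is left to your RDP
# gateway/IdP and is not configured here.
param(
    [switch]  $KeepRdp,
    [string[]]$AllowedRdpSources = @('10.0.0.5')   # assumption: management jump host
)

function New-RandomPassword {
    param([int]$Length = 14)
    # Ambiguous glyphs (0/O, 1/l/I) left out so the value survives being read aloud or typed.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $out   = New-Object char[] $Length
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling: discard bytes >= limit
    for ($i = 0; $i -lt $Length; ) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            $out[$i] = $alphabet[$buf[0] % $alphabet.Length]
            $i++
        }
    }
    return -join $out
}

# 1. Service-account password (print once; store it in your vault, never in a script).
"New service-account password: $(New-RandomPassword -Length 14)"

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

if (-not $KeepRdp) {
    # 2a. RDP not needed: refuse connections at the service and drop the listener's firewall rules.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'Block inbound RDP tcp/3389' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -Action Block -Profile Any | Out-Null
} else {
    # 2b. RDP needed: default-deny inbound, then allow 3389 only from the jump host(s).
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $AllowedRdpSources -Enabled True
    # 3. Require Network Level Authentication so credentials are checked before a session exists.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
}

# Verify the end state.
Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections | Select-Object fDenyTSConnections
Get-ItemProperty -Path $rdpKey -Name UserAuthentication | Select-Object UserAuthentication
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled, Action
```

Windows Firewall gives block rules precedence over allow rules, which is why the "keep RDP" branch narrows the existing allow rules to the jump host under a default-deny profile instead of adding a blanket block that would also shut out the jump host.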
2. Removal
- Disconnect: Power off LAN/Wi-Fi; isolate host(s). Physically unplug if Zero-Trust segmentation is unavailable.
- Get scoped: Run wmic process get name,parentprocessid,commandline or Sysinternals Process Explorer to locate:
  - Parent = explorer.exe or cmd.exe cycling powershell.exe -Exec Bypass -Enc UwB0AGEAcgBaFgTk==
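The scoping step above, as an added example that is not part of the original profile. It takes the same three fields wmic prints (name, parent PID, command line), rebuilds the parent link, picks out PowerShell launches that carry an encoded command, decodes the base64 (UTF-16LE, which is what -EncodedCommand expects) for analyst review, and flags the explorer.exe/cmd.exe parent and -Exec Bypass pattern the profile describes. The sample process list at the end is constructed, not a real capture; the live call is shown as a comment.

```powershell
# Added example (not from the original profile): read-only process-tree scoping.
# The sample data at the bottom is constructed for illustration.

function Get-EncodedCommand {
    param([string]$CommandLine)
    # -e / -ec / -enc / -EncodedCommand all take base64 of UTF-16LE script text.
    if ($CommandLine -match '(?i)\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        $b64 = $Matches[2]
        try   { return [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64)) }
        catch { return "<undecodable base64: $b64>" }   # truncated/garbled blob still worth recording
    }
    return $null
}

function Find-SuspiciousLaunch {
    # $Processes: objects with ProcessId, ParentProcessId, Name, CommandLine (wmic/CIM shape).
    param([object[]]$Processes)
    $byId = @{}
    foreach ($p in $Processes) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in $Processes) {
        if ($p.Name -notmatch '^(powershell|pwsh)\.exe$') { continue }
        $decoded = Get-EncodedCommand $p.CommandLine
        if (-not $decoded) { continue }
        $parent     = $byId[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<parent exited>' }
        $bypass     = $p.CommandLine -match '(?i)-(ep|exec|executionpolicy)\s+bypass'
        [pscustomobject]@{
            Pid        = $p.ProcessId
            Parent     = $parentName
            Suspicious = ($parentName -match '^(explorer|cmd)\.exe$') -or $bypass
            Decoded    = $decoded
            CommandLine = $p.CommandLine
        }
    }
}

# Live run (elevated) against the host; same fields as the wmic query in the text:
# Find-SuspiciousLaunch (Get-CimInstance Win32_Process |
#     Select-Object ProcessId, ParentProcessId, Name, CommandLine) | Format-List

# Constructed sample (not a real capture) showing the output shape.
$sampleB64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('Get-Date'))
$sample = @(
    [pscustomobject]@{ ProcessId = 100; ParentProcessId = 1;   Name = 'explorer.exe';   CommandLine = 'explorer.exe' },
    [pscustomobject]@{ ProcessId = 200; ParentProcessId = 100; Name = 'powershell.exe'; CommandLine = "powershell.exe -Exec Bypass -Enc $sampleB64" },
    [pscustomobject]@{ ProcessId = 300; ParentProcessId = 1;   Name = 'svchost.exe';    CommandLine = 'svchost.exe -k netsvcs' }
)
Find-SuspiciousLaunch $sample | Format-List
```

Keep the decoded text in the case file rather than re-running it; the point of decoding is to see what the launcher was told to do (download, schedule, delete shadow copies) so the artifact sweep that follows knows what to look for.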
- Forensic copy: Capture volatile data (memory, SofIdeas.mem) and disk images (EnCase/FTK Imager) before cleanup.
- Antimalware: Apply an up-to-date engine (Windows Defender ≥ 1.401.36.0, Malwarebytes 4.6.9, ESET April 2024 signatures) and run a full system scan to quarantine Win64/Trojan.Ransom.Boom or similarly labeled detections.
- Manual artifact sweep:
  - Delete the scheduled task under \Microsoft\Windows\Data Integrity\GrayTask, which re-launches C:\Users\%USERNAME%\AppData\Roaming\boom.exe -deen.
  - Remove registry persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run value GR1F.
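The manual artifact sweep above as an added PowerShell example (not the profile's own purge script and not from the original page). It checks the three persistence points the profile names (the GrayTask scheduled task, the GR1F Run value, and boom.exe under %APPDATA%), records what it finds, and only deletes when run with -Remove, so the default run is a safe audit that fits between the forensic copy and the cleanup.

```powershell
# Added example (not from the original profile). Task path, Run value name and
# payload path are the ones stated above. Audit-only unless -Remove is given.
param([switch]$Remove)

$taskPath = '\Microsoft\Windows\Data Integrity\'
$taskName = 'GrayTask'
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'GR1F'
$payload  = Join-Path $env:APPDATA 'boom.exe'   # C:\Users\<user>\AppData\Roaming\boom.exe

$findings = @()

# 1. Scheduled task: capture the action it re-launches before touching it.
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $findings += "Scheduled task ${taskPath}${taskName} -> $actions"
    if ($Remove) { $task | Unregister-ScheduledTask -Confirm:$false }
}

# 2. Run-key persistence in the current user's hive (run as the affected user for HKCU).
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value $runValue -> $($run.$runValue)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# 3. Dropped payload: hash it for the case file, stop any live copy, then delete.
if (Test-Path -LiteralPath $payload) {
    $hash = (Get-FileHash -LiteralPath $payload -Algorithm SHA256).Hash
    $findings += "Payload $payload (SHA256 $hash)"
    if ($Remove) {
        Get-Process | Where-Object { $_.Path -eq $payload } |
            Stop-Process -Force -ErrorAction SilentlyContinue
        Remove-Item -LiteralPath $payload -Force
    }
}

if ($findings.Count -eq 0) {
    'No Boom persistence artifacts found.'
} else {
    $mode = if ($Remove) { 'REMOVED' } else { 'FOUND (re-run with -Remove to clean)' }
    $findings | ForEach-Object { "[$mode] $_" }
}
```

Run it once without -Remove after the forensic image is taken, keep that output, then run it again with -Remove; the reboot check in the next step confirms nothing re-created the task or the Run value.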
- Post-scrub verification: Reboot, confirm the start-up chain is clean, then update Windows/EDR.
3. File Decryption & Recovery
- Recovery Feasibility: Yes, partially, using an offline decryptor released 11 Mar 2024 by a joint Proof-Point Shadow Labs and Emsisoft team. The tool targets the first 57 public keys embedded in the campaign; victims with C2-server IDs 01–57 can retrieve the AES-256 session key from the ransom note (note_readme.txt) and decrypt. The Splunk-assisted decryption rate as of 2024-06 is ≈38 %.
- Alternate recovery path: cloud backups / tape.
- Essential Tools / Patches:
  - Emsisoft-Boom_Decryptor-v2.0.exe (WinPE + Linux port)
  - For enterprise: SentinelOne Ranger™ rollback module (requires Platinum license).
  - Patches mentioned above (MOVEit hotfix, SMBv1-disable GPO).
  - PowerShell script purge_boom.ps1 (GitHub.IO.scripting) to purge leftover shadow-copy-destroying vshadow.exe hooks.
- Unique characteristics:
  - Boom does not exfiltrate data; it is pure locker ransomware, so there are no double-extortion DLP concerns.
  - The restoration flow relies on the Tor URL 6wvrouterq6xsg[...].onion, with fallback IP 195.128.124.175:1246 used when the .onion is blocked; this IP can be null-routed for local containment.
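The local containment of the fallback address, as an added example that is not part of the original profile. It first looks for live TCP connections to the IP named above (evidence of an active restoration/beacon channel and the owning process), then blocks all outbound traffic to it with a host-firewall rule, which on a single Windows host is the practical stand-in for the null route the profile mentions, and verifies the rule. The rule name is an assumption.

```powershell
# Added example (not from the original profile). Run elevated. The IP is the fallback
# address stated in the profile; the rule name is an assumption for the example.
$c2Ip     = '195.128.124.175'
$c2Port   = 1246
$ruleName = 'Contain-Boom-C2-Fallback'

# 1. Evidence first: is anything on this host already talking to it?
$live = @(Get-NetTCPConnection -RemoteAddress $c2Ip -ErrorAction SilentlyContinue)
if ($live.Count -eq 0) {
    "No live TCP connections to $c2Ip"
} else {
    foreach ($c in $live) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $note = if ($c.RemotePort -eq $c2Port) { 'matches documented port' } else { 'different port' }
        '{0}:{1} -> {2}:{3} state={4} pid={5} ({6}) [{7}]' -f $c.LocalAddress, $c.LocalPort,
            $c.RemoteAddress, $c.RemotePort, $c.State, $c.OwningProcess, $proc.ProcessName, $note
    }
}

# 2. Block every outbound connection to the IP, not only tcp/1246, so a port change
#    on the attacker side does not reopen the channel.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -RemoteAddress $c2Ip `
        -Action Block -Profile Any -Enabled True | Out-Null
    "Created outbound block rule '$ruleName' for $c2Ip"
} else {
    "Rule '$ruleName' already present"
}

# 3. Verify the rule and the address it is scoped to.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Select-Object DisplayName, Enabled, Direction, Action
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Do this on the perimeter as well (the profile's null route) so that hosts not yet touched are covered; the host rule is for the machine you are already on and cannot immediately pull off the network.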
- Broader Impact: Hit 114 primarily mid-sized logistics/manufacturing firms, collectively losing ~USD 21 M in downtime; insurance payouts in the US region now specifically exclude unpatched MOVEit server sites. Reports of several regional hospitals turning elective cases away for 48 hrs because of Boom-locked PACS imaging.