boop

[Content by Gemini 2.5]

Ransomware Variant Deep-Dive: “.boop” (STOP/DJVU family)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every encrypted file gets the literal suffix .boop appended to its original name.
  • Renaming Convention:
    OriginalName.ext → OriginalName.ext.boop (with no further pattern changes).
    Example: Q4-Budget.xlsx becomes Q4-Budget.xlsx.boop.

2. Detection & Outbreak Timeline

  • First Public Sighting: Mid-January 2020 (early reports from victims on BleepingComputer).
  • Peak Activity Windows:
    – Jan 2020 (initial wave leveraging malvertising)
    – June–August 2020 (resurgence via cracked-software bundles)
  • Current Status: Still circulating but superseded by newer Djvu sub-variants (*.reig, *.rss, etc.). Distribution continues primarily via SEO-poisoned keygen/crack sites.

3. Primary Attack Vectors

  • Malicious Browser Ads (“Rig/GrandSoft malvertising pipeline”)
    Users searching for cracked software encounter false download buttons; drive-by downloads either the ransomware dropper (.exe) or backdoors that deliver BOOP seconds later.
  • Cracked Software & Key Generators
    Fake KMS activators, pirated games, and Adobe cracks hosted on file-sharing forums have executable installers that silently run ISB2.exe (the Djvu loader) → BOOP payload.
  • Rigged Email Attachments (comma elision rules in JS attachments)
    While less common than cracks/emails, zipped JS files occasionally hit SMB-user mailing lists.
  • EternalBlue / SMBv1 Not Exposed
    BOOP does not use network lateral exploits; all infections start with user interaction on an affected host.

Remediation & Recovery

1. Prevention

  1. Ban SMBv1 company-wide and patch operating systems monthly (WSUS/Intune).
  2. Application whitelisting (WDA/WDAC) on assets that do not need cracked software.
  3. Comprehensive email filtering that detonates .js, .vbs, .wsf, .hta attachments in a sandbox.
  4. Group Policy to disable wmic.exe and powershell.exe execution from %temp%.
  5. User-level mitigations: deny local administrative privileges for daily users, enable controlled folder access (Windows Defender + Ransomware Protection).

2. Removal (Clean-Up Walk-through)

  1. **Disconnect from network *immediately* to stop last-second encryption.**
  2. Boot into Safe Mode with Networking.
  3. Identify & kill the following living-off-the-land binaries:
    %LocalAppData%\[random]\[random].exe (main process)
    updatewin.exe, build.exe (second-stage downloader)
  4. Delete persistence keys:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ➝ value referencing the 5-letter process above.
  5. Run a reputable AV/EDR rescue disk (Malwarebytes or ESET SysRescue) for full scan.
  6. Remove any scheduled tasks (schtasks /delete /TN "SystemUpdateService" /F).
  7. Patch every software stack fully (OS, Adobe, Java, 7-Zip, etc.) to prevent reinfection via cracked-software updates.
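Steps 3, 4 and 6 above are easier to carry out safely if the persistence points are enumerated and reviewed before anything is killed or deleted. The following Python script is an added example, not code from the original page: it parses the text output of `reg query` on the HKCU Run key and of `schtasks /query /fo CSV`, and flags entries that match the indicators the walk-through names (an autorun executable directly inside a random-looking folder under %LocalAppData%, the updatewin.exe / build.exe second-stage names, and a task called SystemUpdateService). The sample command output, the vendor allowlist and all function names are constructed for illustration.

```python
import csv
import io
import re

# Indicators taken from the clean-up walk-through above.
SUSPECT_EXE_NAMES = {"updatewin.exe", "build.exe"}
SUSPECT_TASK_NAMES = {"systemupdateservice"}

# Folders that legitimately hold autorun executables directly under %LocalAppData%.
# Constructed starting point for illustration; extend it for your own estate.
KNOWN_LOCALAPPDATA_DIRS = {"microsoft", "google", "programs"}

# One value line of `reg query` output: <indent><name><spaces>REG_xxx<spaces><data>
_REG_VALUE_LINE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
# An .exe sitting directly inside one child folder of Local AppData, i.e. the
# <LocalAppData>\[random]\[random].exe shape described in step 3.
_LOCALAPPDATA_EXE = re.compile(
    r'(?:%localappdata%|\\appdata\\local)\\(?P<dir>[^\\"]+)\\(?P<exe>[^\\"]+\.exe)',
    re.IGNORECASE,
)


def parse_reg_query_run(text):
    """Turn reg query output for the Run key into (value_name, value_type, data) tuples."""
    values = []
    for line in text.splitlines():
        m = _REG_VALUE_LINE.match(line)
        if m:
            values.append((m.group("name"), m.group("type"), m.group("data")))
    return values


def flag_run_values(values):
    """Return (value_name, data, reason) for Run values matching the .boop persistence pattern."""
    findings = []
    for name, _vtype, data in values:
        lowered = data.lower()
        if any(exe in lowered for exe in SUSPECT_EXE_NAMES):
            findings.append((name, data, "second-stage downloader name"))
            continue
        m = _LOCALAPPDATA_EXE.search(data)
        if m and m.group("dir").lower() not in KNOWN_LOCALAPPDATA_DIRS:
            findings.append((name, data, "executable in unrecognised %LocalAppData% folder"))
    return findings


def flag_scheduled_tasks(csv_text):
    """Parse `schtasks /query /fo CSV` output and return task names from the walk-through."""
    reader = csv.DictReader(io.StringIO(csv_text.lstrip()))  # tolerate a leading blank line
    return [
        row["TaskName"]
        for row in reader
        if row.get("TaskName", "").lstrip("\\").lower() in SUSPECT_TASK_NAMES
    ]


# Constructed sample output, not captured from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SysHelper    REG_EXPAND_SZ    "%LocalAppData%\f9a2c\f9a2c.exe" --Task
    Updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\updatewin.exe
"""

SAMPLE_SCHTASKS = (
    '"TaskName","Next Run Time","Status"\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\n'
    '"\\SystemUpdateService","N/A","Ready"\n'
)


def run_demo():
    """Run both checks over the constructed samples and return what a responder would review."""
    return {
        "run_findings": flag_run_values(parse_reg_query_run(SAMPLE_REG_QUERY)),
        "tasks": flag_scheduled_tasks(SAMPLE_SCHTASKS),
    }


if __name__ == "__main__":
    for name, data, reason in run_demo()["run_findings"]:
        print(f"[Run] {name}: {data}  <- {reason}")
    for task in run_demo()["tasks"]:
        print(f"[Task] {task}")
```

On a live host, feed the script the saved output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `schtasks /query /fo CSV` instead of the samples. The allowlist exists because plenty of legitimate software autoruns from Local AppData; the output is a review list, not a kill list.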

3. File Decryption & Recovery

  • Can files be decrypted?
    Yes, but only if the encryption used the offline key, i.e. the ID the ransomware recorded ends in a “t1”-style suffix. The offline key (public key id 343055664yqRUiM7ujv3QiCKgE) is now public and stable.
  • Offline-Key Decryptor (free)
    – Tool: Emsisoft STOP/DJVU Decryptor (verified build 1.0.0.7 from 2024-02-14).
    – Grab PersonalID.txt the ransomware drops on Desktop, run Emsisoft’s tool, click Validate Keyfile, then Decrypt.
  • For Online-Key infections (.boop IDs starting with random characters, no “t1”)
    Decryption is NOT feasible. Fall back to backups, volume shadow copies, or file-recovery tools:
    1. ShadowExplorer or vssadmin list shadows → copy older versions from shadow storage.
    2. PhotoRec or R-Studio to carve non-contiguous but still encrypted data.
  • Essential Patches/Tools:
    – KB44935xx series (Windows 8.1/Server 2012 R2 security cumulative).
    – Bitwarden/KeePass to replace pirated software activation cycles → removes infection vector.
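Before running the decryptor, a responder wants to know three things from the affected profile: which files carry the .boop suffix and what their original names were (the renaming convention from section 1), where the readme.txt notes landed, and whether the ID in PersonalID.txt has the “t1”-style offline suffix that this section says is the precondition for the free decryptor. The script below is an added Python example, not code from the page or from Emsisoft; it applies exactly the rules stated above. The sample profile tree, the ID value and the function names are constructed for illustration, and the walk is read-only.

```python
import os
import tempfile

BOOP_SUFFIX = ".boop"
RANSOM_NOTE = "readme.txt"          # note name this page gives in section 4
PERSONAL_ID_FILE = "personalid.txt"  # file the page says is dropped on the Desktop


def is_boop_encrypted(filename):
    """True for names that carry the .boop suffix after a real original name."""
    lower = filename.lower()
    return lower.endswith(BOOP_SUFFIX) and len(lower) > len(BOOP_SUFFIX)


def original_name(filename):
    """Reverse the renaming convention: Q4-Budget.xlsx.boop -> Q4-Budget.xlsx."""
    if not is_boop_encrypted(filename):
        raise ValueError(f"{filename!r} does not carry the {BOOP_SUFFIX} suffix")
    return filename[: -len(BOOP_SUFFIX)]


def classify_personal_id(personal_id):
    """'offline' when the ID ends in the t1 suffix the page describes, else 'online'."""
    pid = (personal_id or "").strip()
    if not pid:
        return "unknown"
    return "offline" if pid.endswith("t1") else "online"


def triage(root):
    """Walk a profile tree and summarise encrypted files, notes and key type without modifying anything."""
    encrypted, note_dirs, personal_id = [], [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_boop_encrypted(name):
                encrypted.append((path, original_name(name)))
            elif name.lower() == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif name.lower() == PERSONAL_ID_FILE:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    personal_id = fh.read().strip()
    key_type = classify_personal_id(personal_id)
    return {
        "encrypted": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "personal_id": personal_id,
        "key_type": key_type,
        "offline_decryptor_candidate": key_type == "offline",
    }


def build_sample_victim(root):
    """Constructed stand-in for an infected profile; no real victim data or real ID is used."""
    layout = {
        "Desktop/Q4-Budget.xlsx.boop": b"\x00" * 64,
        "Desktop/readme.txt": b"ransom note placeholder",
        "Desktop/PersonalID.txt": b"0000EXAMPLEID00000000t1\n",  # constructed offline-style ID
        "Documents/thesis.docx.boop": b"\x00" * 64,
        "Documents/readme.txt": b"ransom note placeholder",
        "Documents/untouched.txt": b"still plaintext",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def run_demo():
    """Build the sample tree in a temp directory and triage it."""
    return triage(build_sample_victim(tempfile.mkdtemp(prefix="boop-triage-")))


if __name__ == "__main__":
    result = run_demo()
    print(f"{len(result['encrypted'])} encrypted files, notes in {len(result['note_dirs'])} folders")
    print(f"ID {result['personal_id']} -> {result['key_type']} key")
```

Point `triage()` at the user profile (or a mounted image of it) rather than the sample. The key-type call only mirrors the rule stated on this page; the decryptor's own Validate Keyfile step is the authority on whether a given ID is actually recoverable, and an "online" verdict is the cue to move to the backup and shadow-copy options listed above.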

4. Other Critical Information

  • Unique Behavior Flags:
    – Drops readme.txt ransom notes in every folder with working link [email protected].
    – Appends victim machine GUID to a public Telegram bot for “customer support.”
    – Installs AZORult stealer seconds before encryption → assume creds are already exfiltrated; force reset every password along the “credential chain.”
  • Broader Impact:
    – Due to its association with cracked software, SOHO & students remain top victims; in 2020 alone educational torrent trackers saw a 350 % spike in BOOP-tagged torrents.
    – Ties to MoneyPak/scam call-center ecosystem: some README files push the victim toward fake remote-support “technicians” who demand prepaid-cards for “discount” decryption.

Bottom Line:
.boop acts like other STOP/Djvu strains—encrypt fast, scold with readme.txt, and pair with a credential-stealer. For offline-key victims, the free Emsisoft decryptor is a genuine lifeline; everyone else should treat it as a wake-up call to enforce off-site, versioned backups and abolish pirated software.