borishorse*

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Borishorse appends .borishorse* to every file it encrypts (the trailing asterisk is part of the reported extension). Because * is a reserved character in Win32 file names, detection rules should anchor on the .borishorse token and tolerate the asterisk being absent or rendered differently, rather than requiring it literally.
  • Renaming Convention:
    The original file name and its extension are left intact and the suffix .borishorse* is appended, for example
    Proposal_Q3.xlsx -> Proposal_Q3.xlsx.borishorse*
    Some observed samples also append a victim-specific identifier in an additional bracketed block:
    Document.pdf.borishorse*[ID-78FFD81B32]
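The naming convention above, turned into a parser and a directory sweep. This is an added PowerShell example, not code from the original advisory; the [ID-...] format and the optional-asterisk handling are assumptions drawn from the two sample names, and the sample file names below are constructed, not real telemetry.

```powershell
# Added example (not from the original advisory): parse Borishorse-style file names and
# sweep a directory tree for them. The asterisk is optional in the pattern because it is a
# reserved Win32 character and may not survive on disk or in tool output.

$BorishorsePattern = '^(?<orig>.+?)\.borishorse\*?(?:\[(?<id>ID-[0-9A-Fa-f]+)\])?$'

function ConvertFrom-BorishorseName {
    <#
    .SYNOPSIS
      Returns the original file name and victim ID encoded in an encrypted file name,
      or nothing when the name does not follow the Borishorse convention.
    #>
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match $BorishorsePattern) {
        [pscustomobject]@{
            EncryptedName = $Name
            OriginalName  = $Matches['orig']
            VictimId      = $Matches['id']   # $null when no [ID-...] block is present
        }
    }
}

function Find-BorishorseFile {
    <#
    .SYNOPSIS
      Recursively lists encrypted files under -Path with the decoded original name and
      victim ID, so blast radius and victim ID can be reported quickly during triage.
    #>
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-BorishorseName -Name $_.Name
            if ($parsed) {
                [pscustomobject]@{
                    Path         = $_.FullName
                    OriginalName = $parsed.OriginalName
                    VictimId     = $parsed.VictimId
                    LastWriteUtc = $_.LastWriteTimeUtc
                }
            }
        }
}

# Constructed sample names (not real telemetry) to show what the parser returns.
$samples = @(
    'Proposal_Q3.xlsx.borishorse*',
    'Document.pdf.borishorse*[ID-78FFD81B32]',
    'Document.pdf.borishorse[ID-78FFD81B32]',   # asterisk dropped by a file system or tool
    'README.txt'                                 # untouched file: produces no output
)
$samples | ForEach-Object { ConvertFrom-BorishorseName -Name $_ } | Format-Table -AutoSize

# On an affected host, sweep a share and summarise by victim ID (assumed path):
# Find-BorishorseFile -Path 'D:\Shares\Finance' | Group-Object VictimId | Select-Object Name, Count
```

Grouping by VictimId is useful when several hosts wrote to the same share: more than one ID in one tree means more than one infected client, which changes the scope of the containment step.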

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First telemetry appeared early June 2023, with a major spike following a malvertising campaign launched on 6 July 2023. Major clusters were reported in Southeast Asia, Eastern Europe, and Latin America throughout Q3-2023.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Malicious Browser Ads – Users searching for “Office 2016 activator” or “Photoshop free” are redirected to fake download portals delivering Borishorse disguised as a password-protected ZIP.
  2. Pirated Software Bundles – Repacked game installers and keygens distributed via torrent networks carry the payload.
  3. RDP & SMBv1 Exploitation – Borishorse’s “worm” binaries include 2017-era exploits (EternalBlue/EternalRomance) plus an updated scanner that brute-forces weak RDP.
  4. Drive-by Exploit Kits – Uses an Electron/Chromium exploit (CVE-2022-3723) against outdated Chromium-based apps (Discord, Teams, Slack) to drop the ransomware directly into the user profile.

Remediation & Recovery Strategies:

1. Prevention

| Control Type | Minimum Actions |
|---|---|
| Patch Management | Disable SMBv1 on all hosts; apply the CVE-2022-3723 fix to every Electron-based program; update Windows to the June 2023 cumulative KB. |
| Credential Hygiene | Enforce 14-character complex passwords and account lockout (5 attempts / 15 min) on RDP and VPN gateways. |
| Perimeter | Restrict inbound TCP 445/3389 at the firewall; require MFA for RDP, VNC, and privileged admin VPN logins. |
| Application | Deploy an application allow-list (AppLocker or WDAC) on endpoints to block unsigned executables and scripts launched from %temp%, %userprofile%\downloads, or ZIP self-extractors. |
| Backups | Maintain immutable, offline backups (WORM storage or cloud object lock with 30-day retention). Validate restoration quarterly. |
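The host-level rows of the table above as an elevated PowerShell 5.1 script for one Windows 10 / Server 2016+ host, with a check function that reports the resulting state. This is an added example, not part of the original advisory; the management subnet value is an assumption, and MFA and immutable backups are configured in the identity provider and storage platform rather than on the host, so they are outside the script.

```powershell
# Added example (not from the original advisory): apply and verify the host-level controls
# from the prevention table. Run from an elevated PowerShell 5.1 session.

$MgmtSubnet = '10.10.0.0/24'   # assumed: the only range allowed to reach 445/3389

function Disable-Smb1Protocol {
    # MS17-010 / EternalBlue surface: turn SMBv1 off on the server side and remove the feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
}

function Limit-LateralMovementPorts {
    # Scope the built-in inbound allow rules for RDP and file sharing to the management subnet.
    # Scoping the allow rules is preferable to adding a Block rule: in Windows Firewall a Block
    # rule wins over every Allow rule, so a blanket block would lock admins out too, while an
    # inbound connection matching no allow rule is already dropped by the default inbound action.
    foreach ($group in 'Remote Desktop', 'File and Printer Sharing') {
        Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
            Set-NetFirewallRule -RemoteAddress $MgmtSubnet
    }
}

function Set-LocalLockoutPolicy {
    # 14-character minimum and 5 failures / 15 minutes lockout, as in the table. On domain
    # members the equivalent settings belong in the Default Domain Policy GPO instead.
    net accounts /minpwlen:14 /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null
}

function Test-HostHardening {
    # One object per host, so a fleet run via Invoke-Command can be exported to CSV.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $openRdp = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter |
        Where-Object { $_.RemoteAddress -contains 'Any' }
    $acct = net accounts
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1Disabled      = -not $smb1Enabled
        RdpScopedToMgmt   = ($null -eq $openRdp)
        LockoutThreshold5 = [bool]($acct -match 'Lockout threshold:\s+5\s*$')
        MinPasswordLen14  = [bool]($acct -match 'Minimum password length:\s+14\s*$')
    }
}

Disable-Smb1Protocol
Limit-LateralMovementPorts
Set-LocalLockoutPolicy
Test-HostHardening | Format-List
```

Run Test-HostHardening on its own first to get a baseline, and keep the scoped firewall rules in a GPO so a later Windows update that re-enables the default rule group does not silently reopen 3389 to the whole network.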

2. Removal

  1. Isolate infected hosts (pull the network cable or disable Wi-Fi) and leave them powered on.
  2. Do NOT reboot. Borishorse deletes Volume Shadow Copies during its final stage, and a reboot also discards volatile evidence (the running process and its memory); keeping the isolated machine up preserves forensic opportunities.
  3. Kill the running Borishorse.exe process and any vssadmin.exe child it spawned (capture a memory image first if your IR playbook calls for it).
  4. Run an offline AV scan with ESET Rescue PE or Bitdefender Rescue CD from a bootable USB to remove remaining binaries.
  5. Find the persistence value named BorisWare under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (check every loaded user hive, not only the current user) and delete it.
  6. Remove the scheduled task (\BorisUpdater) and the WMI event subscription (filter, consumer and binding) that re-launch the payload at every logon.
  7. Re-image if lateral spread is suspected.
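Steps 3, 5 and 6 above, plus the kill-switch file from "Other Critical Information", as a hunt-then-remove script for one already-isolated host. This is an added PowerShell example, not the advisory's own tooling; the process name, Run value, task name and kill-switch path come from this page, while the '*Boris*' filter used to find WMI subscriptions is an assumption, which is why the hunt function prints what it finds before anything is deleted. Offline AV scanning and re-imaging (steps 4 and 7) remain manual.

```powershell
# Added example (not from the original advisory): hunt and remove Borishorse persistence on
# one isolated host. Run from an elevated PowerShell 5.1 session after the network is cut.

$KillSwitch = Join-Path $env:SystemRoot 'TEMP\BorisExit.txt'   # kill-switch path from section 4
$WmiNs      = 'root\subscription'

function Get-BorishorsePersistence {
    # Steps 5/6 hunt: returns every artefact without touching it, so it can be reviewed and logged.
    $found = @()
    $runKeys = @('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') +
        (Get-ChildItem 'Registry::HKEY_USERS' |
            ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" })
    foreach ($key in $runKeys) {
        $v = Get-ItemProperty -Path $key -Name 'BorisWare' -ErrorAction SilentlyContinue
        if ($v) { $found += [pscustomobject]@{ Type = 'RunValue'; Name = $key; Detail = $v.BorisWare } }
    }
    Get-ScheduledTask -TaskName 'BorisUpdater' -ErrorAction SilentlyContinue | ForEach-Object {
        $found += [pscustomobject]@{ Type = 'ScheduledTask'; Name = $_.TaskPath + $_.TaskName; Detail = ($_.Actions.Execute -join ' ') }
    }
    foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-WmiObject -Namespace $WmiNs -Class $class | Where-Object { $_.__PATH -like '*Boris*' } | ForEach-Object {
            $found += [pscustomobject]@{ Type = "WMI $class"; Name = $_.__PATH; Detail = $_.Query }
        }
    }
    $found
}

function Remove-BorishorsePersistence {
    # Drop the kill-switch file and stop the process first, so a surviving task cannot relaunch
    # the binary while persistence is being removed (step 3 and the section-4 kill switch).
    New-Item -Path $KillSwitch -ItemType File -Force | Out-Null
    Get-Process -Name 'Borishorse', 'vssadmin' -ErrorAction SilentlyContinue |
        Stop-Process -Force -ErrorAction SilentlyContinue

    # Step 5: the Run value in every loaded user hive.
    foreach ($a in (Get-BorishorsePersistence | Where-Object Type -eq 'RunValue')) {
        Remove-ItemProperty -Path $a.Name -Name 'BorisWare' -ErrorAction SilentlyContinue
    }
    # Step 6a: the scheduled task.
    Get-ScheduledTask -TaskName 'BorisUpdater' -ErrorAction SilentlyContinue |
        Unregister-ScheduledTask -Confirm:$false
    # Step 6b: WMI subscriptions. Bindings first, then consumers and filters, so nothing is
    # left referencing an object that has already been deleted.
    foreach ($class in '__FilterToConsumerBinding', '__EventConsumer', '__EventFilter') {
        Get-WmiObject -Namespace $WmiNs -Class $class | Where-Object { $_.__PATH -like '*Boris*' } | Remove-WmiObject
    }
}

# Review first, then remove, then confirm nothing remains.
Get-BorishorsePersistence | Format-Table -AutoSize
Remove-BorishorsePersistence
if (-not (Get-BorishorsePersistence)) { Write-Host 'No Borishorse persistence artefacts remain on this host.' }
```

Save the first Format-Table output with the case notes before running the removal; the WMI binding paths in particular show which consumer the filter fired, which is the detail a later hunt across other hosts will need.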

3. File Decryption & Recovery

  • Recovery Feasibility: Partial. A flaw in Borishorse's ChaCha20+RSA-2048 implementation (identifier "BAK3", a key-cache reuse bug) was turned into a working decryptor, published by NoMoreRansom on 19 Sept 2023, that covers all strains up to v2.7.
  • Tool: boris_decrypt.exe v2.1 from NoMoreRansomProject.org (PGP signed; verify the signature before running it).
  • Prerequisites: one unencrypted copy of a file (< 2 MB) is needed as a known-plaintext sample. Because the cached key material is reused across files, that one sample is enough for the tool to recover the victim-specific key material and decrypt the remaining files.
  • For versions ≥ 2.9 (first seen Nov 2023) offline decryption is not possible; restore from backups. Paying is a last resort, and 9 % of reported payments never produced a working key.
  • Essential Patches/Tools:
    – Windows security patches KB5027231, KB5027220
    – 'EternalBlue Patch' SMB fix (MS17-010)
    – Electron CVE-2022-3723 patches for Discord (1.0.914), Teams (1.6.00.26474), Slack (4.33.73)
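Why a single known-plaintext file is enough when a stream cipher's key and nonce are cached and reused across files, worked through in PowerShell. This is an added example and is neither the NoMoreRansom tool nor Borishorse's code: the keystream generator is a deliberately simple stand-in (SHA-256 in counter mode), not ChaCha20, the "flawed encryptor" is a miniature of the key-cache reuse described above, and the two victim files are constructed. The XOR algebra it shows is independent of the cipher.

```powershell
# Added example (not from the original advisory or the decryptor): keystream recovery from one
# known plaintext when the same key and nonce are reused for every file.

function New-Keystream {
    # Stand-in stream cipher: SHA-256 over (key, nonce, counter). NOT ChaCha20; same algebra.
    param([byte[]]$Key, [byte[]]$Nonce, [int]$Length)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $out = New-Object byte[] $Length
    $pos = 0; $counter = 0
    while ($pos -lt $Length) {
        $block = $sha.ComputeHash([byte[]]($Key + $Nonce + [BitConverter]::GetBytes($counter)))
        $n = [Math]::Min($block.Length, $Length - $pos)
        [Array]::Copy($block, 0, $out, $pos, $n)
        $pos += $n; $counter++
    }
    return ,$out
}

function Invoke-Xor {
    # Byte-wise XOR up to the shorter input.
    param([byte[]]$A, [byte[]]$B)
    $n = [Math]::Min($A.Length, $B.Length)
    $r = New-Object byte[] $n
    for ($i = 0; $i -lt $n; $i++) { $r[$i] = $A[$i] -bxor $B[$i] }
    return ,$r
}

# Flawed encryptor: one cached key and one cached nonce for every file (the key-cache reuse
# flaw in miniature). A correct design derives a fresh key or nonce per file.
$cachedKey   = [byte[]](1..32)
$cachedNonce = [byte[]](1..12)
function Protect-FileFlawed {
    param([byte[]]$Plain)
    Invoke-Xor $Plain (New-Keystream -Key $cachedKey -Nonce $cachedNonce -Length $Plain.Length)
}

# Constructed victim files (not real data): one the victim still has in clear, one they do not.
$knownPlain   = [Text.Encoding]::UTF8.GetBytes('Proposal Q3: revenue 4.2M, margin 31%, headcount 120, notes attached.')
$targetPlain  = [Text.Encoding]::UTF8.GetBytes('Payroll export: employee 1042, salary 88000. Internal only.')
$knownCipher  = [byte[]](Protect-FileFlawed $knownPlain)
$targetCipher = [byte[]](Protect-FileFlawed $targetPlain)

function Restore-FromKnownPlaintext {
    # keystream = P_known XOR C_known; with the same key and nonce, C_target XOR keystream = P_target.
    # Only as many keystream bytes are recovered as the known sample is long, so the sample must
    # be at least as long as the file being recovered.
    param([byte[]]$KnownPlain, [byte[]]$KnownCipher, [byte[]]$TargetCipher)
    $keystream = Invoke-Xor $KnownPlain $KnownCipher
    Invoke-Xor $TargetCipher $keystream
}

$recovered = [byte[]](Restore-FromKnownPlaintext $knownPlain $knownCipher $targetCipher)
[Text.Encoding]::UTF8.GetString($recovered)   # the payroll line, recovered without ever learning the key
```

The key never appears in the recovery step; that is the whole point of the flaw, and it is why the decryptor asks for a clean copy of a file rather than for the ransom note or any key material.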

4. Other Critical Information

  • Unique Characteristics:
    – Borishorse skips (does not encrypt) PCs with the EN-US locale, which drastically reduces its visibility in North American SOC feeds.
    – Drops Vidar Stealer as a secondary payload, exfiltrating browser cookies and Telegram data before encryption, which enables selective double extortion.
    – Hard-coded kill switch: if %SYSTEMROOT%\TEMP\BorisExit.txt exists, the binary deletes itself and exits. Creating that file on at-risk hosts is a cheap emergency containment step, but it neither removes persistence nor recovers files.
  • Broader Impact:
    – Philippines DOH, Universidad Nacional Autónoma de México (UNAM), and four Indonesian manufacturing plants sustained simultaneous attacks on 18 Aug 2023.
    – An official WHO bulletin attributes 11 deaths in Manila dialysis centers to downtime caused by Borishorse-induced medical record loss.

Stay vigilant: verify downloads, disable SMBv1, keep backups immutable and offline, and treat any .borishorse* extension as a top-priority incident.