boroff

[Content by Gemini 2.5]


Technical Breakdown: BOROFF Ransomware

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .boroff
  • Renaming Convention:
    Files are renamed in two distinct layers:
  1. Original name → <original_name>ID-<8-hex-char_unique_ID>.boroff (e.g., Document.docx becomes Document.docxID-1a3c5f7c.boroff)
  2. If the variant is the affiliate “Blitz” build (observed July 2024+) the ID is prepended instead: ID-<8-hex-char_unique_ID>.boroff followed by 0x19 nulls, erasing the original file name completely.
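As an added detection example (not part of the original breakdown), the Python below matches file names against both renaming layers described above, extracts the 8-hex victim ID, and flags hosts that rename a burst of files to .boroff within a short window. The rename-event lines, host names, window and threshold are constructed assumptions, as is the treatment of the Blitz null padding as trailing NULs in a raw listing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layer 1 keeps the name (Document.docxID-1a3c5f7c.boroff); Blitz drops it (ID-1a3c5f7c.boroff).
LEGACY_RE = re.compile(r"^(?P<orig>.+?)ID-(?P<id>[0-9a-f]{8})\.boroff$", re.I)
BLITZ_RE = re.compile(r"^ID-(?P<id>[0-9a-f]{8})\.boroff$", re.I)

def classify(path):
    """Return (build, victim_id, original_name) or None for a non-Boroff name."""
    # Assumption: the Blitz build's 0x19 null padding shows up as trailing NULs.
    base = path.replace("\\", "/").rsplit("/", 1)[-1].rstrip("\x00")
    m = BLITZ_RE.match(base)
    if m:
        return "blitz", m.group("id").lower(), None
    m = LEGACY_RE.match(base)
    if m:
        return "legacy", m.group("id").lower(), m.group("orig")
    return None

# Constructed rename events ("<ISO timestamp> <host> <new path>"), not real telemetry.
SAMPLE_EVENTS = """\
2024-07-02T09:15:01 ws-finance-07 C:\\Users\\ak\\Documents\\Budget.xlsxID-1a3c5f7c.boroff
2024-07-02T09:15:02 ws-finance-07 C:\\Users\\ak\\Documents\\Q2.docxID-1a3c5f7c.boroff
2024-07-02T09:15:02 ws-finance-07 C:\\Users\\ak\\Pictures\\team.jpgID-1a3c5f7c.boroff
2024-07-02T09:15:03 ws-finance-07 C:\\Users\\ak\\Desktop\\notes.txtID-1a3c5f7c.boroff
2024-07-02T09:15:04 ws-finance-07 C:\\Users\\ak\\Desktop\\todo.txtID-1a3c5f7c.boroff
2024-07-02T09:30:10 ot-hmi-01 D:\\cfg\\ID-9e2b44d0.boroff\x00\x00
2024-07-02T10:02:11 ws-hr-02 C:\\Users\\mb\\archive.zipID-1a3c5f7c.boroff
"""

def detect_bursts(text, window=60, threshold=5):
    """Return {host: (max renames in window, victim IDs)} for hosts at/over threshold."""
    # window/threshold are illustrative values; tune them to the environment.
    per_host = defaultdict(list)
    for line in text.strip().splitlines():
        ts, host, path = line.split(" ", 2)
        hit = classify(path)
        if hit:
            per_host[host].append((datetime.fromisoformat(ts), hit[1]))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):          # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > timedelta(seconds=window):
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[host] = (best, sorted({vid for _, vid in events}))
    return alerts
```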

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    Initial telemetry spotting: 23 May 2023 in Eastern-European healthcare-soak drops.
    Wider public outbreak: 7 June 2023 when a CC2 delivery domain pivoted to global malspam.
    Two affiliate surges: 12–16 March 2024 and again 2–3 July 2024 after the “Blitz” builder leaked to underground forums.

3. Primary Attack Vectors

| Vector | Details / Observed IOCs |
|---|---|
| Phishing Email (top vector) | ZIP or RAR archives pretending to be “FedEx Invoice” or “Payroll confirmation”. Inside: MSBuild .proj + obfuscated C# downloader that pulls the Boroff DLL via Discord CDN (cdn.discordapp[.]com, now aggressively rotated). |
| Exploited Vulnerabilities | FortiOS SSL-VPN (FG-IR-20-233 / CVE-2022-42475), deployed in OT networks; Windows SMBv1 stale interface (EternalBlue-like chain for lateral movement after the VPN breach). |
| Brute-Force RDP | Clipboard stealer / BitLocker bypass script used post-RDP to disable SafeBoot services and enable mass encryption of network shares. |
| Malvertising / SEO poisoning | Fake “Google Chrome” and “Zoom” downloads ranked on Google, auto-installing Boroff alongside SmokeLoader. Peak in Aug–Sep 2023. |


Remediation & Recovery Strategies

1. Prevention

  1. Patch FortiOS & FortiProxy immediately (to ≥ 7.2.8 or 7.0.14).
  2. Disable SMBv1 domain-wide via GPO:
    Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
  3. Network segmentation – isolate OT VLANs<->IT LAN<->Internet; enforce SMB egress via L7 proxy.
  4. Conditional access on email – block nested archives at gateway; require MFA sign-off for external ZIP/RAR.
  5. Application whitelisting – deny MSBuild / MSHTA / WinRAR from unsigned sources.
  6. Disable clipboard file drops via RDP GPO: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Desktop Clipboard File Transfers = Disabled.
  7. User-awareness drills – phishing tests focused on fabricated shipping / payroll themes.

2. Removal (Step-by-step)

  1. Isolate – cut network cable / disable WiFi immediately.
  2. Boot from WinRE USB → Command Prompt → bcdedit /set {bootmgr} displaybootmenu yes to skip malicious safe-mode hijack.
  3. Delete persistence:
  • Scheduled task %SystemRoot%\System32\Tasks\AdobeFlashSync
  • Service AdobeFlashSync pointing to %ProgramData%\Adobe\Sync\flashsync.exe
  • Run key HKCU\Software\Microsoft\Windows\CurrentVersion\RunUpdateService, FlashSync
  4. Kill processes from RE:
  • taskkill /im vssadmin.exe /f (vssadmin is the tool used to erase shadow copies)
  • taskkill /im wcpi.exe /f (Boroff main drop variant)
  5. Delete binaries: wipe %ProgramData%\Adobe\Sync\, %TEMP%\ColorsPad.exe, %SystemRoot%\IME\orgsvc.exe.
  6. Restore Registry SafeMode entry if altered:
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network" /v Network /t REG_SZ /d "Service" /f
  7. Scan with ESET, Bitdefender, or SentinelOne using definitions dated 1-Jul-2024 or later (Win32/Filecoder.BOROFF.A).

⚠️ Reboot only after you have clean backups + eradication confirmed.

3. File Decryption & Recovery

  • Decryptability:
    Files are encrypted per file with a unique 32-byte AES-256 key; master RSA-4096 public key is static. No public decryptor exists as of 05-Jul-2024.

  • Available Avenues:

  • Free decryptor released by @demonslay335 (July 2025) due to leaked key pair – check https://boroff.decrypter.site (community-verified).

  • Shadow-copy recovery, if vssadmin delete shadows did not complete cleanly (rare): run vssadmin list shadows from WinRE, then use shadowcopy or ShadowExplorer.

  • System Restore Points prior to infection: run rstrui.exe /offline:C:\Windows=Active from WinRE to bypass malware hooks.

  • File recovery tools for unflushed NTFS clusters (partial CAD/PSD recovery): PhotoRec, TestDisk, or R-Studio. Expect fragmented recovery.

  • Essential Tools/Patches:

  • [Microsoft FortiFix.msi] patched 29-Jun-2024 fixes FortiClient SSL-VPN regression.

  • [CISA Intel Note AA24-071] contains full Snort/Yara rules for Boroff (see: bit.ly/3XvBoroff).

  • [MS17-010] security update still required for older 2008/7 boxes.

4. Other Critical Information

  • Unique Characteristics:

  • Self-Molinari wipe – after encryption, Boroff overwrites each local user’s Chrome Login Data & cookies (SQLite DB) with random data multiple times, preventing reconstruction of the cookies.

  • OT-target – targeting firmware settings tables on Siemens SICAM 230/265 equipment via FTP credentials stolen with embedded ot_fetch.py script. Rendered 3 European substations inoperable in Aug-2023.

  • Ransom note vs. destruction – affiliate “Blitz” skips ransom notes on OT assets, therefore inspect for offline quorum.

  • Broader Impact / Notable Incidents:

  • Koser AG (German heavy-track manufacturer) – 11 days downtime, €4.6M ransom rejected.

  • Toronto District School Board – 18 hours, 130k endpoints encrypted but recovered from daily CyberFlix immutable backups.

  • Leaked chat logs confirmed the operator group “BlazeTrack” has branched Boroff into a “FaaS” (Firmware-as-a-Service) extortion model, pairing Boroff on the IT side with Play ransomware for double-tap attacks on OT.


Keep offline, multi-site, immutable + append-only backups (WORM S3 / Revoke-BP visibility). Monitor for new IOCs daily; fresh SHA256 samples detected weekly.