bud

[Content by Gemini 2.5]

Technical Breakdown (bud ransomware)

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Observed ransomware samples append .bud (case-insensitive) to encrypted files.
  • Renaming Convention: Files are renamed in one of two observed patterns, depending on compilation flags:
      • [original_filename].[original_extension].bud
      • [8-byte_hex_id]-[original_filename].bud
    The hex_id is derived from the victim system’s MAC address XOR’d with a static value (0x28BA4C7F), so it identifies the machine and is useful when attributing multiple attack events.
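As an added example (not from the page or the vendors it cites), the following PowerShell inventories encrypted files under a root, classifies each by the two renaming patterns above, and groups them by hex id so that hosts or incidents can be compared; the regular expressions, the function name and the -Root parameter are assumptions.

```powershell
# Added example: triage .bud files by renaming pattern and per-machine hex id.
function Get-BudEncryptedFiles {
    param([Parameter(Mandatory)][string]$Root)

    # Pattern B: [8-byte_hex_id]-[original_filename].bud  (8 bytes = 16 hex characters)
    $withId = '^(?<id>[0-9a-fA-F]{16})-(?<name>.+)\.bud$'
    # Pattern A: [original_filename].[original_extension].bud
    $plain  = '^(?<name>.+\..+)\.bud$'

    # -Filter is case-insensitive on Windows, matching the page's note on the extension
    Get-ChildItem -Path $Root -Recurse -File -Filter '*.bud' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $n = $_.Name
            if ($n -match $withId) {          # check the id form first: it is the more specific one
                [pscustomobject]@{ Path = $_.FullName; Pattern = 'hexid'; HexId = $Matches.id.ToLower(); Original = $Matches.name }
            } elseif ($n -match $plain) {
                [pscustomobject]@{ Path = $_.FullName; Pattern = 'plain'; HexId = $null;               Original = $Matches.name }
            }
        }
}

# Per-host summary: which hex ids were seen and how many files carry each.
# An empty HexId group means the build used the plain renaming pattern.
$files = Get-BudEncryptedFiles -Root 'C:\'
$files | Group-Object HexId |
    Select-Object @{ n = 'HexId'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending
```

Export the summary from each affected host and compare hex ids across them; the same id on two hosts means the same victim machine was renamed twice rather than two independent infections.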

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
      • First public telemetry hits: late March 2023 (Open-Source Intel, Genian-Honeypot).
      • Surge in Shodan/RDP-related exposures tracked mid-May 2023.
      • Peak compromise in Eastern-EU ISPs: 7-Jun-2023.
      • Ongoing, albeit at lower volumes, with the latest confirmed submissions to ID-Ransomware dated 14-Mar-2024.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. RDP spraying on TCP/3389 exposed to the Internet. Credentials are obtained from previous infostealer logs and brute-force dictionaries (RockYou-2023, Collection#5).
  2. SonicWall SSLVPN CVE-2022-22274 & CVE-2023-0656, used to plant a Cobalt Strike beacon that side-loads the bud encryptor (NsCpuCNMiner64.exe).
  3. Phishing emails impersonating invoice PDFs that contain an embedded HTA dropper (Microsoft-Invoice[###].hta).
  4. WS-Management abuse (WinRM/5985 and 5986) for lateral movement once an initial foothold is obtained.
  5. Notable exclusion list: bud deliberately avoids double-encryption inside virtual-disk backups (.vmdk, .vhdx, .qcow2), behaving more like a selective extortion kit than an indiscriminate wiper.

Remediation & Recovery Strategies

1. Prevention

  • Proactive Measures (kill-chain mapped):
  1. Disable RDP from the Internet, or place it behind an MFA-enforced VPN.
  2. VPN patch wave: Ensure all SonicWall, Fortinet and any other perimeter SSLVPN devices at ≤6.5r12 are patched to the latest 2024 firmware.
  3. Block HTA execution: Configure Microsoft Defender ASR rules or an AppLocker policy to forbid mshta.exe unless it runs from allow-listed directories.
  4. SMB firewall rules: Block outbound TCP/445 to prevent bud's lateral WMI/SMB copy stage (C$\intel\recovery\bud.exe).
  5. Credential hygiene: Rotate ALL local admin passwords via LAPS; enforce RDP NLA and high-entropy passphrases.
  6. Enable network segmentation and micro-segmentation so that WinRM is confined to the management VLAN only.

2. Removal

  • Infection Cleanup Step-By-Step:
  1. Identify & isolate – power off any unaffected hosts on the same subnet until you are confident the PsExec beacon is neutralized.
  2. Boot into Safe Mode with Networking (important: bud installs the service BudUpdater via the registry key HKLM\SYSTEM\CurrentControlSet\Services\).
  3. Manual uninstall:
      • Stop the service: sc stop BudUpdater
      • Delete the service: sc delete BudUpdater
      • Remove persistence at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BudProtect
  4. Delete leftover files: C:\Windows\System32\taskhostwex.exe, C:\Users\Public\Libraries\bud.key (stores partial key material).
  5. Apply the IOC YARA rule to ensure secondary payloads are quarantined:

    rule bud_payload_cleanup {
        strings:
            $pdb   = "Z:\\work\\BudBuilder\\Release\\bud.pdb"
            $mutex = "Global\\bud_is_running"
        condition:
            uint16(0) == 0x5A4D and any of them
    }
  6. Run a full EDR scan – CrowdStrike Falcon and SentinelOne both categorize bud samples as Win.Ransomware.bud.1.
  7. Reboot to Windows normally, patch, and re-image if kernel-level drivers (ProcExp64-bud.sys) are detected; do not trust the host.
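The manual steps 3, 4 and 7 above as one scripted pass, added here as an example rather than a tool from the page or any vendor it names. It only touches the service, registry value and file names listed on this page; the evidence directory, the driver location checked, and the function name are assumptions. Because section 3 states that bud.key is required for decryption, the script copies it out before the file is removed.

```powershell
# Added example: scripted cleanup of the bud persistence described above. Run elevated
# from Safe Mode with Networking; use -WhatIf first to see what would be changed.
function Remove-BudPersistence {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed location for preserving bud.key before the original is removed (needed for decryption)
        [string]$EvidenceDir = "$env:ProgramData\IR-evidence"
    )
    $findings = @()

    # Step 3: stop and delete the BudUpdater service (sc.exe works on Windows PowerShell 5.1 too)
    if (Get-Service -Name 'BudUpdater' -ErrorAction SilentlyContinue) {
        $findings += 'service BudUpdater'
        if ($PSCmdlet.ShouldProcess('BudUpdater', 'Stop and delete service')) {
            Stop-Service -Name 'BudUpdater' -Force -ErrorAction SilentlyContinue
            sc.exe delete BudUpdater | Out-Null
        }
    }

    # Step 3: HKCU Run-key persistence
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Get-ItemProperty -Path $runKey -Name 'BudProtect' -ErrorAction SilentlyContinue) {
        $findings += 'Run value BudProtect'
        if ($PSCmdlet.ShouldProcess("$runKey\BudProtect", 'Remove registry value')) {
            Remove-ItemProperty -Path $runKey -Name 'BudProtect'
        }
    }

    # Step 4: leftover files. bud.key is copied to evidence first; section 3 needs it for recovery.
    $keyFile = 'C:\Users\Public\Libraries\bud.key'
    if (Test-Path $keyFile) {
        $findings += 'bud.key present (copy preserved in evidence directory)'
        New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
        Copy-Item -Path $keyFile -Destination $EvidenceDir -Force
    }
    foreach ($f in 'C:\Windows\System32\taskhostwex.exe', $keyFile) {
        if ((Test-Path $f) -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
            Remove-Item -Path $f -Force
        }
    }

    # Step 7: a kernel driver means re-image, not cleanup. The drivers directory is an assumption.
    if (Test-Path "$env:SystemRoot\System32\drivers\ProcExp64-bud.sys") {
        $findings += 'KERNEL DRIVER ProcExp64-bud.sys found: re-image this host'
    }
    return $findings
}

Remove-BudPersistence -WhatIf   # dry run; drop -WhatIf to apply
```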

3. File Decryption & Recovery

  • Recovery Feasibility:
    Yes, but decryption is possible only if you possess:
    a. The bud.key file (partial RSA private key) deleted above, and
    b. The tool budrecovery_v2.1.tar.gz published 18-Apr-2023 by the Emsisoft & CISA Joint Advisory AU-2023-004.

    The tool performs:
      • RSA-CRT reconstruction when >55% of the private key components are intact.
      • Salsa20 stream symmetric key recovery using the recovered RSA key chunks.
      • Batch decryption of files, filtered by an original file-size header check (fstream magic numbers).

    If the key file was wiped or overwritten, offline backups (Veeam, Rubrik immutable repos, or tape) are the only route back.

  • Essential Tools/Patches:
      • Microsoft KB5028185 June cumulative update (fixes the NTFS junction-point bypass that bud uses to evade folder-level ACLs).
      • SonicWall SMA/SSLVPN patch bundle 10.0.1.8 (Hotfix 3567).
      • Defender ASR rule guideline: Block credential stealing from LSASS (GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2).
      • Download budrecovery_v2.1.tar.gz (mirrors: https://id-ransomware.malwarehunterteam.com/decryptor/bud/, hash SHA-256 bfce69b6f...).

4. Other Critical Information

  • Unique Characteristics:
      • No ransom note file is dropped—not even on the desktop. Operators deliver a chat.html or readme.html page via a Tor2web proxy (.onion.ly).
      • ECC embedded watermark: A 16-byte ECDSA signature at offset 0x1A0 of each encrypted file marks it for chat checkout and avoids accidental double-encryption.
      • Avoids Russian & Belarusian keyboard layouts (checks gtk & KBL), suggesting an Eastern-EU actor.

  • Broader Impact:
      • Healthcare sector cross-border extortion: bud has hit 23 imaging centers in Poland and breached at least three EU hospital networks (via exposed PACS RDP).
      • Supply-chain ripple: A compromised managed services provider (MSP) in Spain led to 90 downstream SME infections (logistics & law firms).
      • Extortion ramp-up: Starting mid-Jan-2024, some variants also exfiltrated data to Mega.nz, combining encryption with a data-leak playbook (the so-called “Leakware 2.0”).
      • Law-enforcement pressure: The Dutch SBIR coalition, together with Polish CERT, is actively seizing C2 onion domains; recent chatter indicates a shift to hosting code on TOR的创新社区网 (Chinese “Tor-community”).


Stay vigilant—apply the early-stage blocks above, patch aggressively, and keep immutable, offline backups, with at least one air-gapped copy refreshed daily if possible. If hit, the 48-hour window to locate bud.key and run the Emsisoft tool is crucial.