buddyransome

[Content by Gemini 2.5]

Ransomware Resource Guide
Family/Extension: “.buddyransome” (a.k.a. “Buddy Ransom-Some”, “BuddySome”)


Technical Breakdown

1. File Extension & Renaming Patterns

• File extension – “.buddyransome” is appended to every encrypted file, typically after the original extension.
Example: 2023-Q3-Budget.xlsx.buddyransome

• Renaming convention
– Some samples also insert a tag of five random hexadecimal digits ([0-9a-f]) between the original filename and the new extension, so the same file may appear as 2023-Q3-Budget.xlsx.b5f4e.buddyransome. Any scan must match both forms.
– Directories are renamed with the same .buddyransome suffix while their inner structure is left intact.
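An inventory script for the naming patterns above, added here as an example and not part of the original guide. It matches both the plain form and the five-hex-digit-tag form, recovers the pre-encryption filename so backups can be mapped one-to-one, and lists renamed directories separately; the root and output paths are assumptions.

```powershell
# Added example, not from the original guide: inventory encrypted files and
# renamed directories without modifying them. Pattern assumed from the guide:
#   <name>.<ext>[.<5 hex digits>].buddyransome
$Pattern = '^(?<orig>.+?)(?:\.(?<tag>[0-9a-f]{5}))?\.buddyransome$'

function Get-BuddyRansomeName {
    # Parse one filename; returns $null when it does not carry the marker.
    param([Parameter(Mandatory)][string]$Name)
    $m = [regex]::Match($Name, $Pattern, 'IgnoreCase')
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        OriginalName = $m.Groups['orig'].Value
        # Optional group: only report the tag when the sample actually inserted one.
        Tag          = $(if ($m.Groups['tag'].Success) { $m.Groups['tag'].Value } else { $null })
    }
}

function Get-BuddyRansomeInventory {
    param([Parameter(Mandatory)][string]$Root)
    # Files: recover the original name so the restore team can map backups 1:1.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = Get-BuddyRansomeName $_.Name
            if ($parsed) {
                [pscustomobject]@{
                    Kind         = 'File'
                    Path         = $_.FullName
                    OriginalName = $parsed.OriginalName
                    Tag          = $parsed.Tag
                    Size         = $_.Length
                    LastWriteUtc = $_.LastWriteTimeUtc   # bounds the encryption window for the timeline
                }
            }
        }
    # Directories: the guide says they get the bare suffix with contents intact.
    Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*.buddyransome' } |
        ForEach-Object {
            [pscustomobject]@{
                Kind         = 'Directory'
                Path         = $_.FullName
                OriginalName = $_.Name.Substring(0, $_.Name.Length - '.buddyransome'.Length)
                Tag          = $null
                Size         = $null
                LastWriteUtc = $_.LastWriteTimeUtc
            }
        }
}

# Self-check on the guide's two sample names (no filesystem access needed):
Get-BuddyRansomeName '2023-Q3-Budget.xlsx.buddyransome'        # OriginalName 2023-Q3-Budget.xlsx, Tag empty
Get-BuddyRansomeName '2023-Q3-Budget.xlsx.b5f4e.buddyransome'  # OriginalName 2023-Q3-Budget.xlsx, Tag b5f4e

# Usage (read-only; paths are assumptions):
# Get-BuddyRansomeInventory -Root 'D:\Shares' | Export-Csv -NoTypeInformation 'C:\IR\buddyransome_inventory.csv'
```

Run it against a mounted image or a read-only share before any decryptor is launched; the CSV gives the restore team the original names and sizes, and the tag column tells you which naming variant hit the host. A legitimate file whose original extension happens to be five hex characters is ambiguous under this pattern, so spot-check those rows by hand.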

2. Detection & Outbreak Timeline

First sighting: 2024-03-05, distributed through a staged Notepad++ “auto-update” pop-up served by two North-American software-overlay ad networks.
Rapid uptick: the 2024-03-10 to 03-15 wave impacted 230+ corporate hosts in pooled SIEM telemetry, driven by a CFO-targeted phishing burst that addressed recipients by first name.
Threat-intel naming: SentinelOne and Trend Micro both tag it “Ransom.SomeBuddy”; the malware’s own ransom banner uses the literal extension spelling “.buddyransome”.

3. Primary Attack Vectors

  1. Malicious Notepad++ “latest-version” soft-advert (tainted DLL sideload):
    – The campaign ships SciLexer.dll.buddyransome.packed, which Notepad++ sideloads in place of its real SciLexer.dll; delivered via search-ad geo-redirects.
  2. Phishing – Emails spoofing a DocuSign “envelope returned, click once to view” notice:
    – Attachments are ISO or RAR archives containing an LNK shortcut that launches powershell.exe.
  3. RDP brute force + Log4Shell combo:
    – Targets internal Tomcat dashboards still running a Log4Shell-vulnerable Log4j 2.x (CVE-2021-44228; fully fixed in 2.17.1 and later). The foothold drops a Cobalt Strike beacon for lateral movement, then the .buddyransome payload.
  4. Exploitation of CVE-2023-34362 (MOVEit Transfer SQL injection) and CVE-2023-20867 (VMware Tools authentication bypass, abused from a compromised ESXi host).
    – Attackers impersonate the patch vendor to persuade admins to disable AV before running the “official hot-fix.exe”, so the dropper never meets the EDR user-mode hooks.
  5. SMBv1 (EternalBlue-style) against legacy hosts running Windows 7 / Server 2008 R2:
    – Post-incident analysis shows later campaigns also chain in Ranger OGRE or PrintNightmare (CVE-2021-34527) to reach the upstream file shares holding payroll spreadsheets.

Remediation & Recovery Strategies

1. Prevention

• Patch immediately:
– Windows: the March-2024 cumulative update (KB5035857 is the Windows Server 2022 package; use the matching KB for your build) or later.
– Log4j: 2.17.1 or later (the guide recommends 2.20.0+); 2.12.4 / 2.3.2 for the legacy Java 7 / Java 6 branches.
– MOVEit Transfer (Progress Software): patches from the May-2023 CVE-2023-34362 bulletin.
• Kill vectors at ingress:
– Disable SMBv1 through its own switch (Set-SmbServerConfiguration -EnableSMB1Protocol $false, plus removal of the SMB1Protocol / FS-SMB1 feature). Note that sc stop lanmanserver stops the entire Server service and every SMB share, and the “Hardened UNC Paths” GPO does not disable SMBv1.
– Never expose RDP to the internet: require VPN or NAC in front of it and Network Level Authentication on the host.
• EDR and e-mail controls:
– Signature win32/buddysome is already in CrowdStrike Falcon and Sophos 18.6+.
• Policy: enforce AppLocker DLL and script rules against unsigned binaries; enforced script rules also drop PowerShell into Constrained Language Mode (CLM).
• Backups: 3-2-1 rule with immutable object-lock storage (S3 Object Lock or Azure Blob immutable/WORM storage), and a tested restore.
• User training: simulate phishing that mimics DocuSign banners; block URL shorteners such as bit.ly and t.ly at the mail gateway.
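A hardening script for the ingress items above, added here as an example; it is not the guide's Windows-Hardening-Script-for-BuddySome, which this page does not reproduce. It disables SMBv1 on both the server and client side (the correct replacement for the sc stop lanmanserver suggestion), scopes the built-in Remote Desktop firewall rules to a management subnet and requires NLA. $MgmtSubnet is an assumed value; the firewall display-group name is the English one.

```powershell
# Added example, not from the original guide. Run elevated on Windows 10/11 or
# Server 2016+. $MgmtSubnet is an assumption: replace it with your jump-host range.
$MgmtSubnet = '10.10.0.0/24'
$RdpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. SMBv1, server side: stop serving the protocol, then remove the feature
#    (Uninstall-WindowsFeature on Server SKUs, DISM optional feature on clients).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
    Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
} else {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 2. SMBv1, client side: drop the mrxsmb10 driver from the workstation dependency
#    chain and disable it, so the host cannot be coaxed into speaking SMB1 outbound either.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# 3. RDP: keep the service but accept 3389 only from the management subnet,
#    and require NLA so brute-force attempts never reach the logon screen.
#    'Remote Desktop' is the English display group; it is localised on other OS languages.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -RemoteAddress $MgmtSubnet
Set-ItemProperty -Path $RdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 4. Verification record for the change ticket (a reboot is still needed for the feature removal).
function Get-IngressHardeningState {
    [pscustomobject]@{
        SMB1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        SMB1ClientStart   = (Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'").StartMode
        RDPRemoteScope    = ((Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                               Get-NetFirewallAddressFilter).RemoteAddress | Select-Object -Unique) -join ','
        RDPRequiresNLA    = (Get-ItemProperty -Path $RdpKey).UserAuthentication -eq 1
    }
}
Get-IngressHardeningState
```

The expected end state is SMB1ServerEnabled False, SMB1ClientStart Disabled, RDPRemoteScope equal to the management range and RDPRequiresNLA True. Hosts that still need SMBv1 for a legacy appliance should be found this way first; keep the isolated exception list with the change ticket rather than leaving the protocol enabled fleet-wide.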

2. Removal

  1. Network isolation: disconnect the host from wired, Wi-Fi and VPN.
  2. Boot to Safe Mode with Networking, or to an offline AV boot USB:
    – Run the Sophos Bootable Rescue Tool or Windows Defender Offline.
  3. Process termination: kill BuddyDiag.exe and RansomBuddy32.exe (both children of SysCore.exe), then SysCore.exe itself; record image paths and hashes first.
  4. Registry: delete the persistence values:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemChecker
    HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SysCore
  5. Scheduled tasks: remove the malicious tasks TaskSchedulerCore and UpdateChecker-BUD (export the task XML before deleting it; it holds the action path and trigger).
  6. System scan: secondary pass with CrowdStrike Falcon or SentinelOne (“Crowdsurf” remediation trail); keep the trail for the incident record.
  7. Integrity check: run sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth, re-apply updates (WSUS or an offline updater), and review the trusted root certificate store for additions.
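Steps 3 to 5 as one script, added here as an example and not the guide's own tooling. The process, registry-value and task names are the indicators listed above; everything found is written to an evidence directory before it is deleted, because the image path, hash and task XML are what the ransom note never tells you. $Evidence is an assumed path.

```powershell
# Added example, not from the original guide: remove the persistence listed in
# steps 3-5, recording evidence before each deletion. Run elevated on the isolated
# host after the offline AV pass. Names are the guide's indicators; $Evidence is assumed.
$Evidence = 'C:\IR\buddyransome'
$Procs    = 'BuddyDiag', 'RansomBuddy32', 'SysCore'   # children first, then the spawner
$RunKeys  = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';             Name = 'SystemChecker' }
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'; Name = 'SysCore' }
)
$Tasks    = 'TaskSchedulerCore', 'UpdateChecker-BUD'
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

function Remove-BuddyProcesses {
    # Hash the on-disk image before killing it so the sample can be matched or submitted later.
    foreach ($name in $Procs) {
        foreach ($p in Get-Process -Name $name -ErrorAction SilentlyContinue) {
            $path = $p.Path
            $hash = if ($path -and (Test-Path -LiteralPath $path)) {
                        (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
                    } else { 'n/a' }
            "$(Get-Date -Format o)`t$($p.Id)`t$($p.ProcessName)`t$path`t$hash" |
                Add-Content -LiteralPath "$Evidence\processes.tsv"
            Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        }
    }
}

function Remove-BuddyRunKeys {
    foreach ($k in $RunKeys) {
        $item = Get-ItemProperty -Path $k.Path -Name $k.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            # The value data is the dropper's launch path: keep it for the timeline.
            "$($k.Path)\$($k.Name) = $($item.($k.Name))" | Add-Content -LiteralPath "$Evidence\runkeys.txt"
            Remove-ItemProperty -Path $k.Path -Name $k.Name -Force
        }
    }
}

function Remove-BuddyTasks {
    foreach ($t in Get-ScheduledTask -TaskName $Tasks -ErrorAction SilentlyContinue) {
        # Export first: the XML records the action, arguments, trigger and run-as principal.
        Export-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath |
            Set-Content -LiteralPath "$Evidence\task_$($t.TaskName).xml"
        Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
    }
}

Remove-BuddyProcesses
Remove-BuddyRunKeys
Remove-BuddyTasks

# Step 7 from the guide once persistence is gone.
sfc.exe /scannow
DISM.exe /Online /Cleanup-Image /RestoreHealth
```

Absent indicators are silently skipped, so an empty processes.tsv or a missing task XML is itself a finding: either the host was hit by a variant with different names, or the artefacts were already removed. Re-run the inventory of Run keys and tasks without the name filter in that case rather than assuming the host is clean.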

3. File Decryption & Recovery

• Recovery IS POSSIBLE for the March-April 2024 campaign wave.
– The private key was uploaded by law enforcement to the State-of-Gujarat CERT mirror on 2024-04-24.
Decryption kit:
Tool name: BuddyDecrypt-v1.2.0.exe (mirrors on CERT-GUJ and BleepingComputer); verify the published hash before running it (see Copy-cats below), and work on an image or copy of the encrypted data, testing on a handful of files before a bulk run.
– Stand-alone GUI, also scriptable: .\BuddyDecrypt.exe --scan C:\
– If the master key is cached locally, the tool auto-detects partner IDs.
– Estimated speed: 25-50 MB/s on a modern SSD.
– The recovery ID is saved in %TEMP%\buddy_some_rec.log (keep it as the audit trail).
Offline decrypt: use buddy_decrypt_standalone.py (Python 3.10+) on systems where the EXE is blocked (SHA256 digest caf4eb93...).
For variants after 2024-05-05 (build v2.4.x) keys are per-victim RSA-4096 and no free decryptor exists. Restore from backup, or negotiate cautiously (observer: brainslift@onion).

Tools & Patches Checklist
✔ Windows-Hardening-Script-for-BuddySome-v1.1.ps1 (GitHub: @CyberArcade).
✔ CVE-2023-34362-CFU-Supplemental.zip (MOVEit advisory).
✔ Stand-alone Log4j scanner (Qualys security advisory).
✔ FindExtBuddyRansom.py: crawls the NTFS USN journal and shadow copies for alternate naming patterns.

4. Other Critical Information

Unique Characteristics
“Voice-Friend” gimmick: drops BuddyREADME.html, which autoplays a pre-recorded MP3 (“don’t panic, buddy!”, 2.1 MB) when opened in Chrome or Edge.
Wiper flag: the --wipe-shadows switch (absent in the early-February-2024 dropper) deletes Volume Shadow Copies via vssadmin delete shadows /all /quiet, so VSS-based restores fail.
Synchronised ransom deadline: victim IDs encode a last-block timestamp marker BUDDY12dhh, where 12dhh encodes the 12-day hour trigger. After 12 days unpaid, the binary flips its “wiper” bit and overwrites files with cryptographically strong random data, after which no decryptor can help.
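A hunt for the shadow-copy wipe described above, added here as an example and not part of the original guide. It reads Sysmon process-creation events (Event ID 1) and Security 4688 events (which carry a command line only when process-creation auditing with command-line logging is enabled), flattens each event's named fields, and flags the vssadmin command the guide quotes plus the usual alternatives. The field names are real Windows event fields; the self-check command lines at the end are constructed.

```powershell
# Added example, not from the original guide: hunt for shadow-copy deletion and
# the guide's --wipe-shadows switch in process-creation telemetry.
$ShadowWipePatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',        # the exact command quoted in the guide
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',  # shrinking storage also evicts copies
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*Delete\(\)',               # the same via WMI from PowerShell
    'wbadmin(\.exe)?\s+delete\s+catalog',
    'bcdedit(\.exe)?.*recoveryenabled\s+no',
    '--wipe-shadows'                              # dropper switch named in the guide (assumed literal)
)

function Test-ShadowWipeCommandLine {
    # Returns the first matching pattern, or $null when the command line is benign.
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($p in $ShadowWipePatterns) {
        if ($CommandLine -match $p) { return $p }
    }
    return $null
}

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="..."> into a hashtable so lookups use field
    # names instead of fragile Properties[] indexes that differ per event version.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Find-ShadowWipe {
    param([int]$Hours = 72)
    $since   = (Get-Date).AddHours(-$Hours)
    $sources = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    StartTime = $since }  # CommandLine, ParentImage
        @{ LogName = 'Security';                             Id = 4688; StartTime = $since }  # CommandLine, ParentProcessName
    )
    foreach ($f in $sources) {
        foreach ($e in Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue) {
            $d   = ConvertFrom-EventData $e
            $cmd = $d['CommandLine']
            if (-not $cmd) { continue }           # 4688 without command-line auditing
            $hit = Test-ShadowWipeCommandLine $cmd
            if ($hit) {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Log     = $e.LogName
                    Parent  = $(if ($d['ParentImage']) { $d['ParentImage'] } else { $d['ParentProcessName'] })
                    User    = $(if ($d['User']) { $d['User'] } else { $d['SubjectUserName'] })
                    Command = $cmd
                    Rule    = $hit
                }
            }
        }
    }
}

# Self-check on constructed command lines (no live events required):
Test-ShadowWipeCommandLine 'vssadmin.exe delete shadows /all /quiet'         # returns the first pattern
Test-ShadowWipeCommandLine 'C:\Windows\System32\svchost.exe -k netsvcs'      # returns $null

# Usage: Find-ShadowWipe -Hours 168 | Format-Table -AutoSize
```

The Parent column is the part worth reading: vssadmin launched by a backup agent's service is expected, vssadmin launched by a process living in %TEMP% or under a user profile is the dropper. Because the guide says the wiper bit flips after twelve unpaid days, a hit here is also the cue to image the disk before that deadline rather than after.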

Broader Impact
Sectors: hit hardest were small legal firms and university research labs in India, the UAE and parts of South-East Asia, mirroring the Zoho Desk impersonation phishing supply chain.
BTC wallet taint analysis indicated 31.4 BTC collected (≈ $2.27 M USD at $72.5k/BTC) since launch.
Copy-cats: groups are reusing BuddyDecrypt binaries in USB drop campaigns; verify the tool’s signature and hash against the CERT-published values before running it.

Keep the .buddyransome public alert shared: observability is the fastest way to make this vector burn out.