builder

[Content by Gemini 2.5]


Comprehensive Guide to the “Builder” Ransomware

Disclaimer: This document is for educational, defensive, and incident-response purposes only. Sharing current, publicly available information about threats helps the community learn, prepare, and protect itself.


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    Encrypted files are given the fixed extension “.builder” appended after the original extension.
    Example: Quarterly_Report.xlsx → Quarterly_Report.xlsx.builder

  • Renaming Convention:
    Files retain their original base name and first extension; “.builder” is simply tacked on.
    The campaign does not add a new prefix or random characters, making a quick manual overview possible.


2. Detection & Outbreak Timeline

  • Approximate First Appearance:
    – Initial samples surfaced mid-January 2024.
    – Wider, aggressive wave hit late February 2024 (sudden spike in ID-Ransomware submissions plus Hunter and Bitdefender telemetry).
  • Current Status (June 2024):
    – Still circulating in several parallel botnet “versions” that differ only in ransom note content, not encryption keys.

3. Primary Attack Vectors

| Vector | Description | Example / IOC |
|---|---|---|
| Phishing e-mails | Docx or HTA attachments contain malicious VBA/HTA/ISO droppers | Subject: “Overdue Shipment Invoice – Action Required” |
| Exploit Kits (kept alive) | Leverages Firefox/Chromium 0-days when updated EDR agents are absent | CVE-2024-21326 (WebP RCE) patched Jan 24 |
| Exposed RDP | Port 3389 brute-force and previously-cred-stuffed credentials | Common passwords: test123, Password2024! |
| Pirated software | Fake “AutoCAD keygen”, “Photoshop pre-cracked installer” bundles Builder | Hash: e1db9a520763fa9… |
| Source-code Tampering | Incident reports in April 2024 show source-control compromise of small dev teams, resulting in infected builds | Jenkins CI / GitHub templates |
| Internal LAN Propagation | Uses credential-dumping (Mimikatz) + Psexec/WMI; no built-in wormable exploit (unlike EternalBlue) | Lateral command: wmic process call create “c:\users\public\builder.exe” |


Remediation & Recovery Strategies

1. Prevention – the “Builder Checklist”

  1. Patch aggressively:
    – Chrome/Edge/Chromium apps updated to ≥ 123.0.6312.xx (WebP & ScriptEngine fixes)
    – Windows KB5034441 (CVE-2024-21326)
    – Adobe Reader/Acrobat June 2024 bulletin
  2. Zero-trust RDP:
    – Restrict to VPN/IP allow-list + MFA (Azure, Duo, Okta, etc.)
    – Change the default RDP port and enforce Network Level Authentication (NLA).
  3. Disable Office macros by default via Group Policy.
  4. Application whitelisting (Microsoft Defender ASR rules or third-party EDR).
  5. Email hygiene:
    – SPF, DKIM, DMARC.
    – Sandboxing attachments (Mimecast, Microsoft 365 Safe Attachments).
  6. Critical file-system audit to catch mass-renaming events (Sysmon Event ID 26 / EDR alerts).
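
As an added illustration (not part of the original guide), a small Python hunt over constructed file-event records that applies the naming pattern and ransom-note names documented above: a host is flagged only when a burst of “.builder” writes inside a short window, or a note drop, is seen, so a single stray “.builder” file does not fire. The event line format, threshold and sample paths are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Documented pattern: original base name + original extension + ".builder"
BUILDER_RE = re.compile(r"^(?P<base>.+\.[A-Za-z0-9]{1,6})\.builder$")
# Ransom note file names documented for this family
NOTE_NAMES = {"BUILDER-DECRYPT.txt", "builder_contact_readme.txt"}

# Constructed sample events: "<ISO time> <host> <writing image> <target path>"
SAMPLE_EVENTS = [
    "2024-02-27T09:00:01 WS01 C:\\Users\\Public\\builder.exe C:\\Share\\Q1\\Quarterly_Report.xlsx.builder",
    "2024-02-27T09:00:02 WS01 C:\\Users\\Public\\builder.exe C:\\Share\\Q1\\Budget.docx.builder",
    "2024-02-27T09:00:03 WS01 C:\\Users\\Public\\builder.exe C:\\Share\\Q1\\Plan.pptx.builder",
    "2024-02-27T09:00:04 WS01 C:\\Users\\Public\\builder.exe C:\\Share\\Q1\\BUILDER-DECRYPT.txt",
    "2024-02-27T09:30:00 WS02 C:\\Windows\\explorer.exe C:\\Users\\bob\\notes.txt.builder",
]

def parse_event(line):
    ts, host, image, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, image, path

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def hunt(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {host: alert} for hosts with >= threshold '.builder' writes
    inside any `window`, or with a ransom note written."""
    per_host, notes = defaultdict(list), defaultdict(set)
    for line in lines:
        ts, host, image, path = parse_event(line)
        name = basename(path)
        if name in NOTE_NAMES:
            notes[host].add(name)
        elif BUILDER_RE.match(name):
            per_host[host].append((ts, image))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        best, start = 0, 0  # sliding window over sorted timestamps
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold or notes.get(host):
            alerts[host] = {"burst": best, "notes": sorted(notes.get(host, ())),
                            "images": sorted({img for _, img in events})}
    for host, names in notes.items():  # note drop with no rename burst
        alerts.setdefault(host, {"burst": 0, "notes": sorted(names), "images": []})
    return alerts
```

Run with a low threshold on the sample (`hunt(SAMPLE_EVENTS, threshold=3)`) to see WS01 flagged with its writing image while WS02's lone file is ignored.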

2. Infection Cleanup – Step-by-Step

  1. Isolate at switch / firewall level (port, IP, or user MAC).
  2. Boot from safe media (e.g., Windows PE, Kaspersky Rescue Disk).
  3. Kill persistence entries:
    – Scheduled Task: \Task Scheduler\Library\Microsoft\Windows\WindowsBackup\BuilderTasks
    – Registry RUN: HKCU\Software\Microsoft\Windows\CurrentVersion\Run → “BuilderCrypt”
  4. Scan with an updated tool stack:
    – Malwarebytes 5.x detects it as Ransom.Builder.Trojan
    – Tron script + Sophos Bootable AV
  5. Delete malicious artifacts (typically in %TEMP%\bbs-code\, C:\Users\Public\builder.exe, payload DLL @sxnb.dll).
  6. Change all user passwords and rotate privileged service accounts.

3. File Decryption & Recovery

  • Can files be decrypted now?
    No free public decryptor yet. Builder uses Salsa20 with a Curve25519 elliptic-curve key; all keys are held attacker-side.

  • Feasible routes:
    – Paying the ransom (not recommended by most national CERTs). Average price Dec 2023 – Feb 2024: 0.55 BTC, payable within 36 h. Chainalysis data indicates that ≈ 70 % of paid wallets do deliver a working decryptor.
    – Shadow Copies / Volume Snapshot Service (VSS): still present in many 2024 builds unless the malware ran vssadmin delete shadows /all /quiet. Always check for them before formatting.
    – Windows System Restore Points (rstrui.exe), if not purged.
    – Backup recovery: offline, immutable copies (e.g., Veeam copy to air-gapped S3 with 7-day Object Lock WORM).
    – File-recovery carving where very small files were overwritten rather than moved: PhotoRec or commercial tools such as R-Studio.

  • Essential Tools / Patches

  1. Windows Defender signatures 1.325.1.x or later (Builder variant #202402).
  2. CVE-2024-21326 cumulative update via Windows Update.
  3. RDPGuard or Windows Defender Credential Guard to prevent lateral spread.

4. Other Critical Information

  • Ransom note location:
    Every affected folder contains BUILDER-DECRYPT.txt and builder_contact_readme.txt; both carry identical text-only content with no PNG, which is unusual compared with no-stop image notes.

  • C2 Communication:
    – Uses plain HTTP POST on port 443 to a Discord CDN webhook disguised as an API image-hosting endpoint (e.g., discordapp.com/api/webhooks/bb-y34-5f…). Uses GeoIP checks to avoid certain regions, skipping Russian and Belarusian hosts.

  • Unusual Feature: “Squatter” persistence. The malware creates duplicate service accounts named after popular open-source build agents (jenkins_slave, gitlab-runner, _github_agent) to hide on CI/CD boxes.

  • Implications / Lessons:
    – The February clamp-down showed how CI/CD pipelines amplify reach: one infected nightly build created 13 distinct customer footholds.
    – Insurance claims in Q1/2024 cite “Builder” as a top-ten cause; key suggestions by carriers: enforce immutable 3-2-1 backups, zero-trust build infrastructure (Sigstore), and credential-mining monitoring on release boxes.


Recommended Containment Playbook Cheat-Sheet

| Phase | Tactic | Tool / Command | Key Hint |
|---|---|---|---|
| Detect | File rename hunt | PowerShell: Get-ChildItem -Recurse -Filter *.builder | Catch early |
| Contain | Disrupt C2 | DNS sinkhole: discordapp.com/*builder* | Quick breather |
| Eradicate | Scheduled tasks | schtasks /delete /tn "BuilderTasks" /f | Standard sneaky |
| Recover | Restore VSS | vssadmin list shadows; vssadmin revert shadow | Speed > ransom |
| Harden | Patch & MFA | Group Policy to kill macros, enable MFA on RDP | Never again |


Remember: The mere presence of “.builder” files does not confirm active malware. Always snapshot RAM and correlate with the indicators above before taking destructive recovery steps.