bulwark7

[Content by Gemini 2.5]

Ransomware Profile – .bulwark7


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .bulwark7 (e.g., report.xlsx.bulwark7, backup.zip.bulwark7).
  • Renaming Convention: After encryption the ransomware keeps the original file name and appends the literal string .bulwark7; no random ID, attacker e-mail address or other field is inserted. NTFS alternate data streams are left unmodified; only the primary data stream is affected.

2. Detection & Outbreak Timeline

  • Initial Wild Sightings: First reported in private incident-response channels on 03 Nov 2023.
  • Public Outbreak Escalation: Mid-December 2023 global uptick (cluster of 50+ orgs in 1 week) driven by a phishing wave tagged “PurchaseOrderNov_#.7z.lnk”.
  • On-going Activity: Active as of June 2024; variant polishing continues (no structural cryptography changes).

3. Primary Attack Vectors

  1. Spear-phishing – Lure ZIP, 7-Zip or RAR archives containing a booby-trapped one-line HTA (run via mshta.exe) → staged payloads fetched through a Tor2Web proxy.
  2. Exposed Remote Desktop (RDP, TCP 3389) – Brute-force logons followed by a "living-off-the-land" PowerShell download cradle.
  3. Known software exploits
    • CVE-2023-34362, MOVEit Transfer pre-auth SQL injection, followed by a PowerShell dropper (initial access).
    • CVE-2021-21972, VMware vCenter RCE, used against internal vCenter instances once a lateral-movement toolkit is on the network (post-compromise).
  4. WMI & Scheduled-Task propagation – Self-propagation once inside; no wormable SMB exploit has been seen to date.
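The RDP vector above is the one most readily caught from Security-log data. The following is an added example (not from the profile): a sliding-window detector over Windows event 4625 that flags a source address with many failed remote logons against many accounts. The threshold, window and the sample events are constructed assumptions for the demonstration; Get-FailedLogonEvents shows how to feed it live events from a host.

```powershell
# Added example, not part of the original profile.
# Flags sources with >= $Threshold failed logons within $WindowMinutes (assumed defaults).
# LogonType 10 = RemoteInteractive; failures through NLA/CredSSP usually surface as type 3,
# so both are included (type 3 also covers SMB, so review the hits).
function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # TimeCreated, IpAddress, TargetUserName, LogonType
        [int] $Threshold = 10,
        [int] $WindowMinutes = 5
    )
    $hits = @()
    $rdpLike = $Events | Where-Object { $_.LogonType -in @(10, 3) }
    foreach ($group in ($rdpLike | Group-Object IpAddress)) {
        $times = @($group.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end   = $times[$i].AddMinutes($WindowMinutes)
            $count = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $end }).Count
            if ($count -ge $Threshold) {
                $hits += [pscustomobject]@{
                    Source   = $group.Name
                    Failures = $count
                    Start    = $times[$i]
                    Accounts = @($group.Group.TargetUserName | Select-Object -Unique).Count
                }
                break   # one hit per source is enough for triage
            }
        }
    }
    return $hits
}

# Pull live 4625 events into the same shape (elevated session required).
function Get-FailedLogonEvents {
    param([datetime] $Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                IpAddress      = $d['IpAddress']
                TargetUserName = $d['TargetUserName']
                LogonType      = [int]$d['LogonType']
            }
        }
}

# Constructed sample: one source spraying 12 accounts in two minutes, plus one user typo.
$base  = Get-Date '2023-12-11T02:00:00'
$users = 'administrator','admin','backup','scanner','helpdesk','sql','svc_veeam','it','test','user1','user2','user3'
$sample = @()
for ($i = 0; $i -lt $users.Count; $i++) {
    $sample += [pscustomobject]@{ TimeCreated = $base.AddSeconds(10 * $i); IpAddress = '203.0.113.45'; TargetUserName = $users[$i]; LogonType = 10 }
}
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(30); IpAddress = '10.0.5.21'; TargetUserName = 'jsmith'; LogonType = 10 }

Find-RdpBruteForce -Events $sample | Format-Table -AutoSize
# Live use: Find-RdpBruteForce -Events (Get-FailedLogonEvents) -Threshold 20
```

On the sample data only 203.0.113.45 is reported (12 failures, 12 distinct accounts); a high account count with a low per-account rate is the password-spray pattern that per-account lockout alone does not catch.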

Remediation & Recovery Strategies

1. Prevention

| Control | Action |
|---------|--------|
| Patch cadence | Apply Microsoft's monthly cumulative updates, the July 2023 Exchange Server update and the MOVEit Transfer patches for CVE-2023-34362 (June 2023), the targets used by .bulwark7 affiliates. |
| E-mail and attachment hygiene | Block executables and archives at the mail gateway; enforce attachment detonation and SPF/DKIM/DMARC hard-fail policies. |
| RDP surface reduction | Put RDP behind a VPN with MFA; require Network Level Authentication; lock out or block sources after repeated failures (e.g., Azure just-in-time VM access, account-lockout policy, your EDR's RDP brute-force detections). |
| Endpoint hardening | GPO-enforced Defender settings: AMSI-integrated script scanning and ASR rules (in particular "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"); block Office macros in files from the Internet; keep admin accounts in an isolated tier-0 environment. |
| Backup architecture | 3-2-1 with weekly offline/air-gapped copies; Veeam repository with immutable (locked) retention; S3 Object Lock for cloud copies. |
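The endpoint and RDP rows of the table translate directly into host settings. The following is an added example (not from the profile) that applies them on one machine for validation before the same settings are pushed by GPO or Intune. The ASR rule GUIDs are Microsoft's published identifiers and should be checked against current documentation; the registry paths assume Office 2016 or later (the 16.0 policy hive) and a default RDP-Tcp listener.

```powershell
# Added example, not part of the original profile. Run from an elevated session.
# ASR rule IDs below are Microsoft's published GUIDs (verify against current docs).
$asrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

function Set-AsrRules {
    param(
        [Parameter(Mandatory)] [hashtable] $Rules,
        [ValidateSet('Enabled', 'AuditMode')] [string] $Mode = 'AuditMode'
    )
    foreach ($id in $Rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-10} {1}" -f $Mode, $Rules[$id])
    }
}

function Set-RdpNla {
    # Require Network Level Authentication on the default RDP listener.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name 'UserAuthentication' -Value 1 -Type DWord
}

function Block-InternetMacros {
    # Per-application Office policy: block macros in files carrying the Mark of the Web.
    foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Access') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Test-Hardening {
    # Report the effective state rather than assuming the change applied.
    $mp = Get-MpPreference
    for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $mp.AttackSurfaceReductionRules_Ids[$i]
        if (-not $asrRules.ContainsKey($id)) { continue }
        $state = switch ([int]$mp.AttackSurfaceReductionRules_Actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
        }
        "{0,-9} {1}" -f $state, $asrRules[$id]
    }
    $nla = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication
    "NLA required: $($nla -eq 1)"
}

Set-AsrRules -Rules $asrRules -Mode AuditMode   # review Defender event 1122 first, then re-run with -Mode Enabled
Set-RdpNla
Block-InternetMacros
Test-Hardening
```

Starting the ASR rules in audit mode is deliberate: the LSASS and Office child-process rules are the ones most likely to break line-of-business tooling, and Defender's 1122 audit events show what would have been blocked before enforcement is turned on.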

2. Removal – Infection Cleanup

  1. Isolate affected hosts on a quarantine VLAN (do not power them off yet) and take all writable backup repositories offline.
  2. Preserve evidence before anything else: capture volatile memory on the live hosts (e.g., with the EDR vendor's memory-capture USB), then image the disks with dd from a Linux live USB or with FTK Imager, before any reboot into the infected OS.
  3. Boot into Windows RE (or a Falcon IR memory-dump USB) so the malware is not running during cleanup; if the live system must be used instead, kill the parent process tree first (typically a process named svhost.exe, not the legitimate svchost.exe, started via a WMI-created scheduled task).
  4. Delete:
  • C:\Users\Public\Libraries\clangreen.dat – encrypted AES key blob staged for secondary hosts.
  • %TEMP%\kcframe.exe – decryptor stub launched later.
  • Registry persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  5. Run Windows Defender Offline or Kaspersky Rescue Disk, then confirm from an elevated prompt that the service is gone: sc query TermScat should report that the service does not exist.
  6. Patch the exploited vector (see above) and enumerate lateral-movement artifacts (dropped scripts such as \\AUTOEXEC.BAT, newly created AD service accounts).
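Steps 3 to 5 above are the part of the cleanup that can be scripted. The following is an added example (not from the profile) that inventories the listed persistence points and artifacts on one host and, only on request, removes them. The names and paths are the ones the profile gives; the quarantine folder and the task/Run-key match pattern are assumptions. It is report-only by default, and removal should only run once a forensic image exists.

```powershell
# Added example, not part of the original profile. Run from an elevated session.
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$artifacts  = @('C:\Users\Public\Libraries\clangreen.dat', (Join-Path $env:TEMP 'kcframe.exe'))
$pattern    = 'kcframe\.exe|clangreen\.dat|svhost\.exe|mshta'   # assumed match list
$quarantine = Join-Path $env:SystemDrive 'IR\quarantine'          # assumed evidence folder

function New-Finding($Type, $Name, $Detail, $Ref) {
    [pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail; Ref = $Ref }
}

function Get-Bulwark7Persistence {
    $f = @()
    # Look-alike process: exact name svhost.exe, so the real svchost.exe is never matched.
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svhost.exe'") {
        $f += New-Finding 'Process' $p.ProcessId "$($p.ExecutablePath) parent=$($p.ParentProcessId)" $p
    }
    # Scheduled tasks whose action references the dropper, key blob or mshta.
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $pattern) { $f += New-Finding 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" $cmd $t }
        }
    }
    # WMI event subscriptions: listed for manual review, since legitimate software uses them too.
    foreach ($b in Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        $f += New-Finding 'WmiSubscription' $b.Filter $b.Consumer $b
    }
    # HKCU Run values pointing at the artifacts.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($v in $run.PSObject.Properties | Where-Object { $_.Value -is [string] -and $_.Value -match $pattern }) {
            $f += New-Finding 'RunKey' $v.Name $v.Value $null
        }
    }
    # Dropped files, hashed so the IOC can be shared before the file is quarantined.
    foreach ($path in $artifacts | Where-Object { Test-Path $_ }) {
        $f += New-Finding 'File' $path (Get-FileHash -Algorithm SHA256 $path).Hash $null
    }
    return $f
}

function Remove-Bulwark7Persistence {
    param([Parameter(Mandatory)] [object[]] $Findings)
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
    # Findings arrive with processes first, so the running binary is stopped before its file is removed.
    foreach ($x in $Findings) {
        switch ($x.Type) {
            'Process'         { Stop-Process -Id $x.Ref.ProcessId -Force }
            'ScheduledTask'   { $x.Ref | Unregister-ScheduledTask -Confirm:$false }
            'RunKey'          { Remove-ItemProperty -Path $runKey -Name $x.Name }
            'File'            { Copy-Item $x.Name $quarantine; Remove-Item $x.Name -Force }
            'WmiSubscription' { Write-Warning "Review and remove manually: $($x.Name) -> $($x.Detail)" }
        }
    }
}

$found = Get-Bulwark7Persistence
$found | Select-Object Type, Name, Detail | Format-Table -AutoSize
# Remove-Bulwark7Persistence -Findings $found   # only after review, with a disk image already taken
```

The Run key is read per user, so the inventory must be repeated under each profile that logged on to the host (or by loading each user's NTUSER.DAT); HKCU persistence is invisible from a different account.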

3. File Decryption & Recovery

  • Decryption Feasibility: no decryption tool exists at present.
    – Files are encrypted with AES-256 in CTR mode; the AES key material is protected with a master RSA-2048 public key stored in the resource section of kcframe.exe, so recovery needs the attackers' private key.
    – No private-key leak or exploitable implementation flaw is known (as of 15 Jun 2024).
  • Primary Recovery Path: rebuild clean systems and restore from hardened backups, or negotiate a decryptor with the attackers. Before paying, have them decrypt a sample file and compare its SHA-256 with a known-good copy from backup.
  • Crucial Tools/Patches:
  1. MOVEit Transfer patches (update to 2023.0.6 or 2023.1.3): they close the initial-access vector but do not remediate an existing compromise.
  2. Microsoft Defender for Endpoint with ASR rules deployed through a baseline GPO.
  3. YARA rule (attributed to CrowdStrike) to detect the early-stage implant:

    rule bulwark7_dropper
    {
        meta:
            description = "Early-stage .bulwark7 dropper/implant"
        strings:
            // The file name is the specific indicator; note it also matches IR scripts and
            // reports that mention kcframe.exe, so scope scans to executables.
            $s1 = "kcframe.exe" wide ascii
            // Generic MSVC x64 function prologue (mov [rsp+8],rbx; mov [rsp+10h],rdi;
            // push rbp; lea rbp,[rip+...]); common in legitimate binaries, so it only
            // narrows matches in combination with $s1.
            $s2 = { 48 89 5C 24 08 48 89 7C 24 10 55 48 8D 2D }
        condition:
            uint16(0) == 0x5A4D and $s1 and $s2
    }

4. Other Critical Information

  • Unique Characteristics
    – Runs Windows icacls to grant "Everyone – Full Control" on all shares about 30 s before encryption starts, so that ACL denials cannot stop the encryption threads; this is what lies behind reports of "files changing owners". Note that icacls rewrites the DACL, not the owner, and does not release existing sharing locks.
    – Encryption runs in two passes: the second pass overwrites the first 64 KB of each file with random bytes before the final rename, an anti-forensic measure intended to defeat recovery of the original content from disk.
    – Leaves the ransom note -README-SOS.txt in every root folder; the note contains a .onion Tor chat portal and a site canary signed with [email protected].
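The three traits above, together with the .bulwark7 suffix described in section 1, are what an incident responder uses to scope the damage on a file server. The following is an added example (not from the profile) that counts encrypted files and their original types, locates ransom notes, derives the encryption window from file timestamps and flags directories whose DACL now allows Everyone full control. It is read-only and meant for a mounted share, a VSS snapshot or a forensic copy; the sample tree at the bottom is constructed in %TEMP% so the function can be exercised without a real incident.

```powershell
# Added example, not part of the original profile.
function Get-Bulwark7Impact {
    param([Parameter(Mandatory)] [string] $Root)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Filter '*.bulwark7' -ErrorAction SilentlyContinue)
    $notes     = @(Get-ChildItem -Path $Root -Recurse -File -Filter '-README-SOS.txt' -ErrorAction SilentlyContinue)
    # Directories whose DACL allows Everyone (S-1-1-0, compared by SID so it works on
    # localized Windows) full control: the icacls footprint described above.
    $openDirs = @(Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue | Where-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        $acl -and @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
            (($_.FileSystemRights -band $full) -eq $full)
        }).Count -gt 0
    })
    # Original extension is the part before .bulwark7: report.xlsx.bulwark7 -> .xlsx
    $types = $encrypted | ForEach-Object { [IO.Path]::GetExtension($_.BaseName).ToLower() } |
        Group-Object | Sort-Object Count -Descending | ForEach-Object { "$($_.Name)=$($_.Count)" }
    $window = $null
    if ($encrypted.Count -gt 0) {
        $t = @($encrypted.LastWriteTime | Sort-Object)
        $window = "$($t[0]) .. $($t[-1])"
    }
    [pscustomobject]@{
        Root             = $Root
        EncryptedFiles   = $encrypted.Count
        OriginalTypes    = $types -join ' '
        EncryptionWindow = $window
        RansomNotes      = $notes.FullName
        EveryoneFullCtl  = $openDirs.FullName
    }
}

# Constructed sample tree: two encrypted files, one note, one directory with the ACL change.
$sample = Join-Path $env:TEMP 'bulwark7-sample'
New-Item -ItemType Directory -Path (Join-Path $sample 'Finance') -Force | Out-Null
'placeholder' | Set-Content (Join-Path $sample 'Finance\report.xlsx.bulwark7')
'placeholder' | Set-Content (Join-Path $sample 'Finance\backup.zip.bulwark7')
'see .onion portal' | Set-Content (Join-Path $sample '-README-SOS.txt')
icacls (Join-Path $sample 'Finance') /grant '*S-1-1-0:(OI)(CI)F' | Out-Null

Get-Bulwark7Impact -Root $sample | Format-List
```

The encryption window from LastWriteTime is the quickest way to align the event with RDP logons, scheduled-task creation and the 30-second icacls run; take it from a snapshot rather than the live share, since any later write (including a restore) will move it.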

  • Broader Impact / Notable Incidents
    – Niche but aggressive: 70 % of observed victims are law and accounting firms with fewer than 500 seats, hit during the US tax-filing season.
    – Data is exfiltrated (via the MEGAsync client) before encryption, so every incident should be handled as double extortion regardless of the ransom decision.