burn

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends the exact extension .burn to every encrypted file.
  • Renaming Convention:
    • Original name → <original_filename>.<original_extension>.burn
    • Example: Report_2023.xlsx becomes Report_2023.xlsx.burn

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: The first wide-scale infections tagged as “.burn ransomware” were observed late-December 2022. The spike continued through Q1 2023 with scattered campaigns resurfacing in mid-2023.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. RDP brute-force & credential stuffing – Attackers scan the Internet for hosts exposing TCP/3389 and repeatedly try leaked passwords.
    2. Phishing e-mails carrying ISO/IMG or macro-laced MS Office files that drop the “burn” payload. The ISO files often evade basic e-mail filters that block classic executable attachments.
    3. Exploitation of unpatched Microsoft Exchange ProxyNotShell (CVE-2022-41082 / CVE-2022-41040) and FortiGate SSL-VPN (CVE-2022-42475) – Used in subsequent intrusions to drop the payload after the initial foothold.
    4. Weaponized pirated software & game cracks spread through torrents; the installer silently installs “burn” alongside the expected software.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Disable public-facing RDP or restrict it via VPN + MFA; enforce strong password policies.
    • Patch Exchange, FortiOS, Windows and any SMB-enabled devices immediately (cover ProxyNotShell and EternalBlue).
    • Enable e-mail filtering to quarantine ISO and macro documents; also block file types that execute JS or VBS inside ISOs.
    • Deploy EDR/NGAV rules that look for living-off-the-land tools (PowerShell, WMI, certutil) launching suspicious payloads.
    • Maintain immutable, offline backups—3-2-1 strategy with at least one yearly restore test.

2. Removal

  1. Isolate: Disconnect the host from LAN/Wi-Fi; disable Wi-Fi cards and unplug Ethernet.
  2. Boot into Safe Mode with Networking or use a clean “recovery USB” created on a known-clean machine.
  3. Scan & Clean:
    • Run Malwarebytes, Sophos Virus Removal Tool, or Microsoft Defender Offline in Safe Mode.
    • Inspect Scheduled Tasks, Run/RunOnce registry keys, WMI subscriptions and startup folders for suspicious .bat, .vbs, or random GUID executables—remove them.
  4. Hunt persistence: Use free tools such as Autoruns64, GMER or Kaspersky’s TDSSKiller to confirm no rogue drivers or rootkits survive.
  5. Patch & Reboot: Apply the latest OS, Exchange, FortiOS and application patches; reboot normally and test.

3. File Decryption & Recovery

  • Recovery Feasibility: At the time of writing there is no public decryptor for .burn. The malware uses a cryptographically secure combination of RSA-2048 + AES-256 that meets modern standards.
  • What you CAN do:
    • Try Shadow Copies (vssadmin list shadows)—in some early variants the ransomware forgot to wipe them.
    • Search for utilities that decrypt files based on “burn/burn32” master keys (none currently, but check NoMoreRansom.org every few weeks).
    • Use file-recovery tools such as PhotoRec (open-source) if the encryptor wrote new .burn files and deleted the originals instead of overwriting them in place; on spinning disks the original data may still survive in unallocated space.
  • Essential Tools/Patches:
    • Microsoft Defender (March 2023+ signature updates) fully detects many “burn” droppers.
    • Exchange & FortiOS patches referenced above are critical.
    • EBR (Emergency Boot Rescue) ISO from Bitdefender can safely boot and remove hidden encryptor services.

4. Other Critical Information

  • Unique Characteristics & Broader Impact:
    • .burn writes a ransom note named Restore_My_Files.txt into every directory and also displays it as the desktop background; it drops five fake “error” icons in ProgramData to disguise itself.
    • Unlike typical families, it does not terminate protected processes such as antivirus GUI, but silently unhooks AMSI via reflective PowerShell to evade behavioral detection.
    • The ransom amount has historically floated between $980–$1980 in Monero (XMR) with “discounts” if victims respond within 72 h.
    • Geographically, .burn hit Eastern-European SMBs hardest, accounting for ≈30 % of tracked cases on dark-web leak sites.
    • A decryption database leak appeared on a hacker forum in Oct-2023; if the decryptor surfaces, NoMoreRansom will usually host it within 24–48 h. Enable Google alerts for “.burn decryptor site:nomoreransom.org” to stay informed.
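A defender-side triage helper covering the renaming convention from section 1 and the ransom-note placement from section 4, added here as an example (it is not code from the original page or from any vendor tool): it walks a directory tree, recovers the original <name>.<ext> from each .burn file, counts the affected file types, and lists every directory that holds Restore_My_Files.txt. The sample tree it inspects is constructed in a temporary directory, not real victim data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

BURN_EXT = ".burn"                    # extension appended by the ransomware
RANSOM_NOTE = "Restore_My_Files.txt"  # note dropped into every directory


def original_name(filename):
    """Recover <name>.<ext> from <name>.<ext>.burn; None if not a .burn file."""
    name = Path(filename).name
    if len(name) <= len(BURN_EXT) or not name.lower().endswith(BURN_EXT):
        return None
    return name[:-len(BURN_EXT)]


def triage_tree(root):
    """Walk `root` and summarise .burn indicators for an IR report."""
    root = Path(root)
    encrypted, note_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = str(Path(dirpath).relative_to(root))
        for fn in files:
            if fn == RANSOM_NOTE:
                note_dirs.append(rel_dir)
            elif original_name(fn) is not None:
                encrypted.append(str(Path(rel_dir) / fn))
    # Group by the original extension to see which data types were hit.
    types = Counter(Path(original_name(p)).suffix.lower() or "<none>"
                    for p in encrypted)
    return {
        "encrypted_count": len(encrypted),
        "encrypted": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "affected_types": dict(types),
    }


def build_sample_tree():
    """Constructed sample tree (not real victim data) in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="burn_triage_"))
    (root / "Finance").mkdir()
    (root / "Docs").mkdir()
    (root / "Finance" / "Report_2023.xlsx.burn").write_bytes(b"\x00" * 32)
    (root / "Finance" / RANSOM_NOTE).write_text("constructed ransom note\n")
    (root / "Docs" / "notes.docx.burn").write_bytes(b"\x00" * 32)
    (root / "Docs" / "clean.txt").write_text("untouched file\n")
    (root / RANSOM_NOTE).write_text("constructed ransom note\n")
    return root
```

Running `triage_tree` over a real share before restoring from backup gives a quick scope estimate (how many files, which types, which directories) for the incident report.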

Quick Decision Tree for Victims

  1. Isolate → 2. Remove → 3. Check backups → 4. Evaluate ransom vs. revenue but never pay unless business continuity is in danger AND legal counsel permits → 5. Rebuild or clean-restore → 6. Patch + train users.

Stay safe—preparation beats panic.