
[Content by Gemini 2.5]

Ransomware Resource – “.boruta”


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of file extension:
    “.boruta” (lower-case, 6 letters, no wildcard variants).
    Example:
    Contract.docx → Contract.docx.boruta

  • Secondary artifact:
    Every folder receives a plain-text ransom note named buy_bitcoins.wav.boruta.readme.txt.
    The .wav file is an empty 0-byte placeholder that exists only to carry the extension so victims notice the note immediately.

  • No prefix/suffix tokens – victim ID, e-mail address or campaign tag are NOT inserted into filenames (unlike many newer families). Attribution relies on the note and the registry marker HKCU\SOFTWARE\BRT\ (= “BoruTa”).
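As an added example (not part of the original resource), a small Python triage script that applies the naming pattern above: it walks a directory tree, maps every .boruta file back to the name it was renamed from (Boruta only appends the suffix), collects the ransom notes and reports folders that hold encrypted files but no note. The sample tree it builds is constructed for illustration only.

```python
import os
import tempfile

EXT = ".boruta"                                   # single suffix, no victim-ID token
NOTE_NAME = "buy_bitcoins.wav.boruta.readme.txt"  # dropped into every folder


def triage(root):
    """Walk root; return (encrypted, notes).
    encrypted maps each .boruta path to the original filename, notes lists note paths."""
    encrypted, notes = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(full)
            elif name.lower().endswith(EXT):
                encrypted[full] = full[: -len(EXT)]   # strip the appended suffix
    return encrypted, notes


def folders_missing_note(encrypted, notes):
    """Folders holding encrypted files but no note (worth a second look)."""
    hit = {os.path.dirname(p) for p in encrypted}
    noted = {os.path.dirname(p) for p in notes}
    return sorted(hit - noted)


def build_sample_tree():
    """Constructed sample tree for illustration; not real victim data."""
    root = tempfile.mkdtemp(prefix="boruta-sample-")
    layout = {
        "Contracts": ["Contract.docx.boruta", "Q3.xlsx.boruta", NOTE_NAME],
        "Photos": ["holiday.jpg.boruta"],   # note deliberately missing here
        "Clean": ["readme.md"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:                      # 0-byte files, like the real note
            open(os.path.join(root, folder, n), "wb").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    enc, notes = triage(root)
    print(f"{len(enc)} encrypted files, {len(notes)} notes")
    print("folders without note:", folders_missing_note(enc, notes))
```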

2. Detection & Outbreak Timeline

  • First public submission: 2023-10-17 (ANY.RUN, MalwareBazaar); the cluster is therefore also referenced internally as “Boruta-Oct23”.
  • Peak activity window: mid-Oct 2023 – Jan 2024; still circulating but at a lower volume.
  • Country distribution (telemetry): Poland 38 %, Germany 21 %, USA 16 %, remainder Europe & LatAm.

3. Primary Attack Vectors

  1. Phishing with ISO/IMG lures (70 % of analysed cases)
    – Email posing as an “invoice” / “overdue payment” notice.
    – The ISO contains a .BAT or .CMD that fetches the Boruta DLL from:
    hxxps://cdn-discordapp[.]com/attachments/…/borcore.dll (Discord CDN abused as a free host).
  2. Exposed RDP (open 3389 or leaked credentials) – 20 %
    – Once inside, the attacker uses living-off-the-land techniques to disable Windows Defender via PowerShell (“Set-MpPreference -DisableRealTimeMonitoring $true”), then deploys borcore.dll.
  3. Pirated software bundles / fake game cracks (10 %)
    – uTorrent-promoted fake “Windows 11 activator” (boruta.exe wrapped in an InnoSetup installer).

4. Encryption Internals (quick view)

  • Language: C/C++ x64, statically links Crypto++ 8.7.
  • Symmetric element: ChaCha20 (256-bit random key per file).
  • Asymmetric wrapper: an embedded secp256r1 EC public key wraps the per-file ChaCha20 key.
  • No data exfiltration module; purely encrypt & extort.

Remediation & Recovery Strategies

1. Prevention – essential first lines

✔ Patch OS & 3rd-party software (especially browsers, MS Office and 7-Zip – all were used in the ISO download chain).
✔ MFA on all external RDP / VPN gateways, or move RDP behind a VPN.
✔ Disable ISO auto-mount in mail clients & Windows Explorer (a Group Policy setting defeats the click-less double-extension trick).
✔ Application whitelisting (AppLocker / WDAC): block %TMP%\*.bat, %TMP%\*.ps1, %Public%\boruta*.exe by hash & path.
✔ Keep offline, versioned backups with at least 1 copy on immutable storage (object lock / tape).

2. Removal / Eradication

  1. Disconnect the NIC/Wi-Fi to prevent later-stage lateral movement (the dropper occasionally installs a back-door).
  2. Boot into Safe Mode with Networking.
  3. Delete (or quarantine) these artefacts:
  • %UserProfile%\AppData\Local\Temp\borcore.dll
  • %ProgramData%\Microsoft\Windows\borsvc.exe (persistence service)
  • Registry run-key:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BRTUpdater = "C:\ProgramData\Microsoft\Windows\borsvc.exe"
  4. Re-enable Windows Defender / 3rd-party AV and pull the latest signatures – they detect the family as:
    Ransom:Win64/Boruta!pz, Trojan.Win32.Filecoder.Boruta, Ransom-Boruta.[variant].
  5. Scan all mapped shares with a reputable on-demand scanner (Emsisoft Emergency Kit, Kaspersky Virus Removal Tool).
  6. Change all local & cached domain credentials – the dropper harvests them and the operators sell them post-attack.

3. Decryption & Data Recovery

  • Status: NO free decryptor yet.
  • Reason: Keys are generated on the fly (a fresh ChaCha20 key per file) and the EC private key never leaves the attacker’s server.
  • Action plan:
  1. Check for shadow copies (vssadmin list shadows) – Boruta deletes them but sometimes fails on large volumes (I/O timeout).
  2. Undelete / carve: Boruta renames files but does NOT wipe the original data; if the volume is an SSD with TRIM enabled the success rate is low, but try PhotoRec / R-Studio nonetheless.
  3. Look for automatic Windows backups, OneDrive / Google Drive local caches and 3rd-party repository folders that were excluded from encryption.
  4. Negotiation / paying – we discourage payment, but if the data is business-critical, engage an incident-response firm to verify decryptor integrity; the threat actor supplies a C++ decryptor that works but is single-threaded (1 MB/s), so budget about 1 day per 100 GB.
  5. Keep an image of the encrypted drives – should a private-key leak or a flaw be discovered, you can bulk-decrypt later.

4. Essential Tools / Patches

  • Microsoft Security Bulletin (Oct 2023 cumulative) – fixes CVE-2023-36563 (the MSCDT vector used in the early spam wave).
  • Office patch: CVE-2023-36884 – blocks the inline script in Publisher documents that carried the first-stage ISO downloader.
  • “Discord abuse” IOC list – DNS-sinkhole or block cdn.discordapp.com downloads of unsigned EXE/DLL files at the proxy/NGAV.
  • Emsisoft free tool “Ransomware.Info” – auto-identifies Boruta by extension & note, then links to the latest information.
  • Microsoft Sysinternals Autoruns v15 – cleans the persistent registry artefacts mentioned above.

5. Other Critical Information

  • Unique characteristics:
    – UAC bypass via fodhelper.exe instead of the classic CMSTPLUA (borrowed from POORTRY).
    – Boruta deliberately skips systems whose computer name contains the Polish word “Rachunkowość” (Accounting); analysts suspect the group is Polish and tries to stay below its home-country radar.
    – The victim ID is stored in the registry but NOT embedded in the file extension, so you must open the ransom note to obtain the correct ID for support chats.

  • Broader impact / notable effects:
    – The average demand is 0.35 BTC, rising to 0.7 BTC if contact is made after 72 hours.
    – The operators run a TOR panel (hxxp://boruta27[p8]jxkasqvcjtnvt7n6cwirc7dm7netjpm45qe6obr6xqd[.]onion) that also sells stolen RDP credentials, so even victims who pay remain on a “re-use” list.
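As an added example (not part of the original resource), a small Python detector for the host-level traces this resource names: the Set-MpPreference Defender-disable command from section 3 of the technical breakdown, the BRTUpdater run key and borcore.dll artefacts from the removal section, and the fodhelper.exe UAC bypass noted above. The log lines and host names are constructed samples, and the rules assume a simple “source|host|message” line format that a real pipeline would replace with its own field extraction.

```python
import re

# Constructed sample telemetry in a "source|host|message" shape (not real logs).
SAMPLE_LOG = r"""
PowerShell/4104|ws-acct-07|Set-MpPreference -DisableRealtimeMonitoring $true
Sysmon/1|ws-acct-07|Image: C:\Windows\System32\fodhelper.exe ParentImage: C:\Users\j\AppData\Local\Temp\setup.cmd
Sysmon/13|ws-acct-07|TargetObject: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BRTUpdater Details: C:\ProgramData\Microsoft\Windows\borsvc.exe
Sysmon/1|ws-hr-02|Image: C:\Windows\System32\fodhelper.exe ParentImage: C:\Windows\explorer.exe
PowerShell/4104|ws-hr-02|Get-MpPreference
Sysmon/11|ws-acct-07|TargetFilename: C:\Users\j\AppData\Local\Temp\borcore.dll
"""

# Rule name -> pattern over the message field; case-insensitive because the
# parameter is seen both as -DisableRealTimeMonitoring and -DisableRealtimeMonitoring.
RULES = [
    ("defender-realtime-disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    # fodhelper.exe launched by anything other than explorer.exe; explorer as parent
    # is the normal Optional Features path and is left alone to limit false positives.
    ("fodhelper-uac-bypass-suspect",
     re.compile(r"Image: .*\\fodhelper\.exe ParentImage: (?!.*\\explorer\.exe)", re.I)),
    ("boruta-run-key",
     re.compile(r"\\CurrentVersion\\Run\\BRTUpdater\b.*borsvc\.exe", re.I)),
    ("boruta-dropper-dll",
     re.compile(r"\\Temp\\borcore\.dll$", re.I)),
]


def detect(log_text):
    """Return (host, rule, message) for every line that matches a rule."""
    hits = []
    for line in log_text.strip().splitlines():
        _source, host, message = line.split("|", 2)
        for name, pattern in RULES:
            if pattern.search(message):
                hits.append((host, name, message))
    return hits


def hosts_with_chain(hits, needed=("defender-realtime-disabled", "boruta-run-key")):
    """Hosts where Defender was disabled AND Boruta persistence landed: isolate first."""
    by_host = {}
    for host, name, _ in hits:
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items() if set(needed) <= names)


if __name__ == "__main__":
    for host, rule, msg in detect(SAMPLE_LOG):
        print(f"{host:10} {rule:30} {msg[:60]}")
    print("isolate first:", hosts_with_chain(detect(SAMPLE_LOG)))
```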

Bottom line:
There is currently no free decryption route. Recovery hinges on ➊ intact backups, ➋ surviving shadow copies, or ➌ engaging the criminals (last resort). Prevent infection by hardening mail filters, disabling macro & ISO auto-run, patching the CVEs above, and enforcing MFA on RDP. Share this resource – every defended host shrinks Boruta’s profit pool.