
BOK Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 528
First Seen: June 29, 2017
Last Seen: June 3, 2022
OS(es) Affected: Windows

The BOK Ransomware is part of a RaaS (Ransomware as a Service) scheme released in 2017. PC security analysts have witnessed a marked increase in RaaS threat families in 2017 alone, making it clear that this is an industry that is becoming quite profitable. The BOK Ransomware is being actively promoted on the Dark Web, and its various features, including support for TOR-based command and control servers, and other specific features of the BOK Ransomware are advertised widely.

How the BOK Ransomware Attacks a Computer

There is little that differentiates the BOK Ransomware from most other currently active ransomware Trojans. The BOK Ransomware will use strong encryption algorithms to make the victims' files inaccessible, preventing the victims from recovering their data unless they agree to pay a ransom. Con artists pay for the BOK Ransomware as a service, which lets them download a customized version of the BOK Ransomware that they can then use to attack computer users by distributing it in their preferred way. The following is a template of the ransom note that is displayed in a BOK Ransomware attack:

!!! IMPORTANT INFORMATION!!!!
the BOK Ransomware
All of your files are encrypted RSA-2048 AES-128 ciphers.
More information about the RSA AES can be found here:
http://en.wikipedia.org/wiki/RSA (cryptosystem)
http://en.wikipedia.org/wiki/Advanced Encryption Standard
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
https://"$sitedomain1".tor2web.org/"$Personalid"
http://"$sitedomain1".onion.to/"$Personalid"
https://"$sitedomain2".tor2web.org/"$Personalid"
http://"$sitedomain2".onion.to/"$Personalid"
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialisation.
3. Type in the address bar: "$sitedomain1".onion/"$Personalid" or "$sitedomain2".onion/"$Personalid"
4. Follow the instructions on the site.
!!! Your personal identification ID: "$Personalid"!!!
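As an added incident-response example (not part of the original report), the following Python recognises a dropped note that follows this template and pulls out the per-victim ID and the onion domains as indicators for triage. The domains and ID in the embedded sample are constructed placeholders, not real infrastructure.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample of a filled-in BOK note: the template's "$sitedomain1",
# "$sitedomain2" and "$Personalid" variables replaced with made-up values.
SAMPLE_NOTE = """!!! IMPORTANT INFORMATION!!!!
the BOK Ransomware
All of your files are encrypted RSA-2048 AES-128 ciphers.
To receive your private key follow one of the links:
https://exampledomainaaaa.tor2web.org/AB12CD34
http://exampledomainaaaa.onion.to/AB12CD34
https://exampledomainbbbb.tor2web.org/AB12CD34
http://exampledomainbbbb.onion.to/AB12CD34
3. Type in the address bar: exampledomainaaaa.onion/AB12CD34 or exampledomainbbbb.onion/AB12CD34
!!! Your personal identification ID: AB12CD34!!!
"""

# The template's links are <onion-name>.tor2web.org/<id> or <onion-name>.onion.to/<id>;
# step 3 repeats the raw <onion-name>.onion/<id> form. Onion names are base32 (a-z, 2-7).
GATEWAY_RE = re.compile(r"https?://([a-z2-7]+)\.(?:tor2web\.org|onion\.to)/([A-Za-z0-9]+)")
ONION_RE = re.compile(r"\b([a-z2-7]+)\.onion/([A-Za-z0-9]+)")
ID_RE = re.compile(r"personal identification ID:\s*([A-Za-z0-9]+)")


@dataclass
class BokNoteIocs:
    matched: bool
    personal_id: Optional[str] = None
    onion_domains: Set[str] = field(default_factory=set)
    id_consistent: bool = True  # the template reuses one $Personalid everywhere


def triage_bok_note(text: str) -> BokNoteIocs:
    """Match the BOK note structure and extract the victim ID and onion domains."""
    header = "IMPORTANT INFORMATION" in text and "the BOK Ransomware" in text
    gateways = GATEWAY_RE.findall(text)
    onions = ONION_RE.findall(text)
    if not (header and (gateways or onions)):
        return BokNoteIocs(matched=False)
    ids = {pid for _, pid in gateways} | {pid for _, pid in onions}
    id_line = ID_RE.search(text)
    if id_line:
        ids.add(id_line.group(1))
    domains = {d for d, _ in gateways} | {d for d, _ in onions}
    # Several different IDs in one note suggest a hand-edited or corrupted file.
    return BokNoteIocs(matched=True, personal_id=id_line.group(1) if id_line else next(iter(ids)),
                       onion_domains=domains, id_consistent=len(ids) == 1)
```

Feeding every text file found in user-writable directories through triage_bok_note gives a quick list of affected hosts and their victim IDs during scoping.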

The con artists can download the source code of the BOK Ransomware by paying $2800 USD, while others can pay by allowing the BOK Ransomware's creators to keep a large percentage of the profits from the BOK Ransomware attacks. The people responsible for the BOK Ransomware RaaS manage things like support, development, troubleshooting, and other features (just as many developers do with legitimate software).

How the BOK Ransomware Attack is Carried Out

The BOK Ransomware may be delivered to victims through the use of corrupted email attachments. These email messages will often use corrupted scripts to download and install the BOK Ransomware on the victim's computer. Once on the victim's computer, the BOK Ransomware will search for the following file types (300 in total), encrypting them with a strong encryption algorithm that is impossible to decipher without the decryption key:

.7zip, .aac, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .aes, .agdl, .aiff, .ait, .aoi, .apj, .apk, .ARC, .arw, .asc, .asf, .asm, .asp, .aspx, .asset, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bat, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .brd, .bsa, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .cer, .cfg, .cgm, .cib, .class, .cmd, .cmt, .config, .contact, .cpi, .cpp, .craw, .crt, .crw, .csh, .csl, .csr, .csv, .CSV, .d3dbsp, .dac, .das, .dat, .dbf, .dbjournal, .dbx, .dch, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .dif, .dip, .djv, .djvu, .dng, .doc, .dlt, .DOC, .docb, .docm, .docx, .dot, .DOT, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .els, .eml, .eps, .erbsql, .erf, .ess, .exf, .fdb, .ffd, .fff, .fhd, .fit, .fla, .flac, .flv, .flvv, .forge, .fpx, .frm, .fxg, .gif, .gpg, .gray, .grey, .groups, .gry, .hbk, .hdd, .hpp, .html, .hwp, .lay6, .ibank, .ibd, .lbf, .ibz, .ldf, .idx, .iif, .iiq, .incpas, .indd, .ltx, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lay, .lit, .litemod, .litesql, .log, .lua, .m2ts, .mapimail, .max, .mbx, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mml, .mmw, .mny, .moneywell, .mos, .mov, .mpeg, .mpg, .mrw, .ms11, .msg, .myd, .MYD, .MYI, .ndd, .ndf, .nef, .NEF, .nop, .nrw, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nxl, .nyf, .oab, .obj, .odb, .ode, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .onetoc2, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .pab, .pages, .PAQ, .pas, .pat, .pcd, .pdb, .pdd, .pdf, .pef, .pem, .pet, .pfx, .php, .pic, .pif, .plus_muhd, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .PPT, .pptm, .pptx, .prf, .psafe3, .psd, .pspimage, .pst, .ptx, .pwm, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .raf, .rar, .rat, .raw, .rdb, .rtf, .RTF, .rvt, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sch, .sda, .sdf, .sldm, .sldx, .slk, .zip.
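The published list mixes case duplicates (.doc and .DOC) and stray separators, so before using it to judge which data on a host is in scope for backups, it needs normalising. The following Python is an added example, not the report's own tooling: it parses an excerpt of the list as printed above (the excerpt and the file paths are constructed) and counts the files under a directory whose extension is on the list, matching case-insensitively because the ransomware's list itself does.

```python
import os
import re
from collections import Counter
from typing import Iterable, Set

# Excerpt of the list as published, including its separator debris: a "." where a
# "," belongs (".accdr. .accdt"), a missing comma (".key .kpdx") and a case duplicate.
RAW_LIST_EXCERPT = (".7zip, .aac, .accdb, .accde, .accdr. .accdt, .ach, .acr. .act, "
                    ".doc, .dlt,.DOC, .docb, .key .kpdx, .kwm, .zip.")


def parse_extension_list(raw: str) -> Set[str]:
    """Turn the printed list into a set of lowercase extensions; separators are ignored."""
    # Every extension is a dot followed by letters/digits; everything else is noise.
    return {"." + token.lower() for token in re.findall(r"\.([A-Za-z0-9]+)", raw)}


def inventory_at_risk(paths: Iterable[str], targeted: Set[str]) -> Counter:
    """Count files per extension that the targeted set would encrypt (case-insensitive)."""
    hits: Counter = Counter()
    for path in paths:
        ext = os.path.splitext(path)[1].lower()
        if ext in targeted:
            hits[ext] += 1
    return hits


def walk_files(root: str) -> Iterable[str]:
    """Yield every file path under root (used for a real host; the test passes a fixed list)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)


if __name__ == "__main__":
    targeted = parse_extension_list(RAW_LIST_EXCERPT)
    # Constructed paths standing in for a scan of a user profile.
    sample_paths = ["docs/report.DOC", "docs/notes.doc", "bin/tool.exe",
                    "archive/2017.zip", "keys/server.KEY"]
    for ext, count in inventory_at_risk(sample_paths, targeted).most_common():
        print(f"{ext}: {count} file(s) in scope")
```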

The BOK Ransomware is probably based on CryptoLocker, a known and effective ransomware Trojan. Since it may currently be impossible to recover the files encrypted by the BOK Ransomware, you should take preventive measures, such as installing a reliable security program and keeping file backups of your data.
