Boost Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
| Metric | Value |
|---|---|
| Threat Level | 100 % (High) |
| Infected Computers | 1 |
| First Seen | May 31, 2024 |
| OS(es) Affected | Windows |
Cybersecurity researchers have identified a new malware threat known as the Boost Ransomware. Once this ransomware infects a device, it begins encrypting a wide variety of file types and changing their original filenames. Victims are presented with two ransom notes: one displayed in a pop-up window and another in a text file named 'FILES ENCRYPTED.txt.'
The Boost Ransomware alters filenames by appending a victim-specific ID, the email address 'boston.crypt@tuta.io', and the extension '.boost'. For example, a file named '1.png' is renamed to '1.png.id-9ECFA74E.[boston.crypt@tuta.io].boost', and '2.pdf' is renamed to '2.pdf.id-9ECFA74E.[boston.crypt@tuta.io].boost'. Researchers have determined that the Boost Ransomware is a variant of the Dharma Ransomware family.
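The renaming scheme above is regular enough to parse, which helps an incident responder inventory what was hit and recover original filenames for restoration from backup. The following is an added example (not code from the original page or from EnigmaSoft); it assumes the ID is a run of hex digits as in the quoted samples, and the sample listing is constructed from the filenames quoted on this page.

```python
import re
from pathlib import Path

# Boost rename scheme from the samples on this page:
#   <original>.id-<hex ID>.[<email>].boost
# Assumption: the ID is always hexadecimal (true of the quoted samples).
BOOST_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]+)\.\[(?P<email>[^\]]+)\]\.boost$"
)
RANSOM_NOTE = "FILES ENCRYPTED.txt"  # text-file note named on this page


def parse_boost_name(name):
    """Return (original_name, victim_id, email), or None if not a Boost rename."""
    m = BOOST_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("email")


def triage(names):
    """Summarise a sequence of file names for Boost indicators.

    Returns original names of encrypted files, the victim IDs and contact
    e-mails seen, and how many ransom notes were found.
    """
    summary = {"encrypted": [], "victim_ids": set(), "emails": set(), "notes": 0}
    for n in names:
        if n == RANSOM_NOTE:
            summary["notes"] += 1
            continue
        parsed = parse_boost_name(n)
        if parsed:
            original, vid, email = parsed
            summary["encrypted"].append(original)
            summary["victim_ids"].add(vid)
            summary["emails"].add(email)
    return summary


def triage_directory(root):
    """Walk a directory tree (e.g. a mounted disk image) and triage its file names."""
    return triage(p.name for p in Path(root).rglob("*") if p.is_file())


# Constructed sample listing built from the renamed files quoted on this page.
SAMPLE_LISTING = [
    "1.png.id-9ECFA74E.[boston.crypt@tuta.io].boost",
    "2.pdf.id-9ECFA74E.[boston.crypt@tuta.io].boost",
    "FILES ENCRYPTED.txt",
    "report.docx",  # untouched file, must not be flagged
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Point `triage_directory()` at a mounted copy of the affected volume rather than the live system so the inventory does not alter timestamps the investigation may need.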
The Boost Ransomware Seeks to Extort Victims for Money
The ransom note from the Boost Ransomware warns PC users that their files have been enciphered due to a security issue with their PC. To recover their files, victims are instructed to email 'boston.crypt@tuta.io' and include the provided ID. The note specifies that the ransom must be paid in Bitcoins, with the amount depending on how quickly the victim contacts the attackers. It also warns against renaming encrypted files or using third-party decryption software, as these actions could result in permanent data loss or higher decryption fees.
Ransomware variants from the Dharma family, including Boost, typically encrypt both local and network-shared files, disable the firewall, and delete the Shadow Volume Copies to prevent file recovery. They often spread through vulnerable Remote Desktop Protocol (RDP) services.
These ransomware variants maintain persistence by copying themselves to specific system paths and registering these copies with certain Run keys in the Windows registry. They also gather location data and can exclude predetermined locations from encryption.
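The behaviours described in the two paragraphs above (shadow copy deletion, firewall tampering and Run-key persistence) are the events a detection engineer would alert on before encryption finishes. The block below is an added example, not code from the original page or from the EnigmaSoft research team; it runs a small set of rules over a constructed `event_type|detail` record format, which is an assumption of this example and not any real log product's schema.

```python
import re

# Detection rules for the Dharma-family behaviours this page attributes to Boost.
# Each rule is (name, event type it applies to, pattern over the event detail).
RULES = [
    ("shadow_copy_deletion", "process",
     re.compile(r"vssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion", "process",
     re.compile(r"wmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("firewall_disabled", "process",
     re.compile(r"netsh(\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b", re.I)),
    ("run_key_persistence", "registry",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)),
]


def parse_line(line):
    """Split a constructed 'event_type|detail' line into a (type, detail) tuple."""
    event_type, _, detail = line.partition("|")
    return event_type.strip(), detail.strip()


def evaluate(records):
    """Return [(rule_name, detail), ...] for every record that triggers a rule."""
    hits = []
    for event_type, detail in records:
        for name, wanted_type, pattern in RULES:
            if event_type == wanted_type and pattern.search(detail):
                hits.append((name, detail))
                break  # one hit per record is enough
    return hits


def detect_from_text(text):
    """Parse a block of log lines and evaluate them."""
    return evaluate(parse_line(l) for l in text.splitlines() if l.strip())


def score(hits):
    """Number of distinct rules fired; two or more in one session is a strong signal."""
    return len({name for name, _ in hits})


# Constructed sample log (not a real capture); only lines 2-4 should fire.
SAMPLE_LOG = """\
process|C:\\Windows\\System32\\svchost.exe -k netsvcs
process|vssadmin.exe delete shadows /all /quiet
process|netsh advfirewall set allprofiles state off
registry|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update = C:\\Users\\victim\\AppData\\Roaming\\file.exe
process|notepad.exe FILES ENCRYPTED.txt
"""

if __name__ == "__main__":
    hits = detect_from_text(SAMPLE_LOG)
    print(score(hits), "rules fired:", hits)
```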
Ransomware works by blocking access to files through encryption until a ransom, usually in cryptocurrency, is paid. Victims receive detailed instructions on how to pay to regain access to their files. However, paying the ransom is not a guarantee that access will be restored.
It is Crucial to Adopt a Comprehensive Security Approach against Malware and Ransomware Threats
Adopting a comprehensive security approach against malware and ransomware threats involves multiple layers of protection and proactive measures. Here's a detailed guide on how users can protect themselves:
- Implement Robust Endpoint Security: Anti-malware Software: Install reputable anti-malware solutions that provide real-time protection and regularly update their threat databases. Firewalls: Utilize both hardware and software firewalls to monitor and control the network traffic.
- Regular Software Updates and Patch Management: Operating Systems: Keep your operating system up to date with the latest security patches. Applications: Ensure all software applications are updated regularly, including web browsers, plugins, and any third-party software. Firmware: Update firmware for routers and other network devices to protect against vulnerabilities.
- Data Backup and Recovery Plan: Regular Backups: Perform regular backups of important data and ensure that backups are stored in multiple locations, including offline or cloud-based storage. Test Restorations: Periodically test backup restorations to verify data integrity and ensure quick recovery in case of an infection.
- Network Security Measures: Segment Networks: Segment your network to limit the spread of malware and ransomware across different parts of your organization. Secure Remote Access: Implement strong security measures for remote access, such as VPNs, multi-factor authentication (MFA), and secure RDP configurations.
- User Education and Awareness: Training Programs: Conduct regular cybersecurity training sessions to educate users on identifying phishing emails, suspicious links, and other common attack vectors. Simulated Attacks: Use simulated phishing attacks to test and improve user awareness and response to potential threats.
- Email and Web Security: Spam Filters: Use advanced spam filters to detect and block malicious emails. URL Filtering: Implement URL filtering to block access to known malicious websites. Secure Email Gateways: Utilize secure email gateways to scan incoming and outgoing emails for threats.
- Access Controls and Privilege Management: Least Privilege Principle: Implement the least privilege principle, ensuring users have the minimum access necessary to perform their job functions. Account Management: Regularly review and update user accounts and permissions, removing access for inactive or former employees.
- Application Whitelisting and Blacklisting: Whitelisting: Allow only approved applications to run on your systems. Blacklisting: Block known malicious applications and executables.
By implementing these comprehensive security measures, users can significantly reduce their risk of malware and ransomware attacks and ensure they are prepared to respond effectively if an incident occurs.
The ransom note generated by the Boost Ransomware as a pop-up window reads:
'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail boston.crypt@tuta.io
Write this ID in the title of your message -
In case of no answer in 24 hours write us to theese e-mails:boston.crypt@tuta.io
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
The text file created by Boost Ransomware delivers the following message:
'all your data has been locked us
You want to return?
write email boston.crypt@tuta.io'
File System Details
| # | File Name | MD5 | Detections |
|---|---|---|---|
| 1 | file.exe | ecaabe4dd049bb5afb8da368fc99f7f4 | 1 |