What is Boost Ransomware?


Boost Ransomware is a variant of the notorious Dharma ransomware family. Once activated, it encrypts files on the victim's system, alters filenames, and leaves behind two ransom notes: one displayed in a pop-up window and another saved in a file named "FILES ENCRYPTED.txt."

Modifications to File Names

Upon encryption, Boost Ransomware appends a unique victim identifier, the email address boston.crypt@tuta.io, and the ".boost" extension to each filename. For example, a file initially named "picture.png" would be renamed to "picture.png.id-9ECFA84E.[boston.crypt@tuta.io].boost".
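The renaming pattern above and the "FILES ENCRYPTED.txt" note are the artifacts a responder can search for to scope an incident. The following is an added example, not code from the original article: it parses Boost-style filenames into their parts and walks a directory tree counting encrypted files, victim IDs, contact emails and ransom notes. The demo directory and its file names are constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter

# Filename layout described above: "<name>.id-<8 hex chars>.[<email>].boost"
BOOST_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]\s]+)\]\.boost$"
)
RANSOM_NOTE = "FILES ENCRYPTED.txt"

def parse_boost_name(filename):
    """Return (original_name, victim_id, email) for a Boost-renamed file, else None."""
    m = BOOST_NAME_RE.match(filename)
    if m is None:
        return None
    return m.group("original"), m.group("victim_id"), m.group("email")

def triage_tree(root):
    """Walk a directory tree and summarise Boost artifacts for incident scoping."""
    summary = {"encrypted": 0, "victim_ids": Counter(), "emails": Counter(), "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                summary["notes"].append(os.path.join(dirpath, name))
            else:
                parsed = parse_boost_name(name)
                if parsed is not None:
                    summary["encrypted"] += 1
                    summary["victim_ids"][parsed[1]] += 1
                    summary["emails"][parsed[2]] += 1
    return summary

def build_demo_tree():
    """Create a constructed (fake) infected directory; contents and layout are made up."""
    root = tempfile.mkdtemp(prefix="boost_demo_")
    os.makedirs(os.path.join(root, "docs"))
    for rel in [
        "picture.png.id-9ECFA84E.[boston.crypt@tuta.io].boost",
        "docs/report.docx.id-9ECFA84E.[boston.crypt@tuta.io].boost",
        "docs/notes.txt",  # untouched file, must not be counted
        RANSOM_NOTE,
    ]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample content\n")
    return root

if __name__ == "__main__":
    print(triage_tree(build_demo_tree()))
```

Run against a real share root, the counters reveal how many hosts (distinct IDs) and which contact addresses are involved before any recovery decision is made.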

Ransom Notes and Demands

The ransom notes inform victims that their files have been encrypted due to a security issue with their computer. Victims are instructed to email boston.crypt@tuta.io with their assigned ID to receive instructions on how to pay the ransom, which must be made in Bitcoin. The cost of decryption depends on how quickly the victim contacts the attackers. The notes warn against renaming encrypted files or using third-party decryption tools, as these actions could lead to permanent data loss or higher decryption costs.

Here is an example of Boost Ransomware's ransom note:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail boston.crypt@tuta.io
Write this ID in the title of your message -
In case of no answer in 24 hours write us to theese e-mails:boston.crypt@tuta.io
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Details About the Dharma Ransomware Family

Ransomware from the Dharma family typically encrypts files stored locally and on network shares. It disables the firewall and deletes Volume Shadow Copies to hinder file recovery efforts. Dharma ransomware often spreads through compromised Remote Desktop Protocol (RDP) services, exploiting weak or poorly managed credentials.

Persistence Mechanisms

To ensure persistence, Dharma variants, including Boost Ransomware, copy themselves to specific system paths and create registry entries that run the malware upon system startup. They also gather location data and can exclude predefined locations from encryption.

Understanding Ransomware

Ransomware typically operates by encrypting files and demanding a ransom, often in cryptocurrency, for their decryption. Victims are provided with detailed payment instructions. However, paying the ransom does not ensure the recovery of the encrypted files. Therefore, it is essential to maintain backups of important files on remote servers or offline storage devices to minimize the risk of data loss and financial damage.

Examples of Other Ransomware Variants

Other ransomware variants similar to Boost include Jron Ransomware, AeR Ransomware, and Thx Ransomware, which employ similar encryption and ransom tactics.

Methods of Ransomware Infection

Dharma ransomware typically infiltrates systems via exposed or vulnerable RDP services, often through brute-force or dictionary attacks against weak passwords. Other common infection vectors include malicious email attachments or links, malvertising, pirated software, exploitation of OS vulnerabilities, P2P networks, third-party downloaders, and compromised websites.

Preventive Measures

To avoid ransomware infections:

  1. Download applications and files only from official websites or app stores.
  2. Avoid using pirated software or cracking tools, and exercise caution with suspicious emails, ads, pop-ups, and download buttons on untrusted websites.
  3. Keep software and operating systems up to date and use reputable security tools.

Removing Boost Ransomware

If your computer is already infected with Boost Ransomware, it is recommended that you run a comprehensive scan with a reliable Windows antivirus program to remove the ransomware automatically.

The Importance of Regular File Backups

In the digital age, where ransomware attacks have become increasingly sophisticated and prevalent, maintaining regular backups of your important files is absolutely vital. Ransomware can infiltrate your system without warning, encrypting files and rendering them inaccessible unless a ransom is paid. However, even paying the ransom does not guarantee the safe return of your data. Regular backups act as a safety net, ensuring that you can restore your files without complying with cybercriminals' demands, thus avoiding potential financial loss and disruption. By keeping backups on external or cloud storage solutions that are not connected to your main system, you safeguard your data against ransomware and other forms of cyber threats, preserving the integrity and continuity of your digital life.

May 30, 2024