What is the BoY Ransomware?


Our research team recently identified a new ransomware program called BoY. This malicious software is part of the Xorist ransomware family and works by encrypting data and demanding payment for decryption. Files encrypted by this malware have an added ".BoY" extension, such as "1.jpg.BoY".

The ransom note tells victims that their files have been encrypted and they must pay for the decryption keys from the attackers in order to recover their data. The cost of these recovery tools is 0.06 BTC, which is equivalent to approximately 1,300 USD at current crypto prices.

Like with most ransomware variants, decryption without the tool provided by the cyber criminals is usually impossible. In addition to this, victims very often do not receive the promised decryption keys or software tools even after they pay the ransom.

For this reason, it is strongly advised against paying any ransom demands as there are no guarantees that doing so will result in successful data recovery. Paying also supports illegal activity and should be avoided at all costs.

To protect yourself from ransomware attacks, it is important to keep your computer and software up-to-date with the latest security patches. Additionally, you should always have a reliable backup of your data stored in an external drive or cloud storage service. This way, if you ever become a victim of ransomware, you can restore your files without having to pay the ransom.

The BoY ransomware note

The full text of the note used by the BoY ransomware reads as follows:


All your files have been encrypted!
Files can only be decrypted with the keys that have been generated for your PC!
The amount you have to pay to get the keys is 0.06 Bitcoin
We do not accept another payment method!

This is where you need to send bitcoin:

After sending, contact us at this email address: boyka@tuta.io
With this subject: -

Use the sites below to quickly buy bitcoin

Another list of sites can be found here:

After confirming the payment, you will receive a tutorial and the keys for decrypting the files.

What are double extortion tactics in ransomware?

Double extortion tactics are a common tactic used by ransomware actors to increase their chances of receiving payment from victims. Double extortion involves the attackers not only encrypting the victim’s data, but also threatening to publish or leak it if the ransom is not paid. This type of attack is becoming ever more popular as it gives the attackers more leverage and increases their chances of getting paid.

In most cases, the attackers will first encrypt the victim’s data using a strong encryption algorithm, making it impossible for them to access their files without paying a ransom. Once this has been done, they will then threaten to publish or leak the encrypted data unless they receive payment in return. The threat of having sensitive information leaked can be enough to convince some victims to pay up, even if they don’t have access to their own data anymore.

The double extortion tactic is often used in combination with other tactics such as phishing emails and malicious software downloads in order to increase its effectiveness. For example, an attacker may send out a phishing email containing a malicious attachment that installs ransomware on the victim’s computer. Once installed, the ransomware will then encrypt all of the victim’s files and demand payment for decryption.

January 19, 2023