CYFIRMA Research and Advisory Team has found Boramae Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
The ransomware is designed to target Windows systems, utilizing advanced encryption methods and appending a distinct file extension to affected files. Its sophisticated evasion tactics and persistence mechanisms make detection and removal difficult. This highlights the importance of proactive cybersecurity defenses and a strong incident response strategy to protect data integrity and mitigate the risk of breaches.
Target Technologies: Windows
Encrypted file extension: .boramae
Observed First: 2025-03-04
Observed First By: CYFIRMA
Threat actor Communication mode: Mail, Session messenger
Researchers at CYFIRMA have recently observed a ransomware strain identified as Boramae.
The ransomware once entered into the victim’s system encrypts files, appending the “.boramae” extension to the original filenames. It leaves behind a ransom note titled “README.txt,” containing instructions for file recovery. The ransomware is also seen changing the desktop wallpaper.
Below is the ransom note README.txt
The ransom note pressures the victim to pay, claiming that only the attackers can decrypt the files within 20 minutes. It warns against using data recovery firms, alleging they will hinder decryption and profit as intermediaries. The attackers threaten to leak sensitive data, including financial records and employee information to other hacker groups if payment is refused. They also promise a 50% discount if paid within 12 hours and caution against attempting self-decryption, claiming it will corrupt the files.
| Tactic | ID | Technique/Sub Technique |
| Execution | T1047 | Windows Management Instrumentation |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Persistence | T1542 | Pre-OS Boot |
| Persistence | T1542.003 | Bootkit |
| Persistence | T1543 | Create or Modify System Process |
| Persistence | T1543.003 | Windows Service |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder |
| Persistence | T1574 | Hijack Execution Flow |
| Persistence | T1574.002 | DLL Side-Loading |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1134 | Access Token Manipulation |
| Privilege Escalation | T1543 | Create or Modify System Process |
| Privilege Escalation | T1543.003 | Windows Service |
| Privilege Escalation | T1547 | Boot or Logon Autostart Execution |
| Privilege Escalation | T1547.001 | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
| Privilege Escalation | T1574 | Hijack Execution Flow |
| Privilege Escalation | T1574.002 | DLL Side-Loading |
| Defense Evasion | T1014 | Rootkit |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1027.005 | Indicator Removal from Tools |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1070 | Indicator Removal |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1134 | Access Token Manipulation |
| Defense Evasion | T1222 | File and Directory Permissions Modification |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Defense Evasion | T1542 | Pre-OS Boot |
| Defense Evasion | T1542.003 | Bootkit |
| Defense Evasion | T1548 | Abuse Elevation Control Mechanism |
| Defense Evasion | T1562 | Impair Defenses |
| Defense Evasion | T1562.001 | Disable or Modify Tools |
| Defense Evasion | T1564 | Hide Artifacts |
| Defense Evasion | T1564.001 | Hidden Files and Directories |
| Defense Evasion | T1574 | Hijack Execution Flow |
| Defense Evasion | T1574.002 | DLL Side-Loading |
| Credential Access | T1003 | OS Credential Dumping |
| Credential Access | T1056 | Input Capture |
| Credential Access | T1056.001 | Keylogging |
| Credential Access | T1552 | Unsecured Credentials |
| Credential Access | T1552.001 | Credentials In Files |
| Discovery | T1007 | System Service Discovery |
| Discovery | T1010 | Application Window Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1087 | Account Discovery |
| Discovery | T1135 | Network Share Discovery |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
| Discovery | T1518 | Software Discovery |
| Discovery | T1518.001 | Security Software Discovery |
| Discovery | T1614 | System Location Discovery |
| Discovery | T1614.001 | System Language Discovery |
| Lateral Movement | T1080 | Taint Shared Content |
| Collection | T1005 | Data from Local System |
| Collection | T1056 | Input Capture |
| Collection | T1056.001 | Keylogging |
| Collection | T1074 | Data Staged |
| Collection | T1114 | Email Collection |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1573 | Encrypted Channel |
| Impact | T1485 | Data Destruction |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1489 | Service Stop |
| Impact | T1496 | Resource Hijacking |
Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.
| SHA 256 | Remark |
| 5bd8f9cbd108abc53fb1c44b8d10239a2a0a9dd20c698fd2fb5dc1938ae7ba96 | Block |
STRATEGIC RECOMMENDATION
MANAGEMENT RECOMMENDATION
TACTICAL RECOMMENDATION
