Pierluigi Paganini November 12, 2019

The recently discovered ransomware-as-a-service (RaaS) Buran attempts to gain popularity by offering discounted licenses.

In May, researchers from McAfee’s Advanced Threat Research Team discovered a new piece of ransomware named ‘Buran.’ Buran is offered as a RaaS model, but unlike other ransomware families such as REVil, GandCrab the authors take 25% of the income earned by affiliates, instead of the 30% – 40%. Now the operators behind the Buran RaaS announced in their ads that all the affiliates will have a personal arrangement with them.

Operators’ ad states that Buran works with all versions of the Windows OS’s, but experts at McAfee explained that on older systems like Windows XP it doesn’t work.

Researchers also discovered that the ransomware will not infect any region inside the CIS segment of former Soviet Republics (Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan).

The ransomare appears to be the evolution of the Jumper ransomware that is based on VegaLocker.

Operators behind this RaaS announced that they can negotiate the fee with anyone who can guarantee an impressive level of infection with the ransomware.

Buran is advertised as a stable malware that uses an offline cryptoclocker, 24/7 support, global and session keys, and has no third-party dependencies such as libraries. Below an excerpt of its ad:

"Reliable cryptographic algorithm using global and session keys + random file keys; Scan all local drives and all available network paths;
High speed: a separate stream works for each disk and network path;
Skipping Windows system directories and browser directories;
Decryptor generation based on an encrypted file;
Correct work on all OSs from Windows XP, Server 2003 to the latest;
The locker has no dependencies, does not use third-party libraries, only mathematics and vinapi;" reads the ad.

"The completion of some processes to free open files (optional, negotiated); The ability to encrypt files without changing extensions (optional); Removing recovery points + cleaning logs on a dedicated server (optional); Standard options: tapping, startup, self-deletion (optional);
Installed protection against launch in the CIS segment.

McAfee experts believe that Buran ransomware was delivered through the Rig Exploit Kit. The Rig EK was exploiting the CVE-2018-8174 to deliver the Buran ransomware.

“In our analysis we detected two different versions of Buran, the second with improvements compared to the first one released.” reads the analysis published by McAfee.

The two versions analyzed by the experts are written in Delphi, one of them includes improvements on the other one. The malware will encrypt the files only if the machines are not in Russia, Belarus or Ukraine. 

The malware gain persistence using registry keys, below an example of the ransom note left on the infected system:

“Buran represents an evolution of a well-known player in the ransomware landscape. VegaLocker had a history of infections in companies and end-users and the malware developers behind it are still working on new features, as well as new brands, as they continue to generate profits from those actions.” concludes the analysis. “We observed new versions of Buran with just a few months between them in terms of development, so we expect more variants from the authors in the future and, perhaps, more brand name changes if the security industry puts too much focus on them.” “It mimics some features from the big players and we expect the inclusion of more features in future developments.”

Pierluigi Paganini

(SecurityAffairs – Buran RaaS, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]