In May, researchers from McAfee’s Advanced Threat Research Team discovered a new piece of ransomware named ‘Buran.’ Buran is offered as a RaaS model, but unlike other ransomware families such as REVil, GandCrab the authors take 25% of the income earned by affiliates, instead of the 30% – 40%. Now the operators behind the Buran RaaS announced in their ads that all the affiliates will have a personal arrangement with them.
Operators’ ad states that Buran works with all versions of the Windows OS’s, but experts at McAfee explained that on older systems like Windows XP it doesn’t work.
Researchers also discovered that the ransomware will not infect any region inside the CIS segment of former Soviet Republics (Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan).
The ransomare appears to be the evolution of the Jumper ransomware that is based on VegaLocker.
Operators behind this RaaS announced that they can negotiate the fee with anyone who can guarantee an impressive level of infection with the ransomware.
Buran is advertised as a stable malware that uses an offline cryptoclocker, 24/7 support, global and session keys, and has no third-party dependencies such as libraries. Below an excerpt of its ad:
"Reliable cryptographic algorithm using global and session keys + random file keys; Scan all local drives and all available network paths; High speed: a separate stream works for each disk and network path; Skipping Windows system directories and browser directories; Decryptor generation based on an encrypted file; Correct work on all OSs from Windows XP, Server 2003 to the latest; The locker has no dependencies, does not use third-party libraries, only mathematics and vinapi;" reads the ad.
"The completion of some processes to free open files (optional, negotiated); The ability to encrypt files without changing extensions (optional); Removing recovery points + cleaning logs on a dedicated server (optional); Standard options: tapping, startup, self-deletion (optional); Installed protection against launch in the CIS segment.
McAfee experts believe that Buran ransomware was delivered through the Rig Exploit Kit. The Rig EK was exploiting the CVE-2018-8174 to deliver the Buran ransomware.
“In our analysis we detected two different versions of Buran, the second with improvements compared to the first one released.” reads the analysis published by McAfee.
The two versions analyzed by the experts are written in Delphi, one of them includes improvements on the other one. The malware will encrypt the files only if the machines are not in Russia, Belarus or Ukraine.
The malware gain persistence using registry keys, below an example of the ransom note left on the infected system:
“Buran represents an evolution of a well-known player in the ransomware landscape. VegaLocker had a history of infections in companies and end-users and the malware developers behind it are still working on new features, as well as new brands, as they continue to generate profits from those actions.” concludes the analysis. “We observed new versions of Buran with just a few months between them in terms of development, so we expect more variants from the authors in the future and, perhaps, more brand name changes if the security industry puts too much focus on them.” “It mimics some features from the big players and we expect the inclusion of more features in future developments.”
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Buran RaaS, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher…
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack…
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
This website uses cookies.