
RaaS – Hackers Selling Buran Ransomware in Russian Forum That Encrypts All Versions of Windows OS & Windows Server


Researchers have uncovered a new ransomware family named “Buran” that operates on a Ransomware-as-a-Service (RaaS) model and is being actively sold on a well-known Russian underground forum.

The authors advertise Buran on well-known Russian underground forums, claiming that it is compatible with all versions of Windows and Windows Server.

Unlike other RaaS operations such as GandCrab, whose authors took a 30% – 40% cut of revenue, the Buran authors take only 25% of the revenue generated by infections.

The authors are also willing to negotiate the price with anyone who can guarantee a high infection rate across a large number of systems, and the advertisement describes the affiliate terms, flexible functionality and 24/7 support.

[Figure: Buran advertisement in a Russian forum]

Buran was developed with a deliberate limitation: it will not infect systems in the CIS region (former Soviet republics): Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.

If the system is determined to be in the Russian Federation, Belarus or Ukraine, the malware terminates itself by calling ExitProcess.

Based on the TTPs and the artifacts left on the system, the researchers believe that Buran is an evolution of the Jumper ransomware, and that VegaLocker is the origin of this malware family.

Buran Ransomware Infection Analysis

Buran reaches Windows users through the RIG Exploit Kit, a well-known exploit kit used by hundreds of malware and ransomware families.

RIG exploits a severe Internet Explorer vulnerability in the VBScript engine (CVE-2018-8174, arbitrary code execution) to compromise the targeted victim’s system.

Successful exploitation drops the Buran ransomware onto the system. Both the packer and the malware are written in Delphi, which makes static analysis more difficult.

The researchers observed two different versions of the ransomware; the second shows many improvements over the first.

[Figure: Buran ransomware version comparison]

The main differences include the shadow copy deletion process, backup catalog deletion, system state backup deletion, and the use of ping as a sleep method.
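The four behaviours listed above all surface as child processes of the ransomware in process-creation telemetry (Sysmon Event ID 1, Security 4688), which makes them a good detection point. The following is an added example, not code from the page or from McAfee: it runs simple rules over constructed process-creation log lines and flags a parent process that both destroys backups and uses ping as a timer. The log format is invented for the example, and the command lines are the standard forms of these living-off-the-land commands rather than lines quoted from a Buran sample.

```python
"""Flag backup-destruction and ping-sleep commands in process-creation logs.

Added example; the log format and sample lines are constructed for illustration."""
import re

# Each rule is (name, regex over the lowercased command line).
RULES = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b")),
    ("systemstate_backup_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+systemstatebackup\b")),
    # ping against loopback with a count is the classic poor man's sleep,
    # usually placed in front of a self-deletion command.
    ("ping_sleep",
     re.compile(r"\bping(\.exe)?\b.*\b(127\.0\.0\.1|localhost)\b.*-n\s+\d+")),
]

# Constructed log format: one process-creation event per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)

# Constructed sample: pid 4200 behaves like the ransomware parent, pid 1234 is benign admin activity.
SAMPLE_LOG = r"""
2019-11-05T10:00:01Z pid=4312 ppid=4200 image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c vssadmin.exe delete shadows /all /quiet
2019-11-05T10:00:02Z pid=4320 ppid=4200 image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c wbadmin delete catalog -quiet
2019-11-05T10:00:03Z pid=4330 ppid=4200 image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c wbadmin delete systemstatebackup
2019-11-05T10:00:04Z pid=4340 ppid=4200 image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c ping 127.0.0.1 -n 5 > nul & del /f /q C:\Users\alice\AppData\Local\Temp\sample.exe
2019-11-05T10:05:00Z pid=5000 ppid=1234 image=C:\Windows\System32\PING.EXE cmd=ping 8.8.8.8 -n 2
2019-11-05T10:06:00Z pid=5100 ppid=1234 image=C:\Windows\System32\vssadmin.exe cmd=vssadmin list shadows
"""


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmd: str) -> list:
    """Names of all rules that fire on a single command line."""
    lowered = cmd.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def scan(log_text: str) -> dict:
    """Aggregate rule hits per parent pid: {ppid: sorted list of rule names}."""
    per_parent = {}
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        hits = match_rules(ev["cmd"])
        if hits:
            per_parent.setdefault(ev["ppid"], set()).update(hits)
    return {ppid: sorted(hits) for ppid, hits in per_parent.items()}


def suspicious_parents(log_text: str, min_rules: int = 2) -> list:
    """Parents that triggered at least min_rules distinct rules.

    Requiring two different rules from one parent keeps a lone
    'vssadmin delete shadows' run by an administrator below the threshold."""
    return sorted(ppid for ppid, hits in scan(log_text).items() if len(hits) >= min_rules)


if __name__ == "__main__":
    for ppid in suspicious_parents(SAMPLE_LOG):
        print(ppid, scan(SAMPLE_LOG)[ppid])
```

Correlating on the parent pid is the important part: any one of these commands has a legitimate use, but one process spawning backup deletion followed by a loopback ping timer is the ransomware pattern the researchers describe. In production you would key on the Sysmon ParentProcessGuid rather than the reusable pid.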

The ransomware is completely packed; the packer’s job is to decrypt the embedded malware and execute it from memory using a RunPE technique.

According to McAfee’s research, the next action is to calculate a hash of the malware’s own path and file name on the machine. The 32-bit hash value is concatenated with the extension “.buran”, and a file with that name is created in the victim’s TEMP folder. Importantly, if the malware cannot create or write that file in the TEMP folder, it terminates.
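The TEMP marker is both a behaviour to understand and an artefact to hunt for. The following is an added example, not the page’s or McAfee’s code: it emulates the marker logic (hash of own path, eight hex digits, “.buran” suffix, abort when TEMP is unwritable) and pairs it with a small hunting helper a responder could point at a user’s TEMP directory. CRC32 is an assumption; the page says only that the hash is 32 bits. The sample path is constructed.

```python
"""Emulate and hunt for the <32-bit hash>.buran marker file in TEMP.

Added example. The choice of CRC32 and the sample path are assumptions."""
import os
import re
import tempfile
import zlib
from typing import Optional

# Hunting pattern: exactly eight lowercase hex digits followed by .buran
MARKER_RE = re.compile(r"^[0-9a-f]{8}\.buran$")


def marker_name(own_path: str) -> str:
    """32-bit hash of the binary's full path, rendered as 8 hex digits + '.buran'.

    CRC32 is an assumption standing in for whatever 32-bit hash the sample uses."""
    h = zlib.crc32(own_path.encode("utf-8")) & 0xFFFFFFFF
    return f"{h:08x}.buran"


def create_marker(own_path: str, temp_dir: str) -> Optional[str]:
    """Create the marker in temp_dir; return its path, or None if it cannot be written.

    None mirrors the documented failure mode: the malware stops executing
    when it cannot create or write the file in TEMP."""
    marker = os.path.join(temp_dir, marker_name(own_path))
    try:
        with open(marker, "wb"):
            pass
    except OSError:
        return None
    return marker


def hunt_markers(temp_dir: str) -> list:
    """Responder's view: names in temp_dir that fit the <8 hex>.buran pattern."""
    try:
        names = os.listdir(temp_dir)
    except OSError:
        return []
    return sorted(n for n in names if MARKER_RE.match(n))


def demo() -> dict:
    """Run the whole flow in a scratch directory with constructed input."""
    own_path = r"C:\Users\alice\AppData\Local\Temp\ctfmon.exe"  # constructed sample path
    with tempfile.TemporaryDirectory() as tmp:
        created = create_marker(own_path, tmp)
        found = hunt_markers(tmp)
        # An unwritable "TEMP": a path beneath a regular file can never hold a directory entry.
        blocked = os.path.join(tmp, "not_a_dir")
        with open(blocked, "wb") as f:
            f.write(b"x")
        failed = create_marker(own_path, os.path.join(blocked, "sub"))
    return {
        "created": os.path.basename(created) if created else None,
        "found": found,
        "failed": failed,
    }


if __name__ == "__main__":
    print(demo())
```

Because the name is derived from the binary’s path, the same sample dropped to the same location on two machines produces the same marker name, while a renamed or relocated copy produces a different one; a hunt should therefore match on the shape of the name rather than on a fixed value.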

The ransom note is embedded in the binary and is written to the victim’s machine during execution.

The ransomware generates a victim identifier using Delphi random functions; the operators need this identifier to map each infected machine to its affiliate so that the decryptor can be delivered after payment.

Buran blacklists certain files and folders during infection so that it does not break its own functionality or degrade performance.

According to Alexandre Mundo, a senior malware analyst at McAfee, the analyzed sample uses the following MITRE ATT&CK™ techniques:

  • Disabling Security Tools
  • Email Collection
  • File and Directory Discovery
  • File Deletion
  • Hooking
  • Kernel Modules and Extensions
  • Masquerading
  • Modify Registry
  • Network Service Scanning
  • Peripheral Device Discovery
  • Process Injection
  • Query Registry
  • Registry Run Keys / Start Folder
  • Remote Desktop Protocol
  • Remote System Discovery
  • Service Execution
  • System Time Discovery
  • Windows Management Instrumentation

Buran Encryption Process

Buran’s encryption starts with a specific folder on the victim’s computer, such as the Desktop, and it can use multiple threads to encrypt files.

It then encrypts the drive letters and folders collected earlier during the reconnaissance phase.

Once encryption completes, the ransom note is dropped to disk under the name “!!! YOUR FILES ARE ENCRYPTED !!!”.


Encrypted files keep their original names and receive a new random extension. Compared with other RaaS families, Buran’s infection is slow, and the advertisement says the authors are continuously improving the ransomware.
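Two artefacts from the encryption phase are easy to triage on a suspect host: the ransom note name and the encrypted files, which keep their original name but gain an unfamiliar extension and, being ciphertext, have near-maximal byte entropy. The following is an added example, not the page’s or McAfee’s code: it walks a directory tree, collects notes, and flags high-entropy files whose extension is not one of a few formats that are high-entropy by design. The sample files, the “.a1b2” extension and the allow-list are constructed for the example.

```python
"""Triage a directory for Buran-style artefacts: ransom notes and encrypted files.

Added example. Sample data, the random extension and the allow-list are constructed."""
import math
import os
import tempfile
from collections import Counter

NOTE_PREFIX = "!!! YOUR FILES ARE ENCRYPTED !!!"
# Formats that are compressed or encrypted by design and so look like ciphertext anyway.
KNOWN_HIGH_ENTROPY = {".zip", ".7z", ".gz", ".rar", ".jpg", ".jpeg", ".png",
                      ".mp4", ".mp3", ".pdf", ".docx", ".xlsx", ".pptx"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; uniform random data is ~8.0, plain text ~4 to 5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, sample_bytes: int = 65536) -> dict:
    """Walk root; return ransom notes, suspect files and a count per suspect extension."""
    notes, suspects, ext_counts = [], [], Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.startswith(NOTE_PREFIX):
                notes.append(path)
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in KNOWN_HIGH_ENTROPY:
                continue
            try:
                with open(path, "rb") as f:
                    head = f.read(sample_bytes)  # entropy of the first chunk is enough
            except OSError:
                continue
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                suspects.append(path)
                ext_counts[ext] += 1
    return {"notes": sorted(notes), "suspects": sorted(suspects),
            "extensions": dict(ext_counts)}


def demo() -> dict:
    """Build a constructed victim Desktop in a scratch directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        desktop = os.path.join(tmp, "Desktop")
        os.makedirs(desktop)
        # A plain-text file that should not be flagged.
        with open(os.path.join(desktop, "notes.txt"), "wb") as f:
            f.write(b"quarterly numbers look fine\n" * 200)
        # Two "encrypted" files: original name kept, random extension appended, random bytes.
        for original in ("report.docx", "budget.xlsx"):
            with open(os.path.join(desktop, original + ".a1b2"), "wb") as f:
                f.write(os.urandom(8192))
        with open(os.path.join(desktop, NOTE_PREFIX), "wb") as f:
            f.write(b"constructed ransom note body\n")
        result = triage(tmp)
        result["notes"] = [os.path.basename(p) for p in result["notes"]]
        result["suspects"] = [os.path.basename(p) for p in result["suspects"]]
    return result


if __name__ == "__main__":
    print(demo())
```

Entropy alone produces false positives on archives, media and already-encrypted containers, which is why the allow-list exists; the stronger signal is the combination the page describes, a note on disk plus many files sharing one extension nobody recognises, which the per-extension count surfaces directly.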

You can also read the complete Ransomware Attack Response and Mitigation Checklist.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
