Thursday, March 28, 2024

RaaS – Hackers Selling Buran Ransomware in Russian Forum That Encrypt All Version of Windows OS & Windows Server

Researchers uncovered a new ransomware family named “Buran” ransomware that works as a Ransomware-as-a-Service(RaaS) model and actively selling in a well-known Russian forum.

Ransomware authors advertising in well known Russian underground forums and the Buran Ransomware compatible with all versions of the Windows OS and Windows server.

Unlike other RaaS based ransomware such as GandCrab that earned 30% – 40% of revenue, Buran ransomware authors take only 25% of the revenue generated via infection.

Authors also willing to negotiate the price to anyone who can guarantee a high level of infection rate in a large number of systems, and the ads provide details about the affiliation, flexible functionality and support 24/7.

Buran Ransomware
Buran Advertisement in Russian Forum

Buran Ransomware developed with certain limitations, and it will not infect the specific CIS segment regions, which are Soviet Republics – Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.

Also, if the system is determined to be in the Russian Federation, Belarus or Ukraine the malware will finish the process with an “ExitProcess”.

Based on the TTPs and artifacts in the system, the researcher believes that that Buran is an evolution of the Jumper ransomware. VegaLocker is the origin of this malware family.

Buran Ransomware Infection Analysis

Buran Ransomware infects Windows users with the help of RIG Exploit Kit, a well-known exploit kit used by hundred of malware and ransomware families.

RIG Exploit Kit uses a severe Internet Explorer vulnerability (VBScript Engine, Arbitrary Code Execution) CVE-2018-8174 to exploit the targeted victim’s system.

Successful exploitation will drop the Buran ransomware into the system. Packer and malware have written by Delphi language that makes the static analysis more difficult.

The researcher observed that the ransomware has 2 different versions. Compared to the first version, the second has observed a lot of improvements.

Buran Ransomware
Buran Ransomware Version Comparision

Researchers learned some of the main differences such as Shadow copies delete process, Backup catalog deletion, System state backup deletion, Ping used as a sleep method.

The ransomware is completely packed and the goal of the packer is to decrypt the malware making a RunPE technique to run it from memory.

According to McAfee’s research, The next action is to calculate a hash based on its own path and name in the machine. With the hash value of 32-bits it will make a concat with the extension “.buran”. Immediately after, it will create this file in the temp folder of the victim machine. Importantly, if the malware cannot create or write the file in the TEMP folder it will finish the execution.

After the successful infection, a ransom note is created inside the binary and will be dumped in execution to the victim’s machine.

Ransomware operators will find their victim using random Delphi functions, and the identification is necessary to track their infected users to affiliates to deliver the decryptor after the payment is made.

Buran ransomware blacklist some of the files and folders during the infection to avoid break its functionality or performance.

According to Alexandre Mundo, a senior malware analyst in Mcafee, The sample used to analyze this ransomware using the following MITRE ATT&CK™ techniques:

  • Disabling Security Tools
  • Email Collection
  • File and Directory Discovery
  • File Deletion
  • Hooking
  • Kernel Modules and Extensions
  • Masquerading
  • Modify Registry
  • Network Service Scanning
  • Peripheral Device Discovery
  • Process Injection
  • Query Registry
  • Registry Run Keys / Start Folder
  • Remote Desktop Protocol
  • Remote System Discovery
  • Service Execution
  • System Time Discovery
  • Windows Management Instrumentation

Buran Encryption Process

Buran encryption starts with a specific folder of the victim’s computer such as a desktop folder and it can use threads to encrypt files.

During the process, It will encrypt the drive letters and folders grabbed before in the recognition process.

Once it completes its encryption process, the ransomware notes will be dropped in the disk with the name “!!! YOUR FILES ARE ENCRYPTED !!!”

Buran Ransomware

All the encrypted files renamed to the same name as before with a new random extension. When compared to other RaaS family ransomware, Buran infection is slow, and the advertisement said that they are continuously improving their ransomware.

You can also read the complete Ransomware Attack Response and Mitigation Checklist.

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles