Friday, June 14, 2024

RaaS – Hackers Selling Buran Ransomware in Russian Forum That Encrypt All Version of Windows OS & Windows Server

Researchers uncovered a new ransomware family named “Buran” ransomware that works as a Ransomware-as-a-Service(RaaS) model and actively selling in a well-known Russian forum.

Ransomware authors advertising in well known Russian underground forums and the Buran Ransomware compatible with all versions of the Windows OS and Windows server.

Unlike other RaaS based ransomware such as GandCrab that earned 30% – 40% of revenue, Buran ransomware authors take only 25% of the revenue generated via infection.

Authors also willing to negotiate the price to anyone who can guarantee a high level of infection rate in a large number of systems, and the ads provide details about the affiliation, flexible functionality and support 24/7.

Buran Ransomware
Buran Advertisement in Russian Forum

Buran Ransomware developed with certain limitations, and it will not infect the specific CIS segment regions, which are Soviet Republics – Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.

Also, if the system is determined to be in the Russian Federation, Belarus or Ukraine the malware will finish the process with an “ExitProcess”.

Based on the TTPs and artifacts in the system, the researcher believes that that Buran is an evolution of the Jumper ransomware. VegaLocker is the origin of this malware family.

Buran Ransomware Infection Analysis

Buran Ransomware infects Windows users with the help of RIG Exploit Kit, a well-known exploit kit used by hundred of malware and ransomware families.

RIG Exploit Kit uses a severe Internet Explorer vulnerability (VBScript Engine, Arbitrary Code Execution) CVE-2018-8174 to exploit the targeted victim’s system.

Successful exploitation will drop the Buran ransomware into the system. Packer and malware have written by Delphi language that makes the static analysis more difficult.

The researcher observed that the ransomware has 2 different versions. Compared to the first version, the second has observed a lot of improvements.

Buran Ransomware
Buran Ransomware Version Comparision

Researchers learned some of the main differences such as Shadow copies delete process, Backup catalog deletion, System state backup deletion, Ping used as a sleep method.

The ransomware is completely packed and the goal of the packer is to decrypt the malware making a RunPE technique to run it from memory.

According to McAfee’s research, The next action is to calculate a hash based on its own path and name in the machine. With the hash value of 32-bits it will make a concat with the extension “.buran”. Immediately after, it will create this file in the temp folder of the victim machine. Importantly, if the malware cannot create or write the file in the TEMP folder it will finish the execution.

After the successful infection, a ransom note is created inside the binary and will be dumped in execution to the victim’s machine.

Ransomware operators will find their victim using random Delphi functions, and the identification is necessary to track their infected users to affiliates to deliver the decryptor after the payment is made.

Buran ransomware blacklist some of the files and folders during the infection to avoid break its functionality or performance.

According to Alexandre Mundo, a senior malware analyst in Mcafee, The sample used to analyze this ransomware using the following MITRE ATT&CK™ techniques:

  • Disabling Security Tools
  • Email Collection
  • File and Directory Discovery
  • File Deletion
  • Hooking
  • Kernel Modules and Extensions
  • Masquerading
  • Modify Registry
  • Network Service Scanning
  • Peripheral Device Discovery
  • Process Injection
  • Query Registry
  • Registry Run Keys / Start Folder
  • Remote Desktop Protocol
  • Remote System Discovery
  • Service Execution
  • System Time Discovery
  • Windows Management Instrumentation

Buran Encryption Process

Buran encryption starts with a specific folder of the victim’s computer such as a desktop folder and it can use threads to encrypt files.

During the process, It will encrypt the drive letters and folders grabbed before in the recognition process.

Once it completes its encryption process, the ransomware notes will be dropped in the disk with the name “!!! YOUR FILES ARE ENCRYPTED !!!”

Buran Ransomware

All the encrypted files renamed to the same name as before with a new random extension. When compared to other RaaS family ransomware, Buran infection is slow, and the advertisement said that they are continuously improving their ransomware.

You can also read the complete Ransomware Attack Response and Mitigation Checklist.


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles