Tuesday, March 5, 2024

RaaS – Hackers Selling Buran Ransomware in Russian Forum That Encrypt All Version of Windows OS & Windows Server

Researchers uncovered a new ransomware family named “Buran” ransomware that works as a Ransomware-as-a-Service(RaaS) model and actively selling in a well-known Russian forum.

Ransomware authors advertising in well known Russian underground forums and the Buran Ransomware compatible with all versions of the Windows OS and Windows server.

Unlike other RaaS based ransomware such as GandCrab that earned 30% – 40% of revenue, Buran ransomware authors take only 25% of the revenue generated via infection.

Authors also willing to negotiate the price to anyone who can guarantee a high level of infection rate in a large number of systems, and the ads provide details about the affiliation, flexible functionality and support 24/7.

Buran Ransomware
Buran Advertisement in Russian Forum

Buran Ransomware developed with certain limitations, and it will not infect the specific CIS segment regions, which are Soviet Republics – Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.

Also, if the system is determined to be in the Russian Federation, Belarus or Ukraine the malware will finish the process with an “ExitProcess”.

Based on the TTPs and artifacts in the system, the researcher believes that that Buran is an evolution of the Jumper ransomware. VegaLocker is the origin of this malware family.

Buran Ransomware Infection Analysis

Buran Ransomware infects Windows users with the help of RIG Exploit Kit, a well-known exploit kit used by hundred of malware and ransomware families.

RIG Exploit Kit uses a severe Internet Explorer vulnerability (VBScript Engine, Arbitrary Code Execution) CVE-2018-8174 to exploit the targeted victim’s system.

Successful exploitation will drop the Buran ransomware into the system. Packer and malware have written by Delphi language that makes the static analysis more difficult.

The researcher observed that the ransomware has 2 different versions. Compared to the first version, the second has observed a lot of improvements.

Buran Ransomware
Buran Ransomware Version Comparision

Researchers learned some of the main differences such as Shadow copies delete process, Backup catalog deletion, System state backup deletion, Ping used as a sleep method.

The ransomware is completely packed and the goal of the packer is to decrypt the malware making a RunPE technique to run it from memory.

According to McAfee’s research, The next action is to calculate a hash based on its own path and name in the machine. With the hash value of 32-bits it will make a concat with the extension “.buran”. Immediately after, it will create this file in the temp folder of the victim machine. Importantly, if the malware cannot create or write the file in the TEMP folder it will finish the execution.

After the successful infection, a ransom note is created inside the binary and will be dumped in execution to the victim’s machine.

Ransomware operators will find their victim using random Delphi functions, and the identification is necessary to track their infected users to affiliates to deliver the decryptor after the payment is made.

Buran ransomware blacklist some of the files and folders during the infection to avoid break its functionality or performance.

According to Alexandre Mundo, a senior malware analyst in Mcafee, The sample used to analyze this ransomware using the following MITRE ATT&CK™ techniques:

  • Disabling Security Tools
  • Email Collection
  • File and Directory Discovery
  • File Deletion
  • Hooking
  • Kernel Modules and Extensions
  • Masquerading
  • Modify Registry
  • Network Service Scanning
  • Peripheral Device Discovery
  • Process Injection
  • Query Registry
  • Registry Run Keys / Start Folder
  • Remote Desktop Protocol
  • Remote System Discovery
  • Service Execution
  • System Time Discovery
  • Windows Management Instrumentation

Buran Encryption Process

Buran encryption starts with a specific folder of the victim’s computer such as a desktop folder and it can use threads to encrypt files.

During the process, It will encrypt the drive letters and folders grabbed before in the recognition process.

Once it completes its encryption process, the ransomware notes will be dropped in the disk with the name “!!! YOUR FILES ARE ENCRYPTED !!!”

Buran Ransomware

All the encrypted files renamed to the same name as before with a new random extension. When compared to other RaaS family ransomware, Buran infection is slow, and the advertisement said that they are continuously improving their ransomware.

You can also read the complete Ransomware Attack Response and Mitigation Checklist.


Latest articles

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles