Friday, October 4, 2024
HomeExploitRaaS - Hackers Selling Buran Ransomware in Russian Forum That Encrypt All...

RaaS – Hackers Selling Buran Ransomware in Russian Forum That Encrypt All Version of Windows OS & Windows Server

Published on

Researchers uncovered a new ransomware family named “Buran” ransomware that works as a Ransomware-as-a-Service(RaaS) model and actively selling in a well-known Russian forum.

Ransomware authors advertising in well known Russian underground forums and the Buran Ransomware compatible with all versions of the Windows OS and Windows server.

Unlike other RaaS based ransomware such as GandCrab that earned 30% – 40% of revenue, Buran ransomware authors take only 25% of the revenue generated via infection.

- Advertisement - EHA

Authors also willing to negotiate the price to anyone who can guarantee a high level of infection rate in a large number of systems, and the ads provide details about the affiliation, flexible functionality and support 24/7.

Buran Ransomware
Buran Advertisement in Russian Forum

Buran Ransomware developed with certain limitations, and it will not infect the specific CIS segment regions, which are Soviet Republics – Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.

Also, if the system is determined to be in the Russian Federation, Belarus or Ukraine the malware will finish the process with an “ExitProcess”.

Based on the TTPs and artifacts in the system, the researcher believes that that Buran is an evolution of the Jumper ransomware. VegaLocker is the origin of this malware family.

Buran Ransomware Infection Analysis

Buran Ransomware infects Windows users with the help of RIG Exploit Kit, a well-known exploit kit used by hundred of malware and ransomware families.

RIG Exploit Kit uses a severe Internet Explorer vulnerability (VBScript Engine, Arbitrary Code Execution) CVE-2018-8174 to exploit the targeted victim’s system.

Successful exploitation will drop the Buran ransomware into the system. Packer and malware have written by Delphi language that makes the static analysis more difficult.

The researcher observed that the ransomware has 2 different versions. Compared to the first version, the second has observed a lot of improvements.

Buran Ransomware
Buran Ransomware Version Comparision

Researchers learned some of the main differences such as Shadow copies delete process, Backup catalog deletion, System state backup deletion, Ping used as a sleep method.

The ransomware is completely packed and the goal of the packer is to decrypt the malware making a RunPE technique to run it from memory.

According to McAfee’s research, The next action is to calculate a hash based on its own path and name in the machine. With the hash value of 32-bits it will make a concat with the extension “.buran”. Immediately after, it will create this file in the temp folder of the victim machine. Importantly, if the malware cannot create or write the file in the TEMP folder it will finish the execution.

After the successful infection, a ransom note is created inside the binary and will be dumped in execution to the victim’s machine.

Ransomware operators will find their victim using random Delphi functions, and the identification is necessary to track their infected users to affiliates to deliver the decryptor after the payment is made.

Buran ransomware blacklist some of the files and folders during the infection to avoid break its functionality or performance.

According to Alexandre Mundo, a senior malware analyst in Mcafee, The sample used to analyze this ransomware using the following MITRE ATT&CK™ techniques:

  • Disabling Security Tools
  • Email Collection
  • File and Directory Discovery
  • File Deletion
  • Hooking
  • Kernel Modules and Extensions
  • Masquerading
  • Modify Registry
  • Network Service Scanning
  • Peripheral Device Discovery
  • Process Injection
  • Query Registry
  • Registry Run Keys / Start Folder
  • Remote Desktop Protocol
  • Remote System Discovery
  • Service Execution
  • System Time Discovery
  • Windows Management Instrumentation

Buran Encryption Process

Buran encryption starts with a specific folder of the victim’s computer such as a desktop folder and it can use threads to encrypt files.

During the process, It will encrypt the drive letters and folders grabbed before in the recognition process.

Once it completes its encryption process, the ransomware notes will be dropped in the disk with the name “!!! YOUR FILES ARE ENCRYPTED !!!”

Buran Ransomware

All the encrypted files renamed to the same name as before with a new random extension. When compared to other RaaS family ransomware, Buran infection is slow, and the advertisement said that they are continuously improving their ransomware.

You can also read the complete Ransomware Attack Response and Mitigation Checklist.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...