A new ransomware family named ‘Buran’, advertised as a stable offline cryptolocker with flexible functionality and 24/7 support, is taking on competitors through discounted rates.
Buran was first detected in May 2019, according to McAfee researchers Alexandre Mundo and Marc Rivero Lopez.
Buran appears to be focusing on establishing personal relationships with its criminal customers. It operates on a ransomware-as-a-service (RaaS) model like other ransomware families such as REvil, GandCrab and Phobos.
Buran originates from VegaLocker and Jumper and is believed to be the next stage in their evolution, because similar behaviours, artefacts and tactics, techniques and procedures (TTPs) are found within its code. These include registry changes, the types of files stored in temporary folders, overlapping extensions, and the creation of shadow copies.
Buran's authors take 25% of the income earned by affiliates, instead of the 30%–40% demanded by notorious malware families like GandCrab, and they are willing to negotiate that rate with anyone who can guarantee an impressive level of infection with Buran. Their ads announce that every affiliate will have a personal arrangement with them.
The malware's features:
- Scan all local drives and network paths
- Contains optional features including the encryption of files without changing extensions
- Removing recovery points and cleaning logs on a dedicated server
- Backup catalogue deletion
- Standard options: tapping, startup, self-deletion.
“Malware authors evolve their malware code to improve it and make it more professional,” McAfee says. “Trying to be stealthy to confuse security researchers and AV companies could be one reason for changing its name between revisions.”
The Rig exploit kit has been using CVE-2018-8174, a Microsoft Internet Explorer VBScript Engine arbitrary code execution vulnerability, for client-side exploitation; after successful exploitation it delivers Buran ransomware to the system.
Two versions of Buran, both written in Delphi, have been found so far; the second contains improvements on the original. The malware checks whether the victim machine is registered in Russia, Belarus or Ukraine, and if any of these checks comes back positive, Buran exits.
The rate, too, can be negotiated “with anyone who can guarantee an impressive level of infection with Buran,” said the researchers.
The announcement says that Buran is compatible with all versions of Windows and Windows Server, and that it will not infect any region inside the CIS segment. The CIS segment comprises ten former Soviet republics: Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.
After making sure the malware can create files and store them in temporary folders, Buran will create registry keys to maintain persistence, assign the victim an ID, encrypt files and post a ransom note.
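As an added, defender-side example (not from the article and not from McAfee's analysis), the Python script below looks for the behaviours in the feature list above and in the persistence description: shadow-copy and recovery-point removal, backup-catalogue deletion, event-log clearing and a Run-key persistence entry. It runs over a constructed, Sysmon-style process-creation log and raises an alert only when several of these techniques come from the same user and parent process within a short window, since a single such command can be legitimate administration. The log format, the sample lines, the file and user names and the 300-second window are all assumptions made for this example.

```python
"""Detect Buran-style backup destruction and persistence in process-creation logs.

Added example: the log format, sample lines and thresholds are constructed
for illustration and are not taken from the article or from McAfee's research.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed, Sysmon-like lines: "<timestamp> <user> <parent> -> <command line>".
# The Temp-folder executable and its name are placeholders, not real indicators.
SAMPLE_LOG = """\
2019-11-06T10:14:02Z CORP\\alice explorer.exe -> "C:\\Program Files\\7-Zip\\7z.exe" a backup.7z C:\\Users\\alice\\Documents
2019-11-06T10:15:31Z CORP\\alice winword.exe -> cmd.exe /c vssadmin delete shadows /all /quiet
2019-11-06T10:15:32Z CORP\\alice winword.exe -> wbadmin delete catalog -quiet
2019-11-06T10:15:33Z CORP\\alice winword.exe -> wevtutil cl System
2019-11-06T10:15:35Z CORP\\alice winword.exe -> reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v ctfmon /t REG_SZ /d C:\\Users\\alice\\AppData\\Local\\Temp\\ctfmon.exe
2019-11-06T10:16:00Z CORP\\bob svchost.exe -> C:\\Windows\\System32\\wevtutil.exe qe Application /c:5
"""

# One rule per behaviour named in the article's feature list / persistence description.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\b\s+cl\b", re.I),
    "run_key_persistence": re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I),
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<parent>\S+)\s+->\s+(?P<cmd>.*)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Hit:
    ts: str
    user: str
    parent: str
    technique: str
    cmd: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not fit the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Apply every rule to every command line and collect the matches."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        for technique, pattern in RULES.items():
            if pattern.search(rec["cmd"]):
                hits.append(Hit(rec["ts"], rec["user"], rec["parent"], technique, rec["cmd"]))
    return hits


def correlate(hits, window_seconds=300):
    """Alert when one (user, parent) pair shows two or more distinct techniques
    within window_seconds; a lone vssadmin or wevtutil call may be admin work."""
    groups = {}
    for h in hits:
        groups.setdefault((h.user, h.parent), []).append(h)
    alerts = []
    for (user, parent), items in groups.items():
        techniques = sorted({h.technique for h in items})
        times = [datetime.strptime(h.ts, TS_FORMAT) for h in items]
        span = (max(times) - min(times)).total_seconds()
        if len(techniques) >= 2 and span <= window_seconds:
            alerts.append({"user": user, "parent": parent,
                           "techniques": techniques, "span_seconds": span})
    return alerts


if __name__ == "__main__":
    for alert in correlate(scan(SAMPLE_LOG)):
        print(f"ALERT {alert['user']} via {alert['parent']}: "
              f"{', '.join(alert['techniques'])} within {alert['span_seconds']:.0f}s")
```

In the sample, the four destructive commands spawned from winword.exe produce one alert, while the legitimate wevtutil query from svchost.exe and the 7-Zip backup job produce none. The correlation step is what keeps the noise down: the page lists these actions as a sequence the malware performs, so the combination, not any one command, is the signal to act on.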