Vulnerability Management

Buran ransomware detailed, found to be based on VegaLocker

As any good marketer knows announcing a new product with an effective ad campaign is always a great way to drum up interest.

Which is exactly what the actors behind Buran ransomware did when they rolled it out on a well-known dark web forum as a ransomware as a service (RaaS) offering earlier this year, according to McAfee researchers Alexandre Mundo and Marc Rivero Lopez who took a deep dive into the malware.

The ad as it appeared on the dark web:

Buran is a stable offline cryptolocker, with flexible functionality and support 24/7.

  • Reliable cryptographic algorithm using global and session keys + random file keys;
  • Scan all local drives and all available network paths;
  • High speed: a separate stream works for each disk and network path;
  • Skipping Windows system directories and browser directories;
  • Decryptor generation based on an encrypted file;
  • Correct work on all OSs from Windows XP, Server 2003 to the latest;
  • The locker has no dependencies, does not use third-party libraries, only mathematics and vinapi;
  • The completion of some processes to free open files (optional, negotiated);
  • The ability to encrypt files without changing extensions (optional);
  • Removing recovery points + cleaning logs on a dedicated server (optional);
  • Standard options: tapping, startup, self-deletion (optional);
  • Installed protection against launch in the CIS segment.

Conditions: They are negotiated individually for each advert depending on volumes and material. Start earning with us!

On the business side of the operation McAfee researchers found the actors behind Buran take a 25 percent cut of the take from their customers, which is less than the 30 to 40 percent others demand and are willing to negotiate on price.

Operationally, McAfee found that while the malware does have country protection the only members of the Commonwealth of Independent States (CIS) protected are the Russian Federation, Belarus and the Ukraine.

Buran is delivered through the Rig EK, which in this case exploits the CVE-2018-8174, a Microsoft Internet Explorer VBScript engine, arbitrary code execution vulnerability. An examination of the code, written in Delphi, found Buran is actually an evolution of VegaLocker ransomware.

There are two versions of Buran currently in use with the newer one, Buran 2, capable of deleting shadow copies using WMI, backup catalog deletion, System state backup deletion and as a poor anti-evasion technique, Buran will use ping through a ‘for loop’ in order to ensure the file deletion system, the researchers said.

McAfee noted that Buran is an effective tool.

“For the binaries, all of them appeared with a custom packer and already came with interesting features to avoid detection or to ensure the user must pay due to the difficulty of retrieving the files. It mimics some features from the big players and we expect the inclusion of more features in future developments," the report said.

Mundo and Rivero Lopez concluded that the fact that there are two versions already available indicates the developers will continue to make changes and improvements and possible could also include a new branding effort.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.