Ransomware-as-a-service available 24x7; new Black Friday deal

Digital forensics specialists report the emergence of Buran, a new service through which any user can acquire everything necessary to deploy a ransomware attack (a practice known as ransomware-as-a-service).

According to the reports, this ransomware is able to exploit known vulnerabilities on devices running the Windows operating system, and it is even being offered at a special price for Black Friday, because the malware operators want to spread it as widely as possible.

This ransomware has been active for at least half a year, according to experts in digital forensics. In addition, analysis of some collected samples has shown it to be a variant built from the code of VegaLocker, an older strain of ransomware.

Operators of this ransomware have been observed on multiple Russian-language hacking forums, claiming that Buran has advanced features such as offline encryption, flexible functionality and even a support service 24 hours a day.

In addition to these features, McAfee’s digital forensics experts say that Buran’s price is very attractive to interested parties. The malware operators demand 25% of the ransoms obtained by attackers, as opposed to the 30% or even 40% that other ransomware-as-a-service platforms demand. As if that weren’t enough, Buran’s developers also declare themselves willing to negotiate their percentage with anyone who is in a position to deploy a large-scale infection.

There is still no indication of who Buran’s operators are, although a report from security firm Bromium mentions that one starting point for investigation is a user identified as “buransupport” in various hacking forums.

Regarding how Buran operates, digital forensics specialists at the International Institute of Cyber Security (IICS) mention that Buran infects target Windows systems by exploiting a known remote code execution vulnerability (CVE-2018-8174).

In their posts, the hackers claim that this ransomware is capable of infecting any version of the Windows 10 OS. However, tests conducted by the McAfee security team showed that Buran is simply incompatible with some versions of the OS, especially Windows XP.

So far, two different versions of the malware have been detected, both written in Delphi. According to the reports, the hackers created the two versions to evade the protection measures of a target system, as well as to prevent researchers from reverse engineering these variants.

Another key feature of this ransomware is its ability to detect whether a device is connected to a government network. If it finds a device connected to networks of the government of Russia, Belarus or Ukraine, the attack stops automatically, experts say.

The ransomware-as-a-service practice has grown significantly over the past couple of years, with the variant known as GandCrab being one of the first and most popular services of its kind, although just a few weeks ago its operators announced that they would stop updating their versions of the encryption malware.
