In May, researchers from McAfee’s Advanced Threat Research Team discovered a new piece of ransomware named ‘Buran.’ Buran is offered as a
Researchers also discovered that the ransomware will not infect any region inside the CIS segment of former Soviet Republics (Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan).
Operators behind this RaaS announced that they can negotiate the fee with anyone who can guarantee an impressive level of infection with the ransomware.
Buran is advertised as a stable malware that uses an offline
"Reliable cryptographic algorithm using global and session keys + random file keys; Scan all local drives and all available network paths; High speed: a separate stream
worksfor each disk and network path; Skipping Windows system directories and browser directories; Decryptorgeneration based on an encrypted file; Correct work on all OSs from Windows XP, Server 2003 to the latest; The locker has no dependencies, does not use third-party libraries, only mathematics and vinapi;" reads the ad.
"The completion of some processes to free open files (optional, negotiated); The ability to encrypt files without changing extensions (optional); Removing recovery points + cleaning logs on a dedicated server (optional); Standard options: tapping, startup, self-deletion (optional); Installed protection against launch in the CIS segment.
“In our analysis we detected two different versions of Buran, the second with improvements compared to the first one released.” reads the analysis published by McAfee.
The two versions analyzed by the experts are written in Delphi, one of them includes improvements on the other one. The malware will encrypt the files only if the machines are not in Russia, Belarus or Ukraine.
The malware gain persistence using registry keys, below an example of the ransom note left on the infected system:
“Buran represents an evolution of a well-known player in the ransomware landscape.
(SecurityAffairs – Buran RaaS, malware)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.