In May, researchers from McAfee’s Advanced Threat Research Team discovered a new piece of ransomware named ‘Buran.’ Buran is offered as a
Researchers also discovered that the ransomware will not infect any region inside the CIS segment of former Soviet Republics (Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan).
Operators behind this RaaS announced that they can negotiate the fee with anyone who can guarantee an impressive level of infection with the ransomware.
Buran is advertised as a stable malware that uses an offline
"Reliable cryptographic algorithm using global and session keys + random file keys; Scan all local drives and all available network paths; High speed: a separate stream
worksfor each disk and network path; Skipping Windows system directories and browser directories; Decryptorgeneration based on an encrypted file; Correct work on all OSs from Windows XP, Server 2003 to the latest; The locker has no dependencies, does not use third-party libraries, only mathematics and vinapi;" reads the ad.
"The completion of some processes to free open files (optional, negotiated); The ability to encrypt files without changing extensions (optional); Removing recovery points + cleaning logs on a dedicated server (optional); Standard options: tapping, startup, self-deletion (optional); Installed protection against launch in the CIS segment.
“In our analysis we detected two different versions of Buran, the second with improvements compared to the first one released.” reads the analysis published by McAfee.
The two versions analyzed by the experts are written in Delphi, one of them includes improvements on the other one. The malware will encrypt the files only if the machines are not in Russia, Belarus or Ukraine.
The malware gain persistence using registry keys, below an example of the ransom note left on the infected system:
“Buran represents an evolution of a well-known player in the ransomware landscape.
(SecurityAffairs – Buran RaaS, malware)