The Buran ransomware, a newly discovered strain of malware, has been found to be marketed as Ransomware-as-a-Service (RaaS) in cybercriminal communities, and the developers of the malicious software have been offering discounted rates and negotiable terms to those who want to use the malware.
A report from McAfee’s Advanced Threat Research Team, which first observed Buran ransomware in May 2019, said that an announcement had been posted on a popular Russian forum marketing the ransomware at a discount.
The team that discovered the announcement said that the Buran ransomware has been spotted in the wild for the past six months and has joined the ranks of other RaaS providers such as REvil, GandCrab (now defunct) and Phobos.
The authors of the malware are charging their criminal clients less for the Buran ransomware than other ransomware operations spotted in the wild. McAfee’s report reveals that they are charging 25% of the income earned by affiliates, instead of the 30% – 40% that other notorious ransomware families charge per campaign. Negotiation is also possible for those who can guarantee an impressive level of infection with Buran, and the rate is negotiated individually with each affiliate who wants to run a Buran ransomware infection campaign.
“They are negotiated individually for each advert depending on volumes and material,” reads the conclusion of the advertisement. “Start earning with us!”
The advert describes the different features that the Buran ransomware, an evolution of the popular VegaLocker ransomware, can offer to its prospective affiliates. One of the things the authors highlight is the availability of 24/7 support. Buran is said to be an offline crypto locker with “flexible functionality.” Other functionalities include:
- Reliable cryptographic algorithm using global and session keys + random file keys;
- Scan all local drives and all available network paths;
- High speed: a separate stream works for each disk and network path;
- Skipping Windows system directories and browser directories;
- Decryptor generation based on an encrypted file;
- Correct work on all OSs from Windows XP, Server 2003 to the latest;
- The locker has no dependencies, does not use third-party libraries, only mathematics, and vinapi.
In addition, the authors of the ransomware offer optional functionalities that their criminal affiliates can request on demand. These functionalities include:
- The completion of some processes to free open files (optional, negotiated);
- The ability to encrypt files without changing extensions (optional);
- Removing recovery points + cleaning logs on a dedicated server (optional);
- Standard options: tapping, startup, self-deletion (optional);
- Installed protection against launch in the CIS segment.
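The “encrypt files without changing extensions” option listed above defeats the simplest detection heuristic, watching for mass renames to a new extension. As an added example (not from McAfee’s report or from the Buran code), the following defender-side scan flags files whose content looks encrypted regardless of their name, using byte entropy together with a magic-byte check against the file’s extension. The MAGIC signature table, the entropy threshold and the sample files are assumptions constructed for illustration; the helper names (inspect_file, flagged_names, build_sample_tree) are hypothetical.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed subset of file signatures; extend for the formats in your environment.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}

# Bits per byte. Natural text and most documents sit well below this while
# ciphertext approaches 8.0. An assumed threshold; tune it against your own data.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: str, sample_size: int = 4096) -> dict:
    """Judge whether a file's leading bytes look encrypted, ignoring its name."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    ext = os.path.splitext(path)[1].lower()
    entropy = shannon_entropy(head)
    expected = MAGIC.get(ext)
    # A known format whose signature is gone has had its content replaced.
    magic_mismatch = expected is not None and not head.startswith(expected)
    # Compressed formats (zip, docx) legitimately have high entropy, so for a
    # known extension the entropy signal alone is not enough; the missing
    # signature is what counts. For unknown extensions entropy is all we have.
    suspicious = magic_mismatch or (entropy >= ENTROPY_THRESHOLD and expected is None)
    return {"path": path, "entropy": round(entropy, 3),
            "magic_mismatch": magic_mismatch, "suspicious": suspicious}


def scan_directory(root: str) -> list:
    """Inspect every regular file below root."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            results.append(inspect_file(os.path.join(dirpath, name)))
    return results


def flagged_names(root: str) -> list:
    """Sorted basenames of the files the scan considers suspicious."""
    return sorted(os.path.basename(r["path"])
                  for r in scan_directory(root) if r["suspicious"])


def build_sample_tree() -> str:
    """Constructed sample files: two untouched, two whose content was replaced
    by random bytes while their names and extensions stayed the same."""
    root = tempfile.mkdtemp(prefix="entropy_demo_")
    samples = {
        "plain.txt": b"quarterly report draft, do not distribute\n" * 100,
        "archive.zip": MAGIC[".zip"] + os.urandom(4000),  # legit: high entropy, signature intact
        "report.pdf": os.urandom(4096),                   # replaced in place: signature gone
        "secret.txt": os.urandom(4096),                   # replaced in place: nothing but entropy to go on
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


def demo() -> list:
    """Build the constructed tree and return the names the scan flags."""
    return flagged_names(build_sample_tree())


if __name__ == "__main__":
    for name in demo():
        print("suspicious:", name)
```

Run against a file share, the useful signal is the rate at which new files cross this threshold rather than any single hit: a burst of high-entropy files with intact names and missing signatures is the footprint this option leaves. Legitimately encrypted or compressed data (archives, media, already-encrypted containers) will also score high, which is why the signature check is applied before the entropy check for known formats.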
The advertisement claims that the Buran ransomware works on all versions of Windows; however, further analysis by the cybersecurity team reveals that the marketed version of the ransomware does not work on older systems such as Windows XP. The ransomware also will not infect systems located in the CIS region, which includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.
The researchers also noted that the Buran ransomware is an evolved version of ransomware released earlier, which could mean that the current version is still being modified to become stronger than it is at the moment.
“Buran represents the evolution of a well-known player in the ransomware landscape. VegaLocker had a history of infections in companies and end-users, and the malware developers behind it are still working on new features, as well as new brands, as they continue to generate profits from those actions. We observed new versions of Buran with just a few months between them in terms of development, so we expect more variants from the authors in the future and, perhaps, more brand name changes if the security industry puts too much focus on them,” the report reads.