The VegaLocker ransomware strain provides the basis for Buran, a new Ransomware-as-a-Service (RaaS) offering that undercuts competitors with discounted rates.
Buran was first discovered in May 2019, according to McAfee researchers Alexandre Mundo and Marc Rivero Lopez, and has now joined the ranks of other RaaS offerings including REvil and Phobos.
The Buran operators, who first announced the service on a Russian website, appear to focus on personal connections with their criminal clients.
In total, the authors take 25 percent of the illicit earnings produced by successful infections, a significant reduction from the 30-40% usually demanded by RaaS operators.
The price can also be negotiated “with anyone who can guarantee an impressive level of Buran infection,” the researchers say.
In the advertisement, Buran is described as a secure malware strain with an offline cryptolocker, 24/7 support, session and global keys, and no third-party dependencies such as libraries.
The malware can also scan local drives and network paths, and offers optional features including file encryption without changing extensions, deletion of recovery points, clearing of logs, removal of the backup catalog and self-deletion.
Buran operators say the ransomware is compatible with all versions of Microsoft Windows, although McAfee found during its investigation that some older versions, including Windows XP, were immune.
The Rig exploit kit is the chosen delivery method for the new ransomware family, exploiting CVE-2018-8174, a remote code execution vulnerability in Microsoft Internet Explorer’s VBScript engine, to compromise target machines.
So far, two Buran versions, both written in Delphi, have been found, the second containing changes from the first. The malware checks whether the victim’s system is registered in Russia, Belarus or Ukraine, and exits if any of these checks is positive.
Once the malware is able to create and store files in temporary directories, Buran creates registry keys for persistence, assigns the victim an ID, encrypts files and drops a ransom note.
Buran descends from VegaLocker and Jumper and is thought to be the next step in their evolution because of its shared behaviour, artifacts, and tactics, techniques and procedures (TTPs). These similarities include registry changes, file types stored in temporary files, variable duplication, and shadow copy handling.
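The recovery-destruction features listed above (deleting recovery points, removing the backup catalog, clearing logs, shadow copy handling) are the part of this behaviour a defender can watch for on an endpoint. The following is an added detection example, not McAfee's or the article's code: it scans constructed process-creation log lines and alerts when a single host shows several of those behaviours. The command-line patterns are an assumption (the page does not give Buran's exact commands; these are the built-in Windows utilities normally used for each action), and the log format is constructed for the example.

```python
import re
from collections import defaultdict

# Each behaviour the article attributes to Buran, mapped to the Windows command
# lines it is ASSUMED to produce (assumption: the page does not list Buran's
# exact commands; these are the standard built-in utilities for each action).
BEHAVIOUR_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "backup_catalog_removal": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    "log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
}
# Constructed log format: "<timestamp> host=<name> user=<name> cmd=<command line>"
LINE_RE = re.compile(r"(\S+) host=(\S+) user=(\S+) cmd=(.*)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return None if not m else dict(zip(("ts", "host", "user", "cmd"), m.groups()))

def classify(cmd):
    """Return the behaviour names whose pattern matches this command line."""
    return [name for name, pat in BEHAVIOUR_PATTERNS.items() if pat.search(cmd)]

def score_hosts(lines, threshold=2):
    """Collect distinct behaviours per host; alert at `threshold` or more
    (a single match is often legitimate admin work, the combination is not)."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for behaviour in classify(ev["cmd"]):
            seen[ev["host"]].add(behaviour)
    return {h: {"behaviours": sorted(b), "alert": len(b) >= threshold}
            for h, b in seen.items()}

# Constructed sample log: ws01 shows the full destructive sequence,
# ws02 only runs read-only queries that must not trigger.
SAMPLE_LOG = [
    "2019-11-12T09:14:03Z host=ws01 user=CORP\\alice cmd=vssadmin.exe delete shadows /all /quiet",
    "2019-11-12T09:14:04Z host=ws01 user=CORP\\alice cmd=wbadmin delete catalog -quiet",
    "2019-11-12T09:14:05Z host=ws01 user=CORP\\alice cmd=bcdedit /set {default} recoveryenabled No",
    "2019-11-12T09:14:06Z host=ws01 user=CORP\\alice cmd=wevtutil.exe cl System",
    "2019-11-12T09:20:11Z host=ws02 user=CORP\\bob cmd=vssadmin list shadows",
    "2019-11-12T09:20:12Z host=ws02 user=CORP\\bob cmd=wevtutil qe Security /c:5",
]

if __name__ == "__main__":
    print(score_hosts(SAMPLE_LOG))
```

Hosts that only run read-only queries never appear in the result, so the verdict is driven by the combination of destructive actions rather than any single command.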
“Malware authors are creating and professionalizing their malware software,” McAfee says. “Trying to confuse security researchers with AV firms could be one reason to change its name between revisions.”
Last week SmarterASP.NET, an ASP.NET hosting company, was hit with a ransomware attack. Customer servers were compromised and made inaccessible, and the host’s own website was also affected.
Forrester Research reports that ransomware attacks on organizations have risen by 500 percent year on year.