According to the reports, this ransomware exploits known vulnerabilities on Windows systems, and it was even advertised at a discounted price for Black Friday, since the malware operators want to get it into as many deployments as possible.
This ransomware has been active for at least half a year, according to digital forensics experts. In addition, analysis of collected samples shows it to be a variant built from the code of VegaLocker, an older ransomware strain.
The operators of this ransomware have been seen actively advertising it on multiple Russian-language hacking forums, claiming that Buran has advanced features such as offline encryption (it does not need to contact a command-and-control server to encrypt), flexible functionality and even a 24-hour support service.
Beyond these features, McAfee's digital forensics experts note that one very attractive point for affiliates is Buran's price. The malware operators keep 25% of the ransoms collected by affiliates, as opposed to the 30% or even 40% cut that other ransomware-as-a-service platforms demand. As if that were not enough, Buran's developers also declare themselves willing to negotiate their percentage with anyone in a position to carry out a large-scale infection campaign.
There is still no firm attribution of Buran's operators, although a report from the security firm Bromium mentions that one starting point for investigation is a user identified as "buransupport" on various hacking forums.
Regarding how Buran operates, digital forensics specialists at the International Institute of Cyber Security (IICS) mention that Buran infects target Windows systems by exploiting a known remote code execution vulnerability (CVE-2018-8174), a flaw in the Windows VBScript engine that is typically triggered when a victim visits a malicious or compromised web page.
In their forum posts, the hackers claim that this ransomware can infect any version of Windows; however, tests conducted by the McAfee security team showed that Buran simply does not run on some versions of the OS, Windows XP in particular.
So far two different versions of the malware have been detected, both written in Delphi. According to the reports, the hackers created the two versions both to evade the protection measures of a target system and to make it harder for researchers to reverse engineer the variants.
Another key feature of this ransomware is its ability to detect whether a device belongs to a government network. If it finds a device connected to a network of the government of Russia, Belarus or Ukraine, the attack stops automatically, experts say; this kind of exclusion is common in malware sold on Russian-language forums, whose operators avoid targeting their home region.
Ransomware-as-a-service has grown significantly over the past couple of years, with the variant known as GandCrab being one of the first and most popular services of its kind, although just a few weeks ago its operators announced that they would stop updating their versions of the encryption malware.