Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Bucbi Ransomware Revived, Distributed via Brute-Forcing RDP Accounts

Bucbi-ransomware-original-ransom-note-palo-alto-stforumSecurity researchers at Palo Alto Networks disclosed that an old ransomware family – Bucbi ransomware – has been just revived after 2 years of silence. The Bucbi threat was discovered in 2014, and it hasn’t been registered active since then. Not only it has been revived but it has also been updated. Above, you see the original ransom note used by Bucbi in 2014’s attacks.

Threat Summary

Name Bucbi Ransomware
Type Ransomware
Short Description Bucbi ransomware was first spotted in 2014, but has been just revived.
Symptoms The victim’s files are inaccessible and encrypted.
Distribution Method Via brute-forcing RDP accounts.
Detection Tool See If Your System Has Been Affected by Bucbi Ransomware

Download

Malware Removal Tool

User Experience Join our forum to find a solution for Bucbi Ransomware.

Bucbi Ransomware: Current Distribution

When it was first reported, Bucbi was spread via HTTP downloads and exploit kits. Now a new distribution technique has been adopted by its authors – delivery via brute-forcing RDP accounts on Internet-facing Windows servers. However, Bucbi’s code is also modified – it no longer needs Internet connection to propagate.

Learn More about Brute Force Attacks

Who Is Behind Bucbi Ransomware?

According to the ransom notes dropped by Bucbi, it’s operated by a far-right Ukrainian nationalist political party called Ukrainian Right Sector. According to Wikipedia, Right Sector has originated in 2014 as a paramilitary confederation at the Euromaidan revolt in Kiev. The group which opposes Russia became a political party on 22 March 2014. In 2014, Right Sector claimed to have approximately 10,000 members.

As for Bucbi’s recent attacks, it’s still not known whether the information about Right Sector provided in the ransom notes is accurate or falsified. However, multiple Russian identifiers have been discovered in the latest infections, which contradict to the ransomware authors’ claims of Ukrainian origin.

Bucbi Ransomware: Technical Overview

As already mentioned, Bucbi’s latest distribution depends on brute-forcing techniques and open RDP (Remote Desktop Protocol) ports. Palo Alto researchers believe that the threat actors may have used a tool named RDP Brute (Coded by z668). This is a list of the IP addresses associated with Bucbi’s latest attacks at the end of March 2016:

  • 184.197.69
  • 44.191.251
  • 117.151.236
  • 161.40.11
  • 101.31.126

Researchers also believe that the attackers first targeted PoS devices but later changed their tactics to monetize their malicious attempts. Palo Alto researchers have shared some of the usernames specific to PoS systems:

Some of the usernames specific to PoS systems include strings such as BPOS, FuturePoS, KahalaPoS, POS, SALES, Staff, and HelpAssistant.

More technical details of the attack find here: Palo Alto Networks Research Center

In conclusion, the latest variant of Bucbi ransomware implies to have been employed by Right Sector. If this claim is truthful, this would mean that the Ukranian far-right party has entered cybercrime, possibly to fund their cause, Palo Alto researchers write. However:

Attribution of this particular attack is difficult as there simply isn’t enough evidence to conclusively determine who is behind it. Various conflicting evidence make it impossible to say for sure. However, what is clear is that attackers are shifting tactics in how ransomware is deployed, and ensuring their malware is constantly being updated to deter defenders.

Bucbi Ransomware Removal & Decryption

Bucbi’s cryptography is still being investigated. More details will be available soon. It’s known that after the encryption process is finished, a README.txt will be placed on the user’s desktop:

Bucbi-txt-file-palo-alto-stforum

The BitCoin address mentioned in the above screenshot has a single payment of 0.00896 BTC at the time of writing. This payment, being so low in value, was likely a test transaction used. The email address of ‘dopomoga.rs@gmail.com’ has ties with the Ukrainian Right Sector in a number of external publications […].

If you have been infected by Bucbi ransomware, consider following the steps below. However, since the threat is still being analyzed, there is no guarantee that encrypted files will be decrypted via any alternative methods.

Manually delete Bucbi Ransomware from your computer

Note! Substantial notification about the Bucbi Ransomware threat: Manual removal of Bucbi Ransomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Bucbi Ransomware files and objects
2.Find malicious files created by Bucbi Ransomware on your PC
3.Fix registry entries created by Bucbi Ransomware on your PC

Automatically remove Bucbi Ransomware by downloading an advanced anti-malware program

1. Remove Bucbi Ransomware with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Bucbi Ransomware in the future
3. Restore files encrypted by Bucbi Ransomware
Optional: Using Alternative Anti-Malware Tools

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.