The BURAN ransomware is a dangerous new virus release which at the moment has not been analyzed in detail. A security researcher has reported that it is being distributed using common tactics. This can include the sending of phishing emails that impersonate well-known companies or services. The other approach is to craft malicious web pages that appear as legitimate and useful sites. They can carry dangerous files that can lead to an infection.
These include malicious documents in all popular formats: presentations, text documents, spreadsheets and databases. The other carrier that is popular with hackers is the creation of application installers for software that is often downloaded and used by end users. They can alternatively be found via various file-sharing networks like BitTorrent. The BURAN ransomware can also infect victims via browser hijackers, which are dangerous extensions made for the most popular browsers. They are widely uploaded to the relevant repositories using fake user reviews and developer credentials.
In one of its most recent campaigns the BURAN ransomware is being distributed by the RIG Exploit Kit. This means that infections with it are likely to become much more common than with ransomware distributed by other methods. In its latest iterations it intrudes onto computers by exploiting weaknesses in Internet Explorer or other common web browsers. One of the vulnerabilities commonly triggered in these infections is tracked in the CVE-2018-8174 advisory. This is a remote code execution (RCE) vulnerability in the VBScript engine, which is used at runtime by many applications, including system ones, as well as by document scripts (macros).
Threat Summary
Name | BURAN Ransomware |
Type | Ransomware, Cryptovirus |
Short Description | The ransomware encrypts files on your computer and demands a ransom to be paid to allegedly restore them. |
Symptoms | The ransomware will blackmail the victims to pay them a decryption fee. Sensitive user data may be encrypted by the ransomware code. |
Distribution Method | Spam Emails, Email Attachments |
Detection Tool | See If Your System Has Been Affected by malware (download the Malware Removal Tool) |
User Experience | Join Our Forum to Discuss BURAN Ransomware. |
Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
BURAN Ransomware — November 2019 New Ransom Note
A new release of the Buran ransomware has been discovered, this time assigning the .BB4-230-xxxx extension to the victim data. It is very likely that a new hacker collective has taken the original code and modified it to create this new version. Another possible source is an order on the underground market where customization options are readily available.
We presume that the criminals are going to implement the already known modules which may include system changes and the setup of the threat in a way which will make it very difficult to remove.
Like the previous versions, the .BB4-230-xxxx Buran ransomware will encrypt user data in a similar way and append the necessary extension. To coerce the victims into paying the hackers a decryption fee, a ransom note file called !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT is created.
BURAN Ransomware — November 2019 Update
In November 2019 a SPAM attack campaign has been found to target end users with the intention of carrying the Buran ransomware. The exact mechanism is the sending of IQY files in phishing email messages. They are designed to impersonate service documents or even personal messages that may be regarded as important and/or authentic. Some of the examples include the following:
- User Messages — Short sentence messages that may appear to be from a friend or acquaintance can be sent to the recipients.
- App Installers/Updates — The email messages may impersonate product notifications of popular applications. This is done by sending out emails that warn that the users need to install a new version of the product. The executable file will be linked or directly attached in the message.
- Common Scams — The criminals behind the Buran ransomware can use different social engineering techniques to manipulate the victims into downloading and running the virus files.
In this particular campaign the files that lead to the infection are IQY files, which are opened by Microsoft Excel. They are Web Query attachments which will start commands leading to the virus installation.
Many of the messages will include a short message reading the following:
Print document in attach
The email is designed to appear as a forwarded message from an acquaintance. As soon as the attached file is opened Microsoft Excel will be opened. The file format is not a standard worksheet as it contains macros and PowerShell commands. The victim users will be shown a prompt asking them to enable the operations. This will trigger the virus infection by retrieving the ransomware from a remote hacker-controlled server. In the current campaign the file bears the name 1.exe.
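An IQY file is plain text: the first line names the query type (WEB), the second is a version number, and the third is the URL Excel will fetch once the user enables the connection. A mail gateway or an incident responder can therefore read the attachment and decide about it before Excel ever opens it. The following triage helper is an added example and is not code from the original article or from any vendor; the allowlist host, the `inspect_iqy`/`parse_iqy` names and the sample attachments (using the documentation IP range 203.0.113.0/24) are constructed for this illustration.

```python
"""Triage helper for .iqy (Excel Web Query) email attachments.

Reads the text of an .iqy attachment, extracts the remote URL Excel
would fetch, and returns a verdict with the reasons behind it.
"""
from urllib.parse import urlparse

# Hosts from which the organisation legitimately publishes web queries.
# Assumption for this example; replace with your own allowlist.
TRUSTED_HOSTS = {"intranet.example.internal"}

# Constructed sample attachments (not captured campaign data).
BENIGN_IQY = (
    "WEB\n1\nhttps://intranet.example.internal/reports/q3.aspx\n\n"
    "Selection=EntirePage\nFormatting=None\n"
)
SUSPICIOUS_IQY = "WEB\n1\nhttp://203.0.113.5/1.exe\n"


def parse_iqy(text):
    """Return (query_type, url, options) from IQY text; raise ValueError if malformed."""
    text = text.lstrip("\ufeff")  # tolerate a UTF-8 byte-order mark
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("too short to be a valid IQY file")
    query_type, _version, url = lines[0].upper(), lines[1], lines[2]
    options = {}
    for extra in lines[3:]:  # trailing "Key=Value" settings such as Formatting=None
        key, sep, value = extra.partition("=")
        if sep:
            options[key.strip().lower()] = value.strip()
    return query_type, url, options


def inspect_iqy(text, trusted_hosts=TRUSTED_HOSTS):
    """Classify an IQY attachment as allow / quarantine / reject with reasons."""
    try:
        query_type, url, options = parse_iqy(text)
    except ValueError as exc:
        return {"verdict": "reject", "reasons": [str(exc)]}

    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if query_type != "WEB":
        reasons.append(f"unexpected query type {query_type}")
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {parsed.scheme!r}")
    elif parsed.scheme == "http":
        reasons.append("cleartext http fetch")
    if host not in trusted_hosts:
        reasons.append(f"host {host!r} not in allowlist")
    if host.replace(".", "").isdigit():  # raw IPv4 literal instead of a name
        reasons.append("raw IP address as host")
    if parsed.path.lower().endswith((".exe", ".dat", ".ps1", ".bat", ".cmd", ".vbs")):
        reasons.append("URL points at an executable or script payload")

    return {
        "verdict": "quarantine" if reasons else "allow",
        "query_type": query_type,
        "url": url,
        "options": options,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_IQY), ("suspicious", SUSPICIOUS_IQY)):
        result = inspect_iqy(sample)
        print(label, result["verdict"], result["reasons"])
```

The check deliberately treats any host outside the allowlist as grounds for quarantine rather than trying to recognise "bad" URLs: legitimate web queries in an organisation come from a small, known set of servers, so an allowlist is both simpler and harder to evade than a blocklist.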
The Buran ransomware will start with its associated behavior pattern by running the intended components. The encryption engine will process and rename the victim files. A ransom note will be created in a file called !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT.
BURAN Ransomware — Massive Germany Malicious SPAM Campaign
A new security report reads that there is an ongoing phishing campaign that sends out SPAM messages in bulk attempting to infect the recipients. It is very possible that the criminals behind the ongoing attack are using an automated toolkit or a network of servers in order to reach the necessary volume of attacks. According to the available security reports the active campaign has probably started in September and amassed a larger size this month.
The current version of the Buran ransomware has an extensive list of active modules and features. This makes it an even more dangerous threat, as they will be run once the infection has completed. Once again the RIG Exploit Kit is used, with the messages further configured by location. The hackers will impersonate the eFax brand, which is one of the most popular online fax services.
The email messages will be translated to the languages of the respective recipients — the ready-made templates will be translated by the hackers or by using any ready-made software. The posted links in the emails will lead to hacker-controlled sites that contain dynamic PHP scripts with Microsoft Word documents. New domains have been generated which is important in order to bypass most of the firewalls and intrusion detection systems which may not update their blacklists in time.
Some of the available modules that will be launched include the following:
- Persistent Installation — The malware engine can be installed in a way which will make it very hard to detect and remove the active infections. It can rename itself as a legitimate service, install itself as a system service and disable access to the recovery boot options.
- System Reconfiguration — The Buran ransomware will disable operating system services and user-installed applications including Windows Error Recovery and Automatic Startup Repair.
- Files Removal — The main engine will locate and remove sensitive data including Shadow Volume Copies.
- Security Systems Bypass — The malware engine will locate and delete any anti-virus or virtual machine hosts that are installed on the compromised machines. This is done in order to protect the Buran ransomware from discovery and this may also work with all associated files: event logs, configuration files and preferences.
- Windows Registry Values — The main Buran virus engine can be used to edit out existing strings that are found in the Windows Registry. This can include the creation of new ones that exist in the system, as well as editing of the ones that are used by the operating system and any other installed applications. The consequences of this action will include performance issues, data loss and unexpected errors.
- Information Retrieval — The latest versions of the Buran ransomware also have the capability of retrieving important information about the system and the data stored by installed applications. This can include log files, stored cookies and bookmarks from web browsers and saved projects from productivity and office programs.
Custom markers and identity information can be applied to every individual host. Other components can also be run depending on local conditions.
BURAN Ransomware — Update October 2019
A new Buran ransomware variant has been detected as of the beginning of October 2019. The difference lies in the new ransom messages, which are placed in files called ALL YOUR FILES ARE ENCRYPTED !!!.TXT and bear a new hacker contact email. These virus samples have also been found to include a wide variety of complex modules with rich functionality. As soon as the virus is deployed onto the given host it will create a process for itself and impersonate system functionality. By doing so it can also disable access to the recovery boot options, which will prevent the users from entering the recovery modes.
The BURAN ransomware will hide from the system by modifying the system certificates and impersonating system processes. This is done by suppressing the errors and failures during the boot-up process. In addition the main engine can hook into numerous processes, both system and user applications. This means that processes can also be faked by the virus. These steps are done in order to make the initial intrusion into the target computers.
As soon as this is done an information harvesting module will be started. It is configured to extract a variety of data including the following:
- Kernel Debugger Information
- Internet Explorer Security Settings
- System Data
- Active Computer Name
- Cryptographic Machine ID
- External IP Address
The contaminated hosts will be checked if they are live by constantly pinging them from the hacker-controlled servers and other hacked hosts. To make the virus infection more dangerous the main engine can delete certain types of files: system volume copies, backups, restore points and valuable user data. This means that victims of the BURAN ransomware will need to use a professional-grade data recovery software along with the anti-spyware utility to recover their files.
The BURAN ransomware can also harvest any stored credentials in memory or in the configuration files, specifically looking for remote desktop keys. They are used when the users have set up the Remote Desktop feature. When this is enabled these keys will be placed in the system. When the service is enabled and the hackers have access to them they will be able to log in to the computers using the operating system. This allows them to control the system directly, thereby removing the need to deploy a dedicated Trojan.
Changes will also be made to the Windows Registry which includes the creation of new ones that are attributed to the virus and the modification of already existing ones. This can lead to various dangerous effects such as data loss, performance issues and the inability to start certain functions.
From there on the usual ransomware process will continue.
BURAN Ransomware — Update September 2019
A new wave of attacks carrying the Buran ransomware has been spotted in a recent attack campaign. The security analysis reveals that the method of distribution chosen by the hackers is a massive phishing email-based spam attack. The criminals have designed the messages to bear the logo and design of a legitimate service, eFax. The emails that are sent to the victims are designed as delivery notifications and the users are urged to open the attached documents. They are usually text documents that are designed to appear safe and legitimate. As soon as they are opened a prompt will appear asking the victims to enable the built-in scripts. If this is done the virus infection will follow.
Once the infection is launched a series of actions will be started. They are executed according to the built-in instructions or the specific hacker code. One of the captured samples has been found to execute the following pattern:
- Windows Registry Changes — The main engine can be used to commit changes to the Windows Registry. This can result in the inability to run certain functions, data loss and unexpected errors. If changes to existing strings are made then the users may not be able to run programs in their prescribed manner.
- Boot Options Changes — The Buran ransomware can edit the boot options which can install the virus as a persistent threat. This means that the virus will be automatically started and the victims will have no way of accessing the recovery options.
- Sensitive Data Removal — The captured samples have been found to locate and delete sensitive user files such as backups, shadow volume copies and archives.
- Network Propagation — The Buran ransomware can ping other hosts located on the same network or the Internet. This is particularly useful when a Trojan client is carried alongside the ransomware. It can choose an online hacker-controlled server that can be reached. Through it the criminals can take over control of the associated hosts, steal their data and lead to other infections.
- Application Hookup and Process Manipulation — They can be used to kill running apps and control what they are doing.
UPDATE JUNE 6, 2019. It's now known that Buran ransomware is currently being dropped by the RIG exploit kit (https://sensorstechforum.com/rig-ek-dropping-buran-ransomware/). A security researcher known as nao_sec was the first to notice a malvertising campaign redirecting users to the RIG EK, which then drops the Buran ransomware on infected systems. There is still no decrypter for Buran, but one may be released in the near future. To be prepared for a possible decryption, victims of the ransomware are advised to make a backup of the HKEY_CURRENT_USER\Software\Buran Registry key, their ransom note, and their encrypted files. These are needed for a possible decryption.
BURAN Ransomware – What Does It Do?
As soon as the virus is deployed onto a given host the main engine will start the relevant components. The sequence and exact commands can be determined by certain local conditions or by the hackers in general via the attack parameters. The initial deployment can include boot changes that will manipulate the system into starting the BURAN ransomware when the computer boots. This may also block access to the recovery options.
The main engine can also be used to hijack data that can be spread into two main types:
- Personal Information — It can expose the identity of the victims by looking out for such strings. This information can be used for various criminal purposes including blackmail and financial abuse.
- Machine Information — The engine is capable of extracting data that can be used to construct an unique ID that is associated with each affected machine.
This information can be used to bypass installed security applications that are detected in memory and deployed on the hard drive. Further malicious actions can be done by creating or editing values found within the Windows Registry. The results of such actions may lead to severe performance issues, loss of data and various unexpected errors.
When all modules have finished running the actual encryption will be started. By using a built-in list of target file type extensions the BURAN ransomware will affect as much accessible data as possible. As a result a random extension based on the generated unique ID is appended to the affected files. The associated ransom note is created in a file called YOUR FILES ARE ENCRYPTED !!!.TXT.
BURAN Ransomware could spread its infection in various ways. A payload dropper which initiates the malicious script for this ransomware is being spread around the Internet. BURAN Ransomware might also distribute its payload file on social media and file-sharing services. Freeware found on the Web can be presented as helpful while also hiding the malicious script for the cryptovirus. Read the tips for ransomware prevention from our forum.
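Because the appended extension is derived from a per-victim ID, the first task in an incident is usually to establish scope: which directories were reached, how many files carry the appended extension, and where ransom notes were dropped. The scoping script below is an added example, not code from the original article; it recognises the three ransom note file names mentioned on this page and treats any file whose original extension is followed by an unknown second extension as likely encrypted. The `.BB4-230-xxxx` extension is kept exactly as the page gives it (the xxxx part stands for the per-victim ID), the directory layout in `build_sample_tree` is constructed for the demonstration, and the function names are this example's own.

```python
"""Scope a suspected Buran-style encryption run on a directory tree.

Counts ransom notes and files that carry an appended, unknown extension,
grouped by extension and by affected directory, so a responder can see
how far the encryption spread before restoring from backup.
"""
import os
import tempfile
from collections import Counter

# Ransom note file names reported for this family (as written on the page).
RANSOM_NOTE_NAMES = {
    "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
    "ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
    "YOUR FILES ARE ENCRYPTED !!!.TXT",
}
_NOTE_NAMES_UPPER = {n.upper() for n in RANSOM_NOTE_NAMES}

# Ordinary user-data extensions; an unknown suffix appended after one of
# these is the tell-tale sign of the family's renaming behaviour.
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png",
                     ".txt", ".zip", ".db", ".mdb", ".csv"}


def classify_name(name):
    """Return ('note' | 'encrypted' | 'other', appended_extension_or_None)."""
    if name.upper() in _NOTE_NAMES_UPPER:
        return "note", None
    parts = name.split(".")
    if len(parts) >= 3:  # e.g. report.docx.BB4-230-xxxx
        original = "." + parts[-2].lower()
        appended = "." + parts[-1]
        if original in COMMON_EXTENSIONS and appended.lower() not in COMMON_EXTENSIONS:
            return "encrypted", appended
    return "other", None


def scope_encryption(root):
    """Walk `root` and summarise ransom notes and encrypted files."""
    notes, by_ext, by_dir = [], Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind, ext = classify_name(name)
            if kind == "note":
                notes.append(os.path.join(dirpath, name))
            elif kind == "encrypted":
                by_ext[ext] += 1
                by_dir[os.path.relpath(dirpath, root)] += 1
    dominant = by_ext.most_common(1)[0][0] if by_ext else None
    return {
        "ransom_notes": notes,
        "encrypted_by_extension": dict(by_ext),
        "affected_directories": dict(by_dir),
        "dominant_extension": dominant,
    }


def build_sample_tree(base):
    """Create a constructed directory layout for the demo (not real victim data)."""
    layout = {
        "Documents": ["report.docx.BB4-230-xxxx", "budget.xlsx.BB4-230-xxxx",
                      "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"],
        "Pictures": ["holiday.jpg.BB4-230-xxxx", "readme.txt"],
        "Downloads": ["setup.zip"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(base, folder, name), "w") as fh:
                fh.write("sample content\n")


def run_demo():
    """Build the sample tree in a temp directory and return the scoping summary."""
    base = tempfile.mkdtemp(prefix="buran-scope-")
    build_sample_tree(base)
    return scope_encryption(base)


if __name__ == "__main__":
    summary = run_demo()
    print("ransom notes:", len(summary["ransom_notes"]))
    print("encrypted by extension:", summary["encrypted_by_extension"])
    print("affected directories:", summary["affected_directories"])
```

On a real host, point `scope_encryption` at the user profile or a mounted image copy rather than the live system drive, and save the returned summary (the ransom note paths in particular) alongside the registry backup recommended in the June update, since a future decrypter will need those artefacts.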
BURAN Ransomware is a cryptovirus that encrypts your files and shows a window with instructions on your computer screen. The extortionists want you to pay a ransom for the alleged restoration of your files. The main engine could make entries in the Windows Registry to achieve persistence, and interfere with processes in Windows.
The BURAN Ransomware is a crypto virus programmed to encrypt user data. As soon as all modules have finished running in their prescribed order the lockscreen will launch an application frame which will prevent the users from interacting with their computers. It will display the ransomware note to the victims.
You should NOT under any circumstances pay any ransom sum. Your files may not get recovered, and nobody could give you a guarantee for that.
If your computer device was infected with this ransomware and your files are locked, read on through to find out how you could potentially restore your files back to normal.
Remove BURAN Ransomware
If your computer system got infected with the BURAN ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.
Step 1: Scan for BURAN Ransomware with SpyHunter Anti-Malware Tool
Step 2: Uninstall BURAN Ransomware and related malware from Windows
Here is a method in a few easy steps that should be able to uninstall most programs. No matter if you are using Windows 10, 8, 7, Vista or XP, those steps will get the job done. Dragging the program or its folder to the recycle bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, and that can lead to unstable operation of your PC, errors with the file type associations and other unpleasant activities. The proper way to get a program off your computer is to uninstall it. To do that:
Step 3: Clean any registries, created by BURAN Ransomware on your computer.
The usually targeted registries of Windows machines are the following:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
You can access them by opening the Windows registry editor and deleting any values, created by BURAN Ransomware there. This can happen by following the steps underneath:
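Rather than eyeballing the four Run/RunOnce keys in the registry editor, it is safer to export them first (which also preserves evidence) and audit the export offline. The script below is an added example and is not code from the original article or from any tool the page names: it parses the text of a `reg export` style .reg file, keeps only string values under the four keys listed above, and flags entries that launch from user-writable folders or that borrow a system process name while living outside the Windows directory. The user name, paths and value names in `SAMPLE_REG` are constructed for the demonstration; `parse_reg_export` and `audit_run_entries` are this example's own names.

```python
"""Audit exported Run/RunOnce registry keys for suspicious autostart entries.

Input is the text of a .reg export (Windows Registry Editor Version 5.00
format).  Only REG_SZ values under the autostart keys are considered.
"""
import re

RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
_RUN_KEYS_LOWER = {k.lower() for k in RUN_KEYS}

# Folders an ordinary user can write to; legitimate autostarts rarely live here.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Names that malware borrows from Windows to blend in.
SYSTEM_LOOKALIKES = {"svchost", "explorer", "csrss", "lsass", "winlogon", "services"}

# Constructed sample export (user name and paths are illustrative only).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\1.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape_reg_string(raw):
    """Undo .reg escaping: \\\\ becomes a single backslash and \\" becomes a quote."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return a list of (key, value_name, string_data) for REG_SZ values."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None:
            continue
        if line.startswith("@="):
            name, data = "(Default)", line[2:]
        else:
            m = _VALUE_RE.match(line)
            if not m:
                continue
            name, data = unescape_reg_string(m.group(1)), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            entries.append((key, name, unescape_reg_string(data[1:-1])))
        # hex:/dword: values are skipped; autostart commands are strings
    return entries


def executable_path(command):
    """Extract the program path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|bat|cmd|ps1|vbs|js|scr))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def audit_run_entries(entries):
    """Flag autostart values that look like malware persistence."""
    findings = []
    for key, name, command in entries:
        if key.lower() not in _RUN_KEYS_LOWER:
            continue
        path = executable_path(command)
        low = path.lower()
        base = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("launches from a user-writable directory")
        if (name.lower() in SYSTEM_LOOKALIKES or base in SYSTEM_LOOKALIKES) and "\\windows\\" not in low:
            reasons.append("system process name outside the Windows directory")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_run_entries(parse_reg_export(SAMPLE_REG)):
        print(finding["key"], finding["name"], finding["path"], finding["reasons"])
```

Export the keys with `reg export` to a file before deleting anything, run the audit on that file, and only then remove the flagged values; the export doubles as the record of what the machine looked like before cleanup.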
Before starting "Step 4", please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.
Step 4: Boot Your PC In Safe Mode to isolate and remove BURAN Ransomware
Step 5: Try to Restore Files Encrypted by BURAN Ransomware.
Method 1: Use STOP Decrypter by Emsisoft.
Not all variants of this ransomware can be decrypted for free, but we have added the decryptor used by researchers that is often updated with the variants which become eventually decrypted. You can try and decrypt your files using the instructions below, but if they do not work, then unfortunately your variant of the ransomware virus is not decryptable.
Follow the instructions below to use the Emsisoft decrypter and decrypt your files for free. You can download the Emsisoft decryption tool linked here and then follow the steps provided below:
1. Right-click on the decrypter and click on Run as Administrator as shown below:
2. Agree with the license terms:
3. Click on "Add Folder" and then add the folders where you want files decrypted as shown underneath:
4. Click on "Decrypt" and wait for your files to be decoded.
Note: Credit for the decryptor goes to Emsisoft researchers who have made the breakthrough with this virus.
Method 2: Use data recovery software
Ransomware infections and BURAN Ransomware aim to encrypt your files using an encryption algorithm which may be very difficult to decrypt. This is why we have suggested a data recovery method that may help you go around direct decryption and try to restore your files. Bear in mind that this method may not be 100% effective but may also help you a little or a lot in different situations.
Simply click on the link and on the website menus on the top, choose Data Recovery - Data Recovery Wizard for Windows or Mac (depending on your OS), and then download and run the tool.
BURAN Ransomware - FAQ
What is BURAN Ransomware?
BURAN Ransomware is a ransomware infection - malicious software that enters your computer silently and blocks either access to the computer itself or encrypts your files.
Many ransomware viruses use sophisticated encryption algorithms to make your files inaccessible. The goal of ransomware infections is to demand that you pay a ransom payment to get access to your files back.
What Does BURAN Ransomware Do?
Ransomware in general is a malicious software that is designed to block access to your computer or files until a ransom is paid.
Ransomware viruses can also damage your system, corrupt data and delete files, resulting in the permanent loss of important files.
How Does BURAN Ransomware Infect?
Via several ways. BURAN Ransomware infects computers by being sent via phishing emails containing a virus attachment. This attachment is usually masked as an important document, like an invoice, bank document or even a plane ticket, and it looks very convincing to users.
Another way you may become a victim of BURAN Ransomware is if you download a fake installer, crack or patch from a low reputation website or if you click on a virus link. Many users report getting a ransomware infection by downloading torrents.
How to Open .BURAN Ransomware files?
You can't without a decryptor. At this point, the .BURAN Ransomware files are encrypted. You can only open them once they are decrypted using a specific decryption key for the particular algorithm.
What to Do If a Decryptor Does Not Work?
Do not panic, and backup the files. If a decryptor did not decrypt your .BURAN Ransomware files successfully, then do not despair, because this virus is still new.
Can I Restore ".BURAN Ransomware" Files?
Yes, sometimes files can be restored. We have suggested several file recovery methods that could work if you want to restore .BURAN Ransomware files.
These methods are in no way 100% guaranteed that you will be able to get your files back. But if you have a backup, your chances of success are much greater.
How To Get Rid of BURAN Ransomware Virus?
The safest and most efficient way to remove this ransomware infection is to use a professional anti-malware program.
It will scan for and locate BURAN Ransomware ransomware and then remove it without causing any additional harm to your important .BURAN Ransomware files.
Can I Report Ransomware to Authorities?
In case your computer got infected with a ransomware infection, you can report it to the local Police departments. It can help authorities worldwide track and determine the perpetrators behind the virus that has infected your computer.
Below, we have prepared a list with government websites, where you can file a report in case you are a victim of a cybercrime:
Cyber-security authorities, responsible for handling ransomware attack reports in different regions all over the world:
Germany - Offizielles Portal der deutschen Polizei
United States - IC3 Internet Crime Complaint Centre
United Kingdom - Action Fraud Police
France - Ministère de l'Intérieur
Italy - Polizia Di Stato
Spain - Policía Nacional
Netherlands - Politie
Poland - Policja
Portugal - Polícia Judiciária
Greece - Cyber Crime Unit (Hellenic Police)
India - Mumbai Police - CyberCrime Investigation Cell
Australia - Australian High Tech Crime Center
Reports may be responded to in different timeframes, depending on your local authorities.
Can You Stop Ransomware from Encrypting Your Files?
Yes, you can prevent ransomware. The best way to do this is to ensure your computer system is updated with the latest security patches, use a reputable anti-malware program and firewall, backup your important files frequently, and avoid clicking on malicious links or downloading unknown files.
Can BURAN Ransomware Steal Your Data?
Yes, in most cases ransomware will steal your information. It is a form of malware that steals data from a user's computer, encrypts it, and then demands a ransom in order to decrypt it.
In many cases, the malware authors or attackers will threaten to delete the data or publish it online unless the ransom is paid.
Can Ransomware Infect WiFi?
Yes, ransomware can infect WiFi networks, as malicious actors can use it to gain control of the network, steal confidential data, and lock out users. If a ransomware attack is successful, it could lead to a loss of service and/or data, and in some cases, financial losses.
Should I Pay Ransomware?
No, you should not pay ransomware extortionists. Paying them only encourages criminals and does not guarantee that the files or data will be restored. The better approach is to have a secure backup of important data and be vigilant about security in the first place.
What Happens If I Don't Pay Ransom?
If you don't pay the ransom, the hackers may still have access to your computer, data, or files and may continue to threaten to expose or delete them, or even use them to commit cybercrimes. In some cases, they may even continue to demand additional ransom payments.
Can a Ransomware Attack Be Detected?
Yes, ransomware can be detected. Anti-malware software and other advanced security tools can detect ransomware and alert the user when it is present on a machine.
It is important to stay up-to-date on the latest security measures and to keep security software updated to ensure ransomware can be detected and prevented.
Do Ransomware Criminals Get Caught?
Yes, ransomware criminals do get caught. Law enforcement agencies, such as the FBI, Interpol and others have been successful in tracking down and prosecuting ransomware criminals in the US and other countries. As ransomware threats continue to increase, so does the enforcement activity.
About the BURAN Ransomware Research
The content we publish on SensorsTechForum.com, this BURAN Ransomware how-to removal guide included, is the outcome of extensive research, hard work and our team’s devotion to help you remove the specific malware and restore your encrypted files.
How did we conduct the research on this ransomware?
Our research is based on an independent investigation. We are in contact with independent security researchers, and as such, we receive daily updates on the latest malware and ransomware definitions.
Furthermore, the research behind the BURAN Ransomware ransomware threat is backed with VirusTotal and the NoMoreRansom project.
To better understand the ransomware threat, please refer to the following articles which provide knowledgeable details.
As a site that has been dedicated to providing free removal instructions for ransomware and malware since 2014, SensorsTechForum’s recommendation is to only pay attention to trustworthy sources.
How to recognize trustworthy sources:
- Always check "About Us" web page.
- Profile of the content creator.
- Make sure that real people are behind the site and not fake names and profiles.
- Verify Facebook, LinkedIn and Twitter personal profiles.