BURAN Ransomware — How to Remove It

BURAN Ransomware — How to Remove It

BURAN Ransomware virus remove

The BURAN ransomware is a dangerous new virus release which at the moment has not been analyzed in detail. A security researcher has reported that it is being distributed using common tactics. This can include the sending of phishing emails that impersonate well-known companies or services. The other approach is to craft malicious web pages that appear as legitimate and useful sites. They can carry dangerous files that can lead to an infection.

Such include the creation of malicious documents which can include all popular formats: presentations, text documents, spreadsheets and databases. The other carrier that is popular with hackers is the creation of application installers of software that is often downloaded and used by end users. They can alternatively be found via various file-sharing networks like BitTorrent. The BURAN ransomware can also infect victims via browser hijackers which are dangerous extensions made for the most popular applications. They are widely uploaded to the relevant repositories using fake user reviews and developer credentials.

In one of its most recent campaigns the BURAN ransomware is being distributed by the RIG Exploit KIT. This means that infections with it are to become much more common than other ransomware which are being distributed using other methods. In its latest iterations it intrudes onto other computers by exploiting weaknesses in Internet Explorer or other common web browsers. One of the popular vulnerabilities which are triggered in infections is being monitored in the CVE-2018-8174 advisory. This is a remote code execution exploit (RCE) which is found in the VBScript engine. It is during the runtime of many applications, including system ones, as well as document scripts (macros).

Threat Summary

NameBURAN Ransomware
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts files on your computer machine and demands a ransom to be paid to allegedly restore them.
SymptomsThe ransomware will blackmail the victims to pay them a decryption fee. Sensitive user data may be encrypted by the ransomware code.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by BURAN Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss BURAN Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

BURAN Ransomware — November 2019 New Ransom Note

A new release of the Buran ransomware has been discovered, this time assigning the .BB4-230-xxxx extension to the victim data. It is very likely that a new hacker collective has taken the original code and modified it to create this new version. Another possible source is an order on the underground market where customization options are readily available.

We presume that the criminals are going to implement the already known modules which may include system changes and the setup of the threat in a way which will make it very difficult to remove.

Like the previous versions the .BB4-230-xxxx Buran ransomware will encrypt user data in a similar way and append the necessary extension. To coerce the victims into paying the hackers a decryption fee a ransom note file called !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT.

BURAN Ransomware — November 2019 Update

In November 2019 a SPAM attack camapign has been found to target end users with the intention of carrying the Buran ransomware. The exact mechanism is the sending of IQY files in phishing email messages. They are designed to impersonate service documents or even personal messages that may be regarded as important and/or authentic. Some of the examples include the following:

  • User Messages — Short setence messages that may appear to be from a friend or acquintance can be sent to the recipients.
  • App Installers/Updates — The email messages may impersonate product notifications of popular applications. This is done by sending out emails that warn that the users need to install a new version of the product. The executable file will be linked or directly attached in the message.
  • Common Scams — The criminals behind the Buran ransomware can use different social engineering techniques to manipulate the victims into downloading and running the virus files.

In this particular campaign the files that lead to the infection are IQY which are opened by Microsoft Excel. They are Web Querty attachments which will start commands leading to the virus installation.
Many of the messages will include a short message reading the following:

Print document in attach

The email is designed to appear as a forwarded message from an acquaintance. As soon as the attached file is opened Microsoft Excel will be opened. The file format is not a standard worksheet as it contains macros and PowerShell commands. The victim users will be shown a prompt asking them to enable the operations. This will trigger the virus infection by retrieving the ransomware from a remote hacker-controlled server. In the current campaign the file bears the name 1.exe.

The Buran ransomware will start with its associated behavior pattern by running the intended components. The encryption engine will process and rename the victim files. A ransom note will be created in a file called !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT.

BURAN Ransomware — Massive Germany Malicious SPAM Campaign

A new security report reads that there is an ongoing phishing campaign that sends out SPAM messages in bulk attempting to infect the recipients. It is very possible that the criminals behind the ongoing attack are using an automated toolkit or a network of servers in order to reach the necessary volume of attacks. According to the available security reports the active campaign has probably started in September and amassed a larger size this month.

The current version of the Buran ransomware has an extensive list of active modules and features. This makes it an even more dangerous threat as they will be run when the infections have completed. Once again the RIG Exploit Kit by further configuring the messages by loaction. The hackers will impersonate the eFax brand which is one of the most popular online fax services.

The email messages will be translated to the languages of the respective recipients — the ready-made templates will be translated by the hackers or by using any ready-made software. The posted links in the emails will lead to hacker-controlled sites that contain dynamic PHP scripts with Microsoft Word documents. New domains have been generated which is important in order to bypass most of the firewalls and intrusion detection systems which may not update their blacklists in time.

Some of the available modules that will be launched include the following:

  • Persistent Installation — The malware engine can be installed in a way which will make it very hard to detect and remove the active infections. It can rename itself as a legitimate service, install itself as a system service and disable access to the recovery boot options.
  • System Reconfiguration — The Buran ransomware will disable operating system services and user-installed applications including Windows Error Recovery and Automatic Startup Repair.
  • Files Removal — The main engine will locate and remove sensitive data including Shadow Volume Copies.
  • Security Systems Bypass — The malware engine will locate and delete any anti-virus or virtual machine hosts that are installed on the compromised machines. This is done in order to protect the Buran ransomware from discovery and this may also work with all associated files: event logs, configuration files and preferences.
  • Windows Registry Values — The main Buran virus engine can be used to edit out existing strings that are found in the Windows Registry. This can include the creation of new ones that exist in the system, as well as editing of the ones that are used by the operating system and any other installed applications. The consequences of this action will include performance issues, data loss and unexpected errors.
  • Information Retrieval — The latest versions of the Buran ransomware also has the capability of retrieving important information about the system and the stored data by installed applications. This can include log files, stored cookies and bookmarks from web browsers and saved projects from productivity and office programs.

Custom markers and identity information can be applied to every individual hosts. Other components can also be run depending on local conditions.

BURAN Ransomware — Update October 2019

A new Buran ransomware has been detected as of the beginning of October 2019. The differences lies in the new ransomware messages which are placed in files called ALL YOUR FILES ARE ENCRYPTED !!!.TXT and bear a new hacker contact email. These virus samples have also been found to include a wide variety of complex modules that include rich functionality. As soon as the virus is deployed onto the given host it will create a process for itself and impersonate system functionality. By doing so it can also disable access to the recovery boot options which will prevent the users from entering into the recovery modes.

The BURAN ransomware will hide from the system by modifying the system certificates and impersonating system processes. This is done by suppressing the errors and failures during the boot-up process. In addition the main engine can hookup to numerous processes — both system and user applications. This means that processes can also be faked by the virus. These steps are done in order to make the initial intrusion to the target computers.

As soon as this is done an information harvesting module will be started. It is configured to extract a variety of data including the following:

  • Kernel Debugger Information
  • Internet Explorer Security Settings
  • System Data
  • Active Computer Name
  • Cryptographic Machine ID
  • External IP Address

The contaminated hosts will be checked if they are live by constantly pinging them from the hacker-controlled servers and other hacked hosts. To make the virus infection more dangerous the main engine can delete certain types of files: system volume copies, backups, restore points and valuable user data. This means that victims of the BURAN ransomware will need to use a professional-grade data recovery software along with the anti-spyware utility to recover their files.

The BURAN ransomware can also harvest any stored credentials in memory or in the configuration files ,specifically looking for remote desktop keys. They are used when the usesr have set up the Remote Desktop feature. When this is enabled these keys will be placed in the system. When the service is enabled and the hackers have access to them they will be able to login to the computers using the operating system. This allows them to control the system through this thereby removing the need to deploy a dedicated Trojan.

Changes will also be made to the Windows Registry which includes the creation of new ones that are attributed to the virus and the modification of already existing ones. This can lead to various dangerous effects such as data loss, performance issues and the inability to start certain functions.

From there on the usual ransomware process will continue.

BURAN Ransomware — Update September 2019

A new wave of attacks carrying the Buran ransomware have been spotted in a recent attack campaign. The security analysis reveals that the method of distribution which is chosen by the hackers is a massive phishing email-based spam attack. The criminals have designed the messages to bear the logo and design of a legitimate service — eFax. The emails that are sent to the victims are designed as delivery notifications and the users are urged into opening up the attached documents. They are usually text documents that are designed to appear as safe and legitimate. As soon as they are opened a prompt will appear asking the victims to enable the built-in scripts. If this is done the virus infection will follow.

Once the infection is launched a series of actions will be started. They are executed according to the built-in instructions or the specific hacker code. One of the captured samples has been found to execute the following pattern:

  • Windows Registry Changes — The main engine can be used to commit changes to the Windows Registry. This can result in the inability to run certain functions, data loss and unexpected errors. If changes to existing strings are made then the users may not be able to run programs in their prescribed manner.
  • Boot Options Changes — The Buran ransomware can edit the boot options which can install the virus as a persistent threat. This means that the virus will be automatically started and the victims will have no way of accessing the recovery options.
  • Sensitive Data Removal — The captured samples have been found to locate and delete sensitive user files such as backups, shadow volue copies and archives.
  • Network Propagation — The Buran ransomware can ping other hosts located on the same network or the Internet. This is particularly useful when a Trojan client is carried alongside the ransomware. It can choose an online hacker-controlled server that can be reached. Through it the criminals can take over control of the associated hosts, steal their data and lead to other infections.
  • Application Hookup and Proces Manipulation — They can be used to kill running apps and control what they are doing.

UPDATE JUNE 6, 2019. It’s now known that Buran ransomware is

currently being dropped by RIG exploit kit. A security researcher known as nao_sec was the first to notice a malvertising campaign redirecting users to the RIG EK which then drops the Buran ransomware on infected systems. There is still no decrypter for Buran but such may be released in the near future. To be prepared for a possible encryption, victims of the ransomware are advised to make a backup of the HKEY_CURRENT_USER\Software\Buran Registry key, their ransom note, and they encrypted files. These are needed for a possible decryption.

BURAN Ransomware – What Does It Do?

As soon as the virus is deployed onto a given host the main engine will start the relevant components. The sequence and exact commands can be determined by certain local conditions or by the hackers in general via the attack parameters. The initial deployment can include boot changes that will manipulate the system into starting the BURAN ransomware when the computer boots. This may also block access to the recovery options.

The main engine can also be used to hijack data that can be spread into two main types:

  • Personal Information — It can expose the identity of the victims by looking out for such strings. This information can be used for various criminal purposes including blackmail and financial abuse.
  • Machine Information — The engine is capable of extracting data that can be used to construct an unique ID that is associated with each affected machine.

This information can be used to bypass installed security applications that are detected in memory and deployed on the hard drive. Further malicious actions can be done by creating or editing values found within the Windows Registry. The results of such actions may lead to severe performance issues, loss of data and various unexpected errors.

When all modules have finished running the actual encryption will be started. By using a built-in list of target file type extensions the BURAN ransomware will affect as many accessible data as possible. As a result a random extension which is based on the generated unique ID. The associate ransom extension is created in a file called YOUR FILES ARE ENCRYPTED !!!.TXT.

BURAN Ransomware could spread its infection in various ways. A payload dropper which initiates the malicious script for this ransomware is being spread around the Internet. BURAN Ransomware might also distribute its payload file on social media and file-sharing services. Freeware which is found on the Web can be presented as helpful also be hiding the malicious script for the cryptovirus. Read the tips for ransomware prevention from our forum.

BURAN Ransomware is a cryptovirus that encrypts your files and shows a window with instructions on your computer screen. The extortionists want you to pay a ransom for the alleged restoration of your files. The main engine could make entries in the Windows Registry to achieve persistence, and interfere with processes in Windows.

The BURAN Ransomware is a crypto virus programmed to encrypt user data. As soon as all modules have finished running in their prescribed order the lockscreen will launch an application frame which will prevent the users from interacting with their computers. It will display the ransomware note to the victims.

You should NOT under any circumstances pay any ransom sum. Your files may not get recovered, and nobody could give you a guarantee for that.

If your computer device was infected with this ransomware and your files are locked, read on through to find out how you could potentially restore your files back to normal.

Remove BURAN Ransomware

If your computer system got infected with the BURAN Files ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share