Beware: RIG Exploit Kit Currently Dropping Buran Ransomware

The well-known RIG exploit kit is currently distributing the Buran ransomware, which is a version of Vega (VegaLocker) ransomware. A security researcher known as nao_sec was the first to notice a malvertising campaign redirecting users to the RIG EK which then drops the Buran ransomware on infected systems.

The RIG exploit kit has been known to exploit various vulnerabilities in its associated malware campaigns. Currently, the malicious campaign is attempting to exploit vulnerabilities via Internet Explorer. If successful, a series of commands would download the ransomware and then execute it.

Being a new variant of VegaLocker ransomware, Buran ransomware uses a similar encryption process.

NOTE: There is still no decrypter for Buran, but one may be released in the near future. To be prepared for a possible decryption, victims of the ransomware are advised to make a backup of the HKEY_CURRENT_USER\Software\Buran Registry key, their ransom note, and their encrypted files. These are needed for a possible decryption.

What Is Known about Buran Ransomware?

Let’s have a look at its encryption process. Once activated on a victim’s system, the ransomware would copy itself to %APPDATA%\microsoft\windows\ctfmon.exe and launch it from that location. According to nao_sec’s investigation, the ransomware doesn’t delete shadow volume copies nor does it disable the Windows automatic startup repair. Instead, it is set to initiate the encryption straightaway.

Buran ransomware also skips certain files according to their extensions, folders and file names. Here’s a list of the extensions it skips: .cmd, .com, .cpl, .dll, .msc, .msp, .pif, .scr, .sys, .log, .exe, .buran.

It is also important to note that the cryptovirus is designed to append the victim’s unique ID as an extension to the encrypted file.
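The two host-level traits described above (a copy of ctfmon.exe launched from %APPDATA%\microsoft\windows, and encrypted files carrying the victim's ID as an appended extension, with the listed extensions left untouched) are the kind of detail a defender turns into a triage check. The following script is an added example, not code from the article or from nao_sec's analysis: the process-creation log lines and the victim ID "7F3A-99B1" are constructed, the function names are hypothetical, and it assumes the legitimate ctfmon.exe lives at C:\Windows\System32\ctfmon.exe and that %APPDATA% expands to a path ending in AppData\Roaming.

```python
import re
from pathlib import PureWindowsPath

# Tail of the drop location the article names: %APPDATA%\microsoft\windows\ctfmon.exe
# (assumption: %APPDATA% expands to ...\AppData\Roaming, so we compare the last five parts).
BURAN_DROP_TAIL = ("appdata", "roaming", "microsoft", "windows", "ctfmon.exe")
# Assumption: the genuine ctfmon.exe ships in the Windows system directory.
LEGIT_CTFMON = PureWindowsPath(r"C:\Windows\System32\ctfmon.exe")

REASON_DROP_PATH = "ctfmon.exe at the Buran drop location under %APPDATA%"
REASON_WRONG_DIR = "ctfmon.exe running outside the Windows system directory"

# Extensions the article says Buran skips.
SKIPPED_EXTENSIONS = {".cmd", ".com", ".cpl", ".dll", ".msc", ".msp", ".pif",
                      ".scr", ".sys", ".log", ".exe", ".buran"}


def check_ctfmon(image_path: str):
    """Return a reason string if image_path is a ctfmon.exe we would not expect, else None."""
    p = PureWindowsPath(image_path)
    if p.name.lower() != "ctfmon.exe":
        return None
    tail = tuple(part.lower() for part in p.parts[-5:])
    if tail == BURAN_DROP_TAIL:
        return REASON_DROP_PATH
    if p != LEGIT_CTFMON:  # PureWindowsPath compares case-insensitively
        return REASON_WRONG_DIR
    return None


# Constructed process-creation events in a simple key="value" layout (hypothetical format).
SAMPLE_PROCESS_LOG = [
    r'ts=2019-06-11T10:21:58Z pid=1204 image="C:\Windows\System32\ctfmon.exe" parent=explorer.exe',
    r'ts=2019-06-11T10:22:01Z pid=4412 image="C:\Users\alice\AppData\Roaming\microsoft\windows\ctfmon.exe" parent=cmd.exe',
    r'ts=2019-06-11T10:22:03Z pid=4420 image="C:\Tools\ctfmon.exe" parent=cmd.exe',
    r'ts=2019-06-11T10:22:05Z pid=4431 image="C:\Windows\System32\notepad.exe" parent=explorer.exe',
]
IMAGE_FIELD = re.compile(r'image="(?P<image>[^"]+)"')


def scan_process_log(lines):
    """Return [(image path, reason)] for every line whose image path trips check_ctfmon."""
    hits = []
    for line in lines:
        m = IMAGE_FIELD.search(line)
        if not m:
            continue
        reason = check_ctfmon(m.group("image"))
        if reason:
            hits.append((m.group("image"), reason))
    return hits


def classify_file(name: str, victim_id: str) -> str:
    """Classify a file name against Buran's naming behaviour.

    'encrypted' if the victim ID is appended as the final extension,
    'skipped' if the file's extension is one Buran leaves alone,
    'candidate' otherwise (a file the ransomware would target).
    """
    if name.lower().endswith("." + victim_id.lower()):
        return "encrypted"
    ext = PureWindowsPath(name).suffix.lower()
    return "skipped" if ext in SKIPPED_EXTENSIONS else "candidate"


if __name__ == "__main__":
    for path, reason in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"ALERT {reason}: {path}")
    for fname in ("quarterly.xlsx.7F3A-99B1", "setup.exe", "backup.buran", "notes.txt"):
        print(f"{fname} -> {classify_file(fname, '7F3A-99B1')}")
```

The path check matches the drop location first and only then falls back to "any ctfmon.exe not in System32", so the alert tells the analyst which of the two conditions fired. The file classifier is deliberately conservative: it only reports "encrypted" when the exact victim ID (taken from the ransom note or the registry key the note above says to back up) appears as the trailing extension.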


In 2018, the RIG exploit kit was dropping a cryptocurrency miner as the final payload of a specific malicious campaign. According to Trend Micro, Rig operators added a particular vulnerability to their exploit arsenal – CVE-2018-8174, a remote code execution flaw.

The vulnerability affected systems running Windows 7 and later, and it was triggered through Internet Explorer and Microsoft Office documents that use the vulnerable script engine. Curiously, the current RIG campaign also leverages Internet Explorer in its vulnerability arsenal.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
