The well-known RIG exploit kit is currently distributing the Buran ransomware, which is a version of Vega (VegaLocker) ransomware. A security researcher known as nao_sec was the first to notice a malvertising campaign redirecting users to the RIG EK which then drops the Buran ransomware on infected systems.
The RIG exploit kit has been known to exploit various vulnerabilities in its associated malware campaigns. Currently, the malicious campaign is attempting to exploit vulnerabilities via Internet Explorer. If successful, a series of commands would download the ransomware and then execute it.
Being a new variant of VegaLocker ransomware, Buran ransomware uses a similar encryption process.
NOTE: There is still no decrypter for Buran, but one may be released in the near future. To be prepared for a possible decryption, victims of the ransomware are advised to back up the HKEY_CURRENT_USER\Software\Buran Registry key, their ransom note, and their encrypted files. These are needed for a possible decryption.
What Is Known about Buran Ransomware?
Let’s have a look at its encryption process. Once activated on a victim’s system, the ransomware would copy itself to %APPDATA%\microsoft\windows\ctfmon.exe and launch it from that location. According to nao_sec’s investigation, the ransomware doesn’t delete shadow volume copies nor does it disable the Windows automatic startup repair. Instead, it is set to initiate the encryption straightaway.
Buran ransomware also skips certain files according to their extensions, folders and file names. Here’s a list of the extensions it skips: .cmd, .com, .cpl, .dll, .msc, .msp, .pif, .scr, .sys, .log, .exe, .buran.
It is also important to note that the cryptovirus is designed to append the victim’s unique ID as an extension to the encrypted file.
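The behaviour described in the last three paragraphs (the copy to `%APPDATA%\microsoft\windows\ctfmon.exe` and the extension skip list) gives a defender two concrete checks. The following is an added example, not code from the original article or from nao_sec: a small Python triage helper that flags a `ctfmon.exe` running from anywhere other than the Windows system directories, and that partitions a file listing into the extensions the article says Buran skips versus the rest, so an incident responder can scope what was likely affected. The sample process events and file names are constructed; the set of legitimate `ctfmon.exe` directories is an assumption for a default install and should be adjusted to your own estate.

```python
"""Triage helpers derived from the Buran behaviour described in the article.
Added example; the sample events below are constructed, not real telemetry."""
import ntpath

# Extensions the article lists as skipped by Buran (lower-case, with dot).
BURAN_SKIPPED_EXTENSIONS = {
    ".cmd", ".com", ".cpl", ".dll", ".msc", ".msp",
    ".pif", ".scr", ".sys", ".log", ".exe", ".buran",
}

# Where Microsoft's ctfmon.exe legitimately lives on a default Windows install.
# Assumption made by this example; extend it if your build differs.
LEGIT_CTFMON_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_rogue_ctfmon(image_path: str) -> bool:
    """True when a process named ctfmon.exe runs from outside the system
    directories, e.g. the %APPDATA%\\microsoft\\windows drop path the
    article describes. Paths are normalised and compared case-insensitively."""
    norm = ntpath.normpath(image_path).lower()
    directory, name = ntpath.split(norm)
    return name == "ctfmon.exe" and directory not in LEGIT_CTFMON_DIRS


def buran_would_skip(file_name: str) -> bool:
    """True if the file's extension is on the skip list quoted in the article."""
    ext = ntpath.splitext(file_name)[1].lower()
    return ext in BURAN_SKIPPED_EXTENSIONS


def triage_process_events(events):
    """Return the process-creation records whose image is a rogue ctfmon.exe."""
    return [e for e in events if is_rogue_ctfmon(e["Image"])]


def partition_listing(file_names):
    """Split a directory listing into (likely targeted, skipped by extension)."""
    targeted = [f for f in file_names if not buran_would_skip(f)]
    skipped = [f for f in file_names if buran_would_skip(f)]
    return targeted, skipped


# Constructed Sysmon-style process-creation records (not from a real incident).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\ctfmon.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1,
     "Image": r"C:\Users\alice\AppData\Roaming\microsoft\windows\ctfmon.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Constructed file listing from a hypothetical user profile.
SAMPLE_LISTING = ["report.docx", "photo.jpg", "app.exe",
                  "notes.log", "driver.sys", "invoice.pdf"]

if __name__ == "__main__":
    for hit in triage_process_events(SAMPLE_EVENTS):
        print("rogue ctfmon.exe:", hit["Image"], "parent:", hit["ParentImage"])
    targeted, skipped = partition_listing(SAMPLE_LISTING)
    print("likely targeted:", targeted)
    print("skipped by extension:", skipped)
```

The process check deliberately keys on the binary name plus its directory rather than on a hash, because the article gives no hash and the drop location is the stable indicator it does describe; feed it real Sysmon Event ID 1 records by mapping their `Image` field into the same shape.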
In 2018, the RIG exploit kit was dropping a cryptocurrency miner as the final payload of a specific malicious campaign. According to Trend Micro, RIG operators added a particular vulnerability to their exploit arsenal – CVE-2018-8174, a remote code execution flaw.
The vulnerability affected systems running Windows 7 and later, and it could be triggered through Internet Explorer or through Microsoft Office documents that invoke the vulnerable script engine. Curiously, the current RIG campaign is also leveraging Internet Explorer as its exploitation vector.