The well-known RIG exploit kit is currently distributing the Buran ransomware, which is a version of Vega (VegaLocker) ransomware. A security researcher known as nao_sec was the first to notice a malvertising campaign redirecting users to the RIG EK which then drops the Buran ransomware on infected systems.
The RIG exploit kit has been known to exploit various vulnerabilities in its associated malware campaigns. Currently, the malicious campaign is attempting to exploit vulnerabilities via Internet Explorer. If successful, a series of commands would download the ransomware and then execute it.
Being a new variant of VegaLocker ransomware, [wplinkpreview url=”https://sensorstechforum.com/buran-ransomware-remove/”] Buran ransomware uses a similar encryption process.
NOTE. There is still no decrypter for Buran but such may be released in the near future. To be prepared for a possible encryption, victims of the ransomware are advised to make a backup of the HKEY_CURRENT_USER\Software\Buran Registry key, their ransom note, and they encrypted files. These are needed for a possible decryption.
What Is Known about Buran Ransomware?
Let’s have a look at its encryption process. Once activated on a victim’s system, the ransomware would copy itself to %APPDATA%\microsoft\windows\ctfmon.exe and launch it from that location. According to nao_sec’s investigation, the ransomware doesn’t delete shadow volume copies nor does it disable the Windows automatic startup repair. Instead, it is set to initiate the encryption straightaway.
Buran ransomware also skips certain files according to their extensions, folders and file names. Here’s a list of the extensions it skips: .cmd, .com, .cpl, .dll, .msc, .msp, .pif, .scr, .sys, .log, .exe, .buran.
It is also important to note that the cryptovirus is designed to append the victim’s unique ID as an extension to the encrypted file.
In 2018, the RIG exploit kit was dropping a cryptocurrency miner as the final payload of a specific malicious campaign. According to Trend Micro, Rig operators added a particular vulnerability to their exploit arsenal – CVE-2018-8174, a remote code execution flaw.
The vulnerability affected systems running Windows 7 and later, and it used Internet Explorer and Microsoft Office documents using the vulnerable script engine. Curiously, the current campaign of RIG is also leveraging Internet Explorer for its vulnerability arsenal.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: