New Ransomware-as-a-Service Offered at Deep Discount: Report
McAfee: Creators of 'Buran' Ask for Smaller Percentage of Ransoms Collected
A new ransomware-as-a-service offering dubbed "Buran," which infects Windows systems by exploiting a known vulnerability, is being offered to affiliates at a deep discount to help the malware spread faster, according to McAfee researchers.
Buran, which has been active since at least May, has evolved from an older strain of ransomware called VegaLocker, according to a new report from McAfee researchers Alexandre Mundo and Marc Rivero Lopez.
The unidentified gang behind Buran has been spreading their ransomware-as-a-service model through Russian criminal forums, offering such features as offline crypto-locking capabilities, flexible functionality and 24/7 customer support, the researchers note.
The biggest differentiator for Buran, however, is the price, the researchers say.
While Buran's file encryption function operates in a similar manner to other ransomware, such as REvil and GandCrab, the McAfee researchers note that the creators of Buran demand only a 25 percent share of ransoms collected. This is a significant discount from the 30 percent to 40 percent typically demanded by other ransomware-as-a-service developers, the researchers note.
Those behind Buran "are willing to negotiate that rate with anyone who can guarantee an impressive level of infection," the McAfee researchers note. "They announced in their ads that all the affiliates will have a personal arrangement with them."
Although the McAfee researchers don't identify who's likely behind Buran, a separate report by the security firm Bromium notes that its research points to a user going by the handle "buransupport," who has been active in online criminal forums since at least Sept. 4.
Exploiting Known Vulnerability
According to the McAfee researchers, Buran infects a vulnerable system by exploiting CVE-2018-8174, a remote code execution vulnerability in the Windows VBScript engine that Microsoft patched in May 2018. Systems that have applied that patch are not exposed to this infection vector.
While the Buran authors claim that their ransomware works with all versions of Windows, the samples that the McAfee researchers examined were incompatible with certain older versions of the operating system, such as Windows XP.
The McAfee researchers uncovered two versions of the malware, both written in the Delphi programming language. Delphi is uncommon in malware and complicates reverse engineering, which the researchers say helps the ransomware evade some anti-virus detection.
If the malware determines that the device is located in the Russian Federation, Belarus or Ukraine, it aborts the attack without encrypting any files, the researchers determined.
Once it runs, Buran drops a ransom note on the victim's machine. The note carries a unique identifier for that infection, which the malware developers use to track infected victims and to deliver the decryptor once the ransom is paid, according to the researchers.
Buran's encryption process is slower than that of other ransomware-as-a-service offerings, the researchers report. They note, however, that the developers have claimed in underground forums that they are working to improve its features.
"We observed new versions of Buran with just a few months between them in terms of development, so we expect more variants from the authors in the future and, perhaps, more brand name changes if the security industry puts too much focus on them," the researchers note.
RaaS on the Rise
Ransomware-as-a-service has become more widely used in recent years as cybercriminals look for new and less expensive ways to target victims. The poster child for this model was GandCrab, which helped popularize it, researchers say.
After the creators of GandCrab retired the malware in May, REvil, also known as Sodinokibi, became prominent (see: Ransomware: As GandCrab Retires, Sodinokibi Rises).
In an earlier report, McAfee researchers found that, on average, Sodinokibi generates about 0.45 bitcoin - about $4,000 at the time - when victims pay up (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).
McAfee says it has counted at least 41 active Sodinokibi affiliates, each keeping 60 percent of every ransom payment, with the remaining 40 percent going to the developers.