Buran Ransomware; the Evolution of VegaLocker
McAfee’s Advanced Threat Research Team observed how a new ransomware family named ‘Buran’ appeared in May 2019. Buran works as a RaaS model like other ransomware families such as REVil, GandCrab (now defunct), Phobos, etc. The author(s) take 25% of the income earned by affiliates, instead of the 30% – 40%, numbers from notorious malware families like GandCrab, and they are willing to negotiate that rate with anyone who can guarantee an impressive level of infection with Buran. They announced in their ads that all the affiliates will have a personal arrangement with them.
For this analysis we present, we will focus on one of the Buran hashes:
We will highlight the most important observations when researching the malware and will share protection rules for the endpoint, IOCs and a YARA rule to detect this malware.
Buran Ransomware Advertisement
This ransomware was announced in a well-known Russian forum with the following message:
|Buran is a stable offline cryptoclocker, with flexible functionality and support 24/7.
Reliable cryptographic algorithm using global and session keys + random file keys;
The completion of some processes to free open files (optional, negotiated);
They are negotiated individually for each advert depending on volumes and material.
Start earning with us!
The announcement says that Buran is compatible with all versions of the Windows OS’s (but during our analysis we found how, in old systems like Windows XP, the analyzed version did not work) and Windows Server and, also, that they will not infect any region inside the CIS segment. Note: The CIS segment belongs to ten former Soviet Republics: Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.
Rig Exploit Kit as an Entry Vector
Based upon the investigation we performed, as well as research by “nao_sec” highlighted in June 2019, we discovered how Buran ransomware was delivered through the Rig Exploit Kit. It is important to note how the Rig Exploit Kit is the preferred EK used to deliver the latest ransomware campaigns.
FIGURE 1. EXPLOIT KIT
The Rig Exploit Kit was using CVE-2018-8174 (Microsoft Internet Explorer VBScript Engine, Arbitrary Code Execution) to exploit in the client-side. After successful exploitation this vulnerability will deliver Buran ransomware in the system.
The main packer and the malware were written in Delphi to make analysis of the sample more complicated. The malware sample is a 32-bit binary.
FIGURE 2. BURAN STATIC INFORMATION
In our analysis we detected two different versions of Buran, the second with improvements compared to the first one released.
FIGURE 3. BURAN STATIC INFORMATION
The goal of the packer is to decrypt the malware making a RunPE technique to run it from memory. To obtain a cleaner version of the sample we proceed to dump the malware from the memory, obtaining an unpacked version.
Checking locales has become quite popular in RaaS ransomware as authors want to ensure they do not encrypt data in certain countries. Normally we would expect to see more former CIS countries but, in this case, only three are verified.
FIGURE 4. GETTING THE COUNTRY OF THE VICTIM SYSTEM
This function gets the system country and compares it with 3 possible results:
- 0x7 -> RUSSIAN FEDERATION
- 0x177 -> BELARUS
- 0x17C -> UKRAINE
It is important to note here that the advertising of the malware in the forums said it does not affect CIS countries but, with there being 10 nations in the region, that is obviously not entirely accurate.
If the system is determined to be in the Russian Federation, Belarus or Ukraine the malware will finish with an “ExitProcess”.
The next action is to calculate a hash based on its own path and name in the machine. With the hash value of 32-bits it will make a concat with the extension “.buran”. Immediately after, it will create this file in the temp folder of the victim machine. Importantly, if the malware cannot create or write the file in the TEMP folder it will finish the execution; the check will be done extracting the date of the file.
FIGURE 5. BURAN CHECKS IN THE TEMP FOLDER
If the file exists after the check performed by the malware, the temporary file will be erased through the API “DeleteFileW”.
FIGURE 6. CHECK WHETHER A TEMP FILE CAN BE CREATED
This function can be used as a kill switch to avoid infection by Buran.
Buran ransomware could accept special arguments in execution. If it is executed without any special argument, it will create a copy of Buran with the name “ctfmon.exe” in the Microsoft APPDATA folder and will launch it using ShellExecute, with the verb as “runas”. This verb is not in the official Microsoft SDK but, if we follow the MSDN documentation to learn how it works, we can deduce that the program will ignore its own manifest and prompt the UAC to the user if the protection is enabled.
This behavior could change depending on the compilation options chosen by the authors and delivered to the affiliates.
According to the documentation, the function “CreateProcess” checks the manifest, however in Buran, this is avoided due to that function:
FIGURE 7. LAUNCH OF THE NEW INSTANCE OF ITSELF
Buran in execution will create a registry key in the Run subkey section pointing to the new instance of the ransomware with a suffix of ‘*’. The meaning of this value is that Buran will run in safe mode too:
FIGURE 8. PERSISTENCE IN THE RUN SUBKEY IN THE REGISTRY
The writing operation in the registry is done using the “reg” utility, using a one-liner and concatenating different options with the “&” symbol. This method through “reg.exe” avoids a breakpoint in the main binary.
FIGURE 9. WRITE OF PERSISTENCE IN THE REGISTRY
Buran implements this technique with the objective of making analysis of the sample complicated for malware analysts looking at reverse engineering profiles. After these operations, the old instance of the ransomware will die using “Exit Process”.
Analysis of the Delphi code show that the 2nd version of Buran will identify the victim using random values.
FIGURE 10. GENERATE RANDOM VALUES
After that it will decrypt a registry subkey called “Software\Buran\Knock” in the HKEY_CURRENT_USER hive. For the mentioned key it will check the actual data of it and, if the key does not exist, it will add the value 0x29A (666) to it. Interestingly, we discovered that GandCrab used the same value to generate the ransom id of the victim. If the value and subkey exists the malware will continue in the normal flow; if not, it will decrypt a URL ,“iplogger.ru”, and make a connection to this domain using a special user agent:
FIGURE 11. SPECIAL USER AGENT BURAN
As mentioned, the referrer will be the victim identifier infected with Buran.
The result of this operation is the writing of the subkey previously checked with the value 0x29A, to avoid repeating the same operation.
After this action the malware will enumerate all network shares with the functions :
This call is made in a recursive way, to get and save all discovered shared networks in a list. This process is necessary if Buran wants to encrypt all the network shares as an addition to the logical drives. Buran will avoid enumerating optical drives and other non-mounted volumes. The result of those operations will be saved for Buran to use later in the encryption process.
The ransom note is crypted inside the binary and will be dumped in execution to the victim’s machine. Inside this ransom note, the user will find their victim identifier extracted with the random Delphi function mentioned earlier. This identification is necessary to track their infected users to affiliates to deliver the decryptor after the payment is made.
In the analysis of Buran, we found how this ransomware blacklists certain files and folders. This is usually a mechanism to ensure that the ransomware does not break its functionality or performance.
Blacklisted folders in Buran:
Blacklisted files in Buran:
The encryption process will start with special folders in the system like the Desktop folder. Buran can use threads to encrypt files and during the process will encrypt the drive letters and folders grabbed before in the recognition process.
The ransom note will be written to disk with the name “!!! YOUR FILES ARE ENCRYPTED !!!” with the following content:
FIGURE 12. AN EXAMPLE RANSOM NOTE
Each file crypted is renamed to the same name as before but with the new extension of the random values too.
For example: “rsa.bin.4C516831-800A-6ED2-260F-2EAEDC4A8C45”.
All the files encrypted by Buran will contain a specific filemarker:
FIGURE 13. CRYPTED FILE
In terms of encryption performance, we found Buran slower compared to other RaaS families. According to the authors’ advertisement in the underground forums, they are continually improving their piece of ransomware.
Buran Version 1 vs Buran Version 2
In our research we identified two different versions of Buran. The main differences between them are:
Shadow copies delete process:
In the 2nd version of Buran one of the main things added is the deletion of the shadow copies using WMI.
Backup catalog deletion:
Another feature added in the new version is the backup catalog deletion. It is possible to use the Catalog Recovery Wizard to recover a local backup catalog.
System state backup deletion:
In the same line of system destruction, we observed how Buran deletes in execution the system state backup in the system:
Ping used as a sleep method:
As a poor anti-evasion technique, Buran will use ping through a ‘for loop’ in order to ensure the file deletion system.
The ransom note changed between versions:
VegaLocker, Jumper and Now Buran Ransomware
Despite the file marker used, based on the behavior, TTPs and artifacts in the system we could identify that Buran is an evolution of the Jumper ransomware. VegaLocker is the origin for this malware family.
Malware authors evolve their malware code to improve it and make it more professional. Trying to be stealthy to confuse security researchers and AV companies could be one reason for changing its name between revisions.
This is the timeline of this malware family:
Similarities in Behavior:
Files stored in the temp folder:
In one of the variants (Jumper) it is possible to spot some samples using both extensions:
Shadow copies, backup catalog and systembackup:
In the analyzed samples we saw how VegaLocker used the same methods to delete the shadow copies, backup catalog and the systembackup.
Indicators of Compromise
The sample uses the following MITRE ATT&CK techniques:
- Disabling Security Tools
- Email Collection
- File and Directory Discovery
- File Deletion
- Kernel Modules and Extensions
- Modify Registry
- Network Service Scanning
- Peripheral Device Discovery
- Process Injection
- Query Registry
- Registry Run Keys / Start Folder
- Remote Desktop Protocol
- Remote System Discovery
- Service Execution
- System Time Discovery
- Windows Management Instrumentation
We created a YARA rule to detect Buran ransomware samples and the rule is available in our GitHub repository
Buran represents an evolution of a well-known player in the ransomware landscape. VegaLocker had a history of infections in companies and end-users and the malware developers behind it are still working on new features, as well as new brands, as they continue to generate profits from those actions. We observed new versions of Buran with just a few months between them in terms of development, so we expect more variants from the authors in the future and, perhaps, more brand name changes if the security industry puts too much focus on them. We are observing an increase in ransomware families in 2019, as well as old players in the market releasing new versions based on their own creations.
For the binaries, all of them appeared with a custom packer and already came with interesting features to avoid detection or to ensure the user must pay due to the difficulty of retrieving the files. It mimics some features from the big players and we expect the inclusion of more features in future developments.
Buran is slower than other ransomware families we observed, and samples are coded in Delphi which makes reverse engineering difficult.