New Buran ransomware-as-a-service tempts criminals with discount licenses

A new RaaS offering is attempting to undercut competitors to become established in the lucrative criminal space.
Written by Charlie Osborne, Contributing Writer

The VegaLocker malware strain has provided the base for Buran, a new ransomware-as-a-service (RaaS) offering that is taking on competitors through discounted rates.

According to McAfee researchers Alexandre Mundo and Marc Rivero Lopez, Buran was first detected in May 2019 and has now joined the ranks of other RaaS offerings including REvil and Phobos.

First announced on a Russian forum, Buran operators appear to be focusing on establishing personal relationships with criminal customers. 

In total, 25 percent of illicit earnings made through successful infections are taken by the authors -- a substantial discount on the 30 to 40 percent usually required by RaaS operators. 

The rate, too, can be negotiated "with anyone who can guarantee an impressive level of infection with Buran," the researchers say. 

The advert describes Buran as a stable strain of malware that offers an offline cryptolocker, 24/7 support, global and session keys, and no third-party dependencies such as libraries.

The malware is also able to scan local drives and network paths, and contains optional features including encrypting files without changing their extensions, removing recovery points, clearing logs, deleting the backup catalog, and self-deletion.
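A defender-side sketch of how the recovery-inhibition behaviours listed above can be flagged in process-creation logs. This is an added example, not code from McAfee's report or the original article; the command-line patterns are the standard Windows utilities for these actions (an assumption, since the article does not name the commands Buran runs), and the host names and events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed patterns: standard Windows utilities for the actions the article lists.
# The article does not say which commands Buran itself runs.
RULES = {
    "recovery_points_removed": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "backup_catalog_deleted": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "event_logs_cleared": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}
WINDOW = timedelta(minutes=5)  # behaviours must cluster this tightly to alert

# Constructed process-creation events: (timestamp, host, command line)
SAMPLE_EVENTS = [
    ("2019-11-12T10:00:05", "WS-01", "vssadmin.exe delete shadows /all /quiet"),
    ("2019-11-12T10:00:09", "WS-01", "wbadmin delete catalog -quiet"),
    ("2019-11-12T10:00:14", "WS-01", "wevtutil cl System"),
    ("2019-11-12T09:00:00", "SRV-02", "vssadmin list shadows"),      # benign query
    ("2019-11-12T09:30:00", "SRV-02", "wevtutil cl Application"),    # lone admin action
    ("2019-11-12T08:00:00", "SRV-03", "vssadmin delete shadows /for=C: /oldest"),
    ("2019-11-12T11:00:00", "SRV-03", "wbadmin delete catalog"),     # hours apart
]

def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def detect(events, min_behaviours=2):
    """Map host -> behaviours for hosts showing at least min_behaviours
    distinct recovery-inhibition behaviours inside one WINDOW."""
    hits = defaultdict(list)
    for ts, host, cmd in events:
        when = datetime.fromisoformat(ts)
        for name in classify(cmd):
            hits[host].append((when, name))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= WINDOW}
            if len(names) >= min_behaviours:
                alerts[host] = sorted(names)
                break
    return alerts
```

Requiring two or more distinct behaviours in a short window keeps routine single administrative actions, such as one log clear, from alerting on their own.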

Buran operators claim the ransomware is compatible with all versions of the Microsoft Windows operating system, but McAfee found during its investigation that some older versions, including Windows XP, are immune. 

The Rig exploit kit is the preferred delivery method for the new ransomware family, and CVE-2018-8174, a remote code execution (RCE) vulnerability in the Microsoft Internet Explorer VBScript engine, is used to exploit machines for deployment.

Two versions of Buran, written in Delphi, have been found so far -- the second of which contains improvements on the original. The malware will check to see if the victim machine is registered in Russia, Belarus or Ukraine, and if these checks come back positive, Buran will exit. 

After making sure the malware is able to create files and store them in temporary folders, Buran will create registry keys to maintain persistence, assign the victim an ID, encrypt files, and post a ransom note. 


Buran originates from VegaLocker and Jumper and is believed to be the next stage in their evolution due to similar behaviors, artifacts, and tactics, techniques, and procedures (TTPs) found within its code. These include registry changes, the types of files stored in temporary folders, extension overlapping, and the creation of shadow copies.

"Malware authors evolve their malware code to improve it and make it more professional," McAfee says. "Trying to be stealthy to confuse security researchers and AV companies could be one reason for changing its name between revisions."

Last week, ASP.NET hosting provider SmarterASP.NET was struck down with a ransomware infection. Customer servers were encrypted and rendered inaccessible, and the host's own website was also impacted. 

Forrester Research estimates that ransomware attacks against the enterprise have increased by 500 percent year-over-year. 
