LTS Secure Warning: Buran Ransomware Being Delivered to German Organizations Via Malspam Campaigns

Security researchers have identified a new malspam campaign targeting German organizations and delivering the Buran ransomware. The email is crafted to appear to come from the online fax service eFax.


Technical Details

Upon opening the email, the user is presented with a hyperlink which, when clicked, directs the user to a PHP page hosting the malicious Word document. The document contains a Visual Basic for Applications (VBA) macro which, when enabled, downloads the malicious executable.

Upon activation, the ransomware performs the following activity:

  • Sends an HTTP GET request to hxxp://geoiptool[.]com in order to determine the location of the victim machine.
  • Copies itself to another directory and renames itself to “Isass.exe” in order to evade detection by the security solutions in place.
  • Uses the command shell to establish persistence.
  • Modifies the Windows registry Run key so that “Isass.exe” is executed every time someone logs into the machine.
  • Disables services such as Windows Event Log and Windows Error Recovery and Automatic Repair.
  • Finally, deletes any backups made by the Volume Shadow Copy Service (VSS).
  • Upon completion of the encryption process, a ransom note is displayed containing the instructions the victim must follow in order to decrypt their files.
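To turn the host-level behaviours listed above into something a SOC can check for, here is an added Python example (not from the advisory or from LTS Secure) that runs simple detection logic over constructed, Sysmon-style event records. The field names and the vssadmin command line are assumptions: the advisory names only the effect (VSS backups deleted), not the exact command.

```python
"""Constructed detection example for the Buran behaviours described above:
Run-key persistence under the lookalike name 'Isass.exe' and deletion of
VSS shadow copies. Event records are simplified, Sysmon-like dicts and are
constructed for this example, not taken from a real incident."""
import re

# Capital-I "Isass.exe" masquerades as the genuine lsass.exe. Because a
# case-insensitive 'i' never matches 'l', the real binary is not flagged.
LOOKALIKE_IMAGE = re.compile(r'[\\/]isass\.exe"?\s*$', re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Assumed command line for VSS backup deletion (the advisory states only the effect).
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

# Constructed sample telemetry: three malicious records and two benign ones.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Users\Public\Isass.exe",
     "cmdline": r"C:\Users\Public\Isass.exe"},
    {"event": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass",
     "details": r"C:\Users\Public\Isass.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"event": "process_create", "image": r"C:\Windows\System32\lsass.exe",
     "cmdline": "lsass.exe"},
    {"event": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def triage(events):
    """Return one finding string per suspicious record; benign records yield none."""
    findings = []
    for ev in events:
        kind = ev.get("event")
        if kind == "process_create":
            if LOOKALIKE_IMAGE.search(ev.get("image", "")):
                findings.append(f"lsass lookalike executed: {ev['image']}")
            if SHADOW_DELETE.search(ev.get("cmdline", "")):
                findings.append(f"shadow copy deletion: {ev['cmdline']}")
        elif kind == "registry_set":
            # Persistence only counts when a Run/RunOnce value points at the lookalike.
            if RUN_KEY.search(ev.get("target", "")) and LOOKALIKE_IMAGE.search(ev.get("details", "")):
                findings.append(f"Run-key persistence for lookalike: {ev['target']} -> {ev['details']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```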


Impact

  • Downtime in business-critical operations.
  • Permanent loss of sensitive or confidential data.
  • Operational and financial loss to the business or individual.


Recommended Actions

  • Take system backups at regular intervals.
  • Avoid opening emails and attachments from unknown senders.
  • Ensure that your devices are always up to date with the latest patches released.
  • Regularly update your antivirus software and perform malware scans to protect against unknown threats.
  • Properly configure Firewall/IDS/IPS/Endpoint Protection systems so that no gaps are left open.