In September 2019, Kroll reported on Buran ransomware-as-a-service (RaaS) being offered on the top-tier Russian-language forum Exploit. Buran is one of numerous ransomware variants operating as a RaaS program; in Buran’s case, affiliate distributors give 25% of their ransom profits to “buransupport” to obtain a decryption key. In November 2019, the actors behind the “buransupport” moniker began to advertise a second ransomware variant, Zeppelin, which has been observed to have data exfiltration capabilities. Kroll assesses that this new feature may have been prompted by the tactics of other ransomware threat actor groups, who are actively publicizing data stolen from victims who have refused to pay ransom demands.
Since Buran’s launch, Kroll analysts have observed multiple updates to the ransomware being advertised on dark web forums. Besides distribution via RIG exploit kits and malspam campaigns, Kroll incident responders have also observed Buran being spread via misconfigured Remote Desktop Protocol (RDP).
Buran is advertised as a fully offline crypto-locker written in Delphi that claims to work on every Windows operating system, starting with Windows XP/Windows Server 2003. (See Figure 1 for a representative dark web listing.) Based on its tactics, techniques and procedures (TTPs), Buran is considered to be a variant of VegaLocker ransomware.