HP Threat Research Blog Buran Ransomware Targets German Organisations through Malicious Spam Campaign

October 21, 2019 Category: Threat Research By: Alex Holland

Update 11/11/2019 – Following an update to the referenced ESET article [1] on 6 November, we have amended the detection name to Win32/Filecoder.Buran.

Introduction

As of October 2019, commodity ransomware campaigns conducted by financially motivated threat actors pose a significant threat to organisations. The three distinguishing characteristics of such campaigns are: first, they are usually high volume, sent to many employees in an organisation; second, they are indiscriminate, relying on opportunistic infections to make money from ransom payments; and third, the distributed malware is designed to suit a wide range of environments and infection vectors, rather than being tailored to a specific network. Any targeting tends to focus on regions that share a common language and the popular online services used there, instead of identifying a small number of lucrative targets. In this post, we examine a malicious spam (malspam) campaign targeting German organisations in early October 2019 that delivered Buran.

Buran

Buran is a family of commodity ransomware, compiled with Borland Delphi. It was analysed by ESET researchers in April 2019, who call it Win32/Filecoder.Buran.[1] In