Bucbi
NJCCIC Threat Profile
Original Release Date: 2016-07-06
Bucbi, a ransomware family that was first released in 2014, has recently been seen in circulation again. It targets Windows OS and, although it was previously distributed via exploit kits or phishing emails, Bucbi is now being delivered via brute-force attack on Remote Desktop Protocol (RDP) accounts located on Internet-connected remote desktop servers running Windows. Once the target server is compromised, the ransomware executable file is dropped and launched. It then encrypts all files on the local drives, with the exception of those located in C:\WINDOWS, C:\Windows, C:\Program Files, and C:\Program Files (x86). Bucbi does not change or append the file extensions of encrypted files and, instead, uses the GOST block cipher – a Russian government standard symmetric key block cipher – to generate unique file names. Bucbi demands a ransom payment of 5 Bitcoin.
- Palo Alto Networks provides more information about Bucbi here.
- The NJCCIC is not aware of any decryption tools available for Bucbi.
Featured Content
- Sextortion & Romance Scams Continue with New Tactics>
- Increase in Reports of Gift Card Scams>
- Phishing-as-a-Service Operation Identified>
- Vaccination Lures in Recent Phishing Campaigns>
- Cryptocurrency Scams Increase>
- FortiGate SSL-VPN Credentials Leaked by Threat Actors>
- Microsoft Patches Several Actively Exploited Flaws>
- Updates Available for Actively Exploited Flaws in Apple Devices>
- Back-to-School Cybersecurity>
- Test Your Cybersecurity Knowledge - Take Our Cyber Quiz Today>
The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
View our Privacy Policy here.
View our Site Index here.