Original Release Date: 2019-12-12
Buran ransomware, also known as Vega, VegaLocker, and Jamper, was first observed by McAfee researchers in May 2019, advertised in a Russian-speaking forum and offered as ransomware-as-a-service (RaaS). Buran will not infect systems in any country of the post-Soviet Commonwealth of Independent States (CIS): Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan. The developers behind the Buran RaaS attempt to establish personal relationships with their criminal customers, providing 24/7 customer support and a discounted rate of 25 percent of profits earned, and boast that the malware runs successfully on all versions of the Microsoft Windows operating system (OS); McAfee researchers found, however, that older OSs such as XP may be immune. All versions of the malware are written in Delphi and are almost exclusively delivered by the RIG exploit kit through exploitation of CVE-2018-8174, a remote code execution (RCE) vulnerability. Despite the different file markers they use, VegaLocker, Jamper, and Buran all exhibit the same behavior, TTPs, and artifacts on an infected system.
Technical Details and Reporting
UPDATE 12/11/2019: A new variant identified as Zeppelin is targeting US and European companies and shares the same behavior, TTPs, and artifacts within the system.
UPDATE 12/18/2019: While providing incident response to a victim, a researcher from Morphisec discovered that Zeppelin also steals the victim’s data prior to encryption, a technique also used by Sodinokibi/REvil and Maze ransomware. At the time of this writing, no attempts to publicly expose the stolen data have been made.