One example of the Bucbi variant.

Image Source: Palo Alto Networks

Bucbi, a ransomware family that was first released in 2014, has recently been seen in circulation again. It targets Windows OS and, although it was previously distributed via exploit kits or phishing emails, Bucbi is now being delivered via brute-force attack on Remote Desktop Protocol (RDP) accounts located on Internet-connected remote desktop servers running Windows. Once the target server is compromised, the ransomware executable file is dropped and launched. It then encrypts all files on the local drives, with the exception of those located in C:\WINDOWS, C:\Windows, C:\Program Files, and C:\Program Files (x86). Bucbi does not change or append the file extensions of encrypted files and, instead, uses the GOST block cipher – a Russian government standard symmetric key block cipher – to generate unique file names. Bucbi demands a ransom payment of 5 Bitcoin.

  • Palo Alto Networks provides more information about Bucbi here.
  • The NJCCIC is not aware of any decryption tools available for Bucbi.