Researchers spotted a malspam campaign that targeted German organizations with samples of the Buran crypto-ransomware family.
In early October, Bromium observed a malspam campaign whose emails impersonated the online fax service eFax. Rather than carrying an attachment, the emails contained hyperlinks to a PHP page that served malicious Word documents. Hosting the documents behind a link helped them evade detection: the email gateway security solutions that scan attachments never saw the files, which were only fetched when a recipient clicked through.
Each of those documents contained a VBA macro that, when enabled, downloaded a Buran executable.
Once activated, the ransomware sent an HTTP GET request to hxxp://geoiptool[.]com in order to geo-locate the victim's system. It then copied itself to another directory and renamed the copy "lsass.exe", the name of the legitimate Windows Local Security Authority process, in an attempt to blend in with normal system activity.
The threat then ran a series of command shell commands to establish persistence and remove recovery options. It added a value to the Windows Registry's Run key so that "lsass.exe" would launch every time someone logged into the infected system. Next, it disabled Windows Error Recovery and Automatic Startup Repair and deleted the backups held by the Volume Shadow Copy Service (VSS). These measures, along with additional steps such as disabling the Windows Event Log service, stripped the victim of easy recovery and forensic options and laid the groundwork for the ransomware to begin encrypting files.
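The masquerading and pre-encryption steps described above are exactly the kind of host telemetry a detection engineer can alert on before any file is encrypted. The following script is an added example written for this article, not code from Bromium's analysis or from Buran itself. It runs a handful of rules over constructed sample events modelled loosely on Sysmon process-creation and registry-set records; the command lines it matches (vssadmin, bcdedit, wevtutil, service stops) are typical ransomware tradecraft assumed for illustration, since the article does not quote Buran's exact commands.

```python
"""Toy detector for the Buran-style pre-encryption behaviour described above.

Added example: the event records below are CONSTRUCTED and the command-line
patterns are ASSUMED typical ransomware commands, not strings taken from a
Buran sample or from the article.
"""
import ntpath
import re

# Windows binaries that malware commonly impersonates. Genuine copies live
# only under System32/SysWOW64, so the same name anywhere else is suspicious.
PROTECTED_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Command-line rules (assumed tradecraft, see module docstring).
CMDLINE_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("event_log_tampering",
     re.compile(r"wevtutil(\.exe)?\s+cl\s|\b(sc|net)(\.exe)?\s+(stop|config)\s+eventlog\b", re.I)),
]

# Constructed sample telemetry: one dict per event, in chronological order.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\lsass.exe", "cmdline": "lsass.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\lsass.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\lsass.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c bcdedit /set {default} recoveryenabled No"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c wevtutil cl Security"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "lsass", "data": r"C:\Users\alice\AppData\Roaming\lsass.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]


def _in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def check_process(ev):
    """Flag protected names running outside System32 and known bad command lines."""
    alerts = []
    name = ntpath.basename(ev["image"]).lower()
    if name in PROTECTED_NAMES and not _in_system_dir(ev["image"]):
        alerts.append(("masquerading_system_binary", ev))
    for rule, pattern in CMDLINE_RULES:
        if pattern.search(ev["cmdline"]):
            alerts.append((rule, ev))
    return alerts


def check_registry(ev):
    """Flag Run-key entries that auto-start something from an untrusted location."""
    if not ev["key"].lower().endswith(r"\currentversion\run"):
        return []
    target = ev["data"].strip('"').lower()
    trusted_root = target.startswith(("c:\\windows\\", "c:\\program files"))
    masquerading = ntpath.basename(target) in PROTECTED_NAMES and not _in_system_dir(target)
    if not trusted_root or masquerading:
        return [("run_key_persistence", ev)]
    return []


def scan(events):
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            alerts.extend(check_process(ev))
        elif ev["type"] == "registry":
            alerts.extend(check_registry(ev))
    return [{"rule": rule, "event": ev} for rule, ev in alerts]


def triage(events):
    """Score on rule diversity: several distinct pre-encryption behaviours on one
    host are far more telling than many hits from a single rule."""
    alerts = scan(events)
    rules = sorted({a["rule"] for a in alerts})
    if len(rules) >= 3:
        verdict = "likely ransomware precursor"
    elif rules:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"rules": rules, "alerts": len(alerts), "verdict": verdict}


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["rule"], "<-", alert["event"].get("cmdline") or alert["event"].get("data"))
    print(triage(SAMPLE_EVENTS))
```

Note that the genuine C:\Windows\System32\lsass.exe and the benign notepad.exe launch produce no alerts, while the sample as a whole trips five distinct rules. Tuning in a real environment would mean adding legitimate backup and imaging tools that call vssadmin to an allow-list rather than loosening the patterns.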
The Buran samples observed in this campaign encrypted an infected system’s data by file type. Once finished, the ransomware displayed a ransom note. This message instructed victims to contact an email address and provide their ID number so that they could receive payment instructions.
This latest malspam campaign highlights the ongoing threat that ransomware poses to organizations. In response, organizations should consider investing in security awareness training that educates their employees about the most common phishing lures, including messages that impersonate familiar services and ask the recipient to follow a link. Such training works best alongside other measures that prevent an infection in the first place, among them a robust patching strategy, well-tuned anti-spam settings, and blocking Office macros in documents downloaded from the internet, since the infection chain described here depends on a user enabling one.