RIG Exploit Kit is Now Pushing the Buran Ransomware (Jun 6, 2019)

The RIG exploit kit is currently distributing a new variant of VegaLocker ransomware, called Buran. The malicious campaign attempts to exploit vulnerabilities via Internet Explorer. If exploitation succeeds, a series of commands downloads the ransomware and then executes it. Exploit kit researcher nao_sec spotted a malvertising campaign redirecting users to the RIG exploit kit, which then drops the Buran ransomware as a payload. As a new variant of VegaLocker, Buran uses a similar encryption process. There is no known way to decrypt this ransomware for free as of yet, but it is currently being researched.

Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place, in addition to a business continuity policy. In the unfortunate case that a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for threat actors.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.