Bucbi Ransomware Boomerangs

Bucbi Ransomware

About Bucbi ransomware: Short Description

Bucbi ransomware is a file-encrypting threat that belongs to the ransomware family. First tracked in early 2014, it has since been substantially reworked and now uses brute-force attacks against RDP (Remote Desktop Protocol) as its delivery method, according to security researchers at Palo Alto Networks. Where the malware was originally distributed as an HTTP download, for example through a link in a phishing email, it has recently been observed being planted on Internet-facing Windows servers after their RDP accounts were brute-forced. The researchers also note that the updated version has been reworked so that it no longer needs an Internet connection to run.

Source:http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/

Method Of Infiltration

In late March, researchers observed that the intrusion attempts came from five IP addresses and that the attackers were trying a mix of generic usernames in their login attempts, including usernames specific to point-of-sale (PoS) software. RDP brute forcing is not the only way Bucbi reaches a system: it is also delivered through malicious links, spam email attachments and similar lures. The five IP addresses seen attacking victim systems were:

1. 31.184.197.69
2. 31.44.191.251
3. 46.161.40.11
4. 191.101.31.126
5. 79.117.151.236

Bucbi RDP brute force utility


A shortened list of the usernames used in the login attempts:
Administrator, FuturePos, HelpAssistant, Aloha, SERVER, Sqladmin, Staff, Admin, BPOS, KahalaPOS, Oracle, POS, SALES.
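The RDP brute-force activity described above leaves a trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, often followed by a success (Event ID 4624) once a password is guessed. The following detection logic is an added example, not code from the page or from the Unit 42 report. It assumes a simplified pipe-separated export of the relevant event fields (time, event ID, logon type, target user, source IP); the event lines are constructed for illustration, the grouping of the page's username list into "PoS" names is our own, and the window and threshold values are arbitrary tuning knobs.

```python
"""Flag RDP password guessing from Windows Security failed-logon events.

Added example, not from the Unit 42 report or the page. The input is a
constructed, simplified rendering of Event ID 4625/4624 fields
(TimeCreated, EventID, LogonType, TargetUserName, IpAddress); a real
deployment would read these from the event log or a SIEM export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames the report saw in the brute-force attempts (taken from the page's list).
ATTEMPTED_USERNAMES = {
    "Administrator", "FuturePos", "HelpAssistant", "Aloha", "SERVER",
    "Sqladmin", "Staff", "Admin", "BPOS", "KahalaPOS", "Oracle", "POS", "SALES",
}
# Subset that names point-of-sale products rather than generic accounts
# (our own grouping for the example, not a classification made by the report).
POS_USERNAMES = {"FuturePos", "Aloha", "BPOS", "KahalaPOS", "POS"}

RDP_LOGON_TYPE = "10"  # RemoteInteractive: an RDP / Terminal Services session
FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"

# Constructed sample log (the source addresses are the ones the page lists; the
# events themselves are made up): one fast guessing source, one source that
# succeeds after trying PoS names, one benign user typo, one console logon.
SAMPLE_EVENTS = """\
2016-03-28T02:10:01|4625|10|Administrator|31.184.197.69
2016-03-28T02:10:03|4625|10|Admin|31.184.197.69
2016-03-28T02:10:04|4625|10|POS|31.184.197.69
2016-03-28T02:10:06|4625|10|Aloha|31.184.197.69
2016-03-28T02:10:07|4625|10|SERVER|31.184.197.69
2016-03-28T02:10:09|4625|10|Sqladmin|31.184.197.69
2016-03-28T02:15:00|4625|10|FuturePos|46.161.40.11
2016-03-28T02:15:02|4625|10|KahalaPOS|46.161.40.11
2016-03-28T02:15:05|4625|10|BPOS|46.161.40.11
2016-03-28T02:15:06|4625|10|Administrator|46.161.40.11
2016-03-28T02:15:08|4624|10|Administrator|46.161.40.11
2016-03-28T02:30:00|4625|10|jsmith|10.0.0.7
2016-03-28T02:30:20|4624|10|jsmith|10.0.0.7
2016-03-28T09:00:00|4625|2|jsmith|-
"""


def parse_events(text):
    """Parse 'time|event_id|logon_type|user|src_ip' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user,
            "src": src,
        })
    return events


def detect_rdp_guessing(events, window=timedelta(minutes=5), threshold=5):
    """Return {src_ip: finding} for RDP sources that either exceed `threshold`
    failed logons inside any `window`, or try any of the PoS-style usernames.

    A single failed 'Administrator' logon is deliberately not enough on its own:
    that is normal admin behaviour, so only the burst rate or the PoS names fire.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == RDP_LOGON_TYPE and ev["src"] != "-":
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]

        # Largest number of failures that fit inside one sliding time window.
        peak, lo = 0, 0
        for hi in range(len(failures)):
            while failures[hi]["time"] - failures[lo]["time"] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)

        tried = {e["user"] for e in failures}
        pos_hits = tried & POS_USERNAMES
        if peak < threshold and not pos_hits:
            continue

        # A success from the same source after its failures suggests a guessed password.
        first_fail = failures[0]["time"]
        success_after = any(
            e["event_id"] == SUCCESS_LOGON and e["time"] > first_fail for e in evs
        )
        findings[src] = {
            "failures": len(failures),
            "peak_in_window": peak,
            "known_usernames": sorted(tried & ATTEMPTED_USERNAMES),
            "pos_usernames": sorted(pos_hits),
            "success_after_failures": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_rdp_guessing(parse_events(SAMPLE_EVENTS)).items():
        print(src, finding)
```

On the constructed data the script flags 31.184.197.69 for its burst of six failures in eight seconds and 46.161.40.11 for trying PoS account names and then logging in successfully, while the internal user who mistyped a password once is left alone. In production the same logic would sit on top of the event log rather than a text dump, and the "success after failures" finding is the one to treat as an incident rather than a block-list entry.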

More Info Here: https://threatpost.com/bucbi-ransomware-gets-a-big-makeover/117938/

Bucbi Ransomware Virus Infected System: User Experience

Carlos Memontona is a normal PC user from Germany who works in a multinational firm. His system got infected by the Bucbi Ransomware virus and he shares his awful experience with us:

I was browsing the Internet as usual when suddenly an e-mail arrived; as soon as I opened it, I was redirected to some other websites. After a while my computer got locked, and I was not able to access any of the files in their storage location. Soon a ransom note appeared, explaining that all my files had been encrypted and that I had to pay the required amount to unlock the files. I was annoyed, but in the end I removed Bucbi Ransomware in a few simple steps by visiting the linked page.

Vicious Effects:

After gaining access to a system, the attackers dropped an executable that pointed researchers to an RDP brute-force utility named RDP Brute (Coded by z668), which may be the tool used to gain access to the victim computers. The ransomware installs itself as a service; once the service is running, it writes a variety of debugging statements to a randomly named log file in the %ALLUSERSPROFILE% directory. It uses the GOST block cipher to generate a unique filename, a behaviour already seen in earlier Bucbi samples, and creates two key files.

Bucbi ransom note


The Bucbi Ransomware encrypts all files on the local hard drives except those under the following directories: C:\WINDOWS, C:\Windows, C:\Program Files and C:\Program Files (x86). It also contains a routine for encrypting network resources: it calls WNetOpenEnum to enumerate every network disk resource available to the machine, so mapped shares and reachable file servers are at risk, not just the infected host. The new Bucbi sample shares several traits with the older versions, including the original filename 'FileCrypt' and the use of the GOST block cipher. The differences between the old and new versions include the service installation technique and the command-line arguments '/install' and '/uninstall'.

If you have been infected with Bucbi, or with other recent ransomware such as Petya, Locky, KeRanger, SamSam or CryptoLocker, there is no need to panic: removal of these threats is possible. To remove the infection, follow the Remove Bucbi Ransomware link mentioned above. Note that removing the malware stops further encryption but does not by itself restore files that were already encrypted; those have to be recovered from offline backups.

Reference: http://www.securityweek.com/bucbi-ransomware-spreading-rdp-brute-force-attacks
