Bucbi Ransomware Makes a Comeback After Two Years
May 9, 2016
Shah Sheikh

A cyber-crime group is behind a wave of non-standard ransomware infections that appear to be carried out with a re-tooled version of the Bucbi ransomware, a family that has not been seen in use at this scale since 2014, the year it was discovered.

Security researchers from Palo Alto Networks say these ransomware infections are different because they do not rely on social engineering to trick victims into installing the ransomware; instead, the group's members install it themselves after breaking into vulnerable enterprise networks.

These attacks are directly connected to a series of incidents that Fox-IT researchers reported on last week, when they said they had seen cyber-crime groups run brute-force attacks against corporate networks exposing RDP (Remote Desktop Protocol) servers to the Internet. Palo Alto is now reporting on who is behind these attacks, and why and how they are carrying them out.

The group claims to be Ukrainian, clues point to Russian origin

According to the Palo Alto team, the exact origin of the hackers is unclear. The company says the group identified itself as the "Ukrainian Right Sector," but evidence in the ransomware code points to a Russian origin, in particular the use of the GOST algorithm, developed by the former USSR government and only made public in 1994.

Despite the code clues, the Ukrainian Right Sector is a real-world organization, an extremist Ukrainian nationalist political party with paramilitary operations that opposes Russia.

As for the Bucbi ransomware itself, security experts say this version has been heavily modified. The three main differences are that the ransomware now works without needing to connect to an online C&C server, uses a different installation routine, and displays a different ransom note.

Similarities between the 2014 and 2016 versions include many of the same debug strings, similar file names, and the use of the GOST block cipher in both.

The attacks are opportunistic, not well-planned

Palo Alto researchers said that Bucbi's installation method is what drew their attention to this particular threat. Bucbi is unusual because it relies on the crooks brute-forcing their way into corporate networks through RDP ports exposed to the Internet.

The company suspects the crooks used a tool called "RDP Brute (Coded by z668)," pictured below. But this was not the most interesting detail.

“Many common usernames were used in attempted logins in this brute force attack, including a number of point of sale (PoS) specific usernames,” Palo Alto researchers observed. “It is likely that this attack originally began with the attackers seeking out PoS devices, and after a successful compromise, changed their tactics once they discovered that the compromised device did not process financial transactions.”

Some of the usernames specific to PoS systems include strings such as BPOS, FuturePoS, KahalaPoS, POS, SALES, Staff, and HelpAssistant.
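The entry vector described above, a burst of failed RDP logons from one source trying generic and PoS-specific account names, leaves a clear trace in Windows Security logs. The following detection script is an added example written for this page; it is not code from the article or from Palo Alto Networks. It assumes a simplified JSON-lines export of event 4625 (logon failure) with the field names `time`, `event_id`, `logon_type`, `user` and `src_ip` (an assumed schema, not any real exporter's), and treats logon type 10 (RemoteInteractive) as RDP. The sample events are constructed; the PoS usernames are the ones the article lists.

```python
"""Flag RDP brute-force activity in Windows logon-failure events.

Added example for this page (not the article's or Palo Alto's code). It groups
event 4625 / logon type 10 failures by source address, looks for a burst of
failures inside a time window, and reports which attempted usernames match the
PoS-specific names quoted in the article.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# PoS-specific usernames named in the article (compared case-insensitively).
POS_USERNAMES = {"bpos", "futurepos", "kahalapos", "pos", "sales", "staff",
                 "helpassistant"}

# Constructed sample log lines in an assumed JSON-lines schema. One source
# (203.0.113.7) sprays twelve RDP logons in ninety seconds, including a
# non-RDP failure (logon type 3) that must be ignored; a second source is an
# ordinary user mistyping a password once and then succeeding (event 4624).
SAMPLE_EVENTS = """
{"time": "2016-05-09T02:00:01", "event_id": 4625, "logon_type": 10, "user": "Administrator", "src_ip": "203.0.113.7"}
{"time": "2016-05-09T02:00:09", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"}
{"time": "2016-05-09T02:00:17", "event_id": 4625, "logon_type": 10, "user": "POS", "src_ip": "203.0.113.7"}
{"time": "2016-05-09T02:00:25", "event_id": 4625, "logon_type": 10, "user": "FuturePoS", "src_ip": "203.0.113.7"}
{"time": "2016-05-09T02:00:33", "event_id": 4625, "logon_type": 10, "user": "KahalaPoS", "src_ip": "203.0.113.7"}
{"time": "2016-05-09T02:00:41", "event_id": 4625, "logon_type": 10, "user": "BPOS", "src_ip": "203.0.113.7"}
{"time": "2016-05-09T02:00:49", "event_id": 4625, "logon_type": 10, "user": "SALES", "src_ip": "203.0.113.7"}
{"time": "2016-05-09T02:00:57", "event_id": 4625, "logon_type": 10, "user": "Staff", "src_ip": "203.0.113.7"}
{"time": "2016-05-09T02:01:05", "event_id": 4625, "logon_type": 10, "user": "HelpAssistant", "src_ip": "203.0.113.7"}
{"time": "2016-05-09T02:01:13", "event_id": 4625, "logon_type": 10, "user": "user", "src_ip": "203.0.113.7"}
{"time": "2016-05-09T02:01:21", "event_id": 4625, "logon_type": 10, "user": "test", "src_ip": "203.0.113.7"}
{"time": "2016-05-09T02:01:29", "event_id": 4625, "logon_type": 10, "user": "guest", "src_ip": "203.0.113.7"}
{"time": "2016-05-09T02:01:40", "event_id": 4625, "logon_type": 3, "user": "backup", "src_ip": "203.0.113.7"}
{"time": "2016-05-09T08:15:02", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.4"}
{"time": "2016-05-09T08:15:20", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.4"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, converting the ISO timestamp to datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return events


def max_failures_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_rdp_bruteforce(text, threshold=10, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for sources with >= threshold RDP failures
    inside `window`. Only event 4625 with logon type 10 is counted."""
    per_ip = defaultdict(list)
    for event in parse_events(text):
        if event["event_id"] == 4625 and event["logon_type"] == 10:
            per_ip[event["src_ip"]].append(event)

    alerts = {}
    for ip, failures in per_ip.items():
        burst = max_failures_in_window([e["time"] for e in failures], window)
        if burst < threshold:
            continue
        users = {e["user"] for e in failures}
        alerts[ip] = {
            "failures": len(failures),
            "burst": burst,
            "distinct_users": len(users),
            "pos_usernames": sorted(u for u in users if u.lower() in POS_USERNAMES),
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
```

The windowed count matters more than the raw total: a source that fails a dozen logons over a month is noise, while a dozen failures in ninety seconds against a dozen different account names, several of them PoS product defaults, is the pattern Palo Alto describes. In a real deployment the threshold and window would be tuned to the host's normal traffic, and the same grouping can be keyed on the target account to catch a slower spray spread across many source addresses.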

Regardless of how the intrusions began, this shows that cyber-crime groups often adjust their strategy to whatever weakness they find at a given point in time, adapting to the type of vulnerable systems they encounter.