Bucbi Ransomware Spreading Via RDP Brute Force Attacks

The Bucbi ransomware, a threat detected back in early 2014, has received a significant update and now uses RDP brute force attacks as its delivery mechanism, researchers at Palo Alto Networks say.

The malware, usually delivered via an HTTP download (an exploit kit or phishing email), was recently spotted delivered via brute-forced RDP (Remote Desktop Protocol) accounts on Internet-facing Windows servers.  Furthermore, researchers say that the ransomware has been modified and that it no longer requires an Internet connection.

Starting in late March, researchers noticed that attacks were carried out from five IP addresses and that the malware authors were using a variety of common usernames in attempted logins, including point of sale (PoS) specific usernames. Thus, Palo Alto Networks suggests that attackers are seeking out PoS devices but, changed tactics after learning that once the compromised devices did not process financial transactions.

After successfully compromising a specific machine, the attackers dropped an executable file that pointed researchers to the RDP brute force utility named ‘RDP Brute (Coded by z668)’, which might have been that tool used to gain access to the victim machine

In early April, researchers stumbled upon a sample configured to take two command-line (CLI) arguments, /install and /uninstall. When the first is provided, the malware creates the ‘FileService’ service, and removes it when the second argument is provided. Should no argument be provided, the malware automatically tries to start ‘FileService’, as it assumes the service exists.

With the service up and running, the malware generates a number of debugging statements saved in a randomly named log file in the %ALLUSERSPROFILE% directory. The ransomware uses the GOST block cipher to generate a unique filename, a technique specific to Bucbi, and involves the creation of two key files.

The ransomware encrypts all files on the local drives, except those located in the following directories:    C:WINDOWS, C:Windows, C:Program Files, C:Program Files (x86). The malware also spawns a process for encrypting network resources and makes a call to WNetOpenEnum to enumerate all network disk resources available.

Unlike other popular ransomware families, Bucbi doesn’t append a specific file extension for files that are encrypted. This means that, after encryption, files are overwritten and left with the same filename that was originally present. The key files that were originally created are not removed.

Researchers also observed that the malware includes a decryption routine, which can be used with a simple binary modification to decrypt files, although the malware never calls for the routine. This routine could be used by victims to recover their files without paying the ransom, researchers say.

The newly spotted ransomware sample features similarities with the older versions, including the presence of the original filename of ‘FileCrypt’ in both of them, and the use of the GOST block cipher function. Moreover, all samples use the aforementioned key files, and coding style between samples is consistent as well.

Differences between the old version of Bucbi, which emerged in 2014, and the new sample include the service installation method, along with the command-line arguments of ‘/install’ and ‘/uninstall’. The network-resource encrypt function is new as well, as well as the lack of an HTTP command and control (C2) channel in the newer version.

Researchers also note that the ransom notes left on infected systems point to the “Ukrainian Right Sector,” a far-right Ukrainian nationalist political party with paramilitary operations, as being the owner of the malware. However, Russian identifiers in recent attacks make it unclear if the claims of responsibility by the “Ukrainian Right Sector” are accurate.

Just last week, researchers from Fox-IT shared details of an attack where cybercriminals activated ransomware from a compromised remote desktop server.

Related: Hackers Disrupt Locky Ransomware Campaign

Related: Malicious Insiders Could Tap Ransomware-as-a-Service for Profit