Home > List all groups > List all tools > List all groups using tool Buran

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: Buran

Description(ESET) The component that first attracted our attention is the previously unseen Win32/Filecoder.Buran. It is a Delphi binary that sometimes comes packed. It was mainly distributed during February and March of 2019. It implements the expected behavior of ransomware, discovering local drives and network shares and encrypting files found on these devices. It doesn’t require an internet connection to encrypt its victims’ files, since it doesn’t communicate with a server to send the encryption keys. Instead, it appends a “token” at the end of the ransom message and demands that the victims communicate with the operators via email or Bitmessage.

To encrypt as many important resources as possible, Filecoder.Buran starts a thread dedicated to killing key software that might have open handles on files containing valuable data, thus preventing them being encrypted. The targeted processes are mainly database management systems (DBMS). Furthermore, Filecoder.Buran removes log files and backups, to make it as difficult as possible for victims without any offline backups to recover their files.

Last change to this tool card: 20 April 2020

Download this tool card in JSON format

Previous: Buhtrap
Next: Byeby

All groups using tool Buran


APT groups

XTA2101, Maze Team[Unknown]2019-Oct 2020 HOT 

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key