Bucbi Ransomware Resurfaces Using Brute-Force Methods to Spread onto Corporate Networks

What was first defined as a normalized ransomware threat that encrypts files on an infected computer and then asks for a ransom fee to decrypt the files, has been updated to utilize brute-force methods so it may spread vastly through corporate networks. The Bucbi Ransomware threat has been brought back from the dead with several updates that bring forth opportunistic attacks on systems and those located in enterprise environments.

The proliferation of ransomware has reached a new pinnacle where new threats have been armed with advanced capabilities. In the case of Bucbi Ransomware, it has received updates to attack various networks, specifically corporate entities through open RDP (Remote Desktop Protocol) ports. The recent incidents where Bucbi Ransomware was utilized to attack networks through RDP ports was a series of incidents that security firm Fox-IT reported last week, which ultimately was a ploy to spread ransomware to high-value targets.

Cybercrooks are known for targeting high-value entities as they are usually the most lucrative in a scheme that results in high-dollar restitutions for their hacking activities. The hackers responsible for updating and spreading Bucbi Ransomware have been speculated to either be from Ukraine or Russian. So far, what has pointed researchers from the Palo Alto security research team is the ransomware code tracing back to a Russian point of origin. However, the Palo Alto Networks team has identified the group to be the "Ukrainian Right Sector," which is an extremist Ukrainian nationalist political party with paramilitary operations that are against Russia.

The key capabilities added to Bucbi Ransomware include its ability to work without requiring connection to an online command and control server, use of a unique ransom notification, and an installation method that relies on hackers brute-forcing their way into corporate networks, usually through an open RDP. Researchers believe that Bucbi Ransomware can be streamlined for install through a tool called "RDP Brute (Coded by z668)."

Combining the ability to infiltrate enterprise systems through a vulnerable corporate network has been a common task well before the introduction of ransomware threats. Though, combining the severity of ransomware and their aggressive approach to collecting money from victimized computer users with brute-force attacks, the Bucbi Ransomware is a significant step for cybercrooks. Alone, ransomware threats were already among some of the most dangerous malware around, Bucbi Ransomware is proof of the concept of cybercrime groups going to the next level to adjust their strategies to take advantage of discovered weaknesses.

Time will be the tell-all if threats like Bucbi Ransomware prevail. If they do, Bucbi Ransomware and similar threats will be yet another attack angle that cybercrooks can use to infiltrate companies successfully and demand high ransom payments to add to the opportunistic approach of money-hungry hackers.