Bucbi Ransomware
Threat Scorecard
Threat Level: 80% (High)
Infected Computers: 5
First Seen: May 9, 2016
Last Seen: May 30, 2021
OS(es) Affected: Windows
A non-standard ransomware infection referred to as the Bucbi Ransomware has been tormenting computer users, especially those living in Russia and Ukraine. The Bucbi Ransomware asks for a ransom amount that is considerably larger than most encryption ransomware threats demand, claiming that the money will be used to contribute to the conflict between Russia and Ukraine. Here is an example of a ransom note that has been associated with the Bucbi Ransomware:
We are members of Ukrainian Right Sector.
You are taking money worldwide until we are fighting with world’s evil into the East of our Motherland.
To decrypt the files you need to obtain a private key.
You have to transfer 5 BTC into the out account [...] for us.
Also you have to send message for us to e-mail: dopomoga.rs@gmail.com.
After it you’ll get the crypto key for decrypt your files.
Regards.
Your defenders.
The Bucbi Ransomware is returning after a two-year absence. Apparently, the Bucbi Ransomware is a retool of an encryption ransomware threat that hadn't been used at this scale since 2014, when it was first observed. The Bucbi Ransomware differs from its previous iteration in that it does not use social engineering to trick computer users into installing the Bucbi Ransomware on the victim's computer. Rather, the con artists themselves install the Bucbi Ransomware on the victims' computers after hacking into an enterprise network.
The Dubious Origin of the Bucbi Ransomware
The Bucbi Ransomware attacks are connected with a recent series of attacks on businesses in which hacker groups used brute force to break into corporate networks through RDP (Remote Desktop Protocol) servers that were exposed to the Internet. The group behind the Bucbi Ransomware claims to be from Ukraine (as the ransom note quoted above attests). However, despite identifying itself as the 'Ukrainian Right Sector,' it is likely that the Bucbi Ransomware's point of origin is Russian. One of the main characteristics that point to a Russian origin is the use of the GOST algorithm, which was developed in the Soviet Union and made public in 1994. The Right Sector, meanwhile, is a real-world Ukrainian extremist political party that opposes Russia.
Understanding the Bucbi Ransomware Infection
The current version of the Bucbi Ransomware is a heavily modified version of the previously seen iteration of this threat. It does not need to connect to a Command and Control server, is installed by the hackers themselves rather than through social engineering, and uses an unusual ransom note. It is similar to the earlier iteration in that it uses the GOST block cipher and carries the same debug strings, and its file names are almost identical to those of previously suspected versions of the Bucbi Ransomware. One of the reasons the Bucbi Ransomware has attracted attention is that its attacks do not seem to be heavily premeditated; rather, they take advantage of weaknesses that happen to be exposed. To carry out these attacks, the hackers need to brute-force their way into corporate networks through open RDP ports. A tool used in the attacks that lead to the installation of the Bucbi Ransomware is called 'RDP Brute (Coded by z668).' There seem to be some connections between these attacks and Point of Sale (PoS) attacks, because many of the logins used in the brute force attempts included user names that are specific to PoS devices.
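As an added defender-side example (not code from the original page, from EnigmaSoft, or from any tool the page names), the following Python script scans a constructed, simplified rendering of Windows Security logon events for the intrusion pattern described above: a burst of failed RDP logons from one source, many different user names tried, followed by a successful logon from the same source. It relies on the real Windows event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP); the one-line log layout, the addresses and the user names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample in a simplified "timestamp event_id logon_type user source_ip"
# layout. Event 4625 = failed logon, 4624 = successful logon, logon type 10 =
# RemoteInteractive (RDP). The addresses and user names are made up.
SAMPLE_LOG = """\
2016-05-09T02:14:01 4625 10 administrator 203.0.113.7
2016-05-09T02:14:02 4625 10 pos1 203.0.113.7
2016-05-09T02:14:03 4625 10 posadmin 203.0.113.7
2016-05-09T02:14:04 4625 10 register1 203.0.113.7
2016-05-09T02:14:05 4625 10 backoffice 203.0.113.7
2016-05-09T02:14:06 4625 10 admin 203.0.113.7
2016-05-09T02:14:08 4624 10 admin 203.0.113.7
2016-05-09T09:00:00 4625 10 jsmith 198.51.100.4
2016-05-09T09:00:30 4624 10 jsmith 198.51.100.4
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


@dataclass
class Event:
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    source_ip: str


@dataclass
class Alert:
    source_ip: str
    failures: int                # failed RDP logons inside the densest window
    distinct_users: int          # how many different names were tried in that window
    succeeded_as: Optional[str]  # user of a later success from the same source, if any


def parse_line(line: str) -> Event:
    """Parse one line of the simplified log layout used by SAMPLE_LOG."""
    ts, event_id, logon_type, user, source_ip = line.split()
    return Event(datetime.fromisoformat(ts), int(event_id), int(logon_type), user, source_ip)


def detect_rdp_bruteforce(log_text: str, threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Return one Alert per source IP that produced >= threshold failed RDP
    logons within `window`, noting whether a successful RDP logon from the
    same source followed within another `window` after the burst."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    by_ip = defaultdict(list)
    for e in events:
        if e.logon_type == RDP_LOGON_TYPE:   # only RDP logons are of interest here
            by_ip[e.source_ip].append(e)

    alerts: List[Alert] = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e.event_id == FAILED_LOGON]
        best: Optional[Alert] = None
        start = 0
        for end in range(len(failures)):      # sliding window over the failures
            while failures[end].ts - failures[start].ts > window:
                start += 1
            count = end - start + 1
            if count < threshold or (best and count <= best.failures):
                continue
            burst = failures[start:end + 1]
            burst_end = burst[-1].ts
            # A success from the same source shortly after the burst is the
            # point at which the intrusion described above actually begins.
            success = next((e for e in evs if e.event_id == SUCCESS_LOGON
                            and burst_end <= e.ts <= burst_end + window), None)
            best = Alert(ip, count, len({e.user for e in burst}),
                         success.user if success else None)
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_LOG):
        status = f"then logged in as '{a.succeeded_as}'" if a.succeeded_as else "no success seen"
        print(f"{a.source_ip}: {a.failures} failed RDP logons, "
              f"{a.distinct_users} user names tried, {status}")
```

In a real environment the same logic would run over exported Security log events or a SIEM feed rather than the inline sample; the signal worth escalating is the combination of a failure burst, many distinct user names and a subsequent success from the same source, which is exactly the sequence that precedes the hands-on installation of the Bucbi Ransomware.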
The Bucbi Ransomware attack is similar to most other ransomware threats once it enters a computer. Like other ransomware infections, the Bucbi Ransomware encrypts the victim's files and then demands the payment of a ransom. In this case, the extraordinarily high price of 5 Bitcoin (BTC) is demanded, supposedly to help with this group's activities in Eastern Ukraine.