Two-year-old Bucbi ransomware is making a comeback, with new targeted attacks and a new brute force technique.
Researchers at Palo Alto Networks said they spotted the ransomware recently infecting a Windows Server demanding a 5 bitcoins (or $2,320) ransom. Researchers report the ransomware is no longer randomly seeking victims, as it did two years ago, but instead is targeting attacks.
“In the past this ransomware has found victims indiscriminately via large campaigns employing email attachments and malicious websites,” said Ryan Olson, researcher at Palo Alto in an interview with Threatpost. “Attackers have shifted to using brute-force password attacks.”
He said the criminals behind the Bucbi ransomware are are targeting corporate networks running Internet-available RDP (Remote Desktop Protocol) servers. To gain a foothold on the servers, Bucbi attackers are using the Remote Desktop Protocol brute force utility named “RDP Brute”. This password attack utility is hoping to exploit Windows servers with weak passwords, he said.
In a report describing the Bucbi attack, Palo Alto believes that crooks are likely seeking point of sales systems, based on the passwords used in attempt to crack the RDP servers. “It is likely that this attack originally began with the (criminals) seeking out PoS devices, and after a successful compromise, changed their tactics once they discovered that the compromised device did not process financial transactions,” Palo Alto wrote. Sample POS-related user names include FuturePos, KahalaPOS and BPOS.
An additional change in Bucbi’s behavior is the use of an HTTP command and control (C2) channel has been removed from this variant. Instead, attackers take full remote desktop control over the targeted system.
“Bucbi is unique because it’s more than malware and more than an automated ransomware attack,” Olson said. “It has evolved over the past two years, going from malware to a tool that can be used to seek sensitive data, sniff out a network and encrypt files,” he said.
Another unique, yet unconfirmed, aspect of the ransomware is the fact the criminals behind Bucbi claim to be politically motivated. “We haven’t ever see those types of ransomware claims,” Olson said.
Palo Alto reports that many clues used as part of the Bucbi attack, such as the email address used in the ransomware note, suggest the Ukrainian Right Sector, which has been described as an ultranationalist Ukrainian nationalist political party, is behind the ransomware.
He said Bucbi is representative of a booming ransomware business model where crooks are opting to encrypt data versus trying to resell data stolen from systems.
“If I’m a bad guy and want to compromise a hospital I can steal lots of personal information and medical data, but turning that information that I have stolen into money and revenue is really hard to do,” Olson said. “Using ransomware means any system they can compromise has potential value.”