Malware-Misc-RE/2019-06-06-buran-ransomware-notes.vk.txt
// Rig Exploit Kit -> Buran Ransomware
// MD5: e60e767e33acf49c02568a79d9cbdadd
// h/t @nao_sec

Whitelisted files:
boot.ini;bootfont.bin;bootsect.bak;desktop.ini;defender.exe;iconcache.db;master.exe;master.dat;ntdetect.com;ntldr;ntuser.dat;ntuser.dat.log;ntuser.ini;temp.txt;thumbs.db;unlock.exe;unlocker.exe;

Note:
!!! YOUR FILES ARE ENCRYPTED !!!.TXT;

Whitelisted folders:
:\$RECYCLE.BIN\;:\$Windows.~bt\;:\RECYCLER;:\System Volume Information\;:\Windows.old\;:\Windows\;:\intel\;:\nvidia\;:\inetpub\logs\;\All Users\;\AppData\;\Apple Computer\Safari\;\Application Data\;\Boot\;\Google\;\Google\Chrome\;\Mozilla Firefox\;\Mozilla\;\Opera Software\;\Opera\;\Tor Browser\;\Common Files\;\Internet Explorer\;\Windows Defender\;\Windows Mail\;\Windows Media Player\;\Windows Multimedia Platform\;\Windows NT\;\Windows Photo Viewer\;\Windows Portable Devices\;\WindowsPowerShell\;\Windows Photo Viewer\;\Windows Security\;\Embedded Lockdown Manager\;\Windows Journal\;\MSBuild\;\Reference Assemblies\;\Windows Sidebar\;\Windows Defender Advanced Threat Protection\;\Microsoft\;\Package Cache\;\Microsoft Help\;

Buran note:
!!! YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important
files are encrypted.
You are not able to decrypt it by yourself! The only method
of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
To be sure we have the decryptor and it works you can send an
email polssh1@protonmail.com and decrypt one file for free. But this
file should be of not valuable!
Do you really want to restore your files?
Write to email polssh1@protonmail.com
polssh@protonmail.com
Your personal ID: ________________________
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software,
it may cause permanent data loss.
* Decryption of your files with the help of third parties may
cause increased price (they add their fee to our) or you can
become a victim of a scam.

Whitelisted extensions:
.bat
.cmd
.com
.cpl
.dll
.msc
.msp
.pif
.scr
.sys
.log
.exe
.buran

Registry storage:
HKCU\Software\Buran
-> Knock (iplogger)
\Service
-> Public
-> Private
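The three whitelists above, turned into an added triage helper (this is not code from these notes or from the sample): given a file listing from an affected host, it reports which paths the sample would have skipped and why, so a responder can scope where encrypted files are expected. Case-insensitive matching is an assumption based on Windows path semantics, not something the notes state.

```python
import ntpath
# Whitelists transcribed from the notes above. Case-insensitive matching is an
# assumption about the sample, based on Windows path semantics.
WHITELISTED_FILES = r"""
boot.ini;bootfont.bin;bootsect.bak;desktop.ini;defender.exe;iconcache.db;
master.exe;master.dat;ntdetect.com;ntldr;ntuser.dat;ntuser.dat.log;ntuser.ini;
temp.txt;thumbs.db;unlock.exe;unlocker.exe;!!! YOUR FILES ARE ENCRYPTED !!!.TXT;
"""
WHITELISTED_FOLDERS = r"""
:\$RECYCLE.BIN\;:\$Windows.~bt\;:\RECYCLER;:\System Volume Information\;
:\Windows.old\;:\Windows\;:\intel\;:\nvidia\;:\inetpub\logs\;\All Users\;
\AppData\;\Apple Computer\Safari\;\Application Data\;\Boot\;\Google\;
\Google\Chrome\;\Mozilla Firefox\;\Mozilla\;\Opera Software\;\Opera\;
\Tor Browser\;\Common Files\;\Internet Explorer\;\Windows Defender\;
\Windows Mail\;\Windows Media Player\;\Windows Multimedia Platform\;
\Windows NT\;\Windows Photo Viewer\;\Windows Portable Devices\;
\WindowsPowerShell\;\Windows Security\;\Embedded Lockdown Manager\;
\Windows Journal\;\MSBuild\;\Reference Assemblies\;\Windows Sidebar\;
\Windows Defender Advanced Threat Protection\;\Microsoft\;\Package Cache\;
\Microsoft Help\;
"""
WHITELISTED_EXTENSIONS = ".bat;.cmd;.com;.cpl;.dll;.msc;.msp;.pif;.scr;.sys;.log;.exe;.buran"

def _entries(blob):
    return [e.strip().lower() for e in blob.split(";") if e.strip()]

FILES, FOLDERS, EXTS = (set(_entries(WHITELISTED_FILES)),
                        _entries(WHITELISTED_FOLDERS), _entries(WHITELISTED_EXTENSIONS))

def skip_reason(path):
    """Return why Buran would leave `path` untouched, or None if it is a target."""
    p = path.replace("/", "\\").lower()
    name = ntpath.basename(p)
    if name in FILES:
        return "file"
    for folder in FOLDERS:
        # Entries beginning with ':' anchor to a drive root (e.g. 'c:\windows\');
        # the others match anywhere in the path.
        if folder in p:
            return "folder:" + folder
    for ext in EXTS:
        if name.endswith(ext):
            return "ext:" + ext
    return None

def triage(paths):
    """Split a file listing into paths Buran would skip and paths it would encrypt."""
    skipped = {p: r for p in paths if (r := skip_reason(p))}
    return skipped, [p for p in paths if p not in skipped]
```

Note that `.log` and `.exe` are on the extension whitelist, so untouched log files and binaries are expected and do not indicate the host was spared.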