2019-06-08-ghost-aka-rebranded-buran-config.notes.vk.txt

// Ghost(Rebranded Buran) Ransomware
// SHA-256: be9dd97e5b63ca55c3acdeef15e8da65424d7c074effb386a1e443a85fec9d94
// h/t @malwrhunterteam
// Signed -> [Soblosol Limited] Comodo

Oddity:

"BEWARE... THIS IS GHOST!!! MADE IN USSR"

Victim Note:

Your important files have been encrypted. We can help you decrypt them.
If you are interested in purchasing our decryptor, please contact us by email:
e95c12d08b14@protonmail.com
e95c12d08b14@airmail.cc

Whitelisted Folders:

:\$RECYCLE.BIN\;:\$Windows.~bt\;:\RECYCLER;:\System Volume Information\;:\Windows.old\;:\Windows\;:\intel\;:\nvidia\;:\inetpub\logs\;\All Users\;\AppData\;\Apple Computer\Safari\;\Application Data\;\Boot\;\Google\;\Google\Chrome\;\Mozilla Firefox\;\Mozilla\;\Opera Software\;\Opera\;\Tor Browser\;\Common Files\;\Internet Explorer\;\Windows Defender\;\Windows Mail\;\Windows Media Player\;\Windows Multimedia Platform\;\Windows NT\;\Windows Photo Viewer\;\Windows Portable Devices\;\WindowsPowerShell\;\Windows Photo Viewer\;\Windows Security\;\Embedded Lockdown Manager\;\Windows Journal\;\MSBuild\;\Reference Assemblies\;\Windows Sidebar\;\Windows Defender Advanced Threat Protection\;\Microsoft\;\Package Cache\;\Microsoft Help\;

Note:

===HOW TO RECOVER ENCRYPTED FILES===.TXT

Whitelisted Files:

boot.ini;bootfont.bin;bootsect.bak;desktop.ini;defender.exe;iconcache.db;master.exe;master.dat;ntdetect.com;ntldr;ntuser.dat;ntuser.dat.log;ntuser.ini;temp.txt;thumbs.db;unlock.exe;unlocker.exe;

Whitelisted Extensions:

.bat
.cmd
.com
.cpl
.dll
.msc
.msp
.pif
.scr
.sys
.log
.exe
.ghost

Regisry Storage:

HKCU\Software\Ghost
                    -> Knock (iplogger)
              \Service
                    -> Public
                    -> Private
	// Ghost(Rebranded Buran) Ransomware
	// SHA-256: be9dd97e5b63ca55c3acdeef15e8da65424d7c074effb386a1e443a85fec9d94
	// h/t @malwrhunterteam
	// Signed -> [Soblosol Limited] Comodo

	Oddity:

	"BEWARE... THIS IS GHOST!!! MADE IN USSR"

	Victim Note:

	Your important files have been encrypted. We can help you decrypt them.
	If you are interested in purchasing our decryptor, please contact us by email:
	e95c12d08b14@protonmail.com
	e95c12d08b14@airmail.cc

	Whitelisted Folders:

	:\$RECYCLE.BIN\;:\$Windows.~bt\;:\RECYCLER;:\System Volume Information\;:\Windows.old\;:\Windows\;:\intel\;:\nvidia\;:\inetpub\logs\;\All Users\;\AppData\;\Apple Computer\Safari\;\Application Data\;\Boot\;\Google\;\Google\Chrome\;\Mozilla Firefox\;\Mozilla\;\Opera Software\;\Opera\;\Tor Browser\;\Common Files\;\Internet Explorer\;\Windows Defender\;\Windows Mail\;\Windows Media Player\;\Windows Multimedia Platform\;\Windows NT\;\Windows Photo Viewer\;\Windows Portable Devices\;\WindowsPowerShell\;\Windows Photo Viewer\;\Windows Security\;\Embedded Lockdown Manager\;\Windows Journal\;\MSBuild\;\Reference Assemblies\;\Windows Sidebar\;\Windows Defender Advanced Threat Protection\;\Microsoft\;\Package Cache\;\Microsoft Help\;

	Note:

	===HOW TO RECOVER ENCRYPTED FILES===.TXT

	Whitelisted Files:

	boot.ini;bootfont.bin;bootsect.bak;desktop.ini;defender.exe;iconcache.db;master.exe;master.dat;ntdetect.com;ntldr;ntuser.dat;ntuser.dat.log;ntuser.ini;temp.txt;thumbs.db;unlock.exe;unlocker.exe;

	Whitelisted Extensions:

	.bat
	.cmd
	.com
	.cpl
	.dll
	.msc
	.msp
	.pif
	.scr
	.sys
	.log
	.exe
	.ghost

	Regisry Storage:

	HKCU\Software\Ghost
	-> Knock (iplogger)
	\Service
	-> Public
	-> Private