HP Threat Research Blog Buran Ransomware Targets German Organisations through Malicious Spam Campaign

October 21, 2019 | Category: Threat Research | By: Alex Holland


Update 11/11/2019 – Following an update to the referenced ESET article [1] on 6 November, we have amended the detection name to Win32/Filecoder.Buran.


As of October 2019, commodity ransomware campaigns conducted by financially motivated threat actors pose a significant threat to organisations. The three distinguishing characteristics of such campaigns are: first, they are usually high volume, sent to many employees in an organisation; second, they are indiscriminate, relying on opportunistic infections to make money from ransom payments; and third, the distributed malware is designed to suit a wide range of environments and infection vectors, rather than being tailored to a specific network. Any targeting tends to focus on regions that share a common language and the popular online services used there, instead of identifying a small number of lucrative targets. In this post, we examine a malicious spam (malspam) campaign targeting German organisations in early October 2019 that delivered Buran.


Buran is a family of commodity ransomware, compiled with Borland Delphi. It was analysed by ESET researchers in April 2019, who call it Win32/Filecoder.Buran.[1] In May 2019, Buran was discovered being sold in Russian-speaking underground forums.[2] Buran’s developers market the malware to potential operators as a ransomware-as-a-service (RaaS) scheme, taking a 25% cut of any ransom payments in exchange for a “decoder” used to decrypt victims’ files (figure 1). The affiliate scheme has been advertised on seve