BURAN Ransomware

What is BURAN Ransomware?

You do NOT want to let in BURAN Ransomware because this devious file-encryptor can destroy all of your personal files. In fact, it is set to destroy every single file that is not a .buran, .cmd, .com, .cpl, .dll, .exe, .log, .msp, .msc, .pif, .scr, or .sys file. Although the infection does not remove or steal files, it encrypts them, which means that the data is scrambled and so the files become unreadable. In theory, a decryptor should exist along with the encryptor, but even if the developer of the infection has it, who can say whether or not they would hand it to the victims? That being said, that is exactly what the attackers are promising, and they are demanding money in return. One version of the infection demanded a ransom of $100 to be paid in Bitcoin, but there are many different versions, and so the sum of the ransom could change as well. What does not change is the fact that this infection must be erased. Do you know how to delete BURAN Ransomware? Continue reading to find out.

How does BURAN Ransomware work?

BURAN Ransomware slips into vulnerable systems via Internet Explorer and Flash exploits. The attackers employ the RIG Exploit Kit to find and exploit vulnerabilities, and that helps them to drop and execute malware via compromised websites. The infection could slither in without your notice at all, and so you need to make sure that your operating system, software, and services you use are up-to-date at all times. If you do not take care of that, BURAN Ransomware might start encrypting your files soon. After that, a unique extension is added to the files’ names, and if you discover that, you should have no doubts left about the invasion of dangerous malware. Although, in most cases, it is the “.buran” extension that is added, .3674AD9F-5958-4F2A-5CB7-F0F56A8885EA, .62E93854-821C-3F0E-7556-D0F4F2E6E1C2, and .9F9CF853-ED0D-F661-54F1-3761A306C6D1 extensions have been used as well. This depends on the version of the infection that you need to remove from your operating system.

Regardless of the version of BURAN Ransomware, you should find a file named “!!! YOUR FILES ARE ENCRYPTED !!!.TXT”. This file carries a text message that informs you about the encryption, introduces a decryption key that, allegedly, is required for decryption, and then pushes you to email the attackers. One version asked victims to email keepcalmburan@tutanota.com or keepcalmburan@tuta.io, a second version asked them to email dcr@cumallover.me, and the last version asked them to email polssh1@protonmail.com or polssh@protonmail.com. We do not recommend sending a message to any of these. Why? You would be exposing yourself to the attackers by doing that, and they could push you to pay a ransom and send you malicious files and links. Your email address could also be shared with other parties, and it could be bombarded with phishing emails in the future. Also, you need to think about what you would gain from it all. If you think that cyber criminals will give you the decryptor the moment you transfer the ransom, you might be mistaken. We cannot know for sure, but the chances of a fair exchange are slim.

How to delete BURAN Ransomware

BURAN Ransomware evolved from VegaLocker Ransomware and Jamper Ransomware infections. That means that it was never a weak infection. Unfortunately, it has a perfect distributor, and it can do great damage once inside the system. Once the personal files found on the affected system are encrypted, restoring them is not possible. At least, not at the time of our analysis. Since files cannot be recovered, the attackers might have better chances at convincing the victims to pay a ransom for an alleged decryptor. We cannot guarantee that it works or that you would get it by paying the requested ransom. Overall, you have to decide if paying the ransom is the right thing for you, but our research team does not recommend it. What you should do is remove BURAN Ransomware, and there is no easy path here either; especially if you decide to delete the threat manually. A few components used by this threat could have random names, and so locating them could be difficult. The easiest thing, in this situation, is to install an anti-malware program that could delete the threat automatically.

Removal Instructions

  1. Simultaneously tap Win+E to access Windows Explorer.
  2. Type %APPDATA%\Microsoft\Windows\ into the box at the top and tap Enter.
  3. Right-click and Delete two executable files named ctfmon.exe and lsass.exe.
  4. Enter the following directories into the box and Delete malware-related files (names unknown):
    • %USERPROFILE%\Downloads
    • %TEMP%
  5. Right-click and Delete the ransom note file !!! YOUR FILES ARE ENCRYPTED !!!.TXT (likely on Desktop).
  6. Empty Recycle Bin and then quickly install a legitimate malware scanner.
  7. Run a full system scan to check if your system is clean or if there are still threats that must be removed.
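
The indicators named in this guide (the ransom note file name, the .buran and GUID-style extensions, and ctfmon.exe and lsass.exe under %APPDATA%\Microsoft\Windows\) can be inventoried with a read-only PowerShell script before anything is deleted. This is an added example, not part of the original instructions; the -Root parameter, the Add-Finding helper, the GUID pattern generalised from the three extensions listed above, and the choice to list .exe files in Downloads and %TEMP% are assumptions.

```powershell
# Read-only triage for the BURAN indicators named on this page; nothing is deleted.
# -Root, Add-Finding and the GUID pattern are assumptions made for this example.
param([string[]]$Root = @($env:USERPROFILE))

$noteName  = '!!! YOUR FILES ARE ENCRYPTED !!!.TXT'
# Shape of the three per-version extensions listed on the page (8-4-4-4-12 hex digits).
$guidExt   = '^\.[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$'
$dropDir   = Join-Path $env:APPDATA 'Microsoft\Windows'
$dropNames = 'ctfmon.exe', 'lsass.exe'

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding($Kind, $File) {
    $findings.Add([pscustomobject]@{
        Kind = $Kind; Path = $File.FullName; Modified = $File.LastWriteTime
    })
}

# Step 3: executables in the roaming profile. The genuine Windows binaries with
# these names live in %SystemRoot%\System32, so a copy here is suspicious.
foreach ($name in $dropNames) {
    $p = Join-Path $dropDir $name
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        Add-Finding 'dropped-executable' (Get-Item -LiteralPath $p -Force)
    }
}

# Step 4: names are unknown, so list executables in both directories for review.
foreach ($dir in @((Join-Path $env:USERPROFILE 'Downloads'), $env:TEMP)) {
    Get-ChildItem -LiteralPath $dir -File -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'review-executable' $_ }
}

# Step 5 and scope of damage: ransom notes and files carrying an appended extension.
Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Name -ieq $noteName) { Add-Finding 'ransom-note' $_ }
        elseif ($_.Extension -ieq '.buran' -or $_.Extension -match $guidExt) {
            Add-Finding 'encrypted-file' $_
        }
    }

# Summary, then SHA-256 of everything except encrypted user files, for a scanner or report.
$findings | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize
$findings | Where-Object Kind -ne 'encrypted-file' |
    Select-Object Kind, Path, Modified,
        @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.Path).Hash } } |
    Format-List
```

Run it as the affected user so that %APPDATA% and %TEMP% resolve to that user's profile, and pass additional paths to -Root to cover other drives.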