Buran Ransomware - How to remove

Buran is a file-locking virus that works on Windows systems. This ransomware renames the encrypted files by adding a long string (36 symbols long) of letters from A to F and numbers to the ends of their names. For example, “list.doc” might become “list.doc.A451E487-423B-C45B-45EA-1256A54DE247”, or similar. Buran leaves behind a ransom note (it starts with “All your files, documents, photos, databases and other important files are encrypted.”).

Identifying Buran

Like with all file-locking ransomware, these files refuse to open even if the additional string is removed from their names (by the way, don’t do that if you don’t want to corrupt the files – make copies first). But it can be tricky to identify if it’s Buran given that it doesn’t use the same extension for all victims. Instead, it renames the files with the victim’s unique ID (although it can leave the extension unchanged, too).

You can check if Buran is the infection by opening any encrypted file (any type will do) in notepad or another text editor and looking at the beginning of the file. At the start it should say “BURAN” (although different versions might use a different identification, like “STORM”).

Another option is to go to the id-ransomware website and upload your ransom note. The website should tell you what kind of ransomware attacked you. You’re unlikely to be infected with Buran if you’re in a CIS country because Buran’s authors have said that they don’t work there.

In short about Buran ransomware:

Identify Buran	The encrypted files have a long string as their extension The encrypted files start with “BURAN” or similar text The ransom note starts with “!!! ALL YOUR FILES ARE ENCRYPTED !!!”
How Buran is distributed	Phishing emails Free files and programs online Malicious ads
Removing Buran	Use anti-malware scanners (SpyHunter) Restore OS settings Change passwords and keep an eye on your crypto wallet
Recovering the files	Restore from a backup Use data recovery Try to recover data from large files Wait for a free solution

Here is an example of a Buran ransom note, probably named “!!! ALL YOUR FILES ARE ENCRYPTED !!!.txt”:

!!! YOUR FILES ARE ENCRYPTED !!!

All your files, documents, photos, databases and other important files are encrypted.

You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.

To be sure we have the decryptor and it works you can send an email [email protected]  and decrypt one file for free. But this file should be of not valuable!

Do you really want to restore your files?

Write to email [email protected]
[email protected]

Your personal ID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

How to restore the files

So far, no free decryption solution is available. Buran deletes restore points and shadow volume copies, and the encryption is secure enough. Cybersecurity researchers work a lot to analyze Buran and other ransomware, but rarely is it possible to develop a decrypter. If one becomes available, you can probably find it on nomoreransom.org. This article will also be updated.

What about paying? Rumors about Buran’s ransom amounts say they’re pretty high, sometimes several thousands of dollars. And dealing with criminals is always risky because they often take the money and fail to deliver the decryption tools. Also, people have said that Buran’s decrypter fails to recover files larger than 2GB, so there’s that to watch out for.

Normally, everyone should have backups of their files that they could recover their files from. But that doesn’t always work out. Luckily, there are some options besides decryption. For example, data recovery software might help restore some data.

Also, some people were able to recover data from encrypted archive files. If any of your archive files were encrypted, make copies and then rename the files, then try to extract them. You might get some of your files back. This applies not just to Buran, but other ransomware, too, like Phobos or Djvu.

The reason this works is that most ransomware viruses do not encrypt whole files, but only portions. The beginnings of most files contain important metadata without which the file can’t be read, so that’s always targeted. Chunks of data in large files remain unencrypted – it’s just that it’s not always possible to get something useful out of that. If Buran tried to encrypt whole files, that would make it extremely slow.

Buran infection

Buran distribution strategies

Buran was recently reported as being ransomware as a service (RaaS). This means that its developers give Buran to multiple distribution teams and they share the profits (the ransom money extorted form the victims). Because Buran is RaaS, more than one method for its distribution exists.

Exploit kits

Buran can be found on sites that promote get-rich-quick schemes, investment scams, fake video game cheats, and similar junk. The news about Buran using the Rig exploit kit to infect computers means that clicking on a single infected ad could allow Buran to infect your machine. Exploit kits are tools on malicious websites that scan each arrival’s data, like the version of their operating system, browser, etc. They look for vulnerable devices – ones with outdated software that has known security flaws that the exploit kit can take advantage of. If your computer is vulnerable, Buran is downloaded and executed automatically.

Torrent sites

It’s also possible to download Buran on your own. this ransomware gets uploaded on various torrent sites and made to look like cracking programs, activators, “free” versions of commercial software, and other attractive files. Sure, Buran will be noticed and taken down when enough people complain about it, but then it’ll just be reuploaded under a different name.

It’s not just piracy, though. Buran can also be uploaded disguised as programs (sometimes completely made-up software) on unique websites and offered for free.

Malicious spam emails

Then there are malicious spam emails. Buran (and other ransomware) is sent out in thousands of generic emails to random addresses. These emails might mention an order being cancelled, a fax being received, or important documents from work. The malicious email carries a file that is programmed to download Buran. This can be a Word document, a PDF, in theory – almost any file. Alternatively, the emails have a link to download the document that downloads Buran. German organizations have been targeted by a malvertising campaign spreading Buran.

Avoiding Buran and recovering from it

It’s really important and helpful to scan every file you download before running it. If Buran is allowed to run, antivirus programs might not be able to protect you. They can recognize Buran ransomware, but they can’t always stop it from doing harm. On the other hand, an up-to-date antivirus program should be able to warn you if a file is suspicious. Some security programs have real-time protection against ransomware.

Every time you log on, Buran should start again. After this infection, anti-malware scanners like SpyHunter can find and remove the virus, but the system will still need to be repaired. Buran ransomware makes changes to settings, the registry (it stores the public encrypting key in there, so you might want to make a backup of the registry in case of decryption). It might also try to steal private data, for example, Buran might try to hijack cryptocurrency payments and Steam trading if they’re being made on the infected computer. Don’t use your computer for anything money-related until Buran is deleted and security settings in your Windows are restored.

Automatic Malware removal tools

How to recover Buran Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Buran Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Buran Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Buran Ransomware. You can check other tools here.  

Step 3. Restore Buran Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Buran Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Buran Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.