Bucbi Ransomware Using Brute-Force Attack to Spread onto Corporate Networks

bucbi ransomwareThe cases of Ransomware attack has been on rise and cyber crooks are finding it an easy option for generating millions of bucks. Bucbi Ransomware is recent addition in the list of malware that is known to target Windows PC and hold files hostage in and around Ukraine and Russia. It is particularly targeting Corporate Networks and similar high value targets for minting hefty amount as ransom by hacking vital data. Actually, Cyber crooks have used latest innovation by launching Brute Force attack via Remote Desktop Protocol Servers to penetrate Corporate Network. Bucbi Ransomware was known to exist long time back around 2014 and now has has been significantly updated by Cyber crooks for attacking Corporate Network using Remote Desktop Protocol or RDP. This has been confirmed by researchers and security Team of Palo Alto Network. The most alarming aspect about Bucbi Ransomware is that it hardly requires any Internet connection to target computers as it uses RDP on Windows Servers.


Cyber Crooks were reportedly trying to breach and carry out attacks using some common username by attempting logins using Point of Sale devices (PoS) specifically. Actually hackers targeted the attack using 5 different IP address. This was done since the financial transaction often fails to process once the device is known to have been compromised. However, hackers were known to have been successful reportedly as they made use of executable file which was known as “RDP Brute (Coded by z668)” for seeking unauthorized access and holding files hostage on the compromised system as a whole. The Command Line was used as /install and /uninstall. Whenever the first command that is /install was used, the ransomware created the ‘FileService’ and was soon removed when the second Command Line argument was given. In case when there was no Command Line given, then also “FileService” was initiated. This was quite unique strategy used by hackers.

learn more: https://cybernewsgroup.co.uk/bucbi-ransomware-spreading-via-rdp-brute-force-attacks/

The Bucbi Ransomware is creating havoc as it has been updated and came back from the dead and is ready to target Corporate network by getting installed using RDP Brute (Coded by z668) Tool. ) thus it is ready to take the cyber crime to its next level by taking files hostage for ransom. The very existence of ransomware was proving hard nut to crack for victims but Bucbi Ransomware has given all opportunity for hackers to tap and exploit all loopholes and vulnerabilities of the Windows. It is known to target all files that are stored on the local drives of the Windows Computer. However files present in following directory locations are exempted from this nasty ransom virus as C:\WINDOWS, C:\Windows, C:\Program Files, C:\Program Files (x86). Unlike other ransomware, Bucbi does not uses any specific file extension for encryption. However the files get overwritten and continue to exist with the same file name as before. Thus users need to be highly careful if they want to stay safe and get rid of Bucbi ransomware using RDP on Windows Servers.