BURAN Ransomware Removal Guide

Category: Trojans

BURAN Ransomware is a malicious application that might enter a system by exploiting unpatched Internet Explorer and Adobe Flash Player versions. Like most ransomware applications, it encrypts files that might be precious to victims and shows ransom notes saying recovery will cost around 100 US dollars. If you have no other way to restore your files, the sum may not look significant compared to the value of the encrypted data. Still, we advise against paying it if you do not want to risk getting scammed. Hackers may say anything to convince their victims to pay, but in the end, there is no knowing whether they will keep their promises. If you still cannot decide what to do, we recommend reading the rest of our report. If you decide you do not want to put up with any demands, check the removal instructions below this article, which explain how to erase BURAN Ransomware manually.

As mentioned in the previous paragraph, BURAN Ransomware might sneak in by exploiting particular vulnerabilities. Our researchers say the Internet Explorer and Adobe Flash Player weaknesses that this malicious application exploits have been patched. Thus, the best way to prevent this particular threat from entering a system is to keep Internet Explorer and Adobe Flash Player up to date. If it is too difficult for you to do this manually, you should allow the tools on your computer to update themselves automatically. This way, you will not miss any critical patches that could protect your system from vicious threats such as BURAN Ransomware. We should mention that a lot of similar malicious applications are distributed through spam emails too, which is why you should never open suspicious data received via email unless you are one hundred percent sure it cannot contain anything malicious. Otherwise, we recommend scanning files with a reliable antimalware tool first.

It looks like the malicious application may need some time to settle in, as our researchers say it ought to create a couple of files in the %APPDATA%\microsoft\windows directories. The malware's files should have random names and .exe extensions, for example, lsass.exe. Then, BURAN Ransomware ought to start encrypting a victim's files. To our knowledge, the malware might encrypt all files except data with the following extensions: .buran, .cmd, .com, .cpl, .dll, .exe, .log, .msp, .msc, .pif, .scr, .sys. Based on the extensions, it seems the malicious application avoids data that belongs to the operating system or other software. BURAN Ransomware's developers probably want their victims' computers to keep working as usual and remain bootable so that they can display ransom notes. Such documents ought to be called !!! YOUR FILES ARE ENCRYPTED !!!.TXT. Inside, they might contain a long text saying all of the user's files were encrypted and that the only way to get them back is to contact the malware's developers and pay a ransom.

Moreover, the malware's ransom notes may even offer to decrypt a file of no value free of charge to prove the threat's creators have the needed tools. Also, the note should explain how to get Bitcoins and how to pay a ransom. The note we received while testing BURAN Ransomware asked for 100 US dollars. It also said the sum ought to be paid in 72 hours and that we should contact the threat's developers via polssh1@protonmail.com. As said earlier, we do not advise doing so if you do not want to risk being scammed. In such a case, we recommend using the deletion instructions available below or employing a reliable antimalware tool that would remove BURAN Ransomware for you.

Get rid of BURAN Ransomware

  1. Tap Ctrl+Alt+Delete.
  2. Pick Task Manager.
  3. Select the Processes tab.
  4. Look for a process associated with the malware.
  5. Select the process and click End Task.
  6. Leave Task Manager.
  7. Tap Win+E.
  8. Go to these locations:
  9. Find suspicious files that could belong to the threat, right-click them, and select Delete.
  10. Navigate to this location: %APPDATA%\microsoft\windows
  11. Search for a couple of executable files with random titles, e.g., lsass.exe; right-click them and select Delete.
  12. Both Microsoft and Windows directories should not be located in %APPDATA%, so you should remove them too.
  13. Locate files named !!! YOUR FILES ARE ENCRYPTED !!!.TXT, right-click them, and select Delete.
  14. Close File Explorer.
  15. Empty Recycle Bin.
  16. Restart the computer.
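
The file indicators named in this guide (executables placed directly in %APPDATA%\microsoft\windows and the ransom note file name) can also be checked with a script before anything is deleted. The following Python script is an added example, not part of the original guide; it only reads and reports, and its function names and the constructed demo folder tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

NOTE_NAME = "!!! YOUR FILES ARE ENCRYPTED !!!.TXT"  # ransom-note name given in the guide
DROP_DIR = ("microsoft", "windows")                 # folder under %APPDATA%, per the guide

def find_drop_dir(appdata):
    """Resolve <appdata>/microsoft/windows ignoring case (a mounted image may be case-sensitive)."""
    cur = Path(appdata)
    for part in DROP_DIR:
        match = [d for d in cur.iterdir() if d.is_dir() and d.name.lower() == part]
        if not match:
            return None
        cur = match[0]
    return cur

def triage(appdata, search_roots):
    """Read-only: return (.exe files directly in the drop folder, ransom-note paths)."""
    exes, notes = [], []
    drop = find_drop_dir(appdata)
    for f in sorted(drop.iterdir()) if drop else []:
        if f.is_file() and f.suffix.lower() == ".exe":
            digest = hashlib.sha256(f.read_bytes()).hexdigest()  # for AV or sandbox lookup
            exes.append({"path": str(f), "size": f.stat().st_size, "sha256": digest})
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):  # unreadable folders are skipped by default
            notes += [os.path.join(dirpath, n) for n in files if n.lower() == NOTE_NAME.lower()]
    return exes, sorted(notes)

def build_demo_tree(base):
    """Constructed sample profile: one .exe in the drop folder, a normal subfolder, two notes."""
    drop = Path(base, "AppData", "Roaming", "Microsoft", "Windows")
    (drop / "Start Menu").mkdir(parents=True)
    (drop / "lsass.exe").write_bytes(b"MZ constructed sample, not malware")
    work = Path(base, "Documents", "Work")
    work.mkdir(parents=True)
    (work / NOTE_NAME).write_text("constructed note")
    (work.parent / NOTE_NAME.lower()).write_text("constructed note")
    return str(drop.parents[1])  # the Roaming folder, i.e. what %APPDATA% points to

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        exes, notes = triage(build_demo_tree(tmp), [tmp])
        for e in exes:
            print("EXE ", e["path"], e["size"], e["sha256"])
        for n in notes:
            print("NOTE", n)
```

On a live system, pass the value of %APPDATA% as the first argument and the user profile or drive roots as the search roots; the SHA-256 values can be submitted to an antimalware tool for a verdict before removal.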