bufas

[Content by Gemini 2.5]

Community Ransomware Brief – “BUFAS” Family (extension .bufas)

Technical Breakdown:

1. File Extension & Renaming Patterns

  • File Extension: Every encrypted file receives the .bufas suffix appended to its full original name; the original extension is left in place, so the file type stays visible.
  • Renaming Convention:
    <original_name>.<original_extension>.bufas
    Only files are renamed. Directory names, volume labels and the Registry are not touched. A ransom note named _readme.txt is dropped into every folder that holds encrypted files.
  • On-disk Changes: Only the head of each file (about the first 150 KB) is encrypted; the remainder is left as it was. A short footer carrying the victim's personal ID and a fixed STOP/Djvu marker is appended, so a .bufas file is slightly larger than the original.

2. Detection & Outbreak Timeline

  • Approximate Start Date: The .bufas extension was first seen in spring 2019 (April/May), one of a run of STOP/Djvu extensions that rotated every few days. The family as a whole kept up a high volume through 2020 and is still active under ever-changing extensions; the steady supply of fresh victims comes mainly from cracked-software and keygen bundles, with exploit-kit delivery a smaller and less well documented channel.

3. Primary Attack Vectors

  • Cracked software, keygens and "activators" for games, office suites and design tools, distributed via torrents, direct-download sites and adware bundles. This is the dominant STOP/Djvu channel; the victim runs the dropper with their own privileges.
  • Phishing e-mails posing as receipts or invoices, with a .zip attachment that contains a .js or .vbs dropper.
  • Drive-by downloads through the RIG exploit kit, served via compromised advertising networks (malvertising); reported far less often for this family than the cracked-software route.
  • Brute-forced or purchased credentials for Remote Desktop Protocol (RDP) exposed to the Internet (TCP 3389 by default).
  • Living-off-the-land once running: the encryption itself is done inside the binary (Salsa20 per file, with the file key wrapped by RSA), not by PowerShell. PowerShell is used for defence evasion: a dropped script.ps1 runs Set-MpPreference to switch off Defender real-time protection. The malware also enumerates local and mapped drives for files to encrypt, deletes volume shadow copies with vssadmin, and copies itself to %LOCALAPPDATA%\{GUID}\ for persistence.
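As an added example (not part of the original brief), the detection logic below runs over constructed, Sysmon-style process-creation lines and flags the living-off-the-land steps listed above: shadow-copy deletion via vssadmin or wmic, Defender real-time protection being switched off through Set-MpPreference, and a binary under %LOCALAPPDATA%\{GUID}\ re-launching itself with --AutoStart. The flattened log format (Key=Value fields joined by "|"), the user name and the GUID folder name are assumptions for the example; the command lines are the ones STOP/Djvu is documented to issue.

```python
import re

# Directory STOP/Djvu copies itself into: %LOCALAPPDATA%\{GUID}\<random>.exe
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\\", re.I
)

# Constructed sample events (flattened Sysmon Event ID 1 style: Key=Value fields
# joined by '|'). The user name and GUID folder are made up for this example; a
# real pipeline would parse the JSON/XML event rather than split on '|'.
STOP_EXE = r"C:\Users\alice\AppData\Local\0a1b2c3d-4e5f-6789-abcd-ef0123456789\7c1d.exe"
SAMPLE_EVENTS = [
    # shadow copies wiped by the ransomware process
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet|ParentImage=" + STOP_EXE,
    # Defender real-time protection switched off (what the dropped script.ps1 does)
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true|ParentImage=" + STOP_EXE,
    # persistence re-launch from the GUID folder
    "Image=" + STOP_EXE + '|CommandLine="' + STOP_EXE + r'" --AutoStart|ParentImage=C:\Windows\explorer.exe',
    # benign administrator activity: listing shadow copies, not deleting them
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe List Shadows|ParentImage=C:\Windows\System32\cmd.exe",
    # same goal via WMI, worth catching even though STOP itself uses vssadmin
    r"Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic shadowcopy delete|ParentImage=C:\Windows\System32\cmd.exe",
]


def parse_event(line):
    """Split one flattened event into a dict of its fields."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Return the list of rule names the event matches (empty if benign)."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "")
    image_l = image.lower()
    hits = []
    # shadow-copy deletion through either of the two common built-ins
    if image_l.endswith("\\vssadmin.exe") and re.search(r"delete\s+shadows", cmd):
        hits.append("shadow_copy_deletion")
    if image_l.endswith("\\wmic.exe") and "shadowcopy" in cmd and "delete" in cmd:
        hits.append("shadow_copy_deletion")
    # Defender real-time monitoring disabled from PowerShell
    if (image_l.endswith("\\powershell.exe") and "set-mppreference" in cmd
            and "disablerealtimemonitoring" in cmd):
        hits.append("defender_realtime_disabled")
    # STOP/Djvu persistence: GUID-folder binary started with --AutoStart
    if GUID_DIR.search(image) and "--autostart" in cmd:
        hits.append("stop_djvu_autostart")
    # anything spawned by a binary living in the GUID folder is suspect
    if GUID_DIR.search(parent):
        hits.append("child_of_guid_dir_binary")
    return hits


def scan(lines):
    """Return (index, rules) for every event that fired at least one rule."""
    findings = []
    for i, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, ", ".join(hits))
```

The "List Shadows" line is included deliberately: a rule that fires on every vssadmin invocation drowns in administrator noise, so the match is on the delete verb, and the parent-process rule catches the ransomware's children even when the command itself looks routine.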

Remediation & Recovery Strategies:

1. Prevention

  1. Disable SMB v1 (unless explicitly required) and patch MS17-010 (EternalBlue). This is general hygiene rather than a STOP/Djvu-specific fix: the family arrives through downloads and RDP, not SMB exploitation.
  2. Harden RDP: do not expose TCP 3389 to the Internet; reach it only through a VPN or RD Gateway, enforce Network Level Authentication (NLA), restrict source IPs, and require MFA on the accounts allowed to log in.
  3. Patch browsers and their plug-ins, and remove Adobe Flash and unneeded Java runtimes; 2019-era RIG EK chains targeted Internet Explorer and Flash vulnerabilities.
  4. E-mail hygiene: use a mail gateway that strips or quarantines .js, .vbs, .exe and macro-enabled Office attachments from external senders.
  5. Principle of least privilege: run day-to-day accounts as standard users, disable or rename the built-in local Administrator account, and set UAC to its highest level. Application control (AppLocker or WDAC) that blocks executables running from %LOCALAPPDATA% and %TEMP% stops the cracked-software droppers outright.
  6. Proactive backups: nightly incremental plus weekly full backups kept offline or off-site (3-2-1 rule), with restores tested on a schedule. This is the only reliable recovery path for online-key infections.

2. Removal

  1. Disconnect or quarantine the host from the network (pull the cable, disable Wi-Fi, or isolate it via EDR) to stop encryption of shares and any further payload downloads.
  2. Boot into Windows Safe Mode with Networking.
  3. Run a reputable AV/EDR scanner with current signatures (Windows Defender Offline, Kaspersky, Emsisoft Emergency Kit, Avast/AVG). Vendor labels vary, but the family is well detected under its STOP/Djvu names, for example:
  • Gen:Variant.Ransom.Stop
  • Ransom:Win32/StopCrypt
  4. Manually verify that the usual STOP/Djvu artifacts are gone:
  • %LOCALAPPDATA%\{GUID}\ holding a copy of the ransomware executable (random name), plus any dropped helpers such as script.ps1 or updatewin*.exe in %LOCALAPPDATA% or %TEMP%
  • The scheduled task "Time Trigger Task" (in Task Scheduler or %SystemRoot%\System32\Tasks) that re-launches the executable
  • The "SysHelper" value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing at that executable with --AutoStart (check the HKLM Run key as well)
  • Entries appended to %SystemRoot%\System32\drivers\etc\hosts that sink-hole security vendor sites
  • C:\SystemID\PersonalID.txt, which holds the victim ID and is safe to keep for the decryptor
  5. Reboot into normal Windows and re-scan; the host should come back with zero detections before any decryption is attempted.

3. File Decryption & Recovery

  • Recovery Feasibility: BUFAS belongs to the STOP/Djvu ransomware family, and whether files can be recovered depends on which key encrypted them.
    – If the malware could not reach its command-and-control server at encryption time, it fell back to a hard-coded "offline" key. Offline-key victims can be recognised by a personal ID (in _readme.txt and C:\SystemID\PersonalID.txt) ending in "t1". Emsisoft's STOP-Djvu decryptor carries the recovered offline keys for many variants and will restore these files.
    – If a unique "online" key was fetched from the attackers' server, the decryptor has nothing to brute-force and recovery is only possible from backups. For variants from before August 2019, which includes .bufas, the decryptor can additionally attempt to derive the key from a pair of files (an encrypted file and its unencrypted original); this works for some file types only and is not guaranteed.
    The decryptor reads the footer of the encrypted files and reports whether an offline or online key was used, so run it before spending time on other options.
  • Essential Tools:
  • Emsisoft STOP-Djvu decryption utility: https://decrypter.emsisoft.com/STOP-Djvu
  • An offline boot image (Microsoft Defender Offline or a Linux live USB) if the infected system will not boot cleanly.
  • Always work on a copy: back up the .bufas files before running any tool, so that a failed attempt cannot leave them unrecoverable later.
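The renaming pattern from section 1 and the offline/online distinction above can be checked before anything is run on the host. The following added example (not from the original brief, nor Emsisoft's tooling) inventories .bufas files by original type, reads the personal ID out of a ransom note and classifies it, and confirms the STOP/Djvu footer marker on a file sample. The paths, the note text and the file bytes are constructed; the "t1" suffix rule and the footer marker are documented properties of STOP/Djvu.

```python
import re
from collections import Counter

EXT = ".bufas"
NOTE_NAME = "_readme.txt"
# Fixed marker STOP/Djvu writes at the very end of every encrypted file, after
# the personal ID and the encrypted per-file key (documented in public analyses).
STOP_MARKER = b"{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"

# Constructed sample listing and note; none of this is from a real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.bufas",
    r"C:\Users\alice\Documents\_readme.txt",
    r"C:\Users\alice\Pictures\IMG_0001.jpg.bufas",
    r"C:\Users\alice\Pictures\IMG_0002.jpg.bufas",
    r"C:\Users\alice\Desktop\notes.bufas",      # original file had no extension
    r"C:\Users\alice\Desktop\readme.txt",       # not encrypted
]
SAMPLE_NOTE = (
    "ATTENTION!\n"
    "Don't worry, you can return all your files!\n"
    "...\n"
    "Your personal ID:\n"
    "0158Asd4a5sd4a8s7d6a5s4d6a5s4d6a5sd4ast1\n"
)
# Made-up .bufas file body: the encrypted head (Salsa20 output in reality) is
# stood in by fixed bytes, followed by the footer that ends in the marker.
SAMPLE_ENCRYPTED = b"\x9f" * 64 + b"<personal-id><wrapped-key>" + STOP_MARKER


def original_name(name):
    """Strip the .bufas suffix; None if the name is not a .bufas file."""
    if name.lower().endswith(EXT) and len(name) > len(EXT):
        return name[:-len(EXT)]
    return None


def inventory(paths):
    """Group encrypted files by their original extension and collect ransom notes."""
    by_ext = Counter()
    encrypted, notes = [], []
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        if name.lower() == NOTE_NAME:
            notes.append(path)
            continue
        orig = original_name(name)
        if orig is None:
            continue
        encrypted.append(path)
        # '' for files that had no extension before encryption
        ext = orig.rsplit(".", 1)[1].lower() if "." in orig else ""
        by_ext[ext] += 1
    return {"encrypted": encrypted, "by_extension": dict(by_ext), "notes": notes}


def personal_id(note_text):
    """Pull the victim ID out of a _readme.txt note."""
    m = re.search(r"Your personal ID:\s*([A-Za-z0-9]+)", note_text)
    return m.group(1) if m else None


def key_type(pid):
    """STOP/Djvu IDs ending in 't1' were issued with the hard-coded offline key."""
    return "offline" if pid.endswith("t1") else "online"


def has_stop_footer(data):
    """True if the file tail carries the STOP/Djvu marker."""
    return data.endswith(STOP_MARKER)


def triage(paths, note_text, sample_bytes):
    """Combine the checks into the picture the brief asks for before decrypting."""
    inv = inventory(paths)
    pid = personal_id(note_text)
    return {
        "encrypted_files": len(inv["encrypted"]),
        "by_extension": inv["by_extension"],
        "personal_id": pid,
        "key_type": key_type(pid) if pid else "unknown",
        "footer_ok": has_stop_footer(sample_bytes),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_NOTE, SAMPLE_ENCRYPTED))
```

The per-extension count is what you need when choosing file pairs for the decryptor: it tells you which original types you must find clean copies of, and which large media files may still have their unencrypted tail worth carving. A "footer_ok" of False on a .bufas file means it was not written by STOP/Djvu at all (or was truncated), and the Emsisoft tool will not recognise it either.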

4. Other Critical Information

  • Unique Characteristics:
  • Drops a secondary payload alongside the ransomware: 2019-era STOP/Djvu variants pulled down the Azorult information stealer, and later variants switched to Vidar. Any password saved in browsers, e-mail clients or FTP tools on the infected host should be treated as stolen and reset from a clean machine.
  • Writes the victim's ID to C:\SystemID\PersonalID.txt and appends entries to the hosts file that block security vendor and update sites; both are easy to miss in a hurried response, and the hosts entries will keep breaking AV updates after the ransomware itself is removed.
  • Broader Impact:
  • STOP/Djvu has for years been the family most often submitted to ID-Ransomware, driven by home users and small businesses running cracked software rather than by targeted intrusions.
  • Heavy overlap with sibling extensions from the same period (such as .hofos): the same campaign infrastructure rotates extensions every few days, so an organisation that sees .bufas should expect other STOP/Djvu extensions from the same lures.

Remember: verify every decrypted file against a known-good copy where one exists, take a fresh backup immediately, and run a full AV/EDR scan after restoring. Stay patched, stay off cracked software and keep offline backups, and BUFAS or its descendants will cost you an afternoon rather than your data.