Click on screenshot to zoom
Danger level 8
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediatelly
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

BURAN Ransomware

BURAN Ransomware is an infection that is already fully established. In fact, several different versions of it exist, and it is possible that new ones will emerge in the future. These new versions display unique messages – although the file representing them is always the same – and they can add unique extensions to the corrupted files also. Our research team has established that this malware derives from two other well-known threats, which are Jamper Ransomware, and the original Vega Ransomware, also known as VegaLocker Ransomware. While we do not know if the same attacker is behind all three of these threats, the code is definitely similar, and so that is a possibility. On the other hand, the code of this malware might have been sold to third parties, and every single version of BURAN could be linked to a new attacker as well. In any case, this malware must be deleted. If you continue reading, you will learn how to remove BURAN Ransomware manually or automatically.

It was found that BURAN Ransomware is spread with the help of the infamous RIG Exploit Kit. The attackers can exploit known Internet Explorer and Flash vulnerabilities using this kit, which is why it is crucial that the browser and Flash are updated. All vulnerabilities get patched up sooner or later, and if you run the latest version of the program or software, your chances of getting these vulnerabilities exploited drop significantly. We suggest updating IE and Flash even if BURAN Ransomware has already invaded your operating system. First, of course, you might want to figure out what to do about the encrypted files. According to our research team, this infection encrypts everything except for the files with these extensions: .buran, .cmd, .com, .cpl, .dll, .exe, .log, .msp, .msc, .pif, .scr, and .sys. That means that almost all system files remain whitelisted, but your personal files are encrypted. After encryption, you should find the “.buran” extension appended to the names of these files, but other extensions exist as well. These are composed of random letters and numbers, and can look something like this: “.9F9CF853-ED0D-F661-54F1-3761A306C6D1.”

A file named “!!! YOUR FILES ARE ENCRYPTED !!!.TXT” is also created after encryption. Depending on the version of BURAN Ransomware, the text could be slightly changed, but the message is always the same. That message is that you need to purchase a private key if you want to have your files decrypted. One version of the “!!! YOUR FILES ARE ENCRYPTED !!!.TXT” message revealed that the ransom was $100, but other found versions of the note did not reveal the sum. However, all versions of the message instructed victims to send an email to the attackers. If you did that, you would get more information about the ransom, including how to pay it. A few of the email addresses that have been linked to the infection include,,,, and Do you understand that sending a message to cyber criminals from your real email account could be risky? That is because they could flood you with scam/spam emails in the future. That is not the only reason not to contact the attackers. Most likely, your efforts and your money would go to waste. This is why we do not focus on the ransom payment, but, instead, focus on removing BURAN Ransomware right away.

A free decryptor compatible with BURAN Ransomware does not exist at the moment. That means that you cannot use a third-party tool to restore your files. The decryptor created by the attackers has not been leaked either, and that is unlikely to happen. That means that your files might be encrypted permanently. You are lucky if backups exist, but if they do not, at the moment, there is no way out of the situation. We certainly do not recommend paying the ransom that the attackers promise to exchange for a decryptor. Do not fall for their promises, because they would tell you anything just to convince you that paying the ransom is the right move. Unfortunately, it looks like you might have to jump straight to the removal of the infection. Not all victims will be able to delete BURAN Ransomware manually, but that is okay because reliable anti-malware software can do it automatically. And you should install this software anyway if you want full-time protection against malware in the future.

BURAN Ransomware Removal

  1. Delete every copy of the file named !!! YOUR FILES ARE ENCRYPTED !!!.TXT.
  2. Launch Explorer by tapping keys Win+E.
  3. Enter %APPDATA%\Microsoft\Windows\ into the quick access field at the top.
  4. Delete the files named lsass.exe and ctfmon.exe.
  5. Enter %USERPROFILE%\Downloads into the field at the top.
  6. If suspicious files exist, Delete them right away.
  7. Enter %TEMP% into the field at the top and Delete suspicious files as well.
  8. Empty Recycle Bin and then immediately perform a full system scan. Use a legitimate malware scanner for this, and if you discover leftovers, eliminate them as well.
Download Spyware Removal Tool to Remove* BURAN Ransomware
  • Quick & tested solution for BURAN Ransomware removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.