Subscribe
  • Home
  • /
  • Open Source
  • /
  • Babuk: Did they bite off more than they could chew when they aimed to encrypt VM and *nix systems?

Babuk: Did they bite off more than they could chew when they aimed to encrypt VM and *nix systems?

By Thibault Seret and Northwave’s Noël Keijzer

Johannesburg, 30 Jul 2021

Executive summary

For a long time, ransomware gangs were mostly focused on Microsoft Windows operating systems. Yes, we observed the occasional dedicated Unix or Linux based ransomware, but cross-platform ransomware was not happening yet. However, cyber criminals never sleep and in recent months we noticed that several ransomware gangs were experimenting with writing their binaries in the cross-platform language Golang (Go).

Our worst fears were confirmed when Babuk announced on an underground forum that it was developing a cross-platform binary aimed at Linux/Unix and ESXi or VMware systems. Many core backend systems in companies are running on these *nix operating systems or, in the case of virtualisation, think about the ESXi hosting several servers or the virtual desktop environment.

We touched on this briefly in our previous blog, together with the many coding mistakes the Babuk team is making.

Even though Babuk is relatively new to the scene, its affiliates have been aggressively infecting high-profile victims, despite numerous problems with the binary, which led to a situation in which files could not be retrieved, even if payment was made.

Ultimately, the difficulties faced by the Babuk developers in creating ESXi ransomware may have led to a change in business model, from encryption to data theft and extortion.

Indeed, the design and coding of the decryption tool are poorly developed, meaning if companies decide to pay the ransom, the decoding process for encrypted files can be really slow and there is no guarantee that all files will be recoverable.

Coverage and protection advice

McAfee’s EPP solution covers Babuk ransomware with an array of prevention and detection techniques.

McAfee ENS ATP provides behavioural content focusing on proactively detecting the threat while also delivering known IOCs for both online and offline detections. For DAT-based detections, the family will be reported as Ransom-Babuk!. ENS ATP adds two additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviours and RealProtect (static and dynamic) with ML models targeting ransomware threats.

Updates on indicators are pushed through GTI, and customers of Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.

Initially, in our research, the entry vector and the complete tactics, techniques and procedures (TTPs) used by the criminals behind Babuk remained unclear.

However, when its affiliate recruitment advertisement came online, and given the specific underground meeting place where Babuk posts, defenders can expect similar TTPs with Babuk as with other ransomware as a service families.

In its recruitment posting, Babuk specifically asks for individuals with pen-test skills, so defenders should be on the lookout for traces and behaviours that correlate to open source penetration testing tools like winPEAS, Bloodhound and SharpHound, or hacking frameworks such as CobaltStrike, Metasploit, Empire or Covenant. Also be on the lookout for abnormal behaviour of non-malicious tools that have a dual use, such as those that can be used for things like enumeration and execution (eg, ADfind, PSExec, PowerShell, etc). We advise everyone to read our blogs on evidence indicators for a targeted ransomware attack (Part1, Part2).

Looking at other similar ransomware as a service families we have seen that certain entry vectors are quite common among ransomware criminals:

E-mail spear phishing (T1566.001). Often used to directly engage and/or gain an initial foothold, the initial phishing e-mail can also be linked to a different malware strain, which acts as a loader and entry point for the ransomware gangs to continue completely compromising a victim’s network. We have observed this in the past with Trickbot and Ryuk, Emotet and Prolock, etc.

Exploit Public-Facing Application (T1190) is another common entry vector; cyber criminals are avid consumers of security news and are always on the lookout for a good exploit. We therefore encourage organisations to be fast and diligent when it comes to applying patches. There are numerous examples in the past where vulnerabilities concerning remote access software, web servers, network edge equipment and firewalls have been used as an entry point.

Using valid accounts (T1078) is and has been a proven method for cyber criminals to gain a foothold. After all, why break the door if you have the keys? Weakly protected Remote Desktop Protocol (RDP) access is a prime example of this entry method. For the best tips on RDP security, we would like to highlight our blog explaining RDP security.

Valid accounts can also be obtained via commodity malware such as infostealers, which are designed to steal credentials from a victim’s computer. Infostealer logs containing thousands of credentials are purchased by ransomware criminals to search for VPN and corporate logins. As an organisation, robust credential management and multi-factor authentication on user accounts is an absolute must have.

When it comes to the actual ransomware binary, we strongly advise updating and upgrading your endpoint protection, as well as enabling options like tamper protection and rollback. Please read our blog on how to best configure ENS 10.7 to protect against ransomware for more details.

Summary of the threat

A recent forum announcement indicates that the Babuk operators are now expressly targeting Linux/Unix systems, as well as ESXi and VMware systems.

Babuk is riddled with coding mistakes, making recovery of data impossible for some victims, even if they pay the ransom.

We believe these flaws in the ransomware have led the threat actor to move to data theft and extortion rather than encryption.

Learn more about how Babuk is transitioning away from an encryption/ransom model to one focused on pure data theft and extortion in our detailed technical analysis: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf

Share