Babuk ransomware targets five industries

Babuk ransomware, discovered this year, is currently targeting the transportation, healthcare, plastic, electronics, and agricultural sectors across multiple geographies, and has impacted at least five major enterprises. One already ponied up a ransom of $85 000 after negotiations.

These were the findings of McAfee’s MVISION Insights. Researchers Alexandre Mundo, Thibault Seret, Thomas Roccia, John Fokker and Valentine Mairet, said that initially the entry vector and the complete tactics, techniques and procedures (TTPs) used by the threat actors behind Babuk remained unclear.

“However, when its affiliate recruitment advertisement came online, and given the specific underground meeting place where Babuk posts, defenders can expect similar TTPs with Babuk as with other ransomware-as-a-service (RaaS) families,” they said. The Babuk operators also leaked stolen victim data on a public Web site.

Looking for pentest skills

The researchers warned that in its recruitment posting, Babuk specifically asks for individuals with penetration testing skills, so defenders should be on the lookout for traces and behaviours that correlate to open source penetration testing tools such as winPEAS, Bloodhound and SharpHound, or hacking frameworks such as CobaltStrike, Metasploit, Empire or Covenant.

In addition, they said to keep an eye out for anomalous behaviour from non-malicious tools that have a dual use, including those that can be employed for enumeration and execution (ADfind, PSExec, PowerShell and more).
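As an added illustration of the two kinds of signal the researchers describe (the mere presence of a pentest tool, and anomalous use of an otherwise legitimate admin tool), the following Python snippet triages constructed process-creation events. It is not code from McAfee or from the article; the log format, the field names (`host`, `user`, `image`, `cmd`), the sample events and the "anomalous argument" heuristics for PsExec, AdFind and PowerShell are all assumptions made for the example, and a real deployment would feed it Sysmon or EDR telemetry and tune the rules to its own baseline.

```python
"""Triage process-creation events for pentest tooling and anomalous dual-use tool activity.

Assumed input format (constructed for this example): one event per line as key=value
pairs, with quoted values allowed, e.g.
    ts=... host=WS01 user=jdoe image=C:\\Tools\\PsExec64.exe cmd="PsExec64.exe \\\\FS01 -s cmd.exe"
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tools named in the article: presence alone is worth a look.
PENTEST_TOOLS = {"winpeas", "bloodhound", "sharphound", "cobaltstrike",
                 "metasploit", "empire", "covenant"}

# Dual-use admin tools: flagged only when the command line looks anomalous.
# The patterns are illustrative assumptions, not a vetted rule set.
DUAL_USE_RULES = {
    # a UNC target means PsExec is being used to run code on another host
    "psexec": (re.compile(r"\\\\[\w.-]+", re.I), "remote execution via PsExec"),
    # LDAP filter style queries are typical of bulk directory enumeration
    "adfind": (re.compile(r"objectcategory=", re.I), "bulk AD enumeration via AdFind"),
    # encoded or download-and-execute PowerShell is rarely interactive admin work
    "powershell": (re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand)?(?=\s|$)"
                              r"|downloadstring|frombase64string", re.I),
                   "encoded or download-cradle PowerShell"),
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value event line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def tool_stem(image: str) -> str:
    """Normalise an image path to a lowercase tool name: PsExec64.exe -> psexec."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return re.sub(r"\d+$", "", name)


def classify(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for suspicious events, None for everything else."""
    stem = tool_stem(event.get("image", ""))
    cmd = event.get("cmd", "")
    host, user = event.get("host", "?"), event.get("user", "?")
    if stem in PENTEST_TOOLS or any(t in cmd.lower() for t in PENTEST_TOOLS):
        return Finding(host, user, stem, "known pentest tool")
    rule = DUAL_USE_RULES.get(stem)
    if rule and rule[0].search(cmd):
        return Finding(host, user, stem, rule[1])
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run classify() over every non-empty event line and keep the hits."""
    return [f for f in (classify(parse_event(l)) for l in lines if l.strip()) if f]


def hosts_per_user(findings: List[Finding]) -> Dict[str, int]:
    """Count distinct hosts on which each user triggered a finding (spread = lateral movement clue)."""
    seen: Dict[str, set] = {}
    for f in findings:
        seen.setdefault(f.user, set()).add(f.host)
    return {user: len(hosts) for user, hosts in seen.items()}


# Constructed sample telemetry; none of these hosts, users or hashes are real.
SAMPLE_EVENTS = r"""
ts=2021-02-01T10:01:02 host=WS01 user=jdoe image=C:\Windows\System32\notepad.exe cmd="notepad.exe report.txt"
ts=2021-02-01T10:02:15 host=WS01 user=jdoe image=C:\Users\jdoe\Downloads\SharpHound.exe cmd="SharpHound.exe -c All"
ts=2021-02-01T10:03:40 host=WS01 user=jdoe image=C:\Tools\PsExec64.exe cmd="PsExec64.exe \\FS01 -s cmd.exe"
ts=2021-02-01T10:04:05 host=WS01 user=svc_backup image=C:\Tools\PsExec64.exe cmd="PsExec64.exe -accepteula ipconfig"
ts=2021-02-01T10:05:12 host=DC01 user=jdoe image=C:\Tools\AdFind.exe cmd="AdFind.exe -f (objectcategory=person)"
ts=2021-02-01T10:06:30 host=WS02 user=asmith image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -enc SQBFAFgA"
ts=2021-02-01T10:07:00 host=WS02 user=asmith image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe Get-Service"
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.user:10} {f.tool:10} {f.reason}")
    print(hosts_per_user(triage(SAMPLE_EVENTS)))
```

The point of the two-tier logic is the one the researchers make: SharpHound is flagged on sight, whereas PsExec is only flagged when its arguments show a remote target, so the local `ipconfig` run by the backup account stays quiet. The per-user host count is a cheap way to notice the same account touching a workstation and a domain controller in quick succession.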

Common entry vectors

When examining other similar RaaS families, the researchers noted that certain entry vectors are quite common among ransomware attackers. 

Firstly, e-mail spear phishing is often used to directly engage and/or gain an initial foothold. The original phishing e-mail can also be linked to a different malware strain, which acts as a loader and entry point for the criminals to continue compromising a victim’s network. These tactics have been observed with Trickbot, Ryuk, Emotet, Prolock, and others.

Next, exploiting public-facing applications is another common method. Malefactors are avid consumers of security news and are always on the lookout for a good exploit, the researchers added, encouraging businesses to always apply patches as soon as possible.

Using valid accounts has been, and remains, a popular way for criminals to gain entry. “After all, why break the door if you have the keys? Weakly protected remote desktop protocol access is a prime example of this entry method.”

Valid accounts can also be obtained via commodity malware, such as infostealers, that are designed to steal credentials from a target’s machine. Infostealer logs containing thousands of credentials are bought by the crooks behind ransomware to search for VPN and corporate logins.

Better than cure

For any company, robust credential management and multi-factor authentication on user accounts is an absolute must-have, they advised.

“When it comes to the actual ransomware binary, we strongly advise updating and upgrading your endpoint protection, as well as enabling options like tamper protection and rollback,” the researchers concluded.
