Babuk ransomware

Johannesburg, 09 Mar 2021
Read time 5min 00sec

Babuk ransomware is a new ransomware threat discovered in 2021 that has impacted at least five big enterprises, with one already paying the criminals $85 000 after negotiations. As with other variants, this ransomware is deployed in the network of enterprises that the criminals carefully target and compromise. Using MVISION Insights, McAfee was able to plot the telemetry of targets, revealing that the group is currently targeting the transportation, healthcare, plastic, electronics and agricultural sectors across multiple geographies.

Infection map (source: MVISION Insights)
Infection map (source: MVISION Insights)

Coverage and protection advice

McAfee’s EPP solution covers Babuk ransomware with an array of prevention and detection techniques.

ENS ATP provides behavioural content focusing on proactively detecting the threat while also delivering known IOCs for both online and offline detections. For DAT-based detections, the family will be reported as Ransom-Babuk!<hash>. ENS ATP adds two additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviours and RealProtect (static and dynamic) with ML models targeting ransomware threats.

Updates on indicators are pushed through GTI, and customers of Insights will find a threat profile on this ransomware family that is updated when new and relevant information becomes available.

Initially, in our research, the entry vector and the complete tactics, techniques and procedures (TTPs) used by the criminals behind Babuk remained unclear.

However, when its affiliate recruitment advertisement came online, and given the specific underground meeting place where Babuk posts, defenders can expect similar TTPs with Babuk as with other ransomware as a service families.

In its recruitment posting, Babuk specifically asks for individuals with pentest skills, so defenders should be on the lookout for traces and behaviours that correlate to open source penetration testing tools like winPEAS, Bloodhound and SharpHound, or hacking frameworks such as CobaltStrike, Metasploit, Empire or Covenant. Also be on the lookout for abnormal behaviour of non-malicious tools that have a dual use, such as those that can be used for things like enumeration and execution (eg, ADfind, PSExec, PowerShell, etc.) We advise everyone to read our blogs on evidence indicators for a targeted ransomware attack (Part1, Part2).

Looking at other similar ransomware as a service families, we have seen that certain entry vectors are quite common among ransomware criminals:

  • E-mail Spearphishing (T1566.001). Often used to directly engage and/or gain an initial foothold, the initial phishing e-mail can also be linked to a different malware strain, which acts as a loader and entry point for the ransomware gangs to continue completely compromising a victim’s network. We have observed this in the past with Trickbot and Ryuk, Emotet and Prolock, etc.
  • Exploit Public-Facing Application (T1190) is another common entry vector; cyber criminals are avid consumers of security news and are always on the lookout for a good exploit. We therefore encourage organisations to be fast and diligent when it comes to applying patches. There are numerous examples in the past where vulnerabilities concerning remote access software, Web servers, network edge equipment and firewalls have been used as an entry point.
  • Using valid accounts (T1078) is and has been a proven method for cyber criminals to gain a foothold. After all, why break the door if you have the keys? Weakly protected remote desktop protocol (RDP) access is a prime example of this entry method. For the best tips on RDP security, we would like to highlight our blog explaining RDP security.
  • Valid accounts can also be obtained via commodity malware such as infostealers, which are designed to steal credentials from a victim’s computer. Infostealer logs containing thousands of credentials are purchased by ransomware criminals to search for VPN and corporate logins. As an organisation, robust credential management and multi-factor authentication on user accounts is an absolute must have.

When it comes to the actual ransomware binary, we strongly advise updating and upgrading your endpoint protection, as well as enabling options like tamper protection and rollback. Please read our blog on how to best configure ENS 10.7 to protect against ransomware for more details.

Summary of the threat

  • Babuk ransomware is a new ransomware family originally detected at the beginning of 2021.
  • Its operators adopted the same operating methods as other ransomware families and leaked the stolen data on a public Web site: hxxp://gtmx56k4hutn3ikv.onion/.
  • Babuk’s codebase and artefacts are highly similar to Vasa Locker’s.
  • Babuk advertises on both English-speaking and Russian-speaking forums, where it seems the former is used for announcements and the latter is focused on affiliate recruitment and ransomware updates.
  • The individuals behind Babuk ransomware have explicitly expressed themselves negatively against the BlackLivesMatter (BLM) and LGBT communities.
  • At least five companies have been breached as of 15 January 2021.
  • The ransomware supports command line operation and embeds three different built-in commands used to spread itself and encrypt network resources.
  • It checks the services and processes running so it can kill a predefined list and avoid detection.
  • There are no local language checks, in contrast to other ransomware gangs that normally spare devices in certain countries.
  • The most recent variant has been spotted packed.

Learn more about the inner working of Babuk, underground forum activity, Yara Rules, Indicators of Compromise & Mitre ATT&CK techniques used by reading our detailed technical analysis.

Learn more about the inner workings of Babuk, underground forum activity, Yara Rules, Indicators of Compromise & Mitre ATT&CK techniques used.

See also