Last Updated on March 24, 2023 by Satyendra
Babuk ransomware was first detected in early 2021, although it is believed to have been in development for some time before that. The first attacks were aimed at corporate targets, particularly in the transportation and manufacturing sectors. The malware was designed to target Windows systems and used a variety of techniques to gain access to its victims’ networks. However, evidence suggests that UNIX variants have also been developed.
How Babuk Ransomware has Evolved
Since its initial discovery, Babuk ransomware has evolved significantly. One of the key changes has been the adoption of a “double extortion” tactic, where the attackers not only encrypt the victim’s files but also exfiltrate sensitive data from the victim’s network. The attackers then threaten to release this data publicly unless the ransom is paid.
The Babuk authors have also adopted the Ransomware-as-a-Service (RaaS) model. This means that the creators of Babuk ransomware are now offering it as a service to other criminal groups, who can then use it to launch their own attacks. This has led to an increase in the number of attacks using Babuk ransomware, as well as an increase in the sophistication of these attacks.
Techniques Used by Babuk Ransomware
Babuk ransomware uses a variety of techniques to infect its victims. One of the most common is phishing emails, where the attackers send an email that appears to be from a legitimate source but actually contains a malicious attachment or link. Once the victim clicks on the link or opens the attachment, the malware is downloaded onto their system. Babuk ransomware attacks will also try to exploit vulnerabilities in the victim’s system, which might include exploiting unpatched software or using brute force attacks to guess passwords.
Once Babuk ransomware has infected a system, it begins to encrypt the victim’s files using strong encryption algorithms. The attackers then demand payment in exchange for the decryption key. In addition to encrypting files, Babuk ransomware also has the ability to steal sensitive data from the victim’s network and threaten to release it publicly if the ransom is not paid.
The techniques mentioned above are commonly associated with the most recent strains of ransomware. Let’s take a closer look at Babuk’s codebase and tactics to understand the differences and similarities with other strains of ransomware.
Things to Know About Babuk Ransomware
Similarities with Vasa Locker
The codebase and artifacts of Babuk and Vasa Locker are highly similar, with around 86% of the code being shared. The ransom notes look quite similar, and the extension added to encrypted files is the same. Additionally, both strains use the same cryptographic method, and their process kill lists and directory lists are also the same.
Advertises on Both English and Russian Forums
Babuk advertises on both English and Russian forums, with the former used for announcements and the latter focused on affiliate recruitment and ransomware updates. This suggests that the group behind Babuk is targeting a global audience and is actively looking to recruit more affiliates to spread the ransomware.
Supports Command Line Operations
Babuk also supports command line operations and embeds three different built-in commands used to spread itself and encrypt network resources. It enumerates running services and processes and terminates those on a predefined kill list in order to avoid detection.
No Local Language Checks
In contrast to other ransomware gangs that normally spare devices in certain countries, Babuk does not have any local language checks. This means that it does not discriminate based on geography and will attack any device it can access.
Limited Diffusion
Babuk ransomware has not been widely distributed, which may indicate that those behind it are not working within an organized group or with other partners.
Victims and Whitelisted Companies
Since January 15, 2021, at least 5 companies have been infected. However, only two companies so far have had their data published by those behind the Babuk ransomware. This may indicate that the other victims decided to pay the ransom to avoid having their data leaked. Evidence suggests that the group breached companies in the transport, healthcare, plastic, electronics, and agricultural sectors. However, Babuk states that it does not attack whitelisted hospitals, non-profits, schools, or companies with less than a certain amount of revenue.
Unix Variant of the Ransomware
There is also evidence to suggest that Babuk has prepared a Unix variant of the ransomware to target NAS, ESXi servers, or any other Unix system. This highlights the group’s willingness to expand its reach and target other platforms.
How Lepide Can Help Detect and Prevent the Spread of Babuk Ransomware
Babuk ransomware, as discussed, fundamentally operates in a very similar way to other strains of ransomware. Lepide’s ransomware protection solution enables customers to effectively detect, prevent, investigate, and respond to ransomware attacks.
Prevent Babuk Ransomware with Lepide
With Lepide, you can reduce your potential attack surface to limit the threat of Babuk ransomware. Identifying users that have excessive permissions, data open to all users, inactive users, and other misconfigurations in Active Directory, can help to mitigate risk from the outset.
Detect Babuk Ransomware with Lepide
There are multiple indicators of ransomware that Lepide is able to detect in real time using pre-defined threat models, threshold alerts, and pre-defined reports. These indicators include changes in the behavior of a user/account, en masse encryption events, permissions escalation, failed access attempts, and attempts to access large volumes of data.
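A threshold alert on en masse encryption events works by counting file writes and renames per account inside a short sliding window and raising an alert when the count crosses a limit. The following is an added example of that logic, not Lepide's own detection code: the audit events are constructed, the ".locked" extension is a placeholder rather than a documented Babuk artifact, and the threshold and window values are arbitrary tuning choices. It also reports the extension that dominates the flagged batch, since a uniform new extension on renamed files is one of the artifacts this page associates with the strain.

```python
"""Sliding-window threshold detection for mass file modification.

Added example (not Lepide's or Babuk's code). Flags an account whose
write/rename events inside a short window reach a threshold, and reports
the file extension that dominates those events. All events below are
constructed; ".locked" is a placeholder extension.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import ntpath  # handles the backslash UNC paths in the sample regardless of host OS

THRESHOLD = 10                      # events from one account that trigger an alert
WINDOW = timedelta(seconds=60)      # sliding window the events must fall inside
WATCHED_ACTIONS = {"write", "rename"}


def build_sample_events():
    """Constructed file-audit events shaped as (timestamp, user, action, path)."""
    base = datetime.fromisoformat("2023-03-24T09:00:00")
    events = []
    # Benign analyst: a few edits spread over the morning.
    for i, name in enumerate(["budget.xlsx", "notes.docx", "plan.pptx"]):
        events.append((base + timedelta(minutes=15 * i), "asmith", "write",
                       rf"\\fs01\finance\{name}"))
    # Build service account: many writes, but spaced well beyond the window.
    for i in range(15):
        events.append((base + timedelta(minutes=2 * i), "svc_build", "write",
                       rf"\\fs01\builds\artifact{i}.bin"))
    # Compromised account: 12 renames to one placeholder extension in ~20 seconds.
    for i in range(12):
        events.append((base + timedelta(seconds=30 + 2 * i), "jdoe", "rename",
                       rf"\\fs01\hr\record{i}.pdf.locked"))
    events.sort(key=lambda e: e[0])
    return events


def detect_mass_modification(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per account the first time its watched-event count
    inside `window` reaches `threshold`. `events` must be sorted by time."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, extension)
    alerted = set()
    alerts = []
    for ts, user, action, path in events:
        if action not in WATCHED_ACTIONS or user in alerted:
            continue
        q = recent[user]
        q.append((ts, ntpath.splitext(path)[1].lower()))
        # Evict events that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            exts = Counter(ext for _, ext in q)
            top_ext, top_count = exts.most_common(1)[0]
            alerts.append({
                "user": user,
                "count": len(q),
                "window_start": q[0][0].isoformat(),
                "window_end": ts.isoformat(),
                "dominant_extension": top_ext,
                "extension_share": top_count / len(q),
            })
            alerted.add(user)   # alert once per account, not once per event
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_modification(build_sample_events()):
        print(alert)
```

The build account is the case worth noting: it writes more files in total than the compromised account, but because its writes are spread over thirty minutes they never share a single sixty-second window, so a count-in-window rule leaves it alone while still firing on the burst of renames. In a real deployment the threshold and window would be tuned per data store and paired with the other indicators the paragraph lists, such as the account's prior behaviour.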
Investigate Babuk Ransomware with Lepide
Once ransomware has been detected, Lepide can aid investigations with detailed audit reports. Lepide enables customers to identify the potential source of the threat without having to rely on event logs, and to see what data could be affected.
Respond to Babuk Ransomware with Lepide
Lepide can automate the response to ransomware attacks once they are detected through script execution. These responses can include shutting down the infected users and accounts, among other actions, to contain the spread. Lepide can also instruct SIEM and SOAR platforms to engage. All of this can be done through a mobile app so that you can respond when away from your desk.
Conclusion
Babuk ransomware is a dangerous malware that has evolved significantly since its initial discovery in 2021. With its adoption of a double extortion tactic and RaaS model, Babuk ransomware has become a major threat to both individuals and organizations. It is important for individuals and organizations to take steps to protect themselves from Babuk ransomware and other types of malware, including keeping their software up to date, using strong passwords, and being wary of phishing emails.
If you’d like to see how the Lepide Data Security Platform can help to detect ransomware, schedule a demo with one of our engineers.