2021 starts with a new ransomware family. Called Babuk Locker, it was discovered by researcher Chuong Dong and has so far hit a small number of enterprise victims. The ransom demanded by the Babuk Locker operators ranges between $60,000 and $85,000 in Bitcoin.
“Since this is the first detection of this malware in the wild, it’s not surprising that Babuk is not obfuscated at all,” says Dong in his report. The researcher also describes the ransomware as “standard,” though it uses techniques such as multi-threaded encryption and abuse of the Windows Restart Manager, which the REvil and Conti gangs also employ.
Babuk Locker Encryption
According to Dong’s reverse engineering analysis, the ransomware uses its own implementations of SHA-256 hashing, ChaCha8 encryption, and Elliptic-curve Diffie–Hellman (ECDH) key generation and exchange. Together they protect the ransomware’s keys and encrypt the victim’s files: ECDH agrees on a secret that only the operators’ private key can reproduce, SHA-256 turns it into a symmetric key, and ChaCha8 does the bulk file encryption. “Despite the amateur coding practices used, its strong encryption scheme that utilizes the Elliptic-curve Diffie–Hellman algorithm has proven effective in attacking a lot of companies so far,” the researcher adds.
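The scheme Dong describes is a standard hybrid construction, and the reason encrypted files cannot be recovered without the operators’ private key is easiest to see in code. The following is an added example written for this article, not code from Babuk or from Dong’s report: it combines X25519 ECDH (RFC 7748) with SHA-256 and an 8-round ChaCha stream cipher using only the Python standard library. The choice of X25519 as the curve, the on-disk layout (ephemeral public key, nonce, ciphertext) and the RFC 8439 counter/nonce layout are assumptions made for illustration; the page does not state which curve or file format Babuk uses.

```python
"""Hybrid ransomware-style file encryption: X25519 ECDH -> SHA-256 -> ChaCha8.
Added example; the curve, nonce size and file layout are assumptions, not Babuk's."""
import hashlib
import secrets
import struct

P = 2**255 - 19                       # Curve25519 field prime
BASEPOINT = (9).to_bytes(32, "little")
M32 = 0xFFFFFFFF


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication (Montgomery ladder, section 5)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64                    # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:                             # conditional swap from the RFC
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P            # a24 = (486662 - 2) / 4
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _qr(s, a, b, c, d):
    """ChaCha quarter round on the 32-bit words of state list s."""
    for rot, (x, y, z) in ((16, (a, b, d)), (12, (c, d, b)), (8, (a, b, d)), (7, (c, d, b))):
        s[x] = (s[x] + s[y]) & M32
        s[z] ^= s[x]
        s[z] = ((s[z] << rot) & M32) | (s[z] >> (32 - rot))


def chacha_block(key: bytes, counter: int, nonce: bytes, rounds: int) -> bytes:
    """One 64-byte keystream block (RFC 8439 layout: 32-bit counter, 96-bit nonce)."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(rounds // 2):                  # one double round = column + diagonal
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(s[i] + init[i]) & M32 for i in range(16)])


def chacha_xor(key: bytes, nonce: bytes, data: bytes, rounds: int = 8) -> bytes:
    """Stream-cipher XOR; the same call encrypts and decrypts. rounds=8 is ChaCha8."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha_block(key, off // 64, nonce, rounds)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def generate_keypair() -> tuple[bytes, bytes]:
    """X25519 keypair; the operators' private half never ships inside the sample."""
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


def encrypt_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """Ransomware side: fresh ephemeral ECDH per file, key = SHA-256(shared secret).
    Assumed layout: eph_pub(32) || nonce(12) || ciphertext. eph_priv is never stored."""
    eph_priv, eph_pub = generate_keypair()
    file_key = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()
    nonce = secrets.token_bytes(12)
    return eph_pub + nonce + chacha_xor(file_key, nonce, plaintext)


def decrypt_file(blob: bytes, operator_priv: bytes) -> bytes:
    """Operator side: only the long-term private key rebuilds the per-file key."""
    eph_pub, nonce, ct = blob[:32], blob[32:44], blob[44:]
    file_key = hashlib.sha256(x25519(operator_priv, eph_pub)).digest()
    return chacha_xor(file_key, nonce, ct)


if __name__ == "__main__":
    op_priv, op_pub = generate_keypair()          # op_pub is what a sample would embed
    doc = b"constructed sample document: Q4 figures, do not distribute"
    blob = encrypt_file(doc, op_pub)
    assert decrypt_file(blob, op_priv) == doc
    assert decrypt_file(blob, generate_keypair()[0]) != doc   # wrong key -> garbage
    print("roundtrip ok,", len(blob) - len(doc), "bytes of overhead per file")
```

Running the script shows the asymmetry that matters for response: the binary only ever carries the operators’ public key, and the per-file ephemeral private key is discarded immediately after use, so a victim who recovers the sample and every encrypted file still has nothing from which to rebuild a file key. Only the operators’ long-term private key, which the article notes is generated per sample, closes the loop, which is why “not obfuscated” and “amateur coding” do not translate into a free decryptor.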
The ransomware is targeting large corporations rather than individual users.
Babuk can also extend its encryption to network shares by enumerating the available network resources, a behaviour seen in other ransomware attacks. Notably, the operators generate one private key per Babuk sample, which points to per-victim builds, consistent with targeted attacks on large corporations rather than mass distribution.
“So far, according to the website embedded in the ransom note as well as the leaks on Raidforums, they have successfully compromised Sabelt, BOCA group, Spiratex, and Mecol,” the report notes.
Babuk Ransomware Technical Details
When encrypting, the ransomware appends a hardcoded extension to each encrypted file; in the samples seen so far it is .__NIST_K571__. The ransom note is named “How To Restore Your Files.txt” and is dropped in every folder on the compromised system. As is typical, the note points victims to a Tor site where the ransom is negotiated.
Dong also finds it rather unprofessional that the cybercriminals did not remove their chat log with the Sabelt company from that site. Sabelt is an Italian manufacturer of car seats, seat belts and motorsport products, including seat belts for military, aviation, and aerospace applications.
Other researchers report that the Babuk Locker operators are leaking data stolen from their victims on a hacker forum. One of the attacked enterprises has reportedly paid a ransom of $85,000.
We will keep an eye on the development of this new ransomware campaign. Hopefully, it will be ended before it damages more enterprises.
A report from September 2019 detailed the vulnerabilities ransomware operators most often exploit in attacks against organizations: 35% of the flaws used were old, dating from 2015 or earlier, and the list also included the vulnerabilities exploited by WannaCry.