Summary
- Responsible for attacks on at least five major organizations, including the recently compromised Washington D.C. Police Department
- Targets victims on both Windows and Linux platforms
- The Babuk gang claims that their attacks are a ‘security audit’ of corporate networks, and after successful strikes they request payment for their ‘services’
- The group is currently targeting the transportation, healthcare, plastic surgery, electronics, and agricultural sectors across multiple geographies
- They do not attack hospitals, non-profit foundations, schools (except for major universities), or SMBs with annual revenue of less than $4 million
- For file encryption, HC-128/ChaCha8 symmetric encryption algorithms are used
- For file key encryption, Elliptic-curve Diffie–Hellman (ECDH) is used, which makes it impossible to get the file key for decryption without the private key owned by the criminals
- Recently, the Babuk group claimed that they are going to quit RaaS cryptolocking and focus on data-theft extortion
On May 13, 2021, the Babuk authors published 250 GB of data stolen from the Washington D.C. Police Department, suggesting that their ransom demands were not met.
Attack vectors
The Babuk group hires hackers with knowledge of pentesting tools — including winPEAS, Bloodhound, and SharpHound — or hacking frameworks such as CobaltStrike, Metasploit, Empire, or Covenant to run targeted attacks on big enterprises.
Execution
To avoid running more than one copy of itself, Babuk creates a mutex named ‘DoYouWantToHaveSexWithCuongDong’. This is a reference to the researcher Chuong Dong, who analyzed previous versions of the Babuk ransomware.
Babuk terminates the following processes of databases and office applications to release files for encryption:
sql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe, mydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, notepad.exe
The ransomware stops the following backup and anti-malware services:
vss
sql
svc$
memtas
mepocs
sophos
veeam
backup
GxVss
GxBlr
GxFWD
GxCVD
GxCIMgr
DefWatch
ccEvtMgr
ccSetMgr
SavRoam
RTVscan
QBFCService
QBIDPService
Intuit.QuickBooks.FCS
QBCFMonitorService
YooBackup
YooIT
zhudongfangyu
sophos
stc_raw_agent
VSNAPVSS
VeeamTransportSvc
VeeamDeploymentService
VeeamNFSSvc
veeam
PDVFSService
BackupExecVSSProvider
BackupExecAgentAccelerator
BackupExecAgentBrowser
BackupExecDiveciMediaService
BackupExecJobEngine
BackupExecManagementService
BackupExecRPCService
AcrSch2Svc
AcronisAgent
CASAD2DWebSvc
CAARCUpdateSvc
Babuk skips the following files and folders:
AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Opera
Opera
Software
Mozilla
Mozilla
Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
It also deletes shadow copies of files:
cmd.exe /c vssadmin.exe delete shadows /all /quiet
File encryption
The latest version of Babuk has switched to the HC-128 algorithm from ChaCha8 for file encryption. For file key encryption, the Elliptic-curve Diffie–Hellman (ECDH) scheme is used. The authors changed the elliptic curve from a Weierstrass curve K-571 to the more common Curve25519 for better performance.
Unfortunately, it’s impossible to get the file key for decryption without the private key, which is known only to the cybercriminals.
The ransomware adds a ‘.babyk’ extension to the encrypted files.
Babuk adds the following message at the end of the encrypted files: “choung dong looks like hot dog!!”
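The behaviours listed under Execution (shadow copy deletion, termination of database and office processes, stopping of backup and anti-malware services) together with the ‘.babyk’ extension described here are all observable from endpoint telemetry. The following detection logic is an added example written for this article, not Acronis code. It runs over constructed telemetry lines in a simplified "timestamp key=value ..." format (an assumption, not the format of any particular product) and uses subsets of the process and service lists given above; a real rule would load the complete lists. The service rule is correlated rather than per-event, because a single backup service stopping is routine while several of the listed services stopping on one host within a minute is not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Subsets of the process and service lists given in the article above.
BABUK_KILLED_PROCESSES = {
    "sql.exe", "oracle.exe", "ocssd.exe", "dbsnmp.exe", "agntsvc.exe",
    "isqlplussvc.exe", "excel.exe", "msaccess.exe", "outlook.exe",
    "winword.exe", "powerpnt.exe", "thunderbird.exe", "firefox.exe",
}
BABUK_STOPPED_SERVICES = {
    "vss", "sql", "memtas", "mepocs", "sophos", "veeam", "backup",
    "veeamtransportsvc", "veeamdeploymentservice", "veeamnfssvc",
    "backupexecvssprovider", "backupexecjobengine", "backupexecrpcservice",
    "acrsch2svc", "acronisagent", "casad2dwebsvc", "caarcupdatesvc",
}

# Constructed endpoint telemetry (not real logs) in a simplified key=value format.
SAMPLE_EVENTS = r"""
2021-05-13T10:00:01Z host=WS01 type=process_create image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c vssadmin.exe delete shadows /all /quiet"
2021-05-13T10:00:02Z host=WS01 type=service_stop service=VeeamTransportSvc
2021-05-13T10:00:02Z host=WS01 type=service_stop service=BackupExecJobEngine
2021-05-13T10:00:03Z host=WS01 type=service_stop service=AcronisAgent
2021-05-13T10:00:05Z host=WS01 type=process_terminate image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
2021-05-13T10:00:05Z host=WS01 type=process_terminate image=C:\app\oracle\bin\oracle.exe
2021-05-13T10:00:09Z host=WS01 type=file_rename path=C:\Users\bob\Documents\q1.xlsx new_path=C:\Users\bob\Documents\q1.xlsx.babyk
2021-05-13T11:30:00Z host=WS02 type=service_stop service=Spooler
2021-05-13T11:31:00Z host=WS02 type=process_terminate image=C:\Windows\explorer.exe
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Split one telemetry line into a dict; the first token is the ISO-8601 timestamp."""
    ts_str, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for key, value in KV_RE.findall(rest):
        event[key] = value.strip('"')
    return event


def detect(lines, window=timedelta(seconds=60), min_services=3):
    """Return (host, rule, timestamp) alerts for the Babuk behaviours described in the article."""
    alerts = []
    service_stops = defaultdict(list)  # host -> [(ts, service)]
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        host, kind = ev.get("host", "?"), ev.get("type", "")
        if kind == "process_create":
            cmd = ev.get("cmdline", "").lower()
            # matches: cmd.exe /c vssadmin.exe delete shadows /all /quiet
            if "vssadmin" in cmd and "delete shadows" in cmd:
                alerts.append((host, "shadow_copy_deletion", ev["ts"]))
        elif kind == "process_terminate":
            exe = PureWindowsPath(ev.get("image", "")).name.lower()
            if exe in BABUK_KILLED_PROCESSES:
                alerts.append((host, "db_or_office_process_terminated", ev["ts"]))
        elif kind == "service_stop":
            svc = ev.get("service", "").lower()
            if svc in BABUK_STOPPED_SERVICES:
                service_stops[host].append((ev["ts"], svc))
        elif kind == "file_rename":
            if ev.get("new_path", "").lower().endswith(".babyk"):
                alerts.append((host, "babyk_extension_written", ev["ts"]))
    # Correlation: several distinct listed services stopped on one host inside the window.
    for host, stops in service_stops.items():
        stops.sort()
        for i, (start, _) in enumerate(stops):
            distinct = {svc for ts, svc in stops[i:] if ts - start <= window}
            if len(distinct) >= min_services:
                alerts.append((host, "mass_backup_service_stop", start))
                break
    return alerts


if __name__ == "__main__":
    for host, rule, ts in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{ts.isoformat()} {host} {rule}")
```

On the constructed sample the script raises five alerts, all for WS01; the lone Spooler stop and the explorer.exe termination on WS02 produce nothing. Note that the mutex named in the Execution section is not visible in process or service telemetry; it is an indicator for memory scanning or sandbox analysis, which is why it is listed under IoCs rather than used here.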
Ransom note
The ransom note contains contact information and links demonstrating proof of the attack through the Tor network. Victims are encouraged to click through for more information about their stolen data and how to pay for its decryption.
Data leak site
Babuk’s data leak site provides information about the group’s activities and preferred targets.
Detection by Acronis
Acronis’ Active Protection technology uses advanced, AI-driven behavioral analysis to successfully identify and stop Babuk attacks — as well as any other known or unknown cyberthreats. Backups are protected against tampering, and enable the automatic and rapid restoration of any encrypted files.
Conclusion
The Babuk ransomware employs an unbreakable encryption scheme that makes it impossible to recover files without a decryptor. According to information published on the data leak site, Babuk’s code has been given to another criminal group and will appear again under another name. The Babuk group will continue its criminal business with hacking and data exfiltration only.
IoCs
SHA256 (babuk.bin): 391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e
Mutex: DoYouWantToHaveSexWithCuongDong
About Acronis
A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.