05 July 2021  —  Acronis

Threat analysis: Babuk ransomware


Summary

  • Responsible for attacks on at least five major organizations, including the recently compromised Washington D.C. Police Department
  • Targets victims on both Windows and Linux platforms
  • The Babuk gang claims that their attacks are a ‘security audit’ of corporate networks, and after successful strikes they request payment for their ‘services’
  • The group is currently targeting the transportation, healthcare, plastic surgery, electronics, and agricultural sectors across multiple geographies
  • They do not attack hospitals, non-profit foundations, schools (except for major universities), or SMBs with annual revenue of less than $4 million
  • For file encryption, HC-128/ChaCha8 symmetric encryption algorithms are used
  • For file key encryption, Elliptic-curve Diffie–Hellman (ECDH) is used, which makes it impossible to get the file key for decryption without the private key owned by criminals
  • Recently, the Babuk group claimed that they are going to quit RaaS cryptolocking and focus on data-theft extortion

On May 13, 2021, the Babuk authors published 250 GB of data stolen from the Washington D.C. Police Department, suggesting that their ransom demands were not met.

Attack vectors

The Babuk group hires hackers with knowledge of pentesting tools — including winPEAS, Bloodhound, and SharpHound — or hacking frameworks such as CobaltStrike, Metasploit, Empire, or Covenant to run targeted attacks on big enterprises.

Execution

To check its running copies, Babuk sets a mutex named ‘DoYouWantToHaveSexWithCuongDong’. This is a reference to the researcher Chuong Dong, who analyzed previous versions of the Babuk ransomware.

Babuk terminates the following processes of databases and office applications to release files for encryption:

sql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe, mydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, notepad.exe

The ransomware stops the following backup and anti-malware services:

vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, RTVscan, QBFCService, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, YooBackup, YooIT, zhudongfangyu, sophos, stc_raw_agent, VSNAPVSS, VeeamTransportSvc, VeeamDeploymentService, VeeamNFSSvc, veeam, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, AcrSch2Svc, AcronisAgent, CASAD2DWebSvc, CAARCUpdateSvc

Babuk skips the following files and folders:

AppData, Boot, Windows, Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera, Software, Mozilla, Mozilla, Firefox, $Recycle.Bin, ProgramData, All Users, autorun.inf, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db, Program Files, Program Files (x86)

It also deletes shadow copies of files:

cmd.exe /c vssadmin.exe delete shadows /all /quiet

File encryption

The latest version of Babuk has switched from ChaCha8 to the HC-128 algorithm for file encryption. For file key encryption, the Elliptic-curve Diffie–Hellman (ECDH) scheme is used. The authors changed the elliptic curve from the Weierstrass curve K-571 to the more common Curve25519 for better performance.

Unfortunately, it’s impossible to get the file key for decryption without the private key, which is known only to the cybercriminals.

The ransomware adds a ‘.babyk’ extension to the encrypted files.

Babuk adds the following message at the end of the encrypted files: “choung dong looks like hot dog!!”
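Two of the artefacts described above lend themselves to simple triage checks: the shadow-copy deletion command line and the fixed marker appended to every encrypted file. The following Python is an added example written for this analysis, not code from Acronis or from the Babuk sample; the log line format and the file layout it reads are constructed for illustration.

```python
# Triage helpers for two Babuk artefacts: the vssadmin shadow-copy deletion
# command line and the trailer string appended to encrypted files.
import re
from pathlib import Path
from typing import Iterable, List

# Marker appended to the end of every encrypted file (from the analysis above).
BABUK_TRAILER = b"choung dong looks like hot dog!!"
BABUK_EXTENSION = ".babyk"

# Matches the shadow-copy deletion regardless of path, casing or trailing
# switches; "vssadmin ... delete shadows" is the part that matters for alerting.
VSSADMIN_DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b",
                                re.IGNORECASE)


def has_babuk_trailer(data: bytes) -> bool:
    """True if the given file content ends with the Babuk marker string."""
    return data.endswith(BABUK_TRAILER)


def triage_file(path: Path) -> dict:
    """Inspect one file, reading only its tail so large files stay cheap.
    A trailer match is a triage hint, not proof the content is encrypted."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        fh.seek(max(0, size - len(BABUK_TRAILER)))
        tail = fh.read()
    return {"path": str(path),
            "babyk_extension": path.suffix.lower() == BABUK_EXTENSION,
            "babuk_trailer": has_babuk_trailer(tail)}


def find_shadow_deletion(events: Iterable[str]) -> List[str]:
    """Return process-creation log lines whose command line deletes shadow copies."""
    return [line for line in events if VSSADMIN_DELETE_RE.search(line)]


# Constructed sample process-creation log lines (hypothetical format, not real telemetry).
SAMPLE_EVENTS = [
    "2021-07-05T10:00:01 host=FS01 user=svc_backup cmd=C:\\Windows\\System32\\vssadmin.exe list shadows",
    "2021-07-05T10:02:17 host=FS01 user=jdoe cmd=cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "2021-07-05T10:02:18 host=FS01 user=jdoe cmd=C:\\Windows\\System32\\VSSADMIN.EXE Delete Shadows /All /Quiet",
    "2021-07-05T10:03:00 host=FS01 user=jdoe cmd=notepad.exe readme.txt",
]

if __name__ == "__main__":
    for hit in find_shadow_deletion(SAMPLE_EVENTS):
        print("ALERT shadow copies deleted:", hit)
    print("trailer present:", has_babuk_trailer(b"\x8f\x12\x00\x41" + BABUK_TRAILER))
```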

Ransom note

The ransom note contains contact information and links demonstrating proof of the attack through the Tor network. Victims are encouraged to click through for more information about their stolen data and how to pay for its decryption.

Data leak site

Babuk’s data leak site provides information about the group’s activities and preferred targets.

Detection by Acronis

Acronis’ Active Protection technology uses advanced, AI-driven behavioral analysis to successfully identify and stop Babuk attacks — as well as any other known or unknown cyberthreats. Backups are protected against tampering, and enable the automatic and rapid restoration of any encrypted files.

Conclusion

The Babuk ransomware employs an unbreakable encryption scheme that makes it impossible to recover files without a decryptor. According to information published on the data leak site, Babuk’s code has been given to another criminal group and will appear again under another name. The Babuk group will continue its criminal business with hacking and data exfiltration only.

IoCs

SHA256 (babuk.bin): 391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e

Mutex: DoYouWantToHaveSexWithCuongDong
