- Responsible for attacks on at least five major organizations, including the recently compromised Washington D.C. Police Department
- Targets victims on both Windows and Linux platforms
- The Babuk gang claims that their attacks are a ‘security audit’ of corporate networks, and after successful strikes they request payment for their ‘services’
- The group is currently targeting the transportation, healthcare, plastic surgery, electronics, and agricultural sectors across multiple geographies
- They do not attack hospitals, non-profit foundations, schools (except for major universities), or SMBs with annual revenue of less than $4 million
- For file encryption, HC-128/ChaCha8 symmetric encryption algorithms are used
- For file key encryption, Elliptic-curve Diffie–Hellman (ECDH) is used, which makes it impossible to get the file key for decryption without the private key owned by criminals
- Recently, the Babuk group claimed that they are going to quit RaaS cryptolocking and focus on data-theft extortion
On May 13, 2021, the Babuk authors published 250 GB of data stolen from the Washington D.C. Police Department, suggesting that their ransom demands were not met.
The Babuk group hires hackers with knowledge of pentesting tools — including winPEAS, Bloodhound, and SharpHound — or hacking frameworks such as CobaltStrike, Metasploit, Empire, or Covenant to run targeted attacks on big enterprises.
To check its running copies, Babuk sets a mutex named ‘DoYouWantToHaveSexWithCuongDong’. This is a reference to the researcher Chuong Dong, who analyzed previous versions of the Babuk ransomware.
Babuk terminates the following processes of databases and office applications to release files for encryption:
sql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe, mydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, notepad.exe
The ransomware stops the following backup and anti-malware services:
Babuk skips the following files and folders:
Program Files (x86)
It also deletes shadow copies of files:
cmd.exe /c vssadmin.exe delete shadows /all /quiet
The latest version of Babuk has switched to the HC-128 algorithm from ChaCha8 for file encryption. For file key encryption, the Elliptic-curve Diffie–Hellman (ECDH) scheme is used. The authors changed the elliptic curve from a Weierstrass curve K-571 to the more common Curve25519 for better performance.
Unfortunately, it’s impossible to get the file key for decryption without the private key, which is known only to the cybercriminals.
The ransomware adds a ‘.babyk’ extension to the encrypted files.
Babuk adds the following message at the end of the encrypted files: “choung dong looks like hot dog!!”
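The host-level indicators quoted in this report (the mutex name, the vssadmin shadow-copy deletion command, the ‘.babyk’ extension, and the trailer string appended to encrypted files) can be turned into simple detection logic. The following is an added example, not Acronis code or part of the original report; it assumes a generic event schema (dicts with 'type' and 'value') rather than any specific EDR or Sysmon format, and the sample events are constructed.

```python
import re

# Indicators taken from the report above (used here for detection only).
BABUK_MUTEX = "DoYouWantToHaveSexWithCuongDong"
BABUK_EXTENSION = ".babyk"
BABUK_FILE_MARKER = b"choung dong looks like hot dog!!"
# The report quotes "cmd.exe /c vssadmin.exe delete shadows /all /quiet";
# match the core verb loosely so spacing or argument changes do not evade it.
SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def match_event(event):
    """Return the names of Babuk indicators present in one telemetry event.

    `event` is an assumed simple dict with keys 'type' and 'value'
    (a hypothetical schema, not any particular product's log format)."""
    hits = []
    kind, value = event.get("type"), event.get("value", "")
    if kind == "process_create" and SHADOW_DELETE_RE.search(value):
        hits.append("shadow_copy_deletion")
    if kind == "mutex_create" and value == BABUK_MUTEX:
        hits.append("babuk_mutex")
    if kind == "file_rename" and value.lower().endswith(BABUK_EXTENSION):
        hits.append("babyk_extension")
    return hits


def has_babuk_marker(data):
    """True if a file's bytes end with the trailer Babuk appends after encryption."""
    return data.endswith(BABUK_FILE_MARKER)


def scan(events):
    """Aggregate indicator hits across an event stream: name -> list of event indexes."""
    findings = {}
    for index, event in enumerate(events):
        for name in match_event(event):
            findings.setdefault(name, []).append(index)
    return findings


# Constructed sample telemetry for demonstration (not real logs).
SAMPLE_EVENTS = [
    {"type": "process_create", "value": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"type": "mutex_create", "value": "DoYouWantToHaveSexWithCuongDong"},
    {"type": "file_rename", "value": r"C:\Users\finance\Q1.xlsx.babyk"},
    {"type": "process_create", "value": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

A single hit on the mutex or the file trailer is a strong signal; the shadow-copy deletion command is also used by legitimate administration, so it is best correlated with the other indicators rather than alerted on alone.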
The ransom note contains contact information and links demonstrating proof of the attack through the Tor network. Victims are encouraged to click through for more information about their stolen data and how to pay for its decryption.
Data leak site
Babuk’s data leak site provides information about the group’s activities and preferred targets.
Detection by Acronis
Acronis’ Active Protection technology uses advanced, AI-driven behavioral analysis to successfully identify and stop Babuk attacks — as well as any other known or unknown cyberthreats. Backups are protected against tampering, and enable the automatic and rapid restoration of any encrypted files.
The Babuk ransomware employs an unbreakable encryption scheme that makes it impossible to recover files without a decryptor. According to information published on the data leak site, Babuk’s code has been given to another criminal group and will appear again under another name. The Babuk group will continue its criminal business with hacking and data exfiltration only.
Acronis is a Swiss company, founded in Singapore. Celebrating two decades of innovation, Acronis has more than 2,000 employees in 45 locations. Acronis Cyber Protect solution is available in 26 languages in over 150 countries and is used by 18,000 service providers to protect over 750,000 businesses.