Origin: Early 2021
Alias: Baby, Vasa locker, Babuk locker, Babuklocker
Infection Vectors: Spam-emails, Phishing
Attack Sector: Healthcare, Manufacturing, Logistics, Electronics, Agricultural
Targeted Region: Eastern and Western Europe, North America, Southern Asia
Motive: Data theft, Financial gains (Ransom)
Threat Level: High
Babuk, aka ‘Babyk’ and initially ‘Vasa Locker,’ is a Russian-speaking ransomware gang that made its first appearance in January 2021. Originally, the group operated as Ransomware-as-a-Service (RaaS) in its early days, where it earned a bad name on cybercriminal forums because of a lower rate offered to affiliates as compared to other RaaS groups. Even though the malware first appeared at the beginning of this year, posts about Babuk were spotted much earlier on an underground forum. The posts were made under the username Biba99, which has been active since August 26, 2020. Typically, most of the ransomware are advertised on Russian-speaking forums but this one was first promoted on an English-speaking forum and then on both. The gang came to the limelight after targeting Washington DC’s Metropolitan Police Department (MPD) but, it soon realized its mistake of targeting a law enforcement authority. Babuk operators announced their retirement and claimed to shut down operations. However, it didn’t end there and the claim turned out to be a hoax as actors made a comeback. Today, the group appears to be more focused on demanding ransom for stolen information from target entities instead of encrypting data and then demanding ransom for recovery of files.
Targets and Tactics
Babuk targeted its first set of victims in January 2021 via double-extortion tactics and compromised at least five companies. However, its leak site listed only two companies, indicating other victims must have opted to pay the ransom. As per the report, one of the victims paid $85,000 to the gang after negotiations. To date, its targeted victims include Serco (the U.K.), Belgian Armed Forces, European Space Agency, PDI Group, Washington D.C. Police, Houston Rockets (the U.S.), YposKesi SAS, and Yamabiko (Japan), and the Phone House Spain. Besides targeting government and private organizations, the Babuk ransomware operators made racial statements against BlackLivesMatter and LGBT community campaigns.
As for the infection vectors, the attackers first compromise user accounts on the targeted systems with existing vulnerability exploits or using a phishing attack. After gaining access to the targeted system, the ransomware attempts to steal a set of sensitive data and looks for any possibility of lateral movement. The ransomware has support for the command line operation and features three built-in commands to spread itself and encrypt the network resources. After infecting a system, it looks for a predefined list running of services and processes to kill them and avoid detection. Moreover, this ransomware does not have local language checks, unlike other ransomware gangs that avoid specific countries. Additionally, the malware is distributed to a limited set of targets, which hints at its independent operations without any allies.
In May, Babuk came up with a new forum on the dark web that acted as a meeting and information sharing platform for ransom gangs and access brokers. In July, a spammer bombarded the Babuk forum with gay orgy porn GIFs after the gang denied paying the ransom demand of $5,000 to them. In the same month, the group performed live beta testing on its victims, leaving some of their systems encrypted beyond repair.
At the end of April, just after stealing roughly around 250GB of data from the networks of the DC Police, Babuk operators announced their exit from the encryption business only to shift their focus on data theft-related extortion activities. Barely a couple of weeks later, the group announced to abandon the data-based extortion model and switch to encryption-based extortion tactics. Another crucial moment for the group arrived in June when the builder for the Babuk ransomware was leaked online by unknown miscreants and dumped publically on the portal of VirusTotal in the following month. It was now available to all security vendors/competitors and was also ready to be exploited by cybercriminals aspiring to create their custom ransomware variants. An instance of the leaked Babuk builder being exploited by another threat actor was also observed later in July. But, before that, operators had launched its new and huge leak site——PayLoad Bin—purportedly to name and shame organizations who refused to cough up a ransom.
At present, Babuk no longer encrypts information on networks, instead, it is focused on stealing information from the targeted victims and demanding ransom for it.
Babuk is a new ransomware threat that first appeared in January and within a few months, it made its name among the most notorious ransomware groups. Since its return, it has gained more visibility by aggressively advertising itself on underground forums. In terms of tactics, its encryption function does not differ much from other ransomware groups. Over time, the ransomware group has become successful in creating mayhem by releasing new variants and working on improving its attack mechanisms.
Indicators of Compromise
How To Restore Your Files.txt
DECR.TXT (Early ‘Vasa Locker’ version)
Encrypted Files Extension
Ransom Demanding Message
How To Restore Your Files[.]txt
BTC Wallet Address
Cyber Criminal Contact
Rich PE header hash abc33010b8ae773d56322b76c9f81a0b
PayloadBin (June 2021)