Babuk Ransomware: An Active and Dangerous Threat Making Rounds on the Internet

Origin: Early 2021

Alias: Baby, Vasa locker, Babuk locker, Babuklocker

Infection Vectors: Spam-emails, Phishing

Targeted Sectors: Healthcare, Manufacturing, Logistics, Electronics, Agricultural

Targeted Regions: Eastern and Western Europe, North America, Southern Asia

Motive: Data theft, Financial gains (Ransom)

Threat Level: High

The Summary

Babuk, aka ‘Babyk’ and initially ‘Vasa Locker,’ is a Russian-speaking ransomware gang that made its first appearance in January 2021. In its early days the group operated as Ransomware-as-a-Service (RaaS), and it earned a bad name on cybercriminal forums for offering affiliates a lower cut than other RaaS groups. Although the malware itself first appeared at the beginning of this year, posts about Babuk had been spotted much earlier on an underground forum. They were made under the username Biba99, an account active since August 26, 2020. Most ransomware is advertised on Russian-speaking forums, but this one was first promoted on an English-speaking forum and only later on both.

The gang came into the limelight after targeting Washington DC’s Metropolitan Police Department (MPD), but it soon realized its mistake in targeting a law enforcement agency. Babuk operators announced their retirement and claimed to have shut down operations. It didn’t end there, however: the claim turned out to be a hoax and the actors made a comeback. Today, the group appears more focused on demanding ransom for information stolen from target entities than on encrypting data and demanding ransom for the recovery of files.

Targets and Tactics

Babuk hit its first set of victims in January 2021 using double-extortion tactics and compromised at least five companies. However, its leak site listed only two of them, indicating that the other victims must have opted to pay the ransom. According to one report, a victim paid $85,000 to the gang after negotiations.

To date, its victims include Serco (the U.K.), the Belgian Armed Forces, the European Space Agency, PDI Group, the Washington D.C. Police and the Houston Rockets (the U.S.), YposKesi SAS, Yamabiko (Japan), and Phone House Spain. Besides targeting government and private organizations, the Babuk operators have made racial statements against the BlackLivesMatter and LGBT community campaigns.

As for infection vectors, the attackers first compromise user accounts on the targeted systems, either by exploiting known vulnerabilities or through phishing. After gaining access, the ransomware attempts to steal a set of sensitive data and looks for opportunities for lateral movement. It supports command-line operation and features three built-in commands to spread itself and encrypt network resources. After infecting a system, it checks a predefined list of running services and processes and kills them to avoid detection. Moreover, unlike the ransomware of gangs that avoid specific countries, it performs no local language checks. Additionally, the malware is distributed to a limited set of targets, which hints at independent operations without any partners.

In May, Babuk launched a new forum on the dark web that acted as a meeting and information-sharing platform for ransomware gangs and access brokers. In July, a spammer bombarded the Babuk forum with gay orgy porn GIFs after the gang refused to pay their $5,000 ransom demand. In the same month, the group performed live beta testing on its victims, leaving some of their systems encrypted beyond repair.

Watershed Moments

At the end of April, just after stealing roughly 250 GB of data from the networks of the DC Police, Babuk operators announced their exit from the encryption business to shift their focus to data theft-related extortion. Barely a couple of weeks later, the group announced it would abandon the data-based extortion model and switch to encryption-based extortion tactics.

Another crucial moment for the group arrived in June, when the builder for the Babuk ransomware was leaked online by unknown miscreants and then dumped publicly on VirusTotal the following month. It was now available to all security vendors and competitors, and ready to be exploited by cybercriminals aspiring to create their own custom ransomware variants. An instance of the leaked Babuk builder being used by another threat actor was observed later in July. Before that, the operators had launched their new, huge leak site, PayLoad Bin, purportedly to name and shame organizations that refused to cough up a ransom.

At present, Babuk no longer encrypts information on victim networks; instead, it focuses on stealing information from targeted victims and demanding ransom for it.


Conclusion

Babuk is a new ransomware threat that first appeared in January, and within a few months it made its name among the most notorious ransomware groups. Since its return, it has gained more visibility by aggressively advertising itself on underground forums. In terms of tactics, its encryption function does not differ much from that of other ransomware groups. Over time, the group has succeeded in creating mayhem by releasing new variants and improving its attack mechanisms.

Indicators of Compromise

Filename
crypto[.]exe
How To Restore Your Files.txt
%appdata%\ecdh_pub_k.bin
DECR.TXT (Early ‘Vasa Locker’ version)
Babuk_nas.bin
e_nas_arm.out
d_nas_arm.out
d_nas_x86.out
d_win.bin
e_esxi.out
e_nas_x86.out
e_win.bin
builder.exe
d_esxi.out

Encrypted Files Extension
.babyk

Ransom Demanding Message
How To Restore Your Files[.]txt

Ransom Amount
0.006 BTC

BTC Wallet Address
1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Cyber Criminal Contact
babuckransom@tutanota[.]com
babukrip@protonmail.com

Vhash
035056755d15551az9dnz2ez2

Authentihash
b7bf73151481c5b68337345779e73f5bd6e34689ff9160ca9459a062dd1b1301

Imphash
b678a05c216e0e78b385602dd31274de

Rich PE header hash
abc33010b8ae773d56322b76c9f81a0b

SSDEEP
6144:mNNxw8FOMIByyL7bV27npgifHlCDgqxKLY3m0Zt8FZD:mSUlyLV27nPfHlCVIcWS8F

TLSH
T187647D00B790C035FAF326F44AB993ADA53D7EE19B2451CB62D52AEE56316E0EC30717

PayloadBin (June 2021)
File name
PAYLOADBIN-README[.]txt

File Extension
.PAYLOADBIN
.__NIST_K571__
.babyk

MD5
75a6690d9a4a89bd0cf6ceebcffd3c41
be76ed428523b9aefe706aeaa72bb6b2
8b9a0b44b738c7884e6a14f4cb18afff
e25e078255b56b47897ac96a7842de92
64f7ac45f930fe0ae05f6a6102ddb511
dd7f88a68a76acc0be9eb0515d54a82a
e10713a4a5f635767dcd54d609bed977
67e49cfcd12103b5ef2f9f331f092dbe
9478050023c7f8668df4fc39b0ddd79c

SHA-1
678ddaaaa14fcd7b90bfa2b673221378e032fdbf
b040f2bdee3999aad415396f9f79e43b2aa9452b
9d9c33493aa0e1a12efe472e7cfc74bebec9a270
21febfb36da69c8a611a9eaee5cc826cfd5684d7
499c21991aecc205fd9c64784909d94eb34a9a71
ca205a28b8dbd74c60fdeaf522804d5a2a45dd0b
320d799beef673a98481757b2ff7e3463ce67916
72cad5a81ce546b42844b5b8fc2ab55e99f2b5d4
7925725cfb04d796f497e5142cba62860fbf87a9
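A quick way to put these indicators to use is a file-system sweep that flags the ransom note and dropped-file names, the encrypted-file extensions and the MD5/SHA-1 hashes listed above. The script below is an added example, not code from the original post or from Cyware: it transcribes the page's indicators into Python sets, walks a directory tree and reports every match. The sample files it creates in a temporary directory are constructed for the demo (none is real malware), and the single hash hit it produces comes from a digest computed over its own sample bytes, added to the MD5 list for that run only.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators transcribed from the IoC lists in this post ("[.]" defanging restored).
IOC_FILENAMES = {
    "crypto.exe", "How To Restore Your Files.txt", "ecdh_pub_k.bin", "DECR.TXT",
    "Babuk_nas.bin", "e_nas_arm.out", "d_nas_arm.out", "d_nas_x86.out", "d_win.bin",
    "e_esxi.out", "e_nas_x86.out", "e_win.bin", "builder.exe", "d_esxi.out",
    "PAYLOADBIN-README.txt",
}
IOC_EXTENSIONS = {".babyk", ".payloadbin", ".__nist_k571__"}
IOC_MD5 = {
    "75a6690d9a4a89bd0cf6ceebcffd3c41", "be76ed428523b9aefe706aeaa72bb6b2",
    "8b9a0b44b738c7884e6a14f4cb18afff", "e25e078255b56b47897ac96a7842de92",
    "64f7ac45f930fe0ae05f6a6102ddb511", "dd7f88a68a76acc0be9eb0515d54a82a",
    "e10713a4a5f635767dcd54d609bed977", "67e49cfcd12103b5ef2f9f331f092dbe",
    "9478050023c7f8668df4fc39b0ddd79c",
}
IOC_SHA1 = {
    "678ddaaaa14fcd7b90bfa2b673221378e032fdbf", "b040f2bdee3999aad415396f9f79e43b2aa9452b",
    "9d9c33493aa0e1a12efe472e7cfc74bebec9a270", "21febfb36da69c8a611a9eaee5cc826cfd5684d7",
    "499c21991aecc205fd9c64784909d94eb34a9a71", "ca205a28b8dbd74c60fdeaf522804d5a2a45dd0b",
    "320d799beef673a98481757b2ff7e3463ce67916", "72cad5a81ce546b42844b5b8fc2ab55e99f2b5d4",
    "7925725cfb04d796f497e5142cba62860fbf87a9",
}
_NAMES_LOWER = {n.lower() for n in IOC_FILENAMES}


def hash_file(path):
    """Return (md5, sha1) hex digests of a file, hashing it in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def sweep(root, md5s=IOC_MD5, sha1s=IOC_SHA1):
    """Walk `root` and return a list of (path, reason) pairs, one per indicator match.

    Name and extension checks are case-insensitive. A file that cannot be read is still
    reported on its name or extension; only the hash checks are skipped for it.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            reasons = []
            if name.lower() in _NAMES_LOWER:
                reasons.append("ioc_filename")
            if path.suffix.lower() in IOC_EXTENSIONS:
                reasons.append("ioc_extension")
            try:
                md5, sha1 = hash_file(path)
            except OSError:
                md5 = sha1 = None  # locked or unreadable: keep the name/extension findings
            if md5 in md5s:
                reasons.append("ioc_md5")
            if sha1 in sha1s:
                reasons.append("ioc_sha1")
            hits.extend((str(path), r) for r in reasons)
    return hits


def demo():
    """Build a constructed sample tree, sweep it and return {(basename, reason)}.

    None of the sample files is real malware. The only hash match comes from a digest
    computed over our own sample bytes and added to the MD5 list for this run.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        roaming = root / "AppData" / "Roaming"  # stands in for %APPDATA%
        docs, downloads = root / "Documents", root / "Downloads"
        for d in (roaming, docs, downloads):
            d.mkdir(parents=True)
        (roaming / "ecdh_pub_k.bin").write_bytes(b"\x00" * 64)
        (docs / "How To Restore Your Files.txt").write_text("constructed sample note")
        (docs / "invoice.pdf.babyk").write_bytes(b"\xde\xad\xbe\xef")
        (docs / "report.docx.__NIST_K571__").write_bytes(b"\xca\xfe")
        (docs / "readme.md").write_text("benign file, should not be flagged")
        sample = b"constructed sample binary, not a real payload"
        (downloads / "setup.bin").write_bytes(sample)
        md5s = IOC_MD5 | {hashlib.md5(sample).hexdigest()}
        hits = sweep(root, md5s=md5s)
        return {(os.path.basename(p), r) for p, r in hits}


if __name__ == "__main__":
    for name, reason in sorted(demo()):
        print(f"{reason:14} {name}")
```

Run it as a script to see the matches printed. The SHA-256 list is not included because the values are not reproduced on this page. On a real host, point `sweep()` at user profiles or a file-server share and forward the hits to your SIEM; treat a name or extension hit as a lead rather than proof, since the `.babyk` extension and the note filename are trivially changed by anyone building from the leaked builder, while a hash hit on a known sample is firm evidence.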

SHA-256

Tags

babuk locker ransomware
babuk

Posted on: September 09, 2021

