Ransomware Gangs: Babuk Analysis

Written by IRONSCALES | Dec 3, 2021 8:30:09 PM

Babuk is a new ransomware gang that emerged in early 2021. The gang’s initial mission statement referenced a non-malicious intent to conduct ransomware attacks as an apparent audit of the security of corporate networks. The reality of Babuk’s operations, however, does not align with this non-malicious intent, as the gang has exfiltrated sensitive data from organizations in law enforcement and others. This article analyzes Babuk’s operations, ransomware strain, and victims. 


Babuk: Operations and Ransomware Analysis

Babuk began operating as a ransomware-as-a-service (RaaS) gang, following the model of higher-profile gangs such as DarkSide. Dark web forum posts written in both Russian and English indicate a Russian origin for Babuk. Advertisements posted on the dark web attempt to recruit affiliates with penetration testing skills who can use the Babuk ransomware strain to break into corporate networks and share a proportion of any ransom payment with Babuk’s leaders.

Expanding on the apparently benevolent intention to “audit the security of large corporate networks”, the gang stated an unwillingness to attack hospitals, non-profits, and companies earning less than $4 million in annual revenue. This victim selectiveness is an attempt to cast Babuk as the good guys, but the gang didn’t fool anybody in the security world, particularly when racist sentiments appeared in some forum posts made by the gang’s members.

The first point of note about Babuk’s ransomware is the relatively primitive, unsophisticated nature of its code. Security researchers who first spotted Babuk noted technical errors in its binaries, and they speculated that these errors stemmed from attempting to create a cross-platform strain that infected Linux, Unix, and VMware systems. Encryption tends to run slowly because of poor coding in the Babuk ransomware. The decryption tool supplied by Babuk was so riddled with errors that encrypted files couldn’t be recovered even when victims paid the ransom.

Typical Babuk ransomware attacks include tactics such as enumerating the processes running on a system and terminating those that could detect it. Babuk ransomware also destroys shadow volume copies of the machine’s storage volumes, removing a common local recovery path. Encryption uses the ChaCha algorithm, and victims can only get their files back if Babuk supplies the private key needed for decryption.
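The two host behaviours described above, security-process termination and shadow-copy deletion, are the kind of precursor activity a detection engineer would alert on. The following script is an added example, not code from the original post or from IRONSCALES: it runs simple rules over process-creation events (the shape of Sysmon Event ID 1 or Windows Security event 4688) and escalates a host that shows both behaviours. The event records, the watchlist of protected process names, and the command-line patterns are constructed for this example; a real deployment would use the names of the EDR, backup, and database agents actually installed.

```python
"""Detect Babuk-style precursor activity in process-creation events.

All sample events, process names and patterns below are constructed for
this example; they are not Babuk indicators published by the original post.
"""
import re
from dataclasses import dataclass

# Command lines that delete Volume Shadow Copies (the recovery path Babuk
# destroys). Matching is case-insensitive and tolerant of the ".exe" suffix.
SHADOW_COPY_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
]

# Illustrative watchlist of processes a ransomware payload tries to stop
# (names without ".exe" so both taskkill and Stop-Process forms match).
PROTECTED_PROCESSES = {"msmpeng", "sqlservr", "veeam.backup.service"}
KILL_TOOLS = {"taskkill.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Alert:
    host: str
    rule: str
    command: str


def _image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Evaluate every event against both rules; return the alerts raised."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        lowered = cmd.lower()
        if any(p.search(cmd) for p in SHADOW_COPY_DELETION):
            alerts.append(Alert(ev["Host"], "shadow_copy_deletion", cmd))
        if _image_name(ev.get("Image", "")) in KILL_TOOLS:
            if any(name in lowered for name in PROTECTED_PROCESSES):
                alerts.append(Alert(ev["Host"], "security_process_kill", cmd))
    return alerts


def triage(events):
    """Group alerts by host; a host showing both behaviours is escalated."""
    rules_by_host = {}
    for alert in detect(events):
        rules_by_host.setdefault(alert.host, set()).add(alert.rule)
    return {
        host: ("high" if len(rules) == 2 else "medium")
        for host, rules in rules_by_host.items()
    }


# Constructed sample telemetry: one benign command, one host that shows the
# full precursor chain, one host with only shadow-copy deletion, and a benign
# "vssadmin list" that must not trigger.
SAMPLE_EVENTS = [
    {"Host": "ws-01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"Host": "ws-01", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill.exe /F /IM MsMpEng.exe"},
    {"Host": "ws-01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Host": "srv-02", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Host": "ws-03", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.host}: {alert.rule}: {alert.command}")
    print(triage(SAMPLE_EVENTS))
```

The correlation in `triage` is the useful part: either rule alone has benign explanations (an administrator pruning old snapshots, a backup job restarting a service), but the pair on one host within the same telemetry window is much harder to explain away and is worth an immediate response.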

Strong similarities exist between Babuk’s ransomware and that of another operation named Vasa Locker. These similarities extend to almost identical ransom notes, the same file extension added to encrypted files, and the same encryption method.


Babuk’s Victims

Security researchers believe Babuk has successfully attacked up to five large corporate networks so far. Of these, three victims are publicly known.

Washington DC Metropolitan Police Department

Any cyber attack managing to infiltrate the network of a police department rightly warrants attention. Babuk operators received global media attention in April and May 2021 when details emerged of a ransomware attack on the Washington, D.C. Metropolitan Police Department. 

A dark web post on Babuk’s leak site claimed the gang managed to breach the police department’s IT network and exfiltrate 250 gigabytes of data. Babuk demanded a ransom payment of $4 million. After the police department refused to cough up the full amount, Babuk published the full trove of data on its leak website. 

The published data included social security numbers belonging to members of the police department and lists of persons of interest kept on file by the Washington D.C. Metropolitan Police. Babuk referred to an offer of $100,000 made to the gang to avoid publication of the stolen data, but said this amount was too low. It’s unknown whether the incident resulted in computer systems being locked down by Babuk’s ransomware strain or whether this was solely a data exfiltration attack.


Houston Rockets

The Houston Rockets are a team in the NBA (National Basketball Association). Babuk targeted this professional basketball team with its ransomware strain in April 2021. Statements made to the media at the time reported that “internal tools prevented ransomware from being installed except for a few systems that have not impacted our operations.”

The relatively limited impact of the ransomware strain on the Houston Rockets’ internal IT operations didn’t prevent this from being a severe attack, though. Following news of the incident, Babuk claimed to have stolen 500 gigabytes of data belonging to the Houston Rockets. This data included highly sensitive documents, such as contracts and non-disclosure agreements. Modern ransomware gangs favor these double extortion attacks because they put added pressure on victims to pay up in order to keep their sensitive information private.


Serco

Serco is a contractor used by the British government to deliver important services to citizens, such as management services at NHS hospitals, test and trace for Covid-19, and border security services. In January 2021, Serco confirmed it had been hit by a double extortion ransomware attack orchestrated by the Babuk gang. This confirmation followed Babuk publicly claiming Serco as a victim three months earlier.

The incident targeted Serco’s IT infrastructure in mainland Europe. The company entered negotiations with the Babuk hackers, although it remains unclear whether any ransom payment changed hands. Organizations such as NATO and the Belgian military, for whom Serco was a contractor, sought assurances that their data remained secure and private. The ransom note indicated that the threat actors had lurked inside Serco’s network for three weeks and exfiltrated up to one terabyte of data.


Babuk’s Future: Exit, Conflict, and Realignment of Operations

After a brief but damaging spell of operations, Babuk’s leaders signaled an intention to retire via a dark web post. This message spelled out that the Babuk project would be closed and the ransomware’s source code made publicly available. Interestingly, the intention to cease operations came in the wake of media headlines about Babuk hacking the Washington D.C. Police Department. Perhaps the heat from law enforcement prompted a shutdown, much as REvil vanished when the FBI closed in.

Following the shutdown, the media reported that one Babuk member said the gang had split up after internal conflict emerged in the aftermath of the Washington Police incident. One member wanted to publish all the stolen data, while others were reluctant because of the attention this would likely attract from more cyber-aware organizations such as the FBI.

One month after the internal conflict began, several existing Babuk members re-established the gang as Babuk version 2. A dark web message posted in May 2021 announced a realignment of operations away from classic ransomware attacks involving encryption to focus solely on data exfiltration.

In another interesting development, a member of the Babuk group eventually released the full source code for the ransomware strain on a Russian hacking forum in September 2021. Security researchers used this code to build a decryption tool that any Babuk victim can use to recover infected systems.


Defending Against Initial Babuk Attack Vectors

Babuk uses the same attack vectors as many other ransomware gangs to gain initial access to corporate IT networks. Email phishing campaigns carrying malicious attachments, exploitation of software vulnerabilities, and compromise of remote desktop protocol (RDP) appear to be the three main modes of initial access. Preventing this initial access is critical to stopping ransomware attacks in their tracks before they lock down systems or exfiltrate your sensitive data.

Here are some tips for defending against these three attack vectors:

  • Phishing — get a dedicated anti-phishing email security solution in place and train employees on how to better spot phishing emails.
  • Common software vulnerabilities — establish a dedicated patch management strategy that ensures all applications and services used in your IT network are regularly updated.
  • RDP — require multi-factor authentication for logins so that remote users need to provide an additional category of evidence to verify who they are before logging in.
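As a concrete illustration of the first tip, the malicious-attachment vector, the script below is an added example (not IRONSCALES code and not a description of its product) that applies an attachment policy to inbound mail: plain executables and script files are blocked outright, while macro-enabled Office documents, archives, and filenames that dress one file type up as another (such as `scan.pdf.html`) are quarantined for review when they come from outside the organization. The extension lists and the sample messages are constructed assumptions for this example; a real gateway policy would be tuned to what the business actually exchanges.

```python
"""Attachment policy for inbound mail, illustrating the phishing tip above.

The extension sets and sample messages are constructed for this example;
they are not a published IRONSCALES rule set.
"""
import posixpath

# Executable or script content that has no business arriving as an attachment.
BLOCKED_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".hta",
               ".bat", ".cmd", ".ps1", ".lnk", ".iso", ".img"}
# Macro-capable Office formats and archives: hold for sandboxing or review
# when they come from outside, since their contents cannot be judged by name.
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
ARCHIVE_EXT = {".zip", ".7z", ".rar"}
# Ordinary document types users expect to receive.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                ".txt", ".jpg", ".png"}


def classify_attachment(filename: str, from_external: bool) -> str:
    """Return "block", "quarantine" or "allow" for one attachment name."""
    name = filename.strip().lower()
    stem, ext = posixpath.splitext(name)
    inner_ext = posixpath.splitext(stem)[1]   # the ".pdf" in "invoice.pdf.exe"
    if ext in BLOCKED_EXT:
        return "block"                        # regardless of sender
    if not from_external:
        return "allow"                        # internal mail: lighter policy
    if ext in MACRO_EXT or ext in ARCHIVE_EXT:
        return "quarantine"
    if inner_ext in DOCUMENT_EXT and ext not in DOCUMENT_EXT:
        return "quarantine"                   # document-looking name, other type
    return "allow"


def triage_message(message: dict) -> str:
    """Most severe verdict across all attachments decides the message."""
    verdicts = [classify_attachment(a, message["external"])
                for a in message["attachments"]]
    if "block" in verdicts:
        return "block"
    if "quarantine" in verdicts:
        return "quarantine"
    return "allow"


# Constructed sample messages covering each branch of the policy.
SAMPLE_MESSAGES = [
    {"subject": "Q3 invoice", "external": True, "attachments": ["invoice.pdf"]},
    {"subject": "Q3 invoice", "external": True, "attachments": ["invoice.pdf.exe"]},
    {"subject": "Payroll", "external": True, "attachments": ["payroll.xlsm"]},
    {"subject": "Payroll", "external": False, "attachments": ["payroll.xlsm"]},
    {"subject": "Scan", "external": True, "attachments": ["scan.pdf.html"]},
    {"subject": "Notes", "external": True, "attachments": ["notes.txt", "setup.ps1"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f'{triage_message(msg):10} {msg["subject"]}: {msg["attachments"]}')
```

The policy deliberately treats the sender boundary as a signal: the same macro-enabled spreadsheet is allowed from a colleague but held from an unknown external sender, which keeps the rule set strict at the perimeter without breaking routine internal workflows.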

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at: https://ironscales.com/get-a-demo/.