‘Babuk Locker’ Emerges as one of 2021’s First Ransomware Strains
One of the first ransomware strains unique to 2021 has been discovered. Dubbed ‘Babuk Locker’ by researchers, it has already compromised five companies thus far. Chuong Dong, a computer science student at Georgia Tech, first noticed the ransomware in a tweet by a security researcher, “Arkbird.” After some investigation, Dong then discovered information about Babuk on popular internet forum, RapidForums, which is used to share databases of breaches and leaks. The five compromised companies range from a medical testing products manufacturer to a HVAC-R company based in the United States; at least one of these companies has agreed to pay a ransom of $85,000.
The ransomware is delivered in the formed of a 32-bit .EXE file which lacks obfuscation. Researchers have not discovered the delivery mechanism used to spread the ransomware, although it is likely that a form of social engineering is used. After infection, Babuk contains a hard-coded list of services and processes to be closed before encryption. These include various system-monitoring services, including BackupExecVSSProvider, YooBackup and BackupExecDiveciMediaService.
The ransomware then attempts to delete shadow copies before and after encryption. Shadow copies are unique to Microsoft Windows and are used to create backup copies or snapshots of various files. Unique to Babuk, the ransomware uses its own implementation of SHA hashing, ChaCha8 encryption and the Elliptic-curve Diffie-Hellman (ECDH) key generation and exchange algorithm to encrypt files in the attack, thus making it near impossible for victims to recover their files.
Interesting to note is the process in which the ransomware use recursion for traversing files to then encrypt. The process starts with a thread at the highest directory, often the C:// drive, which, in the main encrypting function, will then go through each item in the parent directory. If it finds a file, it encrypts it. If a new directory is found, the process will call the main encrypting function again with that directory as the parent directory to traverse that folder. This process continues for multiple layers until Babuk has crawled through every folder and file. Researchers note that this process of file traversing and encryption is a basic approach for ransomware authors, likely hinting that the authors behind Babuk are new to the ransomware scene.
Babuk also leverages Microsoft’s legitimate Windows Restart Manager feature, which enables users to shut down and restart all applications and services but leave critical ones untouched. The ransomware uses this feature to terminate any process that is using file, ensures that nothing will prevent the malware from opening and encrypting the files.
Once all files have been encrypted, Babuk’s ransom note tells victims their computers and servers are encrypted, and demands the victim contact them using a Tor browser.
Sources: