Babuk Locker for the 2021

A new form of ransomware has emerged
to welcome the new year, 2021.
We’re referring to the Babuk Locker.
A malicious software
that is capable of encrypting some of your essential files
to deny you access to them,
and for which you should pay a ransom.
Chuong Dong,
a Computer Science student at Georgia Tech
interested in cybersecurity,
reported it on January 3rd, 2021.
(It seems that Dong saw Babuk mentioned in a tweet by Arkbird;
following a link from that tweet,
as I was finishing this post,
I found an earlier article in Russian by Amigo-A,
published on January 1st, 2021.)

According to Dong,
this malware has not been obfuscated
(malware obfuscation
makes the data or code difficult to understand)
and is quite ‘standard,’
even amateurish in coding.
Besides,
it uses “techniques we see
such as multi-threading encryption
as well as abusing the Windows Restart Manager
similar to Conti and REvil”
(other forms of ransomware).
However,
this ransomware’s encryption scheme makes it stand out:
it is enough to prevent victims
from recovering their systems and files
efficiently and for free.

Photo by Glen Carrie on Unsplash.

Babuk Locker’s encryption scheme

The robust encryption scheme of Babuk Locker,
as stated by Dong,
includes “SHA256 hashing,
ChaCha8 encryption, and Elliptic-curve Diffie-Hellman (ECDH)
key generation and exchange algorithm.”
SHA256
(SHA: Secure Hash Algorithm)
produces a 256-bit (32-byte) hash value
(we already saw what a hash is
in my first post on Fluid Attacks' blog).
ChaCha8,
on the other hand,
is a stream cipher,
an improved variant of Salsa20.
These ciphers
(both developed by professor Daniel J. Bernstein)
encrypt plaintext messages
one digit at a time
by combining them with a pseudorandom cipher digit stream,
or keystream,
produced by the algorithm.
Finally,
ECDH constitutes “a key agreement
protocol that allows two parties,
each having an elliptic-curve public-private key pair,
to establish a shared secret
over an insecure channel.”
Undoubtedly,
for many of us,
this much information is sufficient
without going into the encryption details.
Let’s keep to an overview of the ransomware
that currently occupies our attention.

Babuk Locker’s injection and operation

Babuk Locker appears as a 32-bit .exe file
(i.e., “BABUK.exe”,
at least at first),
but,
as reported by O’Donnell in Threatpost,
it is not clear
how this malware “is initially spread to victims.”
It seems, though,
that the vehicle of infection,
in this case,
may not be far from the typical phishing
“similar to other ransomware groups’ approaches,”
said Dong.
Indeed,
for his part,
Brendan Smith in Howtofix
talks about only two forms of Babuk injection:
email spam and trojans.

When the threat actors launch Babuk Locker,
they can employ “a command-line argument
to control how the ransomware should encrypt network shares
and whether they should be encrypted before the local file system,”
notes Abrams in BleepingComputer.
Babuk,
following an assigned list,
can close or terminate a wide variety of Windows support services
(e.g., system-monitoring services)
and running processes
(e.g., Office apps, mail servers, and web browsers)
before encryption.
Stopping these services and processes is necessary
for the malware to encrypt successfully,
since a file held open by a running process
could otherwise not be overwritten.
Additionally,
Babuk tries to remove shadow copies
(i.e., backup copies or snapshots of files or volumes)
before and after the encryption.

As Abrams also points out,
“When encrypting files,
Babuk Locker [uses] a hardcoded extension
and [appends] it to each encrypted file.”
The specific extension currently used is “.__NIST_K571__”.
So,
for example,
if you have a file with the name “summary_2020.docx”,
it is transformed into “summary_2020.docx.__NIST_K571__”.
Also,
a ransom note named How To Restore Your Files.txt
(see the image below)
appears in the folders containing encrypted files.
It shows general information about the attack
and instructions to follow for recovering data,
including a link to a Tor page
(remember the .onion domains we talked about a few weeks ago)
to establish negotiation.
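The two file-system indicators just described (the hardcoded extension and the ransom note name) are enough for a first triage sweep of a suspect host. The following is an added example, not code from the original post or from any Babuk sample: it walks a directory tree, lists encrypted files with their presumed original names, counts ransom notes, and builds a constructed sample tree so it can be run offline.

```python
import os
import tempfile
from pathlib import Path

# Indicators reported in the post: the hardcoded extension Babuk Locker
# appends to encrypted files, and the ransom note's file name.
BABUK_EXTENSION = ".__NIST_K571__"
RANSOM_NOTE_NAME = "How To Restore Your Files.txt"

def scan_tree(root):
    """Walk `root`; return encrypted files (with presumed original names),
    ransom note paths, and the folders holding encrypted files."""
    encrypted, notes, folders = [], [], set()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.endswith(BABUK_EXTENSION):
                # Strip the appended extension to recover the original name.
                encrypted.append((full, name[:-len(BABUK_EXTENSION)]))
                folders.add(dirpath)
            elif name == RANSOM_NOTE_NAME:
                notes.append(full)
    return {"encrypted": encrypted, "notes": notes, "folders": sorted(folders)}

def summarize(result):
    """One-line verdict for a triage ticket."""
    n_enc, n_notes = len(result["encrypted"]), len(result["notes"])
    if n_enc == 0 and n_notes == 0:
        return "no Babuk Locker indicators found"
    return (f"{n_enc} encrypted file(s) across {len(result['folders'])} "
            f"folder(s); {n_notes} ransom note(s)")

def build_sample_tree(base):
    """Create a constructed sample tree (not a real infection) under `base`."""
    docs = Path(base) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / ("summary_2020.docx" + BABUK_EXTENSION)).write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE_NAME).write_text("constructed sample note\n")
    (Path(base) / "untouched.txt").write_text("clean file\n")
    return str(base)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        res = scan_tree(build_sample_tree(tmp))
        print(summarize(res))
        for enc, original in res["encrypted"]:
            print(f"{enc} -> originally {original}")
```

Point `scan_tree` at a mounted image or a file share instead of the sample tree to get the same summary for a real host; the original names it recovers are what the victim would list when asking for a decryption test.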

Ransom note image taken from chuongdong.com.

In addition,
the ransomware operators can reveal the victims’ names in their notes
and demonstrate through images that
they have stolen unencrypted files with data
that they could expose (leak) on the Dark Web,
specifically on a hacker forum,
in case no agreement is reached.
It seems that the subjects behind this Babuk Locker project
do not currently have their own leak site
(that could be launched soon,
says Abrams).
So,
for now,
they only resort to the forum
to publish stolen data.

When both parties are chatting on the Tor site,
the criminals start with two questions:
“Are you a recovery company?”
and “Do you have insurance against ransomware programs?”
Then,
before discussing prices,
they ask the victim for some files
(less than 10MB)
he/she wants to recover
and subsequently request the ecdh_pub_k.bin file,
from which they obtain the victim’s public ECDH key
needed to perform the decryption test.
By this,
they perhaps intend to demonstrate that
this is a serious matter
and that they are the party who calls the shots.

You should be aware of Babuk Locker

Babuk Locker has already affected some companies
(mainly manufacturers) ‘worldwide,’
a number you could seemingly count on the fingers of one hand.
(Reviewing the article by Amigo-A,
this ransomware had already shown activity since last December,
and it appears that the first known victim was an Italian company.)
Babuk operators have set a price range for the systems’ release
between $60,000 and $85,000 in Bitcoin.
In fact,
the higher value is what one of the victim companies apparently agreed to pay,
being the only one that has decided to do so,
at least as reported until last week.

Based on O’Donnell’s words,
the number of ransomware attacks continues to grow,
“jumping by 350 percent since 2018.”
One of the most affected has been the healthcare sector,
and how could it not be,
when,
amid the COVID-19 pandemic,
its workload has increased considerably
and its workers may have trouble concentrating.
The latter is a factor that many cybercriminals exploit nowadays.
They send emails with files
that some of your employees or coworkers may not think twice before opening.
Babuk Locker,
the 32-bit .exe file,
is another ransomware to add to the list,
and everyone in your company should be aware of it!

I hope you have enjoyed this post
and remind you that we’re looking forward to hearing from you here
at Fluid Attacks.
Do get in touch with us!

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/babuk-locker/