Babuk Ransomware has turned out to be one of the most successful ransomware campaigns to hit organizations in 2021. At least five organizations confirmed to have been breached by the newly discovered strain in mid-Jan — and one is known to have paid as much as $85,000 to the criminals.
McAfee’s Advanced Threat Research team released new findings into the strategic operations behind this ransomware campaign. In an email interview with Mihir Bagwe of CISO MAG, John Fokker, Head of Cyber Investigations and Principal Engineer, McAfee reveals hitherto unknown findings into how Babuk ransomware spreads, its unique vectors/techniques, and its methods to evade detection.
Prior to joining McAfee, Fokker worked at the National High Tech Crime Unit (NHTCU), the Dutch national police unit dedicated to investigating advanced forms of cybercrime. Within NHTCU he led the data science group, which focused on threat intelligence research. Through his career he has supervised numerous large-scale cybercrime investigations and takedowns. Fokker is also one of the cofounders of the NoMoreRansom Project. He started his career with the Netherlands Police Agency as a digital forensics investigator within a task force against organized crime. Before joining the national police, he served in the special operations and counterterrorism group of the Royal Netherlands Marine Corps.
Formerly a member of Royal Netherlands Marine Corps, Fokker has spent most of his career on the Special Operations team and was deployed to both Afghanistan and Somalia. During this time, he learnt valuable skills like problem solving and how to think outside-of-the-box which have proved critical in his current role, leading investigations against cyber criminals around the world.
Edited excerpts of the email interview follow:
What were the key findings of your research?
Babuk is the first new Ransomware family of 2021. In spite of being new, they are agile in their development and have high ambitions. Also, it was the first ransomware family that expressed themselves negatively against the BlackLivesMatter (BLM) and LGBT communities.
On doing a deep dive into previous attacks we discovered that this ransomware embeds three different built-in commands to spread itself and encrypt network resources. It checks the services and processes running so it can kill a predefined list and avoid detection.
McAfee’s analysis provides evidence that the adversaries behind Babuk targeted organizations in the transportation, health care, plastics and electronics manufacturing, and agriculture sectors.
With no local language checks embedded in the malware, their code contrasts other ransomware gangs that normally spare devices in specific countries.
Babuk ransomware is known to use new techniques like multi-threading encryption and abuses Windows Restart Manager. Can you shed more light on these techniques as to how they work and what’s different in them than others?
Multi-threading encryption is often applied by threat actors to maximize the speed of encryption. However, the downside of multi-threading is that it is very CPU and process heavy so it can trigger alerts before the encryption is complete.
We believe changing the “SetProcessShutdownParameters” to 0 is done to confront the user with the Ransomware and force the user to perform a reboot of the machine thus erasing any traces that are left in memory.
Has your research team found any more unique vectors/techniques of Babuk ransomware?
Babuk ransomware binary did not include a local language check option, something that is really common amongst other Ransomware Families.
Files are enumerated in the typical way for ransomware, but Babuk has a curious check that other ransomwares do not have — it encrypts a maximum of 16 folders deep, meaning that if one folder has 17 or more subfolders, the 17th and onward are ignored. This is probably to speed up the encryption process.
Babuk was one of the first ransomware families in 2021 that announced working on a version that could also encrypt Unix/Linux based systems (ESXI and NAS).
What stands out as well with Babuk is the racial and anti-LGBTQ statements in its advertisements.
How does Babuk hide itself and avoid detection?
Babuk itself has relatively simple code structures, for instance the samples we examined were unobfuscated. Given the recruitment specifics for the affiliates we found online, we believe that Babuk is deployed at a stage that the attackers have already gained full control of a victims’ network and have shut down the victims’ security defenses, thus making it less important to build in defense evasion in the code base of the binary.
Do you see a trend emerging where the next generation of Ransomware (and Ransomware gangs) could use some of the same techniques at Babuk ransomware?
This is already happening. Babuk uses very similar techniques as the other big-game ransomware families. The affiliates that perform the actual penetration and exploitation have become very skilled groups that are proficient in compromising a complete network.
Are there any signs of code reuse in Babuk ransomware as we generally see in other ransomware source codes?
We examined that the code similarity between Babuk and other ransomware families that we are tracking; we discovered an 86% overlap with other families including Vasa Locker, even the ransom note showed a high degree of overlap. This relationship can indicate that the group behind Babuk have created their ransomware based on Vasa Locker.
The threat group behind it seems to be targeting multiple sectors. Recent ransomware attacks paint an opposite picture though. They are industry specific and have a clear motivation behind them. What could be Babuk operators’ aim in this case? Are they newbies trying to establish themselves or just targeting larger audiences for better returns?
Babuk, like many other ransomware families, is flexible in its targeting. We don’t believe that the major families are strictly industry specific. This perception mostly lies in the fact that the sectors that are susceptible to being extorted by disclosing stolen data are the attacks that hit the headline news. However, there are far more attacks happening and that shows ransomware gangs largely operate like bull-sharks, attacking anything that moves, or in this case, any organization that is vulnerable and has money.
Are the operators of the Babuk ransomware only going after larger corporations or should smaller organizations also be wary of it?
As McAfee, we would advise every organization to take the threat of ransomware very seriously, even smaller organizations might have a significant revenue and security isn’t always at their top of priority. During our daily research we see many organizations fall victim in situations that could have been avoided with the right pro-active security measures. For instance, using a security solution such as McAfee MVISION Insights, that allows an organization to become action-oriented, and pro-active against cyber threats.
About the Interviewer
Mihir Bagwe is a Tech Writer and part of the editorial team at CISO MAG. He writes news features, technical blogs, and conducts interviews on latest cybersecurity tech and trends.
Other Interviews from the Author:
- “CISO needs to speak the language which the CIO, CEO, and the Board speaks or understands” – Pawan Chawla
- “Invalidation of the EU-U.S. Privacy Shield was a long time coming” – Robert Meyers
- “COVID-19 is a humanitarian crisis but also emerging as a data security challenge” – Nikhil Korgaonkar
- “Unified solutions could hold the key in enforcing endpoint security policies” – Karmesh Gupta