By Felipe Ruiz | January 14, 2021
A new form of ransomware has emerged to welcome the new year, 2021. We’re referring to the Babuk Locker. A malicious software that is capable of encrypting some of your essential files to deny you access to them, and for which you should pay a ransom. Chuong Dong, a Computer Science student at Georgia Tech interested in cybersecurity, reported it on January 3rd, 2021. (It seems that Dong saw Babuk mentioned in a tweet by Arkbird and, linked to it, finishing this post, I found an earlier article in Russian by Amigo-A published on January 1st, 2021.)
According to Dong, this malware has not been obfuscated (malware obfuscation makes the data or code difficult to understand) and is quite 'standard,' even amateurish in coding. Besides, it uses "techniques we see such as multi-threading encryption as well as abusing the Windows Restart Manager similar to Conti and REvil" (other forms of ransomware). However, this ransomware’s encryption scheme allows it to stand out, being enough to prevent victims from recovering their systems and files efficiently and for free.
The robust encryption scheme of Babuk Locker, as stated by Dong,
includes "SHA256 hashing, ChaCha8 encryption,
and Elliptic-curve Diffie-Hellman (ECDH)
key generation and exchange algorithm."
SHA256 (SHA: Secure Hash Algorithm) is dedicated to generating
a 256-bit (32-byte) hash value
(we already saw what a hash is
in my first post on
Fluid Attacks' blog).
ChaCha8, on the other hand, is a stream cipher, a better variant of Salsa20.
These ciphers —both developed by professor Daniel J. Bernstein—
encrypt plaintext messages (every bit of the message is encrypted one by one)
by applying an algorithm
with a pseudorandom cipher digit stream or a keystream.
Finally, ECDH constitutes "a key agreement protocol
that allows two parties, each having an elliptic-curve public-private key pair,
to establish a shared secret over an insecure channel."
Undoubtedly, for many of us, it is sufficient with this information
instead of going into encryption details.
Let’s keep an overview of this ransomware currently occupying our attention.
Babuk Locker appears as a 32-bit .exe file (i.e., "BABUK.exe", at least at first), but, as reported by O’Donnell in Threatpost, it is not clear how this malware "is initially spread to victims." It seems, though, that the vehicle of infection, in this case, may not be far from the typical phishing "similar to other ransomware groups' approaches," said Dong. Indeed, for his part, Brendan Smith in Howtofix talks about only two forms of Babuk injection: email spam and trojans.
When the threat actors launch Babuk Locker, they can employ "a command-line argument to control how the ransomware should encrypt network shares and whether they should be encrypted before the local file system," notes Abrams in BleepingComputer. Babuk, following an assigned list, can close or terminate a wide variety of Windows support services (e.g., system-monitoring services) and running processes (e.g., Office apps, mail servers, and web browsers) before encryption. Snuffing out these services and processes is something necessary for successful encryption by the malware. Additionally, Babuk tries to remove shadow copies (i.e., backup copies or snapshots of files or volumes) before and after the encryption.
As Abrams also points out, "When encrypting files, Babuk Locker [uses] a hardcoded extension and [appends] it to each encrypted file." The specific extension currently used is ".__NIST_K571__". So, for example, if you have a file with the name "summary_2020.docx", it is transformed into "summary_2020.docx.__NIST_K571__". Also, a ransom note named How To Restore Your Files.txt (see Figure 2) appears in the folders containing encrypted files. It shows general information about the attack and instructions to follow for recovering data, including a link to a Tor page (remember the .onion domains we talked about a few weeks ago) to establish negotiation.
In addition, the ransomware operators can reveal the victims' names in their notes and demonstrate through images that they have stolen unencrypted files with data that they could expose (leak) on the Dark Web, specifically on a hacker forum, in case no agreement is reached. It seems that the subjects behind this Babuk Locker project do not currently have their own leak site (that could be launched soon, says Abrams). So, for now, they only resort to the forum to publish stolen data.
When both parties are chatting on the Tor site, the criminals start with two questions: "Are you a recovery company?" and "Do you have insurance against ransomware programs?" Then, before discussing prices, they ask the victim for some files (less than 10MB) he/she wants to recover and subsequently request the ecdh_pub_k.bin file, where they can get the victims' public ECDH key that allows them to perform the decryption test. By this, they perhaps intend to demonstrate that this is a serious matter and that they are the party who calls the shots.
Babuk Locker has already affected some companies (mainly manufacturers) 'worldwide,' which seemingly you could count on the fingers of one hand. (Reviewing the article by Amigo-A, this ransomware had already shown activity since last December, and it appears that the first known victim was an Italian company.) Babuk operators have established a pay range for the systems' release between $60,000 and $85,000 in Bitcoin. In fact, it was this higher value that one of the victim companies apparently agreed to pay, being the only one that has decided to do so, at least as reported until last week.
Based on O’Donnell’s words, the number of ransomware attacks continues to grow, "jumping by 350 percent since 2018." One of the most affected has been the healthcare sector, and how could it not be, when, amid a COVID-19 pandemic, its work has increased considerably, and its workers may show difficulties in concentration. The latter is a factor that many cybercriminals exploit nowadays. They send emails with files that some of your employees or coworkers may not think twice before opening. Babuk Locker, the 32-bit .exe file, is another ransomware to add to the list, and everyone in your company should be aware of it!
I hope you have enjoyed this post
and remind you that we’re looking forward to hearing from you
Fluid Attacks. Do get in touch with us!
Corporate member of The OWASP Foundation