The world of cybersecurity is constantly evolving, with new threats appearing seemingly every day. One of the latest to wreak havoc is the Babuk ransomware mutation, which is causing chaos in the digital world.
This dangerous ransomware strain has been spreading rapidly, targeting individuals and businesses alike, encrypting their files and demanding ransom payments in exchange for decryption keys.
In this article, we take a closer look at the Babuk ransomware mutation, from its origins to its latest attack methods, and at what you need to know to protect yourself against it. We also explore the ins and outs of this deadly cyber threat and provide practical tips on how to safeguard your systems and data.
What is Babuk Ransomware?
Babuk Ransomware is a type of malware that encrypts files on a victim’s computer and demands a ransom payment in exchange for the decryption key.
Emerging in early 2021, Babuk ransomware quickly gained notoriety for targeting large organisations across various sectors, employing advanced encryption techniques and demanding significant ransom payments in exchange for the safe return of encrypted data.
Babuk Ransomware is unique due to its file encryption mechanisms, which utilise a combination of ChaCha8 and Elliptic-curve Diffie-Hellman (ECDH) algorithms to secure victims’ files with an impenetrable layer of cryptography.
How the Mutation Works
The latest mutation of Babuk ransomware utilises the HC-128 algorithm, a stream cypher that generates high-speed pseudorandom numbers for more efficient encryption. Using this algorithm, the attackers can encrypt files at an accelerated pace while maintaining strong security measures.
Additionally, the new variant incorporates several other enhancements to its encryption process; for instance, it appends a random extension to encrypted files instead of using fixed strings like earlier versions did.
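Because the mutation no longer uses a fixed marker string, a detector cannot simply match on a known extension. The added example below (not code from the original article or from any vendor) shows a defender-side heuristic instead: it flags a process that renames many files of different types to the same unknown, random-looking extension within a short window. The file-rename events, process ids and extension names are all constructed sample data.

```python
"""Heuristic detector for bulk renames to a random, shared extension.

Signal: one process renames >= threshold files (of at least two distinct
original types) to the same unknown, high-entropy extension within a few
seconds. A fixed-extension allowlist keeps ordinary tools (.bak, .tmp) quiet.
"""
import math
from collections import defaultdict

KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "jpg", "png", "txt", "bak", "tmp", "zip"}

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def extension_looks_random(filename: str) -> bool:
    """True if the trailing extension is unknown and looks machine-generated."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not ext or ext in KNOWN_EXTENSIONS:
        return False
    # Real extensions are short and repetitive; a random token is long and varied.
    return len(ext) >= 6 and shannon_entropy(ext) >= 2.5

def detect_rename_bursts(events, window_seconds=10.0, threshold=5):
    """events: iterable of (timestamp, pid, src_path, dst_path) rename records.
    Returns {(pid, new_ext): total_renames} for every group that met the rule."""
    groups = defaultdict(list)
    for ts, pid, src, dst in events:
        if extension_looks_random(dst):
            src_ext = src.rsplit(".", 1)[-1].lower() if "." in src else ""
            groups[(pid, dst.rsplit(".", 1)[-1].lower())].append((ts, src_ext))
    alerts = {}
    for key, items in groups.items():
        items.sort()
        for i in range(len(items) - threshold + 1):  # sliding window of `threshold` renames
            window = items[i:i + threshold]
            diverse = len({src_ext for _, src_ext in window}) >= 2
            if window[-1][0] - window[0][0] <= window_seconds and diverse:
                alerts[key] = len(items)
                break
    return alerts

# Constructed sample: pid 4242 mimics a ransomware run, pid 777 a slow backup tool.
SAMPLE_EVENTS = [
    (100.0, 4242, "C:/Users/a/report.docx", "C:/Users/a/report.docx.k7x2pq9z"),
    (100.4, 4242, "C:/Users/a/q1.xlsx", "C:/Users/a/q1.xlsx.k7x2pq9z"),
    (100.9, 4242, "C:/Users/a/photo.jpg", "C:/Users/a/photo.jpg.k7x2pq9z"),
    (101.3, 4242, "C:/Users/a/notes.txt", "C:/Users/a/notes.txt.k7x2pq9z"),
    (101.8, 4242, "C:/Users/a/scan.pdf", "C:/Users/a/scan.pdf.k7x2pq9z"),
    (102.0, 4242, "C:/Users/a/old.zip", "C:/Users/a/old.zip.k7x2pq9z"),
    (100.0, 777, "C:/db/main.db", "C:/db/main.db.bak"),
    (600.0, 777, "C:/db/log.db", "C:/db/log.db.bak"),
]
```

In practice the events would come from a file-system audit source such as Sysmon or EDR telemetry; the thresholds here are starting points to tune against your own baseline of legitimate rename activity.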
In tandem with its enhanced encryption capabilities, the mutated Babuk ransomware employs double extortion tactics to maximise leverage over victims.
First, it steals sensitive information from the compromised system; then, it encrypts the critical data. The stolen data is typically exfiltrated by deploying additional tools or leveraging existing access points within the victim’s network infrastructure.
Once in possession of this valuable information, the attackers threaten to publicly release or sell it unless their demands are met—usually involving payment in cryptocurrency as ransom.
Thus, victims face potential financial loss from disrupted operations due to inaccessible encrypted data and reputational damage resulting from the disclosure of stolen information if they refuse to comply with attacker demands.
Bad Actors Behind the Mutations
The bad actors have been identified as primarily Russian-speaking hackers known to operate under various aliases on dark web forums, the most recent being “Wazawaka” and “Boriselcin”.
These hackers have demonstrated prior involvement in other ransomware strains, including Hive and LockBit. The possible motivations for their attacks range from financial gain to geopolitical influence.
For instance, the Washington D.C. Metropolitan Police Department experienced a high-profile attack in April 2021 that led to the exfiltration of sensitive information related to police officers and ongoing investigations.
However, apprehending those responsible remains elusive at best due to the dynamic nature of cybercrime networks and the challenge posed by jurisdictional boundaries in cyberspace investigations.
Variants of Ransomware That Emerged From Babuk Source Code
Conti POC
The Conti proof-of-concept (POC) has been identified as one of the ransomware families that adopted the Babuk source code, according to a report published by SentinelOne.
Conti’s modus operandi typically involves an initial compromise through phishing emails or vulnerable Remote Desktop Protocol (RDP) services, followed by rapid lateral movement across the network using Windows Management Instrumentation (WMI) commands.
The targeted sectors for this ransomware variant include healthcare institutions, educational establishments, logistics companies, and governmental organisations.
In May 2022, Costa Rica was hit by a ransomware attack by the Conti hacking group that escalated fears for smaller nations. The country’s Finance Ministry was the first to be targeted, in April, and the number of institutions affected has since grown to 27.
The group demanded a $20 million ransom and warned that it planned to overthrow the government. The Costa Rican government, however, remains defiant and has refused to pay the ransom.
DATAF Locker Variant
This strain of Babuk ransomware primarily targets large organisations, focusing on those that provide essential services such as healthcare, finance, and transportation.
The DATAF LOCKER ransomware encrypts files and demands a ransom for access recovery. It creates a text file containing the ransom note, threatening to leak stolen content unless a ransom is paid.
Decryption is rarely possible without the attackers’ involvement, so it is advised not to meet the ransom demands.
The ransomware must be removed from the operating system to prevent it from encrypting more files. Victims can recover compromised data from a backup if one was made beforehand and stored elsewhere.
Play
The mechanism behind the Play ransomware variant involves exploiting unpatched Exchange servers that have URL rewrite mitigations for the Autodiscover endpoint. This exploit chain uses vulnerabilities CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution through Outlook Web Access, bypassing blocking rules.
Microsoft addressed the flaws in November 2022 and has urged customers to prioritise installing its Exchange Server updates. Asylum Ambuscade, the threat actor, straddles cybercrime and cyber espionage, counting Vietnamese banks among its primary targets.
Rackspace has confirmed that the Play ransomware gang is responsible for a recent breach. The mechanism targets unpatched Exchange servers with URL rewrite mitigations in place for the Autodiscover endpoint.
Other Prominent Variants
- LOCK4
- Mario
- Babuk 2023
Protecting Your Organisation from Babuk Ransomware
First, ensure your organisation’s software and operating systems are up to date with the latest security patches. This closes known vulnerabilities in your systems that Babuk ransomware could otherwise exploit.
Second, back up all important data regularly and store it off-site or in the cloud, isolated from the production network so that the ransomware cannot reach it. This ensures that if your organisation falls victim to a ransomware attack, you have a copy of your data that can’t be held for ransom.
Third, educate your employees about the risks of ransomware and how to avoid it. This includes not clicking on suspicious links or opening attachments from unknown sources. Encourage employees to report any suspicious emails or activity to your IT department immediately.
Finally, consider investing in anti-ransomware software like Malwarebytes. This software is designed to detect and prevent ransomware attacks before they can do any damage. It’s an extra layer of protection that can give you peace of mind and help keep your organisation safe from Babuk ransomware and other threats.
At Grayscale, we understand the importance of protecting your organisation from ransomware attacks. We offer a range of solutions designed to help you keep your data safe and secure, including anti-ransomware solutions and cybersecurity awareness training for your employees.
Contact us today at enquiries@grayscale.my to learn more about how we can help protect your organisation from Babuk ransomware.