
Babuk ransomware unsophisticated, but highly dangerous

Intelligence gathered through McAfee’s Mvision service reveals more insight into the emerging Babuk ransomware

Despite some clear shortcomings, the rapidly emerging Babuk ransomware is becoming a serious threat aimed at carefully selected verticals, including healthcare, manufacturing and logistics, and is already netting thousands of dollars in ransom payments, according to new insight generated through McAfee’s Mvision service.

To date, Babuk is known to have hit five organisations with double extortion ransomware attacks – prominent among them outsourcer Serco – and to have made at least $85,000 from its victims. Like many others, it operates on a ransomware-as-a-service (RaaS) model, where affiliates do the dirty work while its developers get a cut of the take.

Although Babuk is not the most sophisticated ransomware – one researcher described its coding as distinctly amateurish – of particular note is a clear connection to the Vasa Locker group: Babuk’s codebase and dropped artefacts (such as ransom notes) bear some similarities to Vasa Locker’s, suggesting links between the two ransomwares and probably the teams behind them.

McAfee assessed that these similarities, plus a fairly bog-standard encryption function, a number of obvious bugs and a lack of obfuscation, suggest that the Babuk group has “limited ransomware coding experience”. Nor does it appear to contain any local-language checks of the kind many other ransomwares use to avoid devices they find to be located in Russia or other former Soviet states.

However, things are developing rapidly, said the research team, and in the past few weeks a new variant has been spotted, improving some aspects of the ransomware’s performance, and a packed version has also been found.

In terms of their modus operandi, the cyber criminals behind Babuk are using similar tactics, techniques and procedures (TTPs) as other RaaS families, said McAfee.

These span a variety of popular entry vectors into target environments, including: email phishing where the initial email is linked to a different malware strain – Trickbot or, until recently, Emotet, for example – that acts as a loader; exploiting publicly disclosed but unpatched common vulnerabilities and exposures (CVEs), particularly in remote access software, web servers, network edge hardware and firewalls; and breaking in using valid accounts, often via weakly protected remote desktop protocol (RDP) access with credentials obtained from commodity infostealers.

In its full report on Babuk, which can be downloaded here, the McAfee team noted a number of further points that defenders should be aware of.

Notably, its recruitment advertisements specifically seek individuals with penetration testing skills, so security teams should be alert for any traces or behaviours correlating with some of the open source penetration testing tools, such as winPEAS, BloodHound and SharpHound, or hacking frameworks such as Cobalt Strike or Metasploit.

It may also be worth keeping an eye on unexpected behaviour from non-malicious tools that have a dual use, such as ADFind, PsExec or PowerShell.
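As an added illustration of the detection advice above (not code from McAfee's report or from this article), here is a small Python rule set run over constructed process-creation events: the pentest-only tools named in the article alert on the binary name alone, while the dual-use tools alert only on usage patterns that are rarely legitimate in day-to-day administration. The event fields, sample paths and command-line patterns are assumptions for the sake of the example.

```python
import re
import ntpath
from typing import Iterable

# Constructed process-creation events in a Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws01", "image": r"C:\Users\jdoe\AppData\Local\Temp\SharpHound.exe",
     "cmdline": "SharpHound.exe -c All"},
    {"host": "ws02", "image": r"C:\Tools\AdFind.exe",
     "cmdline": 'AdFind.exe -f "(objectcategory=person)"'},
    {"host": "ws02", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"host": "ws03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

# Pentest-only tools: on a production host the binary name alone is a finding.
# (Cobalt Strike and Metasploit have no fixed binary name and need behavioural rules.)
PENTEST_TOOL_NAMES = re.compile(r"^(winpeas\w*|sharphound|bloodhound)\.exe$", re.I)

# Dual-use tools: alert only when the command line shows a rarely legitimate pattern.
# Tuple layout: (rule name, image filename regex, command-line regex).
DUAL_USE_RULES = [
    ("psexec-service-installed", re.compile(r"^psexesvc\.exe$", re.I), re.compile(r".*")),
    ("adfind-user-enumeration", re.compile(r"^adfind\.exe$", re.I),
     re.compile(r"objectcategory=(person|computer|group)", re.I)),
    ("powershell-hidden-encoded", re.compile(r"^powershell\.exe$", re.I),
     re.compile(r"-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden", re.I)),
]


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list means no alert)."""
    name = ntpath.basename(event["image"])  # handles Windows paths on any host OS
    hits = []
    if PENTEST_TOOL_NAMES.match(name):
        hits.append("pentest-tool-executed")
    for rule, image_re, cmd_re in DUAL_USE_RULES:
        if image_re.match(name) and cmd_re.search(event["cmdline"]):
            hits.append(rule)
    return hits


def scan(events: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Run every rule over a stream of events and return (host, image name, rule) triples."""
    return [(e["host"], ntpath.basename(e["image"]), rule)
            for e in events for rule in classify(e)]
```

Running `scan(SAMPLE_EVENTS)` flags four of the six constructed events and leaves the ordinary svchost and scripted PowerShell runs alone.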

Also, as previously reported, although the Babuk gang say they exclude certain types of organisation from their attacks, such as charity sector organisations, they do express negative sentiment towards LGBTQ+ organisations, or those associated with Black Lives Matter.

Explicit indicators of homophobic and racist sentiment not only provide a clue that Babuk is operated out of a repressive jurisdiction, but have not really ever been seen before from cyber criminal gangs, noted McAfee. As this is a new development, defenders working for, or on behalf of, organisations associated with movements for social justice should therefore be particularly vigilant.
