New Years ransomware news came early this year, when various media platforms began reporting the discovery of Babuk Locker, the newest ransomware variant to target corporations by encrypting files across network-connected devices andextorting ransom payments. For those hoping to see new ground broken in ransomware technology, Babuk Locker would have come as a disappointment. The code, its execution, the ways the operators communicate with victims and the threats to the stolen data have been labeled unprofessional. This does not mean that the malware is harmless; in fact, the opposite is true.
Babuk Locker was discovered only a few days after most of the West celebrated the new year, but those behind the ransomware had already snatched up a few victims. Victims included an elevator and escalator company, an office furniture manufacturer, a car parts manufacturer, a medical testing products manufacturer and an air conditioning and heating company based in the U.S.
We can thank computer science student Chuong Dong for the analysis; Dongs work is the best resource on Babuk Locker currently available to the InfoSec community. According to Dongs analysis, while the ransomware is fairly standard in terms of what it does and how it does it, the operators have included several common tactics that made strains like Sodinokibi and Ryuk surge in terms of successful infections. Such tactics include the double extortion tactic, hyperthreading and the ability to encrypt files across a victims network. Lets look at each in turn, and how Babuk Locker implements these tactics.
This has been, perhaps, the single most dominant trend in ransomware for the past year. Last year, at about the same time, the Maze ransomware gang (who have now opted for early retirement) began threatening to release stolen data before encryption of data was executed. The threats were soon followed by the gang releasing the data via a data leak site, accessible by other threat actors via a Tor browser. This became known as the double extortion tactic, and has seen wide adoption by almost all the major ransomware gangs targeting large corporate and government networks.
The tactic became synonymous with gangs classified as human-operated ransomware gangs; the term describes ransomware operators who use manual tools to gain access to a network, and slowly increase their network privileges until they can manually execute the malwares encryption protocols for the greatest effect on the target network. The double extortion tactic is an evolution of the human-operated trend. Recently, the tactic has evolved further to include gangs hiring call centers to cold-call victims and pressure them to pay the ransom.
Based on current research, Babuk operators have not gone so far as to cold-call victims; however, they have threatened to release and have released data belonging to victims. Rather than releasing data via a dedicated leak site, the ransomwares operators posted on underground hacker forums announcing, and then releasing, data of victims who refused to pay. Babuk does have a website, but this is used to communicate with victims and negotiate ransom payments. Here, one might view the operation as amateurish, in that all victims communicate via the same text channel so that everyone can see past communication between victims and the attacker.
When ransomware was in its infancy, it tended to only encrypt files locally; that is to say, only files on the infected machine could be encrypted so that the user could not access them. In modern networks, files are shared across the network so that the business can operate. It was only a matter of time before hackers realized that these shared network resources could be encrypted, too, and could effectively halt daily operations. Large organizations like Travelex, according to reports, paid the Sodinokibi gang over $2 million USD when their network was struck in this fashion, and forced the company to suspend many of its services.
Babuk Locker ransom demand message:
Babuk is capable of targeting files across the network through the use of command-line instructions that allow the malware to search across the network for shared resources. The command can also encrypt only local files. If the attacker successfully compromises a network-connected machine with high enough administrative privileges, it can be safely assumed that the attacker will look to encrypt files across the network, as this will cause more damage. The malware uses a combination of SHA256 hashing, ChaCha8 encryption, and Elliptic-curve DiffieHellman (ECDH) key generation and exchange algorithm to protect its keys and encrypt files. This means that, barring a major mistake by the malwares developers, the encryption is solid with no apparent way to decrypt files without the decryption key. This forces victims to either pay or restore from backups. The likelihood that a free decryptor will be released anytime soon is slim.
To further complicate recovering from Baduk Locker, the malware will do several things to help speed up and smooth the encryption process. But, first, before encryption begins, the malware looks for shadow copies and deletes them. Shadow copies are used to help create restore points if something critical happens to the machine so that important data isnt lost; deleting these makes recovery harder for those impacted by a Baduk attack. The malware will also terminate services that prevent file manipulation or alterations, including services associated with security suites that may prevent the malware from doing what it is intended to do.
The list of services targeted includes: vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, RTVscan, QBFCService, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, YooBackup, YooIT, zhudongfangyu, sophos, stc_raw_agent, VSNAPVSS, VeeamTransportSvc, VeeamDeploymentService, VeeamNFSSvc, veeam, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, AcrSch2Svc, AcronisAgent, CASAD2DWebSvc, CAARCUpdateSvc.
Files encrypted by Babuk Locker:
Lastly, if files are in use, they cannot be encrypted not ideal for an attacker looking to encrypt as much as possible to guarantee that daily operations are stopped. To do this, Baduk Locker will terminate running processes that are used to run certain file types that businesses and government organizations rely on.
The processes terminated include: sql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe, mydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, notepad.exe.
The act of encrypting files is a noisy affair, and when done en masse, its a key indication that something is wrong. Ransomware operators know this, and often choose to encrypt data when the business is quiet, slow or closed for the day. This is done in the hopes that no one is working; no one will notice and shut down the servers if something appears wrong. This information is gained by compromising the network days or weeks in advance of the attack and encryption process. This is one of the reasons why the final phase of the attack is usually done over weekends, and often in the early hours of the morning.
Other than relying on early hours best left for sleep, hackers have several tricks to make the encryption process go off smoothly. The speed at which files can be encrypted is an advantage, and to achieve this, hackers will abuse a machines hyperthreading capability. Modern CPUs have several cores stacked on top of one another to make processing faster. Each core acts like its own mini processor; the more you have the more tasks can be processed simultaneously. Hackers will use the CPUs hyperthreading ability to encrypt files faster. In practice, hyperthreading, when abused by hackers, is done to process various types of data. That which is easily encrypted is done on one thread, while larger, more complex data is sent to another thread for encryption. This drastically improves encryption efficiency, and reduces the overall time taken.
Babuk takes advantage of hyperthreading by first evaluating the number of CPU cores on the victims machine. Then, it creates a data structure to handle the threads. Dong points out that this method has several flaws, stating,
The first problem with this approach has to do with threads concurrency in an OS. A huge amount of threads can potentially be created for each process. However, in an ideal situation, its better to have one thread running per processor to avoid having threads competing with each other for the processors time and resource during encryption.However, that, by itself, is not that big of a problem if the author implemented a queue-like structure to process encrypting requests to utilize 100% of the victims processing power. Unfortunately, they decided to only spawn one encrypting thread per existing drive.
As theres likely to be more drives than threads created by the malware, Babuk cannot create as many threads as needed to speedily encrypt the targeted data. The malware then reverts to older, less efficient means of traversing through folders to encrypt data. If the malware can create the required number of threads to match the number of drives on the victims machine, the encryption will be a more efficient affair. Researchers will be quick to point out this flaw; however, for those already a victim of Babuk Locker, such discussions will be of little comfort.
Babuk Locker has already proved capable of creating corporate victims, and ransom demands have topped $80,000 USD. This amount is smaller than the take from some of the worlds most dangerous ransomware gangs, but it is not insignificant. While it can be successfully argued that the current version of Babuk Locker is not as efficientand well-coded as other ransomware examples, it still poses a clear danger to business and government networks.
Recent Articles By Author
Read the rest here:
Babuk Locker: Mediocre, But Gets the Job Done - Security Boulevard
- Tor Browser Has a New WebTunnel Feature to Avoid Censorship - How-To Geek - March 14th, 2024 [March 14th, 2024]
- The CIA Is Now Trying to Recruit Russian Spies On Telegram - TIME - May 18th, 2023 [May 18th, 2023]
- Dark Web Alerts: Identifying Criminal Data Exposure on the Dark Web - Security Boulevard - May 18th, 2023 [May 18th, 2023]
- Mullvad aces security audit with this new privacy tool - TechRadar - May 18th, 2023 [May 18th, 2023]
- Billions of Google Chrome users warned to avoid browser over red alert privacy concerns check your sett... - The US Sun - May 18th, 2023 [May 18th, 2023]
- How the decision on Space Command's home will be made - POLITICO - May 18th, 2023 [May 18th, 2023]
- Bitcoin Mixers: Clearnet vs. Darknet Which Offers Greater Anonymity? - Crypto Mode - April 27th, 2023 [April 27th, 2023]
- Matt Taibbi: Report on the Censorship-Industrial Complex - Scheerpost.com - April 27th, 2023 [April 27th, 2023]
- The Ultimate 2023 Guide to The Tor Browser Explained - Pixel Privacy - January 31st, 2023 [January 31st, 2023]
- What is Tor & How Do You Use It? Microsoft 365 - January 17th, 2023 [January 17th, 2023]
- Improving privacy when browsing web: Alternative browsers and chrome extensions - HackRead - October 19th, 2022 [October 19th, 2022]
- Tor Browser Bundle - Free download and software reviews - CNET Download - October 11th, 2022 [October 11th, 2022]
- Hacktivists seek to aid Iran protests with cyberattacks and tips on how to bypass internet censorship - CNBC - October 11th, 2022 [October 11th, 2022]
- This security firm claims to have the right tool for your privacy, and it's not a VPN - TechRadar - September 15th, 2022 [September 15th, 2022]
- A VPN Isn't the Only Way to Change Your IP Address - CNET - September 11th, 2022 [September 11th, 2022]
- Hi, I'll be your ransomware negotiator today but don't tell the crooks that - The Register - August 6th, 2022 [August 6th, 2022]
- Rewards for Justice Reward Offer for Information on Russian Interference in U.S. Elections - United States Department of State - Department of State - July 29th, 2022 [July 29th, 2022]
- How Tor Is Fightingand BeatingRussian Censorship - WIRED - July 29th, 2022 [July 29th, 2022]
- What Is Incognito Mode And Should You Be Using It? - Forbes - July 29th, 2022 [July 29th, 2022]
- TOR Browser - Onion VPN on the App Store - July 17th, 2022 [July 17th, 2022]
- Tor Browser now bypasses internet censorship automatically - BleepingComputer - July 17th, 2022 [July 17th, 2022]
- The dangers of the dark web: being safe online - Open Access Government - July 13th, 2022 [July 13th, 2022]
- Tor vs VPN: Which One Should You Use? - Dignited - June 30th, 2022 [June 30th, 2022]
- Rewards for Justice Offers Up to $10 Million for Information on Foreign Interference in US Elections - HS Today - HSToday - June 30th, 2022 [June 30th, 2022]
- Kremlin tightens control over Russians' online lives threatening domestic freedoms and the global internet - Jacksonville Journal-Courier - June 30th, 2022 [June 30th, 2022]
- Defence in Amanda Todd 'sextortion' trial zeroes in on missing data - The Tri-City News - June 30th, 2022 [June 30th, 2022]
- Now that 'Roe' has been overturned, it's up to the tech industry to protect our data - Fast Company - June 30th, 2022 [June 30th, 2022]
- QAnon Is Celebrating the Return of Its Leader After 18 Months of Silence - VICE - June 30th, 2022 [June 30th, 2022]
- 3 ways to find out if your passwords are being sold on the Dark Web - Komando - June 22nd, 2022 [June 22nd, 2022]
- EXPLAINER: EFCC 'Linked Naira Marley to the Dark Web'. Here's What You Need to Know About the Internet's Most Hidden Part - FIJ NG - June 11th, 2022 [June 11th, 2022]
- What is the Dark Web? - AOL - May 28th, 2022 [May 28th, 2022]
- Cookie Banners Can Be AnnoyingHere's How To Block Them - WRAL News - May 28th, 2022 [May 28th, 2022]
- DuckDuckGo tries to explain why its browsers won't block some Microsoft web trackers - The Register - May 28th, 2022 [May 28th, 2022]
- Proton VPN Secure Core: what it is and when you should use it - TechRadar - May 28th, 2022 [May 28th, 2022]
- How to Download & Install Tor Browser in Windows 10 - May 7th, 2022 [May 7th, 2022]
- How to Unblock a Webpage from Behind a Firewall - Beebom - May 7th, 2022 [May 7th, 2022]
- Download Tor Browser For Windows & MAC (Offline Installer) - May 1st, 2022 [May 1st, 2022]
- Tor Browser - Dark Web Portal Exposed | Dark Web Wiki - May 1st, 2022 [May 1st, 2022]
- Top 10 dark web links & Tor websites for 2022 - Surfshark - May 1st, 2022 [May 1st, 2022]
- How to Install the Tor Browser on a Chromebook - May 1st, 2022 [May 1st, 2022]
- How to Anonymous access to the dark web with Tor - BollyInside - May 1st, 2022 [May 1st, 2022]
- How to Change the Tor Browser Language - How-To Geek - April 29th, 2022 [April 29th, 2022]
- Bites of Life: Shining Light on the Dark Web - Macalester College The Mac Weekly - April 29th, 2022 [April 29th, 2022]
- How to protect against the weakest link in cybersecurity THE USERS - Security Boulevard - April 29th, 2022 [April 29th, 2022]
- What Is Dark Social and Why It Matters - Legal Talk Network - April 29th, 2022 [April 29th, 2022]
- IP bans - why they happen and how to prevent them - Oneindia - April 29th, 2022 [April 29th, 2022]
- Deep Web Tor Browser - Tor Links - Onion Links (2022) - April 20th, 2022 [April 20th, 2022]
- How to Install and Use the Tor Browser on Linux - April 20th, 2022 [April 20th, 2022]
- The Best VPN for Binance 2022 [How to Use Binance With a VPN] - Cloudwards - April 20th, 2022 [April 20th, 2022]
- Three tactics for security providers in the age of Dark Web collaboration - SecurityInfoWatch - April 20th, 2022 [April 20th, 2022]
- Simple way to Install Tor Browser in Rocky Linux 8 - Linux Shout - March 17th, 2022 [March 17th, 2022]
- Laptop in Veltman apartment had what appeared to be 'hate-related material': docs - Lethbridge News Now - March 17th, 2022 [March 17th, 2022]
- How to Access Blocked Websites anywhere and for Free - BollyInside - March 17th, 2022 [March 17th, 2022]
- Download Tor Browser for Mac - Free - 10.0 - Digital Trends - March 11th, 2022 [March 11th, 2022]
- Open in Tor Browser Get this Extension for Firefox (en-US) - March 11th, 2022 [March 11th, 2022]
- Use Brave Private Browsing with Tor to Hide IP Address - OSXDaily - February 21st, 2022 [February 21st, 2022]
- Are Crypto Transactions More Transparent Than Wire Transfers? - InvestingCube - February 21st, 2022 [February 21st, 2022]
- The Truth about Dark Web Is It Really Dangerous? - Crypto Mode - February 21st, 2022 [February 21st, 2022]
- Tech-Savvy Professionals Among 22 Arrested In Dark Web Narcotics Operation - NDTV - February 15th, 2022 [February 15th, 2022]
- Download Tor Browser for Windows - Free - 11.0.3 - February 1st, 2022 [February 1st, 2022]
- Tor Project heads to Russian court to appeal against censorship - The Daily Swig - February 1st, 2022 [February 1st, 2022]
- Firefox Monitor may remove personal information now from the Internet - Ghacks Technology News - December 9th, 2021 [December 9th, 2021]
- The Real Russia. Today. Reining in an unruly Communist Party Meduza - Meduza - December 9th, 2021 [December 9th, 2021]
- See the stunning mansion Josh Duggar is calling home during his child pornography trial ahead of possible... - The US Sun - December 9th, 2021 [December 9th, 2021]
- Whats the Difference Between the Deep Web and the Dark Web? - How-To Geek - December 9th, 2021 [December 9th, 2021]
- How to Access the Dark Web Complete Guide? - The Bulletin Time - December 7th, 2021 [December 7th, 2021]
- Theres More to Threat Intelligence Than Dark Web Monitoring - Security Boulevard - November 25th, 2021 [November 25th, 2021]
- You have to work on this through the routeras options diet plan, as some items immediately restore previous setup after a forced reboot - ADOTAS - November 25th, 2021 [November 25th, 2021]
- What is Tor (Browser) & How does it work? | CyberNews - November 23rd, 2021 [November 23rd, 2021]
- Privacy-Protective Internet Browser Tor Is Running Low on Servers - Gizmodo - November 23rd, 2021 [November 23rd, 2021]
- Yes, the Internet has become safer but a VPN is still needed - TechGenix - November 19th, 2021 [November 19th, 2021]
- Scots businessman caught with the 'most serious' category of child abuse images jailed - Scottish Daily Record - November 19th, 2021 [November 19th, 2021]
- Anna and Josh Duggar welcomed daughter Madyson Lily on October 23, their 7th child * starcasm.net - Starcasm - November 17th, 2021 [November 17th, 2021]
- Tor Browser (Alpha) 11.0.9 Download | TechSpot - November 5th, 2021 [November 5th, 2021]
- US government offers $10 million bounty for information on Colonial Pipeline hackers - The Verge - November 5th, 2021 [November 5th, 2021]
- The Tor Browser: What is it and why would you use it ... - October 24th, 2021 [October 24th, 2021]
- Tor Explained: What is Tor? How Does It Work? Is It Illegal? - October 21st, 2021 [October 21st, 2021]
- Alternatives to Using a VPN That Provided Excellent Anonymity While Online - TechBullion - October 21st, 2021 [October 21st, 2021]
- Slicing open The Onion Router (Tor) with no tears - ComputerWeekly.com - October 19th, 2021 [October 19th, 2021]
- What is the dark web? - fox4kc.com - October 19th, 2021 [October 19th, 2021]