Babuk Locker Ransomware
Summary
First seen in early 2021, Babuk Locker is a human-operated ransomware that appears to be following in the footsteps of larger ransom threats such as Ryuk and Sodinokibi. Whilst Babuk Locker is not as technically advanced as some of these more well-known tools it has appeared in numerous attacks already.
Affected platforms
The following platforms are known to be affected:
- VMware ESXi (versions: all supported)
Threat details
Introduction
Babuk Locker (or Babuk in some forums) is a newly observed human-operated ransomware targeting businesses worldwide. Despite appearing to be amateurishly constructed, its encryption functions are well-implemented, and it has already impacted a large number of organisations.
Delivery
At the time of publication, it is unclear what attack vectors Babuk Locker's operators are using to distribute it, or even what criteria they use to select targets. Unconfirmed reports indicate they may be exploiting exposed RDP services to gain initial access to target networks.
Babuk Locker infections appear to be customised, with the malware binary containing hard-coded information related to each target.
Activities
Once deployed, Babuk Locker attempts to terminate various security and recovery services, as well as database, browser and email programs, so that open files can be encrypted. It then encrypts all non-system files on local and network drives using a ChaCha8 implementation; the per-file keys are in turn encrypted using a custom elliptic-curve Diffie-Hellman implementation thought to be based on several components published by the US National Institute of Standards and Technology (NIST).
Threat updates
| Date | Update |
|---|---|
| 5 May 2021 | Babuk operators announce plans to remove the encryption portion of their malware. Babuk operators have released two messages stating their intention to change their malware business model. In the first message, entitled “Hello World 2”, they announced that they were closing their project and that the source code would be made publicly available as open source Ransomware-as-a-Service. The following day, “Hello World 2” was taken down and replaced with “Hello World 3”. That note clarified their intentions for the future of Babuk: they plan to remove the encryption portion of their malware and concentrate on the extortion side of exfiltrating data. |
| 12 Feb 2021 | New version observed. A new version of Babuk Locker has been observed that appends the extension .babyk to encrypted filenames. The indicators of compromise in this article have been updated. |
| 4 Feb 2021 | VMware ESXi targeting. The threat actor controlling Babuk Locker has recently been observed exploiting vulnerabilities in VMware ESXi to shut down virtual machines and encrypt virtual storage devices directly on the hypervisor. Once initial access to a network has been gained, malicious Service Location Protocol (SLP) messages are sent to take control of the ESXi host. VMware ESXi administrators should ensure that all recent security updates have been applied. SLP may also be disabled, if it is not required, to help prevent a successful attack. |
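The activities and 12 Feb 2021 update above describe the behaviour a defender can look for: a burst of files on local and network drives being renamed with the .babyk extension. The following is an added detection example, not code from NHS Digital or from the advisory; the pipe-separated rename-event log format, the sample events and the thresholds are assumptions, and the .babyk extension is the one named in the advisory.

```python
"""Flag hosts that rename many files to a known ransomware extension
within a short window (Babuk Locker-style mass encryption).

Added example for illustration; the event format below is assumed and
the sample events are constructed, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extension from the advisory; defenders can extend this set.
RANSOMWARE_EXTENSIONS = {".babyk"}

# Constructed sample rename events: timestamp|host|old_path|new_path
SAMPLE_EVENTS = r"""2021-02-12T09:00:01Z|WS01|C:\Users\a\report.docx|C:\Users\a\report.docx.babyk
2021-02-12T09:00:02Z|WS01|C:\Users\a\budget.xlsx|C:\Users\a\budget.xlsx.babyk
2021-02-12T09:00:03Z|WS01|C:\Users\a\notes.txt|C:\Users\a\notes_old.txt
2021-02-12T09:00:04Z|WS01|\\FS01\share\q1.pdf|\\FS01\share\q1.pdf.babyk
2021-02-12T09:00:05Z|WS01|\\FS01\share\q2.pdf|\\FS01\share\q2.pdf.babyk
2021-02-12T09:00:06Z|WS01|C:\Users\a\photo.jpg|C:\Users\a\photo.jpg.babyk
2021-02-12T09:00:07Z|WS02|C:\Users\b\draft.docx|C:\Users\b\draft.docx.babyk
2021-02-12T09:00:08Z|WS01|C:\Users\a\plan.pptx|C:\Users\a\plan.pptx.babyk
"""


def parse_event(line):
    """Split one assumed-format event line into (timestamp, host, old, new)."""
    ts, host, old, new = line.rstrip("\n").split("|", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, old, new


def is_ransom_rename(old, new):
    """True when the new name is the old name with a ransomware suffix appended.
    Works for drive-letter and UNC paths (network shares are encrypted too)."""
    suffix = PureWindowsPath(new).suffix.lower()
    return suffix in RANSOMWARE_EXTENSIONS and new.lower() == old.lower() + suffix


def detect_mass_encryption(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per host whose ransomware-suffix renames reach
    `threshold` within `window`. Each alert is (host, first_ts, count)."""
    recent = defaultdict(deque)  # host -> timestamps of recent ransom renames
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, host, old, new = parse_event(line)
        if not is_ransom_rename(old, new):
            continue  # ordinary renames are ignored
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop events that fell out of the sliding window
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append((host, q[0], len(q)))
    return alerts


if __name__ == "__main__":
    for host, first_ts, count in detect_mass_encryption(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {host}: {count} files renamed to a ransomware extension since {first_ts:%H:%M:%S}")
```

With the constructed events, WS01 trips the threshold on its fifth .babyk rename while WS02, with a single rename, does not; a single rename is still worth investigating, but the windowed count is what separates an isolated event from an encryption run in progress. The benign notes.txt rename on WS01 is ignored because it does not carry a listed suffix.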
Remediation advice
If a device on your network becomes infected with ransomware it will begin encrypting files, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup. To limit the impact of a ransomware infection, NHS Digital advises that:
- Critical data is frequently saved in multiple backup locations.
- At least one backup is kept offline at any time (separated from live systems).
- Backups and incident recovery plans are tested to ensure that data can be restored when needed.
- User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary.
- Infected systems are disconnected from the network and powered down as soon as practicable.
- Any user account credentials that may have been compromised are reset on a clean device.
- Where infected systems cannot be quarantined with confidence, then an affected organisation should disconnect from national networks to limit propagation.
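The advice above rests on backups that can actually be restored, and on knowing that a restored copy has not itself been altered or encrypted. The following is an added example, not NHS Digital's code, of a simple restore check: build a SHA-256 manifest of the live data at backup time and compare a restored copy against it. The directory layout and file contents are constructed inline so the script runs offline.

```python
"""Verify that a restored backup matches the manifest taken at backup time.

Added example; the sample directory tree is constructed in a temporary
directory and does not represent any real system.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest.

    Returns a dict with sorted lists of files that are missing from the
    restore, present but with different content, or unexpected extras
    (for example encrypted copies carrying a ransomware extension)."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "modified": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "extra": sorted(set(restored) - set(manifest)),
    }


def demo():
    """Constructed scenario: one file restored intact, one corrupted,
    one missing and replaced by an encrypted copy with a .babyk suffix."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "finance").mkdir(parents=True)
        (live / "policy.txt").write_text("access control policy v3")
        (live / "finance" / "ledger.csv").write_text("date,amount\n2021-02-01,100\n")
        (live / "finance" / "notes.txt").write_text("quarterly notes")
        manifest = build_manifest(live)  # taken when the backup is made

        restored = Path(tmp, "restored")
        (restored / "finance").mkdir(parents=True)
        (restored / "policy.txt").write_text("access control policy v3")  # intact
        (restored / "finance" / "ledger.csv").write_text("date,amount\n")   # truncated
        (restored / "finance" / "notes.txt.babyk").write_bytes(b"\x00garbage")  # encrypted
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        print(f"{kind}: {files or 'none'}")
```

A clean restore returns empty lists for all three keys; anything else means the backup, or the restore procedure, needs attention before it is relied on in an incident. Storing the manifest with the offline copy (and keeping it read-only) gives the restore test something independent to check against.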
Additionally, to prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details, refer to their end user device security guidance pages.
Indicators of compromise
Last edited: 5 May 2021 5:41 pm