The Sogeti CERT ESEC Threat Intelligence (CETI) team has analyzed the activities of the Babuk ransomware operators and described how quickly this new group has adapted to single, double and even triple extortion.
Just as quickly, Babuk’s operators moved to a ransomware-as-a-service business model, recruiting affiliates on clandestine Russian-language forums.
Unlike other ransomware groups, Babuk members post advertisements in English on popular hacking forums. The Babuk malware also lacks the so-called “kill switch” commonly found in ransomware, which aborts execution when it detects that a Commonwealth of Independent States (CIS) language is installed by default on the targeted device.
The hackers set up their own data leak site to publish information stolen from victims as part of a double extortion strategy. The criminals have also published a list of companies and organizations they will not attack, with the stated exception of charities that help BLM and LGBT people.
The new ransomware comes without any source code obfuscation mechanisms. However, the group uses a strong encryption scheme that is almost impossible to break: a homemade ChaCha8 and SHA256 scheme for encryption, with the keys protected by ECDH. Babuk can accept additional command-line parameters when it is executed; if none are specified, only local drives are encrypted.
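The key-management property behind that scheme, and the reason recovery without the operator's private key is infeasible, is the standard hybrid pattern: a per-victim ephemeral ECDH key agreement against the operator's public key, a SHA256 step to turn the shared secret into a symmetric key, and a stream cipher over the data. The following Go program is an added illustration of that pattern written for this page; it is not Babuk's code nor anything from the Sogeti or McAfee analyses. It assumes the X25519 curve (the article names ECDH but not a curve) and uses AES-CTR from the Go standard library as a stand-in for ChaCha8, which the standard library does not ship. The sample file content is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed curve for the ECDH key agreement; the article does not name one.
var curve = ecdh.X25519()

// deriveFileKey hashes the ECDH shared secret with SHA-256 to obtain the
// 32-byte symmetric key, mirroring the SHA256 step the article mentions.
func deriveFileKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	return key[:], nil
}

// xorStream applies AES-256-CTR to data. AES-CTR stands in for ChaCha8
// (absent from the Go standard library); both are stream ciphers, so the
// key-management lesson is the same.
func xorStream(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// seal encrypts plaintext under a fresh ephemeral key agreed with masterPub.
// It returns the ephemeral public key (which must be kept with the data) and
// the ciphertext with a 16-byte IV prefix. Nothing in the output, and nothing
// left on the encrypting machine, contains the master private key.
func seal(masterPub *ecdh.PublicKey, plaintext []byte) (ephPub, ciphertext []byte, err error) {
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	key, err := deriveFileKey(eph, masterPub)
	if err != nil {
		return nil, nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, nil, err
	}
	ct, err := xorStream(key, iv, plaintext)
	if err != nil {
		return nil, nil, err
	}
	return eph.PublicKey().Bytes(), append(iv, ct...), nil
}

// unseal recovers the plaintext from the stored ephemeral public key and the
// master private key; this is the only route back to the data.
func unseal(masterPriv *ecdh.PrivateKey, ephPub, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < aes.BlockSize {
		return nil, errors.New("ciphertext shorter than IV")
	}
	peer, err := curve.NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	key, err := deriveFileKey(masterPriv, peer)
	if err != nil {
		return nil, err
	}
	return xorStream(key, ciphertext[:aes.BlockSize], ciphertext[aes.BlockSize:])
}

// demo runs one round trip and reports whether the master key recovers the
// plaintext and whether an unrelated private key (anyone without it) does.
func demo() (withMasterKey, withOtherKey bool, err error) {
	master, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	other, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	plaintext := []byte("constructed sample file content") // constructed input
	ephPub, ct, err := seal(master.PublicKey(), plaintext)
	if err != nil {
		return false, false, err
	}
	got, err := unseal(master, ephPub, ct)
	if err != nil {
		return false, false, err
	}
	wrong, err := unseal(other, ephPub, ct)
	if err != nil {
		return false, false, err
	}
	return bytes.Equal(got, plaintext), bytes.Equal(wrong, plaintext), nil
}

func main() {
	ok, wrong, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with master key: %v, with other key: %v\n", ok, wrong)
}
```

The point for responders is in `seal`: the encrypting side only ever holds the master public key and a throwaway ephemeral private key, so memory dumps or disk artifacts from the affected host yield no material that decrypts the data. Recovery therefore depends on backups, or on the operator's private key becoming available, rather than on cryptanalysis.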
Babuk operators have already attacked healthcare organizations, banks, retailers and transportation companies. According to McAfee, the attacks affected companies and organizations in Israel, the United States, India, Luxembourg, Italy, Spain, South Africa, the United Arab Emirates, the United Kingdom, China and Germany.
According to experts, the criminals use colloquial English to communicate on underground forums. Presumably, they are not native English speakers, as specialists have identified several spelling errors and non-native expressions.
The ransom amounts range from $60,000 to $85,000, and at least one victim agreed to pay the highest amount. Each Babuk ransomware sample is customized for its victim, with a ransom note and a URL pointing to a chat used to negotiate payment.
Researchers estimate that if the new group keeps up its targeted attacks at this pace, Babuk could become a serious threat, much like Egregor, which many Maze affiliates have adopted.