1. Home
  2. Software
  3. Babuk

Babuk

Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of Babuk employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[1][2][3]

ID: S0638
Associated Software: Babyk, Vasa Locker
Type: MALWARE
Platforms: Windows, Linux
Contributors: Hiroki Nagahama, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India; Daniyal Naeem, BT Security
Version: 1.0
Created: 11 August 2021
Last Modified: 13 October 2021
Version Permalink

Associated Software Descriptions

Name Description
Babyk

[1][2][4]
Vasa Locker

[1][2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Babuk has the ability to use the command line to control execution on compromised hosts.[1][2]
Enterprise T1486 Data Encrypted for Impact

Babuk can use ChaCha8 and ECDH to encrypt data.[1][2][5][4]
Enterprise T1140 Deobfuscate/Decode Files or Information

Babuk has the ability to unpack itself into memory using XOR.[1][5]
Enterprise T1083 File and Directory Discovery

Babuk has the ability to enumerate files on a targeted system.[2][4]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Babuk can stop anti-virus services on a compromised host.[1]
Enterprise T1490 Inhibit System Recovery

Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet.[1][2]
Enterprise T1106 Native API

Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution.[1][2][5]
Enterprise T1135 Network Share Discovery

Babuk has the ability to enumerate network shares.[1]
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Versions of Babuk have been packed.[1][2][5]
Enterprise T1057 Process Discovery

Babuk has the ability to check running processes on a targeted system.[1][2][4]
Enterprise T1489 Service Stop

Babuk can stop specific services related to backups.[1][2][4]
Enterprise T1082 System Information Discovery

Babuk can enumerate disk volumes, get disk information, and query service status.[2]
Enterprise T1049 System Network Connections Discovery

Babuk can use "WNetOpenEnumW" and "WNetEnumResourceW" to enumerate files in network resources for encryption.[2]
Enterprise T1007 System Service Discovery

Babuk can enumerate all services running on a compromised host.[2]

References

  1. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
  2. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
  3. Lyngaas, S. (2021, February 4). Meet Babuk, a ransomware attacker blamed for the Serco breach. Retrieved August 11, 2021.
  1. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.
  2. Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021.