Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of Babuk employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[1][2][3]

ID: S0638
Associated Software: Babyk, Vasa Locker
Platforms: Windows, Linux
Contributors: Hiroki Nagahama, NEC Corporation; Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India; Daniyal Naeem, BT Security
Version: 1.0
Created: 11 August 2021
Last Modified: 13 October 2021

Associated Software Descriptions

Name Description


Vasa Locker


Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Babuk has the ability to use the command line to control execution on compromised hosts.[1][2]

Enterprise T1486 Data Encrypted for Impact

Babuk can use ChaCha8 and ECDH to encrypt data.[1][2][5][4]

Enterprise T1140 Deobfuscate/Decode Files or Information

Babuk has the ability to unpack itself into memory using XOR.[1][5]

Enterprise T1083 File and Directory Discovery

Babuk has the ability to enumerate files on a targeted system.[2][4]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Babuk can stop anti-virus services on a compromised host.[1]

Enterprise T1490 Inhibit System Recovery

Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet.[1][2]

Enterprise T1106 Native API

Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution.[1][2][5]

Enterprise T1135 Network Share Discovery

Babuk has the ability to enumerate network shares.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Versions of Babuk have been packed.[1][2][5]

Enterprise T1057 Process Discovery

Babuk has the ability to check running processes on a targeted system.[1][2][4]

Enterprise T1489 Service Stop

Babuk can stop specific services related to backups.[1][2][4]

Enterprise T1082 System Information Discovery

Babuk can enumerate disk volumes, get disk information, and query service status.[2]

Enterprise T1049 System Network Connections Discovery

Babuk can use "WNetOpenEnumW" and "WNetEnumResourceW" to enumerate files in network resources for encryption.[2]

Enterprise T1007 System Service Discovery

Babuk can enumerate all services running on a compromised host.[2]